EU parliaments website in violation of GDPR (medium.com)
74 points by mgliwka 5 months ago | 92 comments



How is this news? Everyone is scrambling to be GDPR-compliant before the due date. Probably the people behind this site also.


Well, if the intent behind the legislation was to protect personal data, presumably they would have modified their own behavior before regulating.

But they haven't. Makes things clear.

They also control the enforcement mechanism. Let's see if they will modify it to save face or if they'll just ignore it. Or do you think they'll fine the parliament (not that they haven't exempted themselves, of course) ?


You're making the incorrect assumption - deliberately, I presume - that the people writing the legislation have anything to do with how the website operates. You're wrong, of course. The EU(P) is a very large and very complex organization, just like many multinationals.

Should they eat their own dog food? Probably. But pretending there's some kind of hypocrisy going on is stretching it.


Well my opinion is that the EU shouldn't exist. A non-democratic state controlling democratic states seems to me to be a spectacularly bad idea. But I'm a consultant and I've worked and work for these people, mostly indirectly.

Let me assure you: there is absolutely no shortage of hypocrisy. You don't need anything more than to walk around their offices and ask what all those weird markings on public and private spaces mean. You'll be disgusted, and cured of any notion that the EU intends to do anything for anyone but themselves.

But outside of that, there is a clear personal status cult being upheld everywhere around the European organisations, with the biggest distinction between the "fonctionnaires" and everybody else (although as an employee of the commission you're still several rungs above "les gens de la rue" (which does not mean homeless, like in France, it just means normal people of Brussels)). And may God help you if you're working for ISS or any of the cleaning companies. At that point your status is so low that people routinely throw things at you just to cool their frustration. This is accepted and normal behavior, despite how incredibly immoral it is.

(The "European quarter" of Brussels has a ton of public and private spaces, from "public" parks to a small shopping center (with mostly cafes), and the highly coveted parkings and parking spaces that are reserved, by law, for European officials' use only. So does Woluwe, even if they're a lot better hidden there. To say that these people have no intention to use their power to improve people's lives is absurd when you walk around their offices)


> A non-democratic state controlling democratic states seems to me to be a spectacularly bad idea. But I'm a consultant and I've worked and work for these people, mostly indirectly.

The EU isn't a state, it's a union of states, and there are EU elections happening.


EU elections aren't selecting the people who make laws. That's the commission and the EU council.

By that standard the Soviet Union, China and Saudi Arabia are/were democratic too. They all have/had elections. Elections that do not determine who has legislative and executive power are not elections.

The reason why is of course simple. People in member states do not care about the EU. They care about local politics 99% of the time. On top of that, member states' electorates do not agree on the issues. Not on what the issues are in the first place and certainly not on what is to be done about them. There is no way for politicians to campaign across the EU, it's all done locally. Therefore the assessment of most fonctionnaires in Brussels is probably correct: there is no way to have an effective democratic EU. They also assess that they don't want to do that, as it would not be a unifying force.

[1] https://en.wikipedia.org/wiki/Elections_in_the_Soviet_Union

[2] https://en.wikipedia.org/wiki/Elections_in_China

[3] https://en.wikipedia.org/wiki/Elections_in_Saudi_Arabia


> Well, if the intent behind the legislation was to protect personal data

Either prove that it isn't or please stop this rhetoric. Thanks


Reading the GDPR text shows there is a bunch of exceptions for which storing of, for example, IP addresses can be done without anonymizing or consent, with one of the more clear cut being security. If the processing is done exclusively for security purposes then the site can argue in court that they are in compliance.

Compliance with the law is always about context. What is gathered, why and how is it used, and lastly whether there are additional factors to consider. Google Analytics in itself is interesting because it is not clear if Google themselves then process the data and for what use, especially for the enterprise version.


Google Analytics is not a security tool. You can't even see what a specific IP has been doing.


Of those exceptions, security is one and the most clear cut one. The others are more muddy, which is why I did not describe them, even if in this case those are more likely to be used than security.

The list is as follows:

    1. Processing shall be lawful only if and to the extent that at least one of the following applies:

    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

    (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

    (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

    Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

The security exception is then an additional point, Article 6, Paragraph 1, Point F.


The issue isn't that _you_ can't see what a specific IP is doing, but Google certainly can, and it's more than that.

The GDPR really spells out that you can't ask for consent / basis to do one thing and then flip around and do more with it.

Aka, if you consent to signing up for a newsletter they can't turn around and sell your email to another list, take that list to their next startup that's unrelated, etc.

For Google this gets tricky: you consent to using them for analytics (most everyone on the free, non-enterprise version). Are they also using that to feed their search engine? Tweak display ads? Check for fraud? Build profiles of people across sites, browser sessions and devices?

And while this is about analytics, the same can be said for Maps, Docs, Domains, Fonts, etc. all of which have a primary use and (for Google) a stack of juicy secondary uses they can make money off of. Most of it doesn't even strike me as nefarious (it seems reasonable that they'd index pages that come up in Google analytics), but it's not disclosed so nobody is exactly sure what's being done.

Even this anonymize IP business is tricky b/c:

1. They still get the IP as surely as you browsing to www.google.com.

2. They may be tracking in other ways (fingerprinting, cookies, etc.) that uniquely identify you, so does it matter?


> The GDPR really spells out that you can't ask for consent / basis to do one thing and then flip around and do more with it.

That's not how reality works. Laws, despite god knows how many attempts, don't change that. If you have the information, you can use it.

> Aka, if you consent to signing up for a newsletter they can't turn around and sell your email to another list, take that list to their next startup that's unrelated, etc.

Ok. When the spam problem stops, I'll believe this. Until then, I reserve judgement.

> For Google this gets tricky, you're consent to

Sure, but with a chunk of their operating expenses ($9 billion a year) spent on lawyers ... tricky is not a problem. For everyone else, it is.

It gives them a legal way to destroy any company they don't like, it's a land-grab for both their own jurisdiction (as opposed to member nations' jurisdictions), it's a land-grab for global jurisdiction, it's a (partial) denial of private contracting rights and it's explicitly designed for selective enforcement.

What more could one want in a big new law ?


Your points made me think that this law is likely just going to solidify market monopolies and ensure competition can't exist legally, similar to large banks in the US.


Well, yes. However, we should look at illegally: it's going to make it much easier for sites to exist in areas where there won't be any enforcement. So it's going to kill European sites, not anything else.

Effectively European companies below a certain size can't allow for forums anymore.

Obviously this will impact things like newspaper forums, tech support, webfora on specific topics, ...


I don't have the text in front of me but I'm pretty sure there is an exception for member states' government agencies (if they choose to have the exception). I wouldn't be surprised if this covers EU agencies and institutions as well.


They're excluded from the fines, but not from the regulation itself.


I thought IPs are not considered personally identifiable information.


Yes it is - it's in the FAQ:

https://www.eugdpr.org/gdpr-faqs.html

What constitutes personal data?

Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.


I like this definition better. IANAL warning.

Personal Data:

  - PII is Personal Data.

  - If a user has PII, then all of the user data is Personal Data.

So HN posts would not be Personal Data for the users that have the email field empty. And even email (and any other user-entered data) can be made non-PII if the ToU explicitly require it to be so.

My advice would be to legally and technically isolate PII and other_userdata. GDPR/etc. compliance becomes quite a bit easier this way.


ToU don’t change what PII is or isn’t under the GDPR.

The GDPR also states that consent alone isn’t a legal reason to collect or process PII and “advises” against relying and structuring terms of service to collect PII.

Basically you can't build a service, ask people for their data and then rely on their consent as the legal reasoning for having that data. You need an actual legal basis, e.g. a regulatory requirement or a business requirement to collect that data, and in all cases the requirements, unless stated in law, must be evaluated against the best interests of those you collect data from.


> ToU don’t change what PII is or isn’t under the GDPR.

ToU can, by prohibiting users from entering any PII. In the case of email, the ToU would say that only a non-identifying email can be used.

For the rest of your comment, I don't see any relevance here. There is no need for consent for non-PII user data. All PII user data is behind a legal and technical wall and cannot be accessed by the processor/controller of non-PII user data.


There is no such thing as a “non-identifiable” email. You cannot use ToU to bypass GDPR.


Ok, here is my email: 1373f84998986cf8@tutanota.com. Identify me! Know that I won't use the email elsewhere.

> You cannot use ToU to bypass GDPR.

Just to clarify this is not buried in ToU but laid out clearly.

So the website says don't give PII. User still does. And GDPR would penalize the website? Citation please.


Are you serious? The fact that your email isn't yourname@mailprovider.com doesn't make it any less identifiable. My IP address is 192.168.1.1, identify me... It also doesn't matter if you think the information is identifiable or not; what matters is how the GDPR defines it.

The GDPR defines PII and there isn't anything you can do about it. You can't ask users to make a throwaway email account and hope that you can pass GDPR by claiming that it's not PII; this isn't how regulation works.

What matters isn't that the email address reveals your name, it's that someone can use it to identify additional information about you, such as if you are subscribed to a specific service or not.

> So the website says don't give PII. User still does. And GDPR would penalize the website? Citation please.

If the website asks for an email address that is PII under the GDPR.


IP is not a user-entered data and cannot be freely selected, unlike email addresses.

> the fact that your email isn't yourname@mailprovider.com doesn't make it any less identifiable.

The only official guidelines about email I could find are in here [1]. It does not say all email addresses are PII. It just says "name.surname@company.com" type addresses are PII and "info@company.com" type addresses are NOT PII. So even "yourname@mailprovider.com" may be non-PII.

> someone can use it to identify additional information about you such as if you are subscribed to a specific service or not.

That's not enough. The service needs to have PII. That is, if none of the services has PII, the email address is not PII.

> you can't ask users to make a throwaway email account

Throwaway is not needed. At best an individual needs 2 email accounts. One address for the services where he is identified (e.g. bank website) and one address for where he is not (e.g. random forum).

So this is not an onerous condition at all, if that's the case you are making.

> If the website asks for an email address that is PII under the GDPR.

This is not a (official) citation.

[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...


That is not an official website - if you read the footer you'll see the following text:

"Disclaimer: This is not an offical EU Commission or Government resource. This is a education portal and the information contained within this portal does in no way constitute legal advice. Any person who intends to rely upon or use the information contained herein in any way is solely responsible for independently verifying the information and obtaining independent expert advice if required."


The official EU Commission website[1] still says it's personal data:

> Examples of personal data

> [...]

> - an Internet Protocol (IP) address;

[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...


The safe approach is to assume they are, unless you are 100% sure that there are a large number of people behind a single IP. The easiest way to deal with this is to null the last octet; that way you still have plenty of use cases covered with respect to analytics (but not forensics!) and the IP is no longer PII.

If you wish to keep IPs for forensic reasons then you will have to put some kind of reasonable upper limit on how long you will keep them (say 90 days) if no specific reason to keep an IP (say an active investigation) comes up in that time justifying further retention.
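The two measures this comment describes, zeroing the last octet for the analytics copy and keeping full IPs for forensics only within a bounded window unless a hold applies, as an added example that is not from the thread. The IPv6 handling (keeping a /48), the combined log format, the sample lines and the `holds` set are my own assumptions.

```python
# Added example, not code from the thread: IP minimisation for access logs.
# Analytics gets every line with the host part of the IP zeroed; forensics
# keeps full IPs only while they are younger than max_age (90 days, as in
# the comment) or while the IP is under an explicit hold (assumed mechanism).
import ipaddress
import re
from datetime import datetime, timedelta, timezone

IPV4_KEEP_PREFIX = 24  # zero the last octet, as the comment suggests
IPV6_KEEP_PREFIX = 48  # my extension: zero everything after the first 48 bits

# Combined log format: "<ip> - - [<timestamp>] ..." (assumed input format).
LOG_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def anonymize_ip(ip_text: str) -> str:
    """Return the address with its host-identifying bits set to zero."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
    prefix = IPV4_KEEP_PREFIX if ip.version == 4 else IPV6_KEEP_PREFIX
    network = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(network.network_address)


def split_for_retention(lines, now, max_age=timedelta(days=90),
                        holds=frozenset()):
    """Split raw log lines into (forensic_lines, analytics_lines).

    forensic_lines keep the full IP and only contain entries still inside
    the retention window or whose IP is in `holds` (active investigation).
    analytics_lines contain every parseable entry with the IP anonymized.
    Lines that do not parse are skipped rather than guessed at.
    """
    forensic, analytics = [], []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ip_text, ts_text = match.group(1), match.group(2)
        try:
            ts = datetime.strptime(ts_text, TS_FORMAT)
            masked = anonymize_ip(ip_text)
        except ValueError:
            continue
        # The IP is the first field, so replace only that prefix.
        analytics.append(masked + line[len(ip_text):])
        if now - ts <= max_age or ip_text in holds:
            forensic.append(line)
    return forensic, analytics


# Constructed sample data: evaluation date and four access-log lines.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.42 - - [20/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2018:08:30:00 +0000] "GET /a HTTP/1.1" 200 64 "-" "curl/7.58"',
    '2001:db8:abcd:1234:5678::1 - - [01/Jan/2018:09:00:00 +0000] "POST /login HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '192.0.2.200 - - [10/Feb/2018:22:15:00 +0000] "GET /b HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
# Hypothetical hold: the IPv6 client is part of an active investigation.
HOLDS = frozenset({"2001:db8:abcd:1234:5678::1"})


if __name__ == "__main__":
    forensic, analytics = split_for_retention(SAMPLE_LOG, NOW, holds=HOLDS)
    print("forensic store (full IPs, within 90 days or on hold):")
    for entry in forensic:
        print("  ", entry.split()[0])
    print("analytics store (anonymized):")
    for entry in analytics:
        print("  ", entry.split()[0])
```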


PII is not a concept of GDPR. Whether IPs are considered personal data covered by GDPR is open to interpretation, but most of the experts I've talked to say yes.


As does the official website FAQ.


It's nuanced

> If the processor has the legal option to oblige the provider to publish additional information which can identify the user who is behind the IP address, this is also personal data.

https://gdpr-info.eu/issues/personal-data/


The GDPR decided otherwise ;) IPs are now PII with all the problems you will now have: every system storing (even temporary) an ip address (e.g. access logs) for a short term are processing (storage is processing) personal information.


It depends. If they can be traced back to a single person, they are. However you also have dynamic IP addresses - multiple people using the same IP..

I wouldn't call it a gross violation.


It's personal data according to GDPR, see this FAQ from the EU commission: https://ec.europa.eu/info/law/law-topic/data-protection/refo...


They'll use legitimate interest as a reason.


This is a reasonable observation but I doubt anyone will care. Moreover it misses the point of GDPR.

The goal is not to improve people's privacy. It's too vague to achieve that. Obviously the EU doesn't care, as even its own websites aren't in compliance - assuming this guy's definition of compliance is the same as theirs. How likely is it the rest of the EU's operations are? Zero likelihood of that.

But that's OK. GDPR doesn't even have a concrete notion of what privacy or personal information actually are. The goal is not to improve privacy, that's just a fig leaf. The goal is to grant the EU large new powers over the private sector and in particular over American tech firms, who will repeatedly be fined and treated as, effectively, a new source of tax income. GDPR is so vague and open ended that there's no way they can ever be compliant, meaning the EU has a new source of cash for years to come. Very useful at a time when they are asking for budget increases despite years of austerity, and facing a budget hole due to Brexit, and member states are getting upset at their financial demands.

GDPR enforcement will be very similar to EU anti-trust policy - deeply political and immediately controversial. It is best understood not as a law but as a political move, sort of like how China uses laws against pornography to justify blocking foreign search engines, or how it uses a law against 'spreading rumours' to censor domestic social media.


I disagree. I believe it is an attempt to put a stop to (mostly) US collection of EU citizen data - or at least to give EU citizens some ability to control what foreign entities are collecting (and monetizing) about them.

The EU uses large fines as a fairly effective threat to dissuade organizations from doing things that the EU believes are not beneficial to its members. Of course it's not perfect, and of course there are political motivations as well... but Europe (and other lower corruption countries, for that matter) have grown tired with the US and its money-above-all behavior.

US citizens will benefit from GDPR because it will force some change in behaviors of profit-seeking entities.


> GDPR is so vague and open ended that there's no way they can ever be compliant

This is nonsense. I really don't see what's so difficult to understand. Personal information is information by which the person can be identified.


The definition of personal information is easy to understand (albeit broad). However, the vagueness seeps in other areas of the regulation.

For example, additional restrictions are in place for “large scale” processing of personal information, yet “large scale” is never defined. Is that hundreds, thousands or millions of records?

As the owner of a very small SaaS business (that does not sell personal information of its users) I found it tremendously difficult to figure out how to comply given the vagueness of it all.


Yeah I get that. I googled around a bit and apparently there were concrete figures in the initial draft.

I don't know if the EU has a contact person to whom you can ask these questions; if they do, you can simply ask them to clarify. If you've done that, you're in the clear because you've put in the effort to comply.

But yeah in this case they should just give you a number.


> I don't know if the EU has a contactperson to whom you can ask these questions, if they do, you can simply ask them to clarify.

lol of course there isn't an office you can ring to help you with this! If there were we wouldn't be spending quite so much effort working out what it all means.


Well for my country (NL) we have the AP and with 2 clicks I have their phone number: https://autoriteitpersoonsgegevens.nl/nl/contact-met-de-auto... ....

> If there were we wouldn't be spending quite so much effort working out what it all means

People love drama.


You don't seem to know much about GDPR.

Firstly, no, your national regulators cannot give you binding answers about GDPR. This is one thing the EU Commission has been clear on. They can advise, but their advice has no more weight than this Hacker News thread does - the EU is not required to care about what national regulators said and they have no special powers to interpret the law. Only the EU gets to decide what GDPR means, and they have said explicitly they will not answer questions about it. The only time answers finally come is during legal actions.

Secondly, no, people do not "love drama" in the business context, far from it. Maybe you should consider that your own interpretation of the problem is the issue rather than other people just causing drama for the sake of it.


k


Each of the 28 member states of the EU has a data protection authority. Those are the people one rings to get advice.


> For example, additional restrictions are in place for “large scale” processing of personal information, yet “large scale” is never defined. Is that hundreds, thousands or millions of records?

Hundreds or thousands not, millions definitely yes, somewhere in the middle you get to draw a line which to me is an indication that the closer you get to those millions the more you'll have to work and then those additional restrictions kick in.

There are companies that store billions of profiles (Google, Facebook), and for those the 'large scale' moniker is a no-brainer. If you're a small company that stores a few hundred to a few tens of thousands of records because you are doing direct business with those people then that would most likely still qualify as small. But from 100K and up I'd make sure the house was in order, not just because of the GDPR but because you are becoming a nice, fat & juicy target for miscreants as well.


That is the scope I was ballparking mentally (and which fits the scope of processing done in my app), but I just wish they had been explicit about it in the regulation so I could put to rest any apprehension around it.


The room built in is to ensure that there is some flexibility regarding for instance financial and health information where those restrictions would probably kick in sooner versus some e-commerce company such as a web store where the need to keep the data around on live systems is much less urgent.

That way one law will allow banks, insurance companies, hospitals and a mid-sized e-commerce company all to figure out for themselves what their comfort zone is. Add a little room for safety and you're most likely going to be good, and even if not you can point at the law and say 'it wasn't explicit', so unless you are purposefully misinterpreting a few million records as 'small scale' you will likely get away with that. Note the 'likely', this isn't a certainty, but in my experience to date everybody that is fear mongering about the GDPR is coming up with the wildest of scenarios rather than just looking at the law as if it was intended well (which I really believe it is).


> Note the 'likely', this isn't a certainty but in my experience to date everybody that is fear mongering about the GDPR is coming up with the wildest of scenarios rather than to just look at the law as if it was intended well (which I really believe it is).

Bringing up the "parade of horribles" is a standard way of reacting to regulations, and it's normally countered by the regulators just pointing out that the horribles rely on really tortured interpretations that aren't intended. With the GDPR, that hasn't been the response (which has instead been a double-down on "it's just common sense" without confirming or refuting what will happen); for me, that's some cause for concern.


I've rarely seen so much positive effect from a law before the date at which it would be enforced. My inbox is regularly visited by companies that suddenly feel that maybe they should obtain my consent to spam me further, in spite of me trying - sometimes for years - to get off their lists.

We'll see what happens after May 25th, but for now I'm really hopeful that we will finally see some counterbalance to all this ridiculous profile building for marketing purposes.


> This is nonsense. I really don't see what's so difficult to understand. Personal information is information to which the person can be identified.

Does that include email addresses and IP addresses? If so, that means things like using email addresses to log in for comments or logging IP addresses for traffic analysis causes all sorts of GDPR to kick in. As the OP points out, this means that things like the EU's own websites are in violation of the GDPR.


Yes it does. Indeed it also does mean the GDPR kicks in (on the 25th).

All you need to be able to do though is say what you're using the information for. If that is "To allow you to log in to your account" and "Your IP and page requests are logged and kept for 2 weeks for traffic analysis and troubleshooting" you're good to go - just say that on the sign-up form[1]. If you want to add the email address to a mailing list too, you need to add an opt-in consent checkbox and a bit more information on what the checkbox agrees to.

If you want to pass along the information (indirectly, I know) to Google Analytics for example then you have to mention that too, and don't load the GA snippets until the user has accepted that.

You also need a way to tell a user what data you have on them and delete the data where appropriate if the user requests it. You do not need to automate this process; chances are you'll never get either of those requests. Do Things That Don't Scale[2] applies when it comes to the user's ability to request info/deletion.

It's just another cost of doing business, like if you want to take card payments, don't store the card number without getting PCI compliant. Don't store user info without getting GDPR compliant.

This whole thing is good for all of us as users of sites and software too.

[1] Actually for a signup form you don't need to say you're using the information to sign them in, that's "unambiguous consent", as long as you're not doing anything but registering them and signing them in you can avoid clogging up your form with that information

[2] http://paulgraham.com/ds.html


Won't this just lead to more thousand-page-long sign up forms that nobody reads? I could easily write 10 pages on the reason behind using an email address at signup and hide it in a bunch of seemingly mundane details.


No, that's also a part of GDPR - they have to be understandable. 300 page documents with a position:fixed "I agree" button don't cover you.

As with all things GDPR you can of course try to skirt the rules, but you're risking the 20mil fine if you don't get it absolutely spot on.


> As the OP points out, this means that things like the EU's own websites are in violation of the GDPR.

Actually, it doesn't. There are plenty of valid reasons to collect those things. Collecting them to track your users and to spam them to death are not on that list.


The presumption is that it's illegitimate but you can provide an affirmative defense of having a valid reason.

Proving this can be expensive and is risky. Who knows what any individual judge in any EU country will decide is "reasonable"?

Companies can easily be destroyed by filing multiple charges against them. Guilt, innocence, or reasonableness doesn't come into it: the process is the punishment.

Look at Amanda Knox (Americans tend to think she's innocent, Brits tend to think she's guilty) - after appeals the Italian Justice System found her not guilty of the murder of her roommate. She still spent almost four years in prison in her early twenties and had to spend a huge amount of money on lawyers to arrive at this result. Just because you eventually get what you see as the right result doesn't mean you won't go through hell to get there.

A major reason why Americans are having such a big problem with GDPR is because the EU system appears to change its interpretations and decisions abruptly, with retrospective effect. You set up companies in certain jurisdictions thanks to their tax rates and how transactions are treated. You follow every aspect of national and EU law. These arrangements are widely known, are accepted as legitimate practice, and they continue for decades. The EU commissioners change - suddenly your corporate arrangements are wildly illegal and you are subject to penalties and back taxes stretching over a decade.

If staff changes and they say that they will interpret a rule differently going forward, you can adjust your behavior to comply. New legislation, sure abide by it. But when the rules change and your behavior 15 years ago is now viewed to be illegal you can't do anything. Retroactivity is accepted in Europe but it is explicitly unconstitutional in the US. It's a major reason why the US is not currently part of the UK.

So the GDPR is terrifying because of the massive discretion granted to judges and prosecutors in every EU country and their habit for changing their interpretations. On its face it's not too threatening, but the fines are massive, there are no hard rules, and you can't be sure that today's interpretation will be tomorrow's.

Facebook and Google will manage - they can write billion dollar checks and get the US government to protect them. Many of us can be completely wiped out by a $20MM fine. Just a court case would be existentially threatening in terms of the resources it requires and its impact on fundraising and gaining customers.


More fearmongering. I will simply wait to see what actually is being done, and if and when that oversteps the bounds of what I consider reasonable I will definitely make my voice heard, but until then this is all totally beside the point and time spent on fearmongering would probably be better spent on studying the law, determining its intent and then doing your best to comply with that intent. The very small chance that some mom & pop shop will be taken to the cleaners by the EU courts 'just because they can' strikes me as not grounded in reality; there is no precedent for anything like that.

And bringing up some unrelated (murder!) case has no effect other than to point out that justice systems aren't perfect; they are not expected to be perfect and we have lots of evidence to that effect already. That's a totally different discussion.


There's a presumption that every company in the world is violating EU citizens privacy. That storing IP addresses can be construed as illegal. That everyone is liable for a fine of $20MM for any mistake, innocent or malevolent.

The EU itself is hyping up how fearsome this law is to win approval from their citizens and politicians. As well as to strongly encourage firms to take this change seriously.

But I am at fault for taking the EU seriously rather than being blase. I am fearmongering for trying to explain why businesspeople who are not in the EU are afraid of its actions and are afraid of a brand new law that grants a huge amount of discretion to prosecutors and judges.

What I know is that the EU can capriciously change its mind and go after the biggest companies for billions of dollars. I know that I don't have the resources to prove my innocence in a foreign country. I don't even have the resources to understand the charges against me, since legal translation is expensive and I could be faced with actions in any or all of the languages of the EU. If I get a package of documents in Estonian or Bulgarian I won't even know that I'm facing charges!

Claiming universal jurisdiction against every company in the world with a reverse onus of proof is a dangerous and malevolent tactic. Because it's your local government that you have confidence in, you're comfortable with it. I doubt that you would be so blase about a similar approach by the US or Japan.


> There's a presumption that every company in the world is violating EU citizens privacy.

That presumption is probably roughly in line with what I've seen in my daily practice over the last decade or so. Some to minor degrees, some in major ways. But overall, very very few companies take the privacy of their customers so seriously that they would choose their users' privacy if there was a buck to be made; off the top of my head, of the last 75 or so companies I looked at, two would check that box.

> That storing IP addresses can be construed as illegal.

What's so surprising about that? You see a whole pile of lawsuits that - erroneously - hinge on IP addresses being PII (copyright lawsuits) and at the same time you expect the law to treat IP addresses as though they are not PII? That simply won't fly. So yes, IP addresses are - in many places - seen as PII.

> That everyone is liable for a fine of $20MM for any mistake, innocent or malevolent.

Bullshit.

> The EU itself is hyping up how fearsome this law is to win approval from their citizens and politicians.

Where have they done so? All I've seen to date is some pretty dispassionate pieces and the text of the law itself.

> As well as to strongly encourage firms to take this change seriously.

Yes, you should take it seriously. Of course you should, it is the law.

> But I am at fault for taking the EU seriously rather than being blase.

No, you're at fault by drawing this out of proportion, just like you are doing in this comment.

> I am fearmongering for trying to explain why businesspeople who are not in the EU are afraid of its actions and are afraid of a brand new law that grants a huge amount of discretion to prosecutors and judges.

Your fearmongering is to exaggerate, to focus on the edge cases rather than on the bulk and then to start assuming that all cases are edge cases. They're not. The bulk of the businesses will be just fine. Those that choose to creatively interpret the law to see how far they can push things will hopefully find out that the EU actually means business.

By your reasoning we never should make new laws to deal with changing conditions. The EU tried a gentle approach aka the cookie law, companies tried hard to work their way around the law rather than to stop tracking users every which way they could so now you get this.

Self regulation -> mild regulation -> strong regulation+

(+ you are here now).

> What I know is that the EU can capriciously change its mind and go after the biggest companies for billions of dollars.

Capriciously? I have not seen the EU act capriciously yet. I've seen them act too slow and too late.

> I know that I don't have the resources to prove my innocence in a foreign country.

Poor you. Well, then better not to commit any crimes. That's a pretty good protection against having to defend yourself, stay well clear of that bright line.

> I don't even have the resources to understand the charges against me, since legal translation is expensive and I could be faced with actions in any or all of the languages of the EU.

More bullshit, the law is written in English and if you want to go so far as to take something to court - which I would highly advise against, it is much easier to comply with the law - you will find that the EU courts are set up to deal in English just fine. Lucky you, as opposed to say someone from Latin America, China or Outer Mongolia who does not speak or write English.

> If I get a package of documents in Estonian or Bulgarian I won't even know that I'm facing charges!

The chances of that happening are nil. Really, could you please stop the fearmongering, it does not serve any purpose.

> Claiming universal jurisdiction against every company in the world with a reverse onus of proof is a dangerous and malevolent tactic.

As opposed to what the US does? See: David Carruthers.

> Because it's your local government that you have confidence in, you're comfortable with it.

Yep.

> I doubt that you would be so blase about a similar approach by the US or Japan.

If the US or Japan has laws that apply to my situation I will take great care to comply with them. One such law (the DMCA) has caused me a lot of work over the years and I see this as a cost of doing business. If you don't want to comply with the law then you are taking your chances. Similar to speeding or deciding to kill someone: it's not what you can get away with that determines what is legal or not and if you are caught breaking the law you can expect trouble. So better don't break the law.


This is stupid; if they wanted to give the finger to American tech firms they could have written the GDPR as affecting only foreign firms using EU citizen data without requiring the same level of control over the EU-based tech firms, far easier.


That's not at all how these things work in the west. You define them as broadly as possible, then arbitrarily enforce them, because that gives you both plausible deniability and the widest potential application of your political power.


It HAS to be broad. The courts will narrow it down (jurisprudence). And why do you think it will be arbitrarily enforced? It isn't even the 25th of May and people are already feeling violated.


Oh, I don't have a strong opinion on the GDPR and its intent, I was addressing yulaow's simplistic dismissal of what is actually a well-trodden political playbook


Fining everyone makes sense to me. Why limit income? Cities do the same non-discriminate ticketing/fining as well.


Are there any EU based tech firms? As an American I honestly can't think of any besides Nokia and that's more manufacturing


Makes sense, as Americans tend to live in a bubble :)

Some of them off the top of my head, that you might or might not recognize: Asos, JustEat, Skyscanner, SoundCloud, LastFM, DailyMotion, Raspberry Pi (foundation more than company though), Shazam, Mojang, Skype, King, Spotify, Klarna, Trivago, Xing and BlaBlaCar. I'm pretty sure some of these are quite popular even in the US.

(maybe some of them no longer have their HQ in the EU, but they certainly did at one point)


And SAP, with 22 billion Euros in revenue


You probably shouldn't insult Americans and then make statements you already know to be erroneous.

As you are apparently well aware, Skype is owned by Microsoft. It's an American product now (from the perspective of who pays any fines). Mojang sold to Microsoft. It and Minecraft are owned by the Americans now.

Asos is an online fashion and beauty retailer. Having a website doesn't make you a tech firm. Ditto for JustEat.

Raspberry Pi - as you note - isn't even a firm at all, let alone a tech firm.

Shazam is in the process of being bought by Apple, although the EU appear to be trying to block it.

You tried to name tech firms that are based inside the EU and mostly ended up listing firms that either aren't tech firms by any conventional definition, or are now owned by US companies. I think that proves the original point.


The companies started out being non-American, then they ended up being bought up by US companies. I don't think that says "there are no EU based tech firms" but rather "There are EU based tech firms! But some of them get bought up by US companies and some stay, but at one point they were all EU based". So it doesn't at all prove the original point.


In context it is equivalent. This thread is about why the EU wouldn't write a law that only affects US based tech firms, if that was the intention. Someone answered that there's no need because there are no EU based tech firms worth anything (no significant employment or tax revenue).

That point was correct. The responses all ended up naming either firms that are tiny, or which aren't any longer based in the EU (so there's no need to protect them from the effects of bad laws that primarily affect tech firms). Where they started is irrelevant to the discussion because what matters is who pays fines today.


That's because they use English company/product names for the most part. You probably have heard of some of them unknowingly: AVG, Jetbrains, F-Secure, Suse, Last.fm, Dailymotion, Yubico, Raspberry Pi and many more.


JetBrains is a Russian company (albeit with subsidiaries and offices in various parts of the world). It isn't an "EU firm" by any stretch.


I thought JetBrains was Czech.


Spotify

Skype (Before it was bought and killed by Microsoft)

Rovio

Supercell

Those are all of the big ones off the top of my head. Most founders opt to start in the US since there are lower taxes and greater profits.


Quite a lot. Most sell software and support and not cloud services or similar though.


For example, a few major antivirus companies were founded in Europe, e.g. Avast, AVG, Avira, F-Secure ...


Some music based ones that I use daily

- spotify.com

- soundcloud.com

- mixcloud.com

Others

- Raspberry Pi

- Wix.com


This is rather paranoid: remember that enforcement is done by national authorities like the ICO, not Europe-wide ones. It's not as radically different from the previous data protection principles as people seem to think, and how much enforcement of those was actually seen?

> EU anti-trust policy - deeply political and immediately controversial

[citation needed]; it's not as if American industrial policy is apolitical and uncontroversial, e.g. https://www.theguardian.com/business/2018/jan/26/bombardier-...


It's well known that the Obama administration felt the EU was using anti-trust law to implement protectionism:

https://www.wired.com/story/google-big-eu-fine/

For his part, President Barack Obama called the EU's actions protectionism. "[Americans] have owned the Internet. Our companies have created it, expanded it, perfected it in ways that [European companies] can’t compete," Obama said in an interview with Recode in 2015. "And oftentimes what is portrayed as high-minded positions on issues sometimes is just designed to carve out some of their commercial interests."


The goal is to grant the EU large new powers over the private sector and in particular over American tech firms, who will repeatedly be fined and treated as, effectively, a new source of tax income.

No, it really is intended to provide greater control for citizens over their privacy and data stored by corporations.


Another interpretation: IT is really hard, especially for people who don't do it for a living, who thus have less time to learn about it. Writing legislation about IT is equally hard, if not more so. The EU may honestly care about the impact of IT on privacy, but not have the technical ability to write adequately precise legislation about it, or even ensure that their own institutional IT is in compliance (assuming it really isn't, and I am not a lawyer).

Do not ascribe to conspiracy, what is adequately explained by incompetence.


Do you have any examples of cases where American companies were fined unjustly by EU?

These companies can attack any fines they receive in the courts.


I'm pretty sure the GDPR is enforced at the national level, by national data protection agencies. The one in the Netherlands is severely understaffed and no match for the lawyers of the likes of Google and Facebook.


I have no idea how European court systems work so sorry in advance for what may be stupid questions. What is stopping any company they try to sue from levying investigations against the EU itself if they are not compliant? Does the EU have any sort of executive power that would investigate companies, or will it be another VW incident where each company will check the box saying they comply regardless of actual status?


Companies cannot sue over GDPR violations (neither can individuals). People can report violations to the GDPR watchdogs who will investigate and could eventually hand out fines.


I think you actually can sue for whatever reason you like but the court can say it does not make sense and they will not run the case. It is your responsibility to get enough evidence but it is hard and no one cares enough.

If your data was used without your knowledge you might have had some damage and you could request compensation, removal or some other way of fixing the damage - with the court's help of course. GDPR violations can be used as the basis for a court case. So GDPR does not really bring anything new because I believe you already could sue companies for selling your data, but in practice it is not possible to get evidence, prove damage, put a price on the damage, and it takes too long.

What changes is that if you don't have all data usages listed for the user to view, that is enough for some action, so offended users can suspect something. If the watchdog goes and checks you might be in trouble with fines and then with court cases from offended users.


”I think you actually can sue for whatever reason you like but court can say it does not make sense and they will not run the case.”

True.

”It is your responsibility to get enough evidence but it is hard and no one cares enough.”

In this case, every “doesn’t comply with the GDPR” case a company starts will be immediately dismissed because:

a) you can’t start a lawsuit on the GDPR. The only way is through a national data protection authority.

b) even if you could, companies wouldn’t be interested parties in such a case.

(By the way, I think the national data protection authorities are the sore spot in the GDPR. I don’t think it is good that they are both prosecutor, jury, and executioner)


I would think of scenario:

"I received unsolicited marketing information from company X, with contact information which was obtained from company Y. I did not agree to the sharing of my information by company Y. My wife noticed I receive 'grow my manly parts' advertisements from company X. Because of this she concluded I am cheating on her and requested a divorce. For such humiliation I request company Y to reimburse damages. As noted by protection authority AU, company Y did not comply with GDPR."


I am not a lawyer, but I don’t think that would fall under prosecuting under the GDPR.

If a speeding car driver hits and injures you, you aren’t going to try and sue him for speeding, either, are you?

You probably would sue under something like “Reckless behavior causing injury” (with the bonus that that even is possible if the driver wasn’t speeding)


So Google (or whoever) can just stonewall investigators and/or inform them they are GDPR compliant and that's good enough? Are the investigators going to be allowed to examine intellectual property? Sorry for all the questions, I am failing to see how this will be able to be enforced.


The goal is to grant the EU large new powers over the private sector and in particular over American tech firms, who will repeatedly be fined and treated as, effectively, a new source of tax income

I'm guessing the rest of the world will just pull their operations out of the EU and then ignore the law. It obviously has no jurisdiction outside of the EU...despite what EUrocrats and some propaganda here on HN would have you believe.

The rest of the world could also impose sanctions on the EU for illegally claiming global jurisdiction.


The US claims global jurisdiction over e.g. Megaupload without sanctions.
