This is what all news web sites should look like, not just for EU readers (although I fear that this is just a temporary solution until they've figured out that whole GDPR thing...
I am willing to believe it to be someones idea of sarcasm, lets strip our website of all the "goodies", give viewers poorer experience and watch the cries!!1 Except its actually better, and I wouldnt be surprised if it vanishes really quickly once they realize it backfired by reminding users how fast and clean web once was.
Might be a little more lucrative than juice bag startups.
If they want to monetize, publishers should control their own generic ad inventory (like they used to in old pre internet days) and ask for opt-in if you want customization.
Easy on paper but hard in reality.
This site provides news and information of USA TODAY NETWORK. We hope you enjoy the site."
Colour me impressed. I sincerely hope it catches on.
The idea that "user tracking" is now happening on the internet and not in print isn't true. Yes, internet tracking can follow you specifically, but that's because the systems have gotten faster and more connected.
Back then it took the form of the subscriber database as you suggest, and was used to help target and sell ads in the paper. The print industry often "sold" the subscriber list in detail to prospective advertisers to demonstrate the potential reach.
Losing detailed subscriber data was one of the primary objections many papers expressed to Apple's app store distribution model which can effectively render readers anonymous, as this was apparently one of the most valuable things they had.
This means the revenue they can charge for that ad is 100x less, which means that any sites without massive, massive user bases will perish, and those that survive will do it on a pittance.
I think Patreon has the only good answer so far. There are multiple people on there that make top quality content and earn good money from it.
It's probably not an answer for every industry.
I mean: GDPR didn't forbid money. Not even advertising. Only using personal informations without explicit consent... Please, don't be too ridiculous and stop watching FoxNews :-D
Behavioural targeting is fine!*
Contextual targeting is fine!
*In many circumstances.
In the 90s, the N.Y. Times was $1 in my city and the local paper was $0.30. That covered paper, distribution and ink.
The ads paid for it, and I think the ads were more effective. IMO online ads are mostly fraud and bullshit.
The irony is that we'll get there, eventually: Apple and Google are slowly agreeing a payment system and then they will push it into the browser, and everyone will use it.
If we just do big-dollar monthly or daily subscription paywalls, we end up with a Balkanized web where I can't read the article you're reading unless I pay for it. That'll significantly change the way interactions happen on the worldwide web.
Sure, maybe that's exactly what would happen, but changing one variable in a toy model is not proof that it will.
There are successful news sites that do just fine without becoming relentless clickbait optimization mills - and in fact, those are exactly the sites I tend to read. Two examples, so we're talking about something specific: talkingpointsmemo.com and techdirt.com are both daily reads for me.
TPM is, for want of a better term, the more advertiser-friendly of the two, but it intentionally works fine with ad blockers. Techdirt is probably well-known to most folks here.
The other commonality is that both of them work hard to not be enslaved by the adtech surveillance machine - they both have non-ad revenue streams.
And I think that is the real trick missed by overly simple reasoning - even when it is correct (and it is, frequently), it obscures more than it helps. And somewhat more nebulously, I think it trains people into a way of thinking that blinds them to options. After all, if you "know" you can't reduce your surveillance metrics below industry-average intrusiveness, you won't look at possibilities involving doing so. Instead, you'd look at additional non-ad revenue as "more and better" and do both - thereby losing me as a potential customer.
Is that a good tradeoff? I don't know - and that's the point. These are much more complicated questions than econ 101 will guide you through.
It's also a dilemma of sorts. If you stop running ads, then there is one less outlet for them, which means rates for all the other outlets are likely to grow. If enough people do it, the few players left will make very good business. Would you rather move out, risking your livelihood on experimental business models, or stay in with the devil you know, ensuring nobody is going to do better than you?
What you mean is running 3rd party ads via ad networks.
It's perfectly feasible to show an image that links to some advertiser's site for a negotiated fee. This is the equivalent of a paper magazine with advertisements. Not renting out injection points to executing whatever foreign code on their visitor's devices.
My ad blocker won't even block it (well not by default, and only as long as you play nice, it's not like online advertising has any goodwill left over, or ever acted to deserve it).
Still it's hard to deny that the (presumably temporary) EU site is a much nicer experience. It's certainly faster.
They have plenty of metrics on the ads still, just not on the users. It's not going to be an issue to see how often an ad is shown, they just don't know if it's relevant to the reader. The good thing is that no they have a way of measuring the effectiveness of targetted ads, because the entire EU is available as a control group.
For a newspaper, like USA Today, I honestly doubt that targetted ads convert much better than random ones. EDIT: Random or based on the content of the article.
Just because it's been useful doesn't give it some unqualified right to exist.
Either pay or sell yourself.
A gamble they might lose if people just stop sharing and click Washpo articles, but a possible route if others follow suit.
Meanwhile, NPR goes more hardcore than even USA Today: https://text.npr.org
I wonder, does that mean EU users are just a nuisance costing traffic, or that all graphics are tracking visitors?
To wit (washpo):
Where is the "No I don't. Just give me regular/random ads" button?
"Premium EU subscription"
"No on-site advertising or third-party ad tracking"
There's nothing specifically EU about that, in fact, it sounds like a good service to offer to all your readers. But still, there's a big difference between on-site advertising and third-party ad tracking, and that difference is at the heart of the GDPR. A half decent journalist could have figured that out. Maybe that's their real problem.
But most importantly, and frighteningly, instead of these two stunts being knee-jerk backlash reactions, maybe they're serious and most data-peddlers aren't shady figures in smoke-filled backrooms, but simply the fourth estate en large.
Also, I wonder how much of Washington Post and NPR's revenue comes from Europeans. It might not even make sense for them to spend resources to be more precise in their compliance.
What is your preferred third option for content that costs money to make?
A pity I'm not from the US so most of the news aren't that interesting to me, I hope some European news outlet follows suit (although it won't happen).
This just shows us how big and influential the media giants are becoming.
Some of the links appear broken. For example, all the "More" links here haven't been hyperlinked: https://eu.usatoday.com/story/news/nation-now/2018/05/25/rac...
If anyone knows of more let us know.
If the business was so predicated on user tracking and selling that data or using it to target ads, I think GDPR (in spirit) is saying “that’s not a business” and requiring a greater form of transparency and informed consent before a website can inflict that on a (possibly unwitting) user.
I’m not trying to say this point of view is right or wrong, just that I think there is a spirit here in the intention of GDPR to say “that’s not something we’ll allow to be called a business model.” (Obviously it doesn’t fully go that far, but it’s the idea.)
It’s not that different in spirit than regulating usury or payday loan businesses. If your business model profitably works only because it preys on people, the spirit of the regulation is to say, “that’s not a business model,” and regulate or disallow it. Usury laws in the case of excessive short-term interest rates; GDPR in the case of excessive user tracking and data privacy concerns.
So when you ask, “how can be a business sustainable in this way?” it sort of has the wrong premise.
Instead, if the business could not be profitable without this then it wasn’t actually ever a business— rather it was some other data exploitation entity, and the lack of an alternate way to be profitable in compliance with GDPR is a signal that the entity was unable to determine a way to exist without causing the kinds of harm that GDPR aims to prevent.
Again, I’m just trying to represent what I think the spirit is behind the GDPR choices— not saying they were right or wrong.
If that USA Today site sticks around and adds advertising, it will presumably be low quality inventory like the internet used to be flooded with - casinos, punch the monkey etc.
You can have sensible context-sensitive advertising without problem with GDPR. You just can't target a specific reader using its behaviour
The shitty early-web ads were already a result of shady 3rd-party ad networks selling private data.
Does a paper magazine need to run unsavoury ads? Because they don't have pay-per-click. They don't even record impressions, they have to negotiate the deal beforehand with the advertiser.
I don't want data about me to be someone's asset. I want an Internet shop to delete data about me as soon as possible after I made a purchase. That's why I want GDPR in my coutry too.
Is nobody outside of America ignorant of these laws?
Also, how much of the internet technology and content you use and consume was created by Americans? Probably quite a lot.
Why so rude?
By not building their entire business around ads and tracking.
I don’t think it’s as simple as finding the same news elsewhere for free though, or accepting this level of data collection, or subscribing to every site with micro transactions.
I would pay to use HN if the articles I clicked through to (or upvoted, or engaged with in the comments) got a piece of the pie. I’d pay a fair amount because I get a lot of value out of the aggregation and community HN offers. There’s no obvious allegiance to a particular perspective on life so one day I can enjoy a spiritual read and another I can learn about baking bread. I’m not only challenged, my curiosity is being piqued. It may be that HN works this way because there is no direct profit motive in HN itself except to point budding startups to Y Combinator.
I’m unlikely to pay an individual publication (say, The Guardian) because such publications have a specific editorial viewpoint, and more often than not it’s going to be the point of view that supports my own. My money is wasted on an echo chamber that makes me mad about the state of the world.
Neither am I likely to pay a publication that I persistently disagree with because our values are incompatible. I might read them if they have something profound to say but I’m not going to commit to them for that.
So maybe there’s something in a co-operative effort where the community collectively funds the content it engages with. But rather than it being an individual thing like with Patreon or individual subscriptions, it’s a pool you contribute to in order to participate further in the community.
On the other hand, there's quite a lot of evidence of successful businesses operating on a subscription model because they provide a good value proposition. Which leads me to conclude that your claim is simply false.
Also relevant: https://membershippuzzle.org/about/
Please stop attacking services and sites that hundreds of millions or billions of people find useful because of your own over the top histrionics.
Those users need to be protected.
The parent makes an excellent point: it’s easy to argue the other models (micro transactions, subscriptions, paywalls) failed because they were in competition with an industry that has safely operated with little to no regulation for a decade or two.
The ad industry in this situation has an insane advantage because it can make money from end-users without them even being aware that they are involved in a transaction. They don’t have to see a banner ad in order for dozens or hundreds of other businesses to learn about them.
There is no explicit contract between the website and the user in the way that there is when you agree to pay the business money in exchange for the value it offers.
So GDPR levels the playing field by removing that advantage. If an advertiser or another business runs above board they don’t have a problem. More to the point, if they can convince a user to opt in, then they have a serious value proposition to the user too.
Advertising itself is an easy and almost fallacious target. People know about adverts so they use Adblock. People have no idea what a business will do with all of the data that reaches their servers without any JS required.
I think that elides pretty important aspects from the equation. In reality, it's more like: "It's easier for Bill-brand horses to compete with John-brand horses; if you ban the steroids, amphetamines, and cruel practices John uses to get his results."
i.e "It's easier for employers to produce cheaper products by exploiting their employees if your protection of labour is on the level it was 1850"
Now sure those prices were subsidized by ads. But they can still use utargeted ads, in addition, cost of the “medium” and distribution is much lower.
You sound like the other people complaining "you know how much money I have to spend on lawyers to ignore this law??".
There are millions of businesses around the world that don't give a fig about European customers or the E.U. Hurts to hear it, but it's true.
They manage to survive an thrive without any interaction with anyone in the E.E.A.
It's a very European thing to think of the E.U. as the indispensable center of the world.
Huh? Culturally, that has absolutely not been my experience - quite the contrary.
In the case of the GDPR, it's simply a matter of "if you can't respect our citizen's basic rights, then we don't want to be doing business with you".
That has nothing to do with considering the EU to be the 'center of the world', and everything with setting the conditions for trading with it. You can either take or leave those.
Obviously if ads are less targeted then they may be less effective so advertisers will make less on ads that cost more. This will hurt their bottom line, which in turn will make the products we buy more expensive. But that's exactly the end goal. I want to pay for things (information, products) with more money rather than with slightly less money and all my integrity.
I remember the tedium of non-targeted advertising---it's what ultimately pushed me away from most traditional print and broadcast media and online. Targeted advertising occasionally brings me information I actually want; non-targeted advertising feels like such a waste of everybody's time.
I hope someone takes on the experiment of opt-in GDPR compliant ads.
I'm sure you considered all the poor people across the world that are subsidized by the ad driven model we use today. What we truly need on the internet is data gated behind pay walls to protect important information such as which facebook groups you clicked like on.
A lot of them are poor, because we don't want to pay a decent amount for the products that we consume and instead rely on people working in sweatshops in third-world countries.
You don't solve poverty by giving them 'free' products that require them to give you all their private data. You solve poverty by giving people a decent wage, so that they make these decisions themselves.
Adtech might move to correlating all these things + the website visited to target particular demographics.
ie: figure out why they are doing what they're doing and direct them to ads that capture that intent.
I think this much vaguer stuff will be fine.
To show ads you don't have to report about all of your site visits to Facebook and Google.
My god. They sucked so hard! AdSense was a revolution.
found an invalid character in header value
In the long term I would be happier if we'd all be treated with equally high privacy standards and pay for the content we consume. For that to happen we only need one thing, Americans and their legislators need to start valuing their privacy too.
Edit: There many other ads as well not just from taboola.
If a service didn't had a big user base in Europe, most countries don't speak English, it may be cheaper to remove the service.
The New York Times or The New Yorker that even have physical copies available in Europe work as usual.
I work in a gambling company and this is our day to day business. To enter a new market means to follow a new set of regulations. To do the adaptation or not is an strategic decision based in complexity, expected revenue and other factors. GDPR is just another regulation to add to the long list related to tax evasion, responsible gambling, fair play, etc.
Some regulations are good. Some regulations are bad. Some regulations are smart. Some regulations are dumb. Reasonable people can disagree on the quality or intelligence of a given regulation, or its impact on a given industry, but that doesn't change that most regulations do tend to make products more expensive to manufacture and by proxy, more expensive to buy.
In Europe, if you want to sell eggs, you're required not to wash them or get them wet, because doing so erodes the natural coating that protects them from diseases. This is a regulation implemented to prevent salmonella.
In America, if you want to sell eggs, you're required to wash them in water at least 90 degrees, to make sure that they're clean, then rinse them with a chemically infused spray, then because you've got them wet, they need to be thoroughly dried to prevent bacterial growth. Further, because you've now washed and dried them, removing the natural protective coating, they need to be refrigerated in transit, at the store, and at home.
Both regulations are imposed to defend against Salmonella, and both are apparently quite effective, but the American regulations in play require the purchase of (conservatively) thousands of dollars in washing, sanitizing and drying equipment, and at least a partnership with a refrigerated trucking company. If you're selling the eggs in California, there's the additional requirement that the eggs were laid by free-range hens, which of course increases the amount of land required to raise the chickens upon, which of course makes it harder to prevent and protect the hens against predators.
Like I said, reasonable people can disagree on any given regulation, but it's hard to make the claim that egg regulations in America are more effective than those in Europe, or that the American regulatory environment doesn't make it the egg business a more capital intensive affair.
Not only that, even auto safety regulations do favor incumbents. There were far more new independent car companies created before the 1970s when the safety regulations were passed, and they were often created by small groups of people rather than huge established companies.
It's possible that the safety improvement is worth that cost, but that doesn't mean the cost isn't still there.
When we start talking about other industries where the result isn't literally a matter of life and death, it becomes much more likely that the cost outweighs the benefit. You're essentially talking about destroying competition -- the same competition that keeps companies from doing things you don't like.
If you want to pass regulations that destroy competition, those regulations had better prevent companies from doing more evil on net than competitive pressure does. Which is a pretty high bar.
Apparently there is some evidence that egg-related salmonella is 7x more prevalent in Europe vs the US.
I'm European and have never washed an egg before cooking it in my life. what is this ? I crack it open and cook it and am still here.
I do wash my tomatoes when I make a salad with raw tomatoes though. And that's mostly to get stuff off since I'd argue my vinegrette would kill all the bacteria.
And washing your potato ? I'm so confused. Don't we all cook potatoes in boiling hot water ?
As for potatoes, no, we don't all cook them by boiling them in water -- many of us bake them, fry them, or use them for making hash browns. This might just be cultural, but I would actually be more inclined to wash them before boiling them, since the reason you wash potatoes is because they have dirt on them, and just as I wouldn't want to toss dirt into my boiling water, I would prefer to clean (or peel) my potatoes before boiling them.
It is? What is the data?
No one here is saying that ALL regulations are bad or should be removed, just that all regulations have unintended consequences.
You can launch and run a business similar to Facebook from a dorm room.
A car factory? Not so much, regardless of the regulatory issues.
Maybe it's because the auto industry is far more capital-intensive than software. I don't see anyone taking on incumbents in capital-intensive IT businesses, such as cloud services (do you want to compete with Google, Amazon, and Microsoft with your VC money?), or in software, operating systems in entrenched markets (desktop and smartphone).
Taking the piss with laws and employment rights such as Deliveroo etc, or taking the piss with user data and personal privacy.
We'll be left with some of the regulation long after many of the disruptors that caused it have burnt out.
GDPR is full of vague terms and is global regulation based on principle rather than actual hard rules, which will increase costs and come nowhere near accomplishing the objectives it claims to do.
Modern cars need ABS, TPMS, electronic stability control, passenger airbags, a backup camera and crash test standards all but demand side curtain airbags.
Don't get me started on emissions. Fuel economy really isn't a big deal or hard to meet. It's the half million other little things that need to be in a specific range that really waste the R&D time and money.
For something like a low end subcompact compliance is a huge chunk of the price.
Given the choice between a 1999 Toyota Solara (or whatever) which has one or two airbags for $5k or a new subcompact hatch with none of the listed safety features for $6k or $7k I'd probably take the subcompact. There's been huge improvements in all sorts of non-safety aspects of vehicle design in the past ~20yr that the subcompact has that the old sedan doesn't.
There's rapidly diminishing returns for regulating cars because by driving up the price of new cars you extend the time that the old ones stick around and the people who choose less safe alternatives (see mopeds in Asia)
Saying "regulation that mandates $goodthing is good" as a blanket statement is approximately of the same dumbness as saying "regulation is bad" as a blanket statement.
Look at how fines work, say with the GDPR. The maximum fine is 20 million or 4% of revenue, which ever is larger, which means that small businesses see a much larger risk as a percent of revenue from these regulations. This is independent of the chance of the max fine being applied. This inherently creates a pro-incumbent bias even if nothing else about the law created pro-incumbent bias.
Now with something like car safety it's easy to say - no one will come up with something like this or if they do then the regulator will immediately allow it. But what about something like Internet privacy? I think it's more likely in that case for the rules like the GPDR to be used to protect incumbents by keeping out competition.
A more realistic example:
Regulations say cars are required to have steering wheels. They also say cars are expected to be under the control of a driver at all times.
Good and all if you expect to have human drivers. But it increases the cost of self-driving cars. And humans are terrible at mode-switching right before an emergency (we know this from studies on airplanes, as well as from studies on self-driving cars).
The two ways of solving this: (1) develop a self-driving car that doesn't need a steering wheel (ala trains under positive train control) or (2) restrict operation of self-driving cars to people who are highly trained and regularly operate cars in manual mode (ala the airplane industry).
Alphabet/Waymo/Google can afford the army of lawyers and lobbyists required to make this happen. All the other start-ups in this space had to get acquired by an incumbent (GM or Uber) or restrict their domain to something with less regulation (e.g. private land -- golf courses; university campuses; the Las Vegas Strip).
Selling used cars? Generally, as long as the car is sold as originally equipped, there's no issues. I can sell or drive a 1970s era car without having to add modern emissions equipment, bumpers, and airbags for example. At least I can where I live.
"A Federal agency today abandoned the longdisputed requirement that automobile manufacturers install automatic crash protection, such as airbags or ''passive'' safety belts.
The action by the agency, the National Highway Traffic Safety Administration, drew immediate protest from safety groups and praise from the automobile industry."
I think by going to cars to prove your point proves how ridiculous regulation for websites are. For some reason there exists a group of people that believe that websites like facebook need regulations that are as strict as those required for developing cars.
People die from cars that are badly designed. People don't die from facebook (yes I'm sure you can find some contrived example.)
Unrelated but something that further adds to the irony of using cars as an example is that companies such as VW haven't even been fined for cheating on their emissions test.
I doubt a country like Germany would ever consider allowing the EU to fine 4% of Vws global revenue even though they broke the law in a way that has resulted in people's deaths.
The fact you think GDPR only applies to websites rather than the huge clusterfuck of personal data loss means you haven't understood the reason behind GDPR.
Equifax lost millions and millions of records and have so far faced no meaningful punishment from the UK regulators: as far as I can tell, they've so far made one brief statement on their website, and one tweet.
Major ISPs like TalkTalk lost millions of records (and ignored security researchers telling them about gaping security holes) and were given a slap on the wrist - £400,000 by the UK ICO. Mere pennies per user in fines; a drop in the bucket compared to their annual revenue. There is no economic interest to change their behaviour.
The negligence of these companies has led to millions of people having their personal and financial data stolen, having to keep eagle-eyed over bank statements and credit cards, having to worry that their transactions (or their travel bookings) might get flagged up as suspicious, that their credit rating gets eaten, and much else besides.
If a company you've entrusted your personal data with—not just your tweets or whatever, but sensitive personal data including health data, data about your religious affiliation, sexual orientation, etc. loses that data, as a UK citizen, you currently have no right to appeal the ICO failing to take action. GDPR/DPA2018 changes that balance.
Companies tell consumers "hey, trust us with your personal data". Consumers do in the false belief that there is some protection or basic responsibility taken. When they colossally fail to take the most basic steps to protect consumers from data loss, the status quo was this: nothing happens to them.
You present a false dichotomy here. As much as the GP is wrong for boldly asserting the negative as fact, you are wrong for just as boldly asserting the opposite, without allowing for the panoply of options that inevitably arise from the point a regulation is conceived to the point that it is enacted. During the process of drafting the legislation, at least here in America, the existing players have a voice on the legislation's course, and the larger the existing player is, the louder their voice gets to be.
Sounds like you need campaign finance and lobbying regulations. ;-)
Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".
No, it boils down to an incentive. No company wants to get hacked, but a lot those same companies aren't willing to invest in security measures and training that could mitigate the risk.
> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".
I don't think anyone's proposing a regulation like that. However, it's not fair to put the costs of a data-theft squarely on the victims, when it was really the company that was responsible for securing the data.
It's also not even always clear what hacking actually means. A common way users get hacked is by reusing the same password on every website. One of those small sites gets hacked, the hackers try the users password at bigger sites to see if they work. Big players like Google and Facebook have heuristic systems that try to detect and block that, but sometimes they don't work.
So who's at fault then? The user for losing control of their password? The small site, probably not EU based, doesn't give a shit? Or the big guys who tried to protect the user but failed? Given the way the GDPR is being done my guess is the big guys will get taken to the cleaners even though they did nothing wrong.
Basically, you can't stop a big company from getting hacked no matter how much you spend on security.
I never said anything to the contrary, but the observation is irrelevant. You can't stop all pollution, but that doesn't mean you shouldn't pass regulations that ether ban it or impose liability for it.
The GDPR authors appear to believe that not being hacked is merely a matter of choice, despite all evidence to the contrary. They are clearly dangerously delusional. If even Google, with its pick of the crop, unlimited budget and massive security team, cannot avoid being hacked, then nobody else has a chance.
What they care about is how much data you had (and did you need all of it), did you tell the users, have you put things right, had you done anything to protect the data?
If you have a lump of data that you don't need, that you store with no attempt at encryption, and it's held behind software that you haven't bothered to update even though security patches have been released then yes, you're going to be regulated.
It was the financial industry and government that were responsible for implementing an identity scheme with a less insane architecture than handing the same secret material to every relying party. I disagree that we can or should force everyone to tie themselves in knots supporting it.
- Unpatched, publicly documented vulnerabilities.
- Unauthenticated S3 buckets.
- Unencrypted laptops.
- Default passwords.
This isn't subtle crypto weaknesses or attack vectors missed in the security assessment of protocol designs. It's carelessness. It's stuff that any high school kid who's good with computers will tell you about, let alone any IT professional or software engineer.
People who think defending networks is merely a matter of choosing not to get hacked have clearly never tried to do it.
It doesn't say "don't get hacked", it says "if (when?) you get hacked, minimize the the cost to people who trusted you with their data". And the easy way to conform is: 1. do not collect more than you need to provide the service, and 2. do not keep the data you don't need any more just in case. Which should be the default, but in the world of cheap storage and data mining seems to be forgotten, or an afterthought. E.g. when a user unsubscribes we tend to set the flag "subscribed" to false next to the rest of their data, instead of removing the e-mail address we don't need.
Good work everyone.
We'll see. I have a feeling that European consumers and web companies are in for a world of hurt.
>The fact you think GDPR only applies to websites rather than the huge clusterfuck of personal data loss means you haven't understood the reason behind GDPR.
I know that GDPR applies to everyone, I think it's pretty obvious it will be selectively enforced since the regulation is too burdensome. Do you think your local mom and pop hair salon that is not in compliance will ever be fined?
Exec has been fined and sentenced to 7 years
VW have been fined $2.8B
You must point to the laws violated. E.g. Schmidt made a false statement to the California Air Resources Board under the Clean Air Act.
Trial in the court of opinion and mob lynching is not compatible with the Western tenements of law.
>Trial in the court of opinion and mob lynching is not compatible with the Western tenements of law.
Stop trying to shift goalposts, my point is that if any company deserved to be fined 4% of global turnover it's VW and they have currently received a total of $0 in fines even though they have probably increased the likelihood of you getting cancer.
Their annual profit is about $13BN, they were fined $2.8BN which is about 22%. I think that along with imprisoning an exec that was complicit in the lie is a significant and reasonable deterrent/punishment.
As for VW significantly increasing the likelihood of any given arbitrary citizen getting cancer I'd love to see the numbers on that. Sounds like hyperbole to me
I think the public, and much of HN, disagrees and is beginning to believe that the lack of privacy is undermining democracy, liberty, and human rights.
There are actually some historic examples. A university once performed scientific research on a minority group. Then the Nazis acquired the list and murdered the participants.
Obviously that's at risk of happening again, but machine learning and AI are risk of learning to be discriminatory by training on data sets resulting from historic and modern discrimination.
When applying for jobs, it may be possible to enter somebody's info into a next generation background check software to get a % probability of the candidate voting for a specific political party, and declining to call/interview based on that alone.
Even when it's not intentionally discriminatory, this is leading to a future where the teller says "sorry, you were declined. I don't really know why, the computer just made the decision". Where's the accountability?
In credit reports, I can at least request my credit report and understand how to improve my score or dispute line items.
In the US, people who gave their information to the government as part of a program to protect them from deportation are being deported.
Privacy and safety/security are not distinct concepts.
It is for that reason in the German constitution.
It's not like a future hypothetical fascist dictatorship isn't going to have access to the necessary records to piece it together or would follow its own GDPR constraints, nor would the GDPR stop it from arbitrarily deciding some people are Jewish without detailed evidence.
I'd like to think the GDPR is underpinned by better philosophy than a false hope it could prevent a future Holocaust.
A core rule of data privacy is to restrict yourself to the necessary information you need. Religion like sexual orientation is rarely justifiable why it is collected at all.
Onerous regulations are always overcome, one way or another. (And airbags are not onerous.)
Car manufacturers are required to put seatbelts in their cars because of regulation. In this case, it's not done to "decrease competition". It's not done to "increase monopoly". It's not done to "create central hubs of systemic risk". It's done to save lives.
Regulations affect profits, yes. Regulations may have unintended consequences. Making regulations that protect people and still allow for a healthy free market is a hard thing to do. It's heavily context- and market-dependent.
It is what it is and we have to live with it, but it's not as black-or-white as you make it sound.
When Amazon entered the French market, it tripped over laws putting a floor on discounts allowed that are intended to protect book sellers, not purchasers.
Except in Europe where it has done the exact opposite for telecom, especially compared to the unregulated US.
> unregulated US
On the contrary, telecoms are very much regulated in the US. There is an entire commission for regulating radio/television/cable communications: the FCC.
I could hardly choose a more regulated industry than telecommunications.
Regulation can mean different things to different people. It's just stupid, one-dimensional, shallow thought to try to paint all regulation with a broad good-vs-bad brush.
And while all those has their share of monopolies, I do not see how the current data handlers on the web before GDPR is better. Google is massive. Facebook is massive. The number of online news papers that hold 90% of the market are few. Talking about how regulations is going to increase monopolies where its already monopolized seems strange.
I realize that I've heard that before, but what is that based on?
> There is no free lunch with one-size-fits-all rule making. Unfortunately regulators think there is.
I've never heard of regulators, at least in the U.S., not considering the cost of regulations. It would be hard to avoid in the legal rule-making process.
Whio is more likely to be hurt by GDPR. Google, or DuckDuckGo?
Have there been studies on this?
See everything from lemonade stands to taxis to banks.
What is disputable is whether in total a regulation has a net positive or negative effect.
A lot of things “make sense” but aren’t true.
"Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR." (https://ec.europa.eu/info/law/law-topic/data-protection/refo...)
OP’s country. The "place" that interaction took place in is irrelevant here, unless the company "doesn’t specifically target its services at individuals in the EU"; OP is citizen of an EU country so the GDPR rules apply.
Your example is flawed in that most countries that use these kind of mechanisms will tend to either require a extraterritorial jurisdiction to be written into the law, or will assume that only certain classes of crimes transcend jurisdictions. E.g. in the case of Norway, Norway has traditionally claimed extraterritorial jurisdiction over Norwegian citizens, but with the practice that things that are legal in the country you are in are generally not possible to prosecute in Norway unless there is a law that specifically claims extraterritorial jurisdiction (sexual abuse of children being one such example, where Norway may prosecute people who return from countries with weak or non-existent protection of children younger than the Norwegian age of consent).
In other words: It's how jurisdiction works if your courts wants it to work that way.
The laws apply to European people. What if a site just doesn't want any of these people to be customers?
The EU can't force you to accept it's users.
If anything, the business should sue the EU customers who accessed their website without permission. You are breaking the rules as a EU citzens by doing so.
These rules are very similar to rules limiting loans. No matter how desperate a person is and how low credit they have, in the US you can't give them a loan for above a certain amount of interest. That could be terrible for a poor person who is about to be evicted if they don't get some money right away. But we as a society are willing to accept that if the result is that more loans will be "reasonable".
If GDPR is enforced as HN people say it will be (in a good way) then the result will probably be that a lot of free websites ban EU users and smaller companies take their place with products that either cost money or will be a bit worse.
If it enforced in a bad way then big companies who can navigate the law will get bigger because their small competitors will be to afraid of the law and shut EU users out.
I mean, mild annoyance is nothing compared to the annoyance of war thorn continent, I wouldn't bet too much on the destruction of EU or even withdrawal of GDPR
Those are the only two options? Now that I know that, instead of what a practical person might deem as an option which is to repeal the law, the EU and GDPR proponents' mindsets make a lot more sense. I often wondered why new legislation was piled on older legislation that wasn't even enforced then, and why other statues wrt cookies and what not cannot be seen by legislators as more bad than good and worth removing. Now I know.
Please respect our laws and privacy or don't do business with us. We will be very sorry if your product is irreplaceable or we will use a competing product that complies with GDPR.
Obviously the last incarnation of the GDPR didn't work for multiple reasons, the most oft-cited one being non-enforcement. Was the option to repeal and take other approaches to the problem considered? Nope...double down. Since people agree with the intent, the approach often appears above reproach.
I see you're in Texas. Don't worry too much about EU, we are doing fine. We will figure this thing out if it turns out to be more bad than good.
Stop sending us your data and money? I don’t leave the US to deal with EU customers. You send requests to my server in the US. If you’re unhappy with me, stop doing that.
And it’s pretty rich to complain about companies not complying and leaving the market, while also using VPNs to use their service anyway. Apparently protecting your data isn’t as important as you say?
See, how browsers work is that they load this thing called HTML that describes the content and can load other stuff without asking me. Apologies if I accidentally sent any data or money, it wasn't my call. It was in the HTML that I loaded because I was offered to view a free article.
Regardless, whether you intended to send my server a request is your problem. The fact is that you did, and that hardly gives full control of my business to whatever legal jurisdictions claim you as their subject.
Anyway, don't be too upset about all this. The law is not banning you from collecting my data, you just need to be explicit and informative about it so that I can decide if I am going to send a request to your servers.
I'm often disturbed by the mindset that people are some business' god given a right to exploitation. It's the other way around really, that is, if you can find a way to serve me or solve a problem of mine I might choose to do a business with you if I decide that the compensation you demand fair.
If your business is unprofitable when you have to ask me for permission in plain English maybe it simply means that you don't have a profitable Business and you should consider doing something else.
We don't see business people complaining that government regulations are hurting their organ harvesting businesses, right? People decided that they don't want other people to sell their kidneys on open markets, so that business doesn't exist.
People at some point decided that they don't want to get cancer from Asbestos, regulations kicked in and the Asbestos businesses were destroyed.
This time around people seem to be in control of their data, if that makes your business unprofitable or impossible do what others did: Something else.
Only if the EU can enforce it, which they can’t. I don’t pay attention to laws from other countries that don’t apply to me and have no teeth, and I’ll ignore this one as well, until there’s some enforcement mechanism. At that point I’ll evaluate. I’d probably just block the EU though; not worth the hassle.
There you get it. If your business is not profitable when you respect the privacy preferences of your users you simply don't do business.
It's not your god given right to violate user's privacy so that you can turn a profit.
In other words, if you can't make a profit by selling 1$ burgers when you meet hygiene requirements just get out of the 1$ burger business.
No need for hard feelings.
This is a false dichotomy:
1. Fully comply with the GDPR, no matter the cost, even if that's just legal and administrative because you're not actually doing anything in terms of data practices that would violate the law.
2. Go out of business, because you clearly are intending to do shady things that violate user privacy.
if you can't make a profit by selling 1$ burgers when you meet hygiene requirements just get out of the 1$ burger business
Say I run a burger shop that is perfectly clean and in compliance with all local laws, but the EU passes a law that says I need to fully audit all my food safety practices, publish them in a public place with their format, appoint a food safety rep in the EU, and comply with other vague requirements that they deem necessary, just in case an EU citizen visiting the US comes and eats at my shop.
Now, if I ignore that, am I "breaking the law"? I guess so. Just like I might be breaking some Indian law by serving beef at all (hypothetical). But does it actually matter? Can the law be enforced? Should I care as a matter of civic duty? Very likely not.
Worse, should the entire citizenry of the EU suddenly decide that my small town burger shop in Iowa clearly intends to feed every customer tainted beef and deserves their opprobrium and any fines that can possibly be levied by the EU, just because I didn't fully comply with their law?
And if they do develop some enforcement mechanism to use against small town USA burger shop, how is it not my right to put up a sign that says "Sorry, EU customers, but please don't eat here, as I don't comply with your laws"? Is your argument seriously that I should comply with every law from every jurisdiction in the world, just because a customer from that jurisdiction might wander into my shop, even when I've expressly told them not to?
About the burger thing, we do not need to assume things here, we can examine the reality and the reality is that McDonald's complies with the EU regulations when doing business in the EU, local American burger shops that don't do business in the EU do not comply with the EU regulations. I hear that you have some amazing burgers in the USA, will definitely try few local shops!
Also, burger shops that do business in EU(usually chains, McDonald's and Burger King) do care about the EU food regulations, why shouldn't they and why shouldn't you? You are aware that McDonald's isn't steamrolling in the EU, right? They do follow the EU food regulations. And no, you don't have to be a big company to sell burgers in the EU, we have plenty of local independent burger shops all over the continent.
My primary argument is that the GDPR's attempt to regulate companies in other jurisdictions because EU citizens go INTO those jurisdictions and do business is a dangerous precedent. If there was an enforcement mechanism for all such laws, it implies that any business or individual anywhere in the world with a website should therefore have to comply with any laws from any jurisdiction that are similarly constructed.
If my website says things about Islam that Saudi Arabia passes a law against, I should be fined.
If my website disrespects the king of Thailand, I should be extradited for imprisonment.
If I encourage NK citizens to revolt against their oppressive regime, I should end up in a labor camp.
After all, those governments have a right to say that if I want to "do business in their jurisdiction", I must respect their laws, right?
(To be clear, I'm not talking about enforcement of these kinds of laws, because all of those countries might do the above if given the chance. I'm talking about what I SHOULD do as a matter of morality or ethics or civic duty or whatever, or what my government should cooperate with those governments on, because it's just.)
But the problem is that they're describing "doing business in their jurisdiction" as a citizen from their country (maybe even one who is currently visiting my country) going online and sending my server requests, data, and money. And apparently explicitly telling those citizens to please NOT do that, or blocking them, is not sufficient. The only way to make the majority of the EU users on HN happy is to comply. Why would that same logic not apply to all other kinds of laws?
So, do you say that EU businesses should be able to operate in the USA but according to the EU laws and without any consideration to the US laws?
Or is your arguments something else, something selfish like all online businesses should operate according to the US laws or something like online businesses should not be bound by any laws whatsoever? Or something else?
If by "operate in the US" you mean that they are based in the EU and allow US residents to visit their website and purchase from them, then yes, absolutely. Why would it be any other way?
I just don't see how the alternative works at all. Why couldn't some city in France pass a law that if a citizen of their city buys something from your site based in Hong Kong, you owe that city a tax of $50k. That's obviously ridiculous and not enforceable, but why is it not based on the same underlying legal theory that a business is bound by the laws of jurisdiction where visitors or customers to their site originate from?
The USA too is going after foreign companies doing business with Iran or Cuba. The USA is not happy with cryptocurrency ICO's and it's enforcing it. The USA is forcing the world to respect DMCA.
The taxes are also an issue, even within the USA doe to different VAT in different states.
These are topics that have been in discussion since the beginning of the internet and the dust is just settling and the solution is not simple as "You obey to the laws according to the country you're based in". It's a huge huge topic.
Edit: And FYI, many countries do enforce a tax on foreign purchases. For example, Turkey will be forcing American internet giants to charge VAT to its Turkish clients and transfer that VAT to the Turkish government. Countries want to collect taxes, you can't really get away with "I am an American company so I operate tax-free" argument. Politicians will work out an arrangement like "I will make your tax law enforceable on my companies if you let me use your military base and purchase weapons".
The tax situation is a good example. Historically, sales tax has not been able to be levied by states against companies just because they have customers in that state. They have to have physical "nexus" in that state as well. There are a number of states trying to do an end run around that right now with "economic nexus", which will probably end up in the Supreme Court at some point.
Many countries try to say that VAT is due, but their ability to enforce is pretty limited. If you run a small business online and you WANT to pay attention to every single global tax jurisdiction and send them whatever tax they say is due, go for it. But if you don't, the practical reality is that there's nothing they can currently do about it.
I do agree that these issues are complicated and that the Internet has thrown a monkey wrench in a LOT of legal precedent in ways that will need to be sorted out.
I just don't think the GDPR is the right framework. Data privacy may be a human right, but so is democratic representation, and having governments all over the world pass laws that they say apply to my company is unjust.
EDIT: looks like economic nexus is being decided now: https://www.journalofaccountancy.com/news/2018/apr/supreme-c...
Anyway, it boils down to enforceability. EU is a huge entity and probably will be able to enforce the GDPR by forcing payment systems and gatekeepers like Google and Apple that legally operate in the EU not to do business with businesses that do not respect GDPR. Maybe it will be a bargaining point in some trade talks between other countries and the EU and EU will insist that the countries will help with the enforcement of the GDPR in exchange for something that other countries want from the EU.
As long as we don't live in some kind of libertarian anarchy world order, these things will be determined by the politicians.
Well, duh, businesses are subject to local laws! That is not an argument, but a fact. Don't take my word, ask your friendly lawyer.
What is your alternative? That online businesses are subject to the union of all the laws of all the countries whose citizens can reach them?! That's ridiculous. Do EU businesses follow Iranian regulations?
Of course, if they want to do business in Iran. The same goes for every company and country. Don't you believe me?
Go to your iPhone's Settings-> General -> About -> Legal -> Regulatory
There you'll see which regulation Apple follows. Despite being an US based company, Apple complies with the regulations of Canada, Europe, Japan, Singapure, Russia etc.
How do you even imagine that a company will be doing business in one country byt will be excepted from the regulations because it's based in some other country? That would not be possible, companies would simply move to the least regulated place with the lowest taxes. Oh and they do that wherever possible(i.e sell to EU from Ireland).
Availability of quality free content is not a problem, the content will just be available from other source.
The big problem on the ads-monetized web today is ranking high enough, and the site that don't want to apply GDPR will just have to compete with the site that do have the extra push the EU market give them. On the advertizer side, they make direct money from content accessibility so they will upgrade their tracker so it is GDPR compliant for EU-traffic with no work from the content publisher. That is a non issue, this is just day one of a big change.
Let's also not paint a rosy picture of the web either. GEO blocking is a common daily reality for people outside the US. Any valuable and popular content is locked already, despite being monetized quite directly (see Netflix, Amazon Prime, ...)
Only if all content on every web site around the world is equal. Which it is not.
If the quality was the same everywhere, and the same content was available everywhere, then people in Europe wouldn't have to go to web sites in other countries.
There are lots of reasons for companies in Europe to need to read the Chicago Tribune (PR clipping service, for example). But the Tribune's content is no longer available to the E.U., and will not be replicated elsewhere for copyright reasons.
As much as I dislike Tronc as an entity, I don't blame it for this decision. Within hours of GDPR going into effect, the lawsuits started flying. That's exactly why some companies decided it was easier to just opt out of Europe.
Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles? The fact that it's potentially a large market is irrelevant to me. In this case, any moderately tech-savvy consumers can get to my site anyway using a VPN. But I've sent a clear message that I'm not marketing to European consumers.
Because you would rather grow your market?
The world doesn't have uniform GDP per capita. Potential European customers have more money to spend than most of those other potential customers. If you're looking for a new market, Europe is a juicy one.
Personally, I do no tracking on my sites so it's irrelevant to me but I understand why news sites with primarily local readership would decide dealing with the EU is more trouble than it's worth.
For a large, well-capitalized company to make this choice, it’s an indication of a few possibilities:
- Tronc doesn’t practice anything close to adequate IT practices to even know its compliance status, and pefers not to invest in doing so.
- Tronc can’t remain profitable if displaying GDPR-compliant pages in EU (this seems fleetingly unlikely, given the specific attempts to grow digital subscribership by marketing the papers as more global).
- Tronc is trying to make a political statement, like a boycott, hoping that many companies do this and it puts pressure on mitigating GDPR.
So while I agree with you for some small businesses just not wanting to mess with GDPR compliance or risks, however small, it certainly isn’t aviable explanation for these newspapers.
Let me rephrase: when you collect data on people with the goal to do behavioral / preference analysis on it, it doesn't matter any more whether or not you're 'marketing' to them, or even that you 'send them a clear message' you don't 'market to them'. The GDPR still applies to you.
If the Chicago Tribune doesn't envisage offering goods or services to EU residents, it's not covered. And geofencing out EU residents is a pretty good indicator it's not. (Frankly, it probably doesn't have to--it's unclear why someone would think the Chicago Tribune was actively marketing to EU residents anyway--but geofencing them out certainly eliminates any ambiguity.)Someone can't find their way to a site, fake being outside the EU, yell gotcha, and expect European regulators to do anything about it whatever people may wish.
So the question is - does the Chicago Tribune 'monitor user behavior'. The recitals say about that
In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.
If I look at the list of tracking scripts, it's rather obvious that this is what their 'data processors' are doing. Hence, the territorial scope extends to them.
By blocking EU ip-ranges, that may change, I admit that. However, if by other measures like finger-printing the browser you serve EU-specific ads to vpn'd users you may be up to problems.
IANAL but it would seem pretty obvious that any content a visitor might seek on a website would fall under the rubric of "services." It seems like a tough position to argue that since e.g. the Chicago Tribune doesn't offer subscriptions denominated in Euros, that it isn't offering services ("news") globally.
The only thing that today makes clear is that this law is a mess, and it will take a lot of litigation before anybody really knows what it means.
I've said this many times here already, but law is not a closed rule based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.
So no, that's not how it works.
So the EU regulators can say my TOS have to allow EU citizens to access my site and my site must follow the GDPR.
That seems unlikely, and the fact that there's so much ambiguity around this is why so many websites are opting to block the EU rather than dealing with it.
Hence my comment up thread - the law is not a closed system you can program like a code wars game, where if you're clever enough a judge will say 'oh you outsmarted me here because your logic is internally perfectly consistent, have a good day sir'.
So shouldn't the website's intent to block you from accessing it matter?
Short version: GDPR does not apply if you happen to collect data on a few EU residents by accident (assuming you're not otherwise based in the EU).
Shouldnt you be the one sent to jail, as you are illegally accessing a computer that you were sepecially told not to access?
Geo-locked products are nothing new. I lived in a communist country, few EU countries and a middle eastern country and I can promise you that when a certain brand is not available a local competitor pops up and after the original brand becomes available it stays remain a curiosity unless it's a massive pop culture icon(McDonald's, CocaCola, Amazon, Netflix etc. - stuff that's on American TV shows all time. The TV Shows are also geo-locked but local pirates make them available few hours after the USA. Even in Cuba).
So, it's not a simple problem of if(profit < feel like worth it) then block EU.
More like, sent a clear message you're not concerned of your user's data.
(Nothing personal, the signal may not necessarily echo the reality)
I'm all for it.
False equivalence. You can do nothing untoward with user data and still not be compliant.
Spin up a DO/Linode/etc. instance and apt-get install apache2? You're now theoretically liable for a 20 million Euro fine.
One of the most annoying things about the GDPR fandom is the black and white nature it seems to inevitably take. If your log files store IP addresses, you're clearly evil and shady and are violating human rights, just as bad as if you're recording people's conversations at home with the intent to deprive them of insurance or publish their sexual histories or whatever.
What possible "horrendous" harm is there from apache's default config storing IP addresses? Can you give me an actual harm that has befallen someone as a result of this that isn't some freak one-in-a-billion example?
It means that any future government, no matter how evil it is, could query your log and know precisely what I am doing on the internet right now. I might not want that.
The fine for this would not be €20m either.
Do the same, but from any country in the world, and make sure your welcome page has multiple languages, including some EU ones. Now you're specifically targeting EU users and you're liable for up to $20 million euros.
The response from GDPR fans is that: a) regulators would never levy such a fine, or b) they can't enforce it, or even c) that of course you should be fined because you're a filthy scammer who is stealing people's data and violating their human rights!
But all that misses the point: in what universe is it reasonable to even make such a claim to begin with? And why should I have to trust that the regulators will be more reasonable than the law requires, or that they won't be able to enforce what they'd like to do? And why should I have to comply because you sent me your info voluntarily??
Is there something that makes the internet different here? If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?
Everyone I've tried to make this point to has ultimately said something to the effect of "yes, you're violating their rights by not throwing out the letter." It's baffling.
That's optimistic ... but there is no reason to believe in many niche areas that another equally good product will do that. It is very plausible that in fact what will happen is that EU customers will be significantly delayed in accessing valuable services and products. And in many cases the web sites provide those would be making no meaningful intrusion on privacy in the first place.
Define "largest" in this context.
The European Union is 7% of the world's population.
So by "largest" he means "not largest," as in there's still 93% of the world left to do business with.
Please don't believe your own propaganda. EU/EEA revenue is a fraction of US revenue for all large multinationals. Small businesses probably make even less from the EU.
Good riddance, at least we know what websites we shouldn't have visited in the first place.
> smaller companies take their place with products that either cost money or will be a bit worse.
Or they will be better and still be free.
News companies are dying, news is commodity, if I can't read something on the LA times, I'm sure I'll find that same article on some other news site.
> small competitors will be to afraid of the law and shut EU users out
It's not a complicated piece of legislation, the short version is this simple: only collect data you actually need on your user to offer your service and be prepared to explain why, that's basically it.
> But we as a society are willing to accept that if the result is that more loans will be "reasonable".
The actual reason is that if you don't limit the loans, your economy will collapse.
If they are not collecting any personal data, there is no hassle.
Do you think it's somehow bad for a car manufacturer to not want to go through the hassle of making their cars conform to the safety standards?
> Among other things this includes setting up an EU represeneitive
> a high bar for a free product
The product is not really free because users pay for it with their data, which was unclear before.
> Obviously you haven’t had to deal with GDPR compliance.
Obviously from what? Are you a GDPR compliance expert?
Ah yes, the old "all regulations are equal" argument. It should come as no surprise to you that people view safety regulations on automobiles as vastly different than regulations on what a company can do with data about you.
Safety regulations exist because people wanted them, and the same is true here for privacy and data protections. Unless you can convince EU citizens en mass that they don't want the rights and protections afforded to them by this law then it really doesn't matter what anyone in particular person thinks.
You don't need to be a GDPR compliance expert to know that the costs of implementing GDPR are huge and I doubt any GDPR experts actually even exist today.
So you don't actually know anything, but you are going to pretend to know that it's "huge".
> I doubt any GDPR experts actually even exist today
Then why be so condescending and pretend that you are actually one?
Or the original news simply ceases to exist as is already happening at the local level in many cases. There's probably a continuing market for some global news organizations that are at least muddling through with subscriptions and other products. (Or not. See story on Time Inc. recently.) But I suspect the non-national/international journalism will continue to decline.