GDPR: US news sites unavailable to EU users over data protection rules (bbc.com)
361 points by vincvinc 8 months ago | 657 comments



Alternatively there's this: https://eu.usatoday.com/

No ads, no tracking, no cookies, not even Javascript. Just plain HTML+CSS and JPEG images. The whole front page is around 650 KByte, and by far most of this is in the image files. As a result the page looks very clean and loads very fast.

This is what all news web sites should look like, not just for EU readers (although I fear that this is just a temporary solution until they've figured out that whole GDPR thing...)


>https://eu.usatoday.com/ is fantastic, loads instantly, no clutter, smooth experience, I love it.

I am willing to believe it to be someone's idea of sarcasm, let's strip our website of all the "goodies", give viewers a poorer experience and watch the cries!!1 Except it's actually better, and I wouldn't be surprised if it vanishes really quickly once they realize it backfired by reminding users how fast and clean the web once was.


Sure, it's great until the whole thing is shut down because there's no funding.


Surely the greatest innovators in Silicon Valley could focus on creating sustainable business models that don't rely on data harvesting? Necessity is the mother of invention.

Might be a little more lucrative than juice bag startups.


They already know the answer to that: direct charges and subscriptions.


But it's also great if the whole thing gets shut down because it finds itself to be unsustainable without harvesting my personal data and selling it off to third parties.


It force redirects me to www. on mobile for me :(


Same. But with adblock the USA version is a light page anyway.


Safari on iPhone in private browsing seems to work here.


That looks fantastic, I would actually read USA Today if this lean site sticks around.

If they want to monetize, publishers should control their own generic ad inventory (like they used to in old pre-internet days) and ask for opt-in if you want customization.

Easy on paper but hard in reality.


"This site does not collect personally identifiable information or persistent identifiers from, deliver a personalized experience to, or otherwise track or monitor persons reasonably identified as visiting our Site from the European Union. We do identify EU internet protocol (IP) addresses for the purpose of determining whether to direct you to USA TODAY NETWORK’s EU Experience.

This site provides news and information of USA TODAY NETWORK. We hope you enjoy the site."

Colour me impressed. I sincerely hope it catches on.


I was surprised when my adblocker didn't bleep once. This is like looking what the internet could be. It could've been great.


Of course, that vision of what the internet could be never really answered the question of where the money was coming from to pay for the servers that are delivering that content.


USA Today originally distributed their advertisements on paper without any user tracking. I don't see why advertising without tracking is so unthinkable today.


I'm of the opinion that at some point USA Today had demographic data on its users. Maybe polled directly, or based on a list of names in their subscriber database cross referenced with some other database.

The idea that "user tracking" is now happening on the internet and not in print isn't true. Yes, internet tracking can follow you specifically, but that's because the systems have gotten faster and more connected.


This was true for a huge number of newspapers - user data was an enormous part of the ad business in the print days as well, and has some striking similarities to what happens today online.

Back then it took the form of the subscriber database as you suggest, and was used to help target and sell ads in the paper. The print industry often "sold" the subscriber list in detail to prospective advertisers to demonstrate the potential reach.

Losing detailed subscriber data was one of the primary objections many papers expressed to Apple's app store distribution model which can effectively render readers anonymous, as this was apparently one of the most valuable things they had.


Because it is two orders of magnitude less effective. Putting an ad for a blender in front of someone recently searching for blenders is 100x more effective than putting it in front of a random person.

This means the revenue they can charge for that ad is 100x less, which means that any sites without massive, massive user bases will perish, and those that survive will do it on a pittance.


People paid money for USA Today, and people looked at more advertisements in print papers.


It takes many more servers to deliver a 200mb page than it does a 600kb page


Servers are pretty cheap these days, and always getting cheaper. It's the staff salaries that are the real cost.

I think Patreon has the only good answer so far. There are multiple people on there that make top quality content and earn good money from it.

It's probably not an answer for every industry.


Or how to pay the people who create the content


It seems many people think content worth enjoying is somehow created and delivered freely.


Mmmm... and what about non-targeted ads?

I mean: GDPR didn't forbid money. Not even advertising. Only using personal information without explicit consent... Please, don't be too ridiculous and stop watching FoxNews :-D


There's not even anything wrong with targeted ads!

Behavioural targeting is fine!*

Contextual targeting is fine!

*In many circumstances.


It always was.

In the 90s, the N.Y. Times was $1 in my city and the local paper was $0.30. That covered paper, distribution and ink.

The ads paid for it, and I think the ads were more effective. IMO online ads are mostly fraud and bullshit.


You're aware that this is precisely how the web (successfully!) worked before it was taken over by marketing interests, right?


And it was funded by universities and a defense department project. Once we got the private sector into the experiment, it needed to pay for itself. Bandwidth isn't free, and neither is content creation.


Look at it: that's an RSS feed, basically. They could have had paywalled feeds with a standard payment system that people could write clients and aggregators for. No ads, just subscriptions.

The irony is that we'll get there, eventually: Apple and Google are slowly agreeing a payment system and then they will push it into the browser, and everyone will use it.


If the payment system allows for microtransactions (and, ideally, allows for ads or alternative payment methods for people who don't have the cash to be micro'd), we get a worldwide web somewhat shaped like the one we have today. That seems similar to what Google is pursuing with Contributor (https://contributor.google.com/v/marketing).

If we just do big-dollar monthly or daily subscription paywalls, we end up with a Balkanized web where I can't read the article you're reading unless I pay for it. That'll significantly change the way interactions happen on the worldwide web.


I call BS on this. You’re going to read a publication because of the relevance and quality of the content. USA Today Europe will no longer have metrics to sell advertising which may then force them to dial back on their writers' salaries.


This is, I think, a great illustration of the problems with a lot of economic reasoning.

Sure, maybe that's exactly what would happen, but changing one variable in a toy model is not proof that it will.

There are successful news sites that do just fine without becoming relentless clickbait optimization mills - and in fact, those are exactly the sites I tend to read. Two examples, so we're talking about something specific: talkingpointsmemo.com and techdirt.com are both daily reads for me.

TPM is, for want of a better term, the more advertiser-friendly of the two, but it intentionally works fine with ad blockers. Techdirt is probably well-known to most folks here.

The other commonality is that both of them work hard to not be enslaved by the adtech surveillance machine - they both have non-ad revenue streams.

And I think that is the real trick missed by overly simple reasoning - even when it is correct (and it is, frequently), it obscures more than it helps. And somewhat more nebulously, I think it trains people into a way of thinking that blinds them to options. After all, if you "know" you can't reduce your surveillance metrics below industry-average intrusiveness, you won't look at possibilities involving doing so. Instead, you'd look at additional non-ad revenue as "more and better" and do both - thereby losing me as a potential customer.

Is that a good tradeoff? I don't know - and that's the point. These are much more complicated questions than econ 101 will guide you through.


> it trains people into a way of thinking that blinds them to options.

It's also a dilemma of sorts. If you stop running ads, then there is one less outlet for them, which means rates for all the other outlets are likely to grow. If enough people do it, the few players left will make very good business. Would you rather move out, risking your livelihood on experimental business models, or stay in with the devil you know, ensuring nobody is going to do better than you?


To demonstrate the way it blinds people to options:

What you mean is running 3rd party ads via ad networks.

It's perfectly feasible to show an image that links to some advertiser's site for a negotiated fee. This is the equivalent of a paper magazine with advertisements. Not renting out injection points for executing whatever foreign code on their visitors' devices.

My ad blocker won't even block it (well not by default, and only as long as you play nice, it's not like online advertising has any goodwill left over, or ever acted to deserve it).


You're right that people don't read publications because of the layout, it's all about the content.

Still it's hard to deny that the (presumably temporary) EU site is a much nicer experience. It's certainly faster.

They have plenty of metrics on the ads still, just not on the users. It's not going to be an issue to see how often an ad is shown, they just don't know if it's relevant to the reader. The good thing is that now they have a way of measuring the effectiveness of targeted ads, because the entire EU is available as a control group.

For a newspaper, like USA Today, I honestly doubt that targeted ads convert much better than random ones. EDIT: Random or based on the content of the article.


Too late. It now redirects to http://www.usatoday.com with lots of cookie trackers.


How exactly would one expect this to stick around with no way to monetize it?


Why exactly would you want it to stick around if it can't sustain itself without selling my personal data to shady 3rd party ad networks?

Just because it's been useful doesn't give it some unqualified right to exist.


Apparently, WashPo prefers a more coercive method: https://www.washingtonpost.com/gdpr-consent/

Either pay or sell yourself.

A gamble they might lose if people just stop sharing and clicking Washpo articles, but a possible route if others follow suit.

Meanwhile, NPR goes more hardcore than even USA Today: https://text.npr.org

I wonder, does that mean EU users are just a nuisance costing traffic, or that all graphics are tracking visitors?


What it means for me personally is that The Washington Post as well as the NPR can't be relied upon for reporting news, since they are apparently unable to even marginally interpret a legal document aiming for clarity and instead channel their incompetence into snarky behaviour that still isn't compliant with the GDPR.

To wit (washpo):

"You consent to the use of cookies and tracking by us and third parties to provide you with personalized ads"

Where is the "No I don't. Just give me regular/random ads" button?

and,

"Premium EU subscription" "No on-site advertising or third-party ad tracking"

There's nothing specifically EU about that, in fact, it sounds like a good service to offer to all your readers. But still, there's a big difference between on-site advertising and third-party ad tracking, and that difference is at the heart of the GDPR. A half decent journalist could have figured that out. Maybe that's their real problem.

But most importantly, and frighteningly, instead of these two stunts being knee-jerk backlash reactions, maybe they're serious and most data-peddlers aren't shady figures in smoke-filled backrooms, but simply the fourth estate en large.


What's NPR doing wrong? Are they redirecting to the text-only version for EU IPs or something?


I looked at it with an EU proxy, it gives you the choice to either consent or go to the text-only version.


They may have just done that as a cheap and easy way to comply with the new regulations while they wait for the dust to settle. Especially since the text-only version already existed.

Also, I wonder how much of Washington Post and NPR's revenue comes from Europeans. It might not even make sense for them to spend resources to be more precise in their compliance.


For what it's worth, text-only NPR has been around for a while now.


> Either pay or sell yourself.

What is your preferred third option for content that costs money to make?


There are a ton of great business models for financing content that do not require smart ads or the kind of tracking we see today. They are not as exciting but ... tough cookies.


Yes.. it’s called charging money... Which some are mad about which is ridiculous.


I just get redirected back to https://usatoday.com :( Perks of living in the US, I guess.


I set my VPN to an EU server and it seems to work. I wonder if this will be one of the new "privacy tips" for Americans from now on.


you can still use their rss feeds for maximum information density - http://rssfeeds.usatoday.com/usatoday-NewsTopStories


For a news site, it loads quite fast.


Wow, you just made my day. It's so fast. I don't think I've ever experienced such a fast latency in a nontrivial website. I was around since the NCSA Mosaic times and I remember a much simpler Web than today, but at that point computers and connections were rather crappy so it wasn't that fast either.

A pity I'm not from the US so most of the news aren't that interesting to me, I hope some European news outlet follows suit (although it won't happen).


The most interesting part of that website is its certificate. It includes 342 different news website domains. There are many duplicates for the wildcards, but even 171 is a big number.

This just shows us how big and influential the media giants are becoming.


US users who want the same, lovely, experience can route via Europe (for now).


I just did and it's such a fantastic user experience.


It's very good.

Some of the links appear broken. For example, all the "More" links here haven't been hyperlinked: https://eu.usatoday.com/story/news/nation-now/2018/05/25/rac...


If you view that from the US, it redirects to the US site, full of Facebook crap.


Same with npr! https://text.npr.org/ It's brilliant


That's more of a fallback in disasters to get important information out to the public. Here is CNN's in English and Spanish.

http://lite.cnn.io http://lite.cnn.io/es

If anyone knows of more let us know.


And how can be a business sustainable in this way?


One way to think of it is that “a business” is not “a user tracking, ad targeting website.” Whatever the business is, it’s not equal to the website, which is just one means of distribution of information or content.

If the business was so predicated on user tracking and selling that data or using it to target ads, I think GDPR (in spirit) is saying “that’s not a business” and requiring a greater form of transparency and informed consent before a website can inflict that on a (possibly unwitting) user.

I’m not trying to say this point of view is right or wrong, just that I think there is a spirit here in the intention of GDPR to say “that’s not something we’ll allow to be called a business model.” (Obviously it doesn’t fully go that far, but it’s the idea.)

It’s not that different in spirit than regulating usury or payday loan businesses. If your business model profitably works only because it preys on people, the spirit of the regulation is to say, “that’s not a business model,” and regulate or disallow it. Usury laws in the case of excessive short-term interest rates; GDPR in the case of excessive user tracking and data privacy concerns.

So when you ask, “how can be a business sustainable in this way?” it sort of has the wrong premise.

Instead, if the business could not be profitable without this then it wasn’t actually ever a business— rather it was some other data exploitation entity, and the lack of an alternate way to be profitable in compliance with GDPR is a signal that the entity was unable to determine a way to exist without causing the kinds of harm that GDPR aims to prevent.

Again, I’m just trying to represent what I think the spirit is behind the GDPR choices— not saying they were right or wrong.


Everything's fine if they add generic, non-targeted ads that are completely under control of the news publisher, hosted on their servers, don't track users, don't use cookies. Just like print media and TV does since forever.


The problem is that those ads could not be pay-per-click because you need cookies, javascripts and other tricks to combat clickfraud and impression spam.

If that USA Today site sticks around and adds advertising, it will presumably be low quality inventory like the internet used to be flooded with - casinos, punch the monkey etc.


Cookie & javascript aren't forbidden...

You can have sensible context-sensitive advertising without problem with GDPR. You just can't target a specific reader using its behaviour


No it will be high quality, like an astronomy magazine negotiating a deal with a telescope producing business.

The shitty early-web ads were already a result of shady 3rd-party ad networks selling private data.

Does a paper magazine need to run unsavoury ads? Because they don't have pay-per-click. They don't even record impressions, they have to negotiate the deal beforehand with the advertiser.


As I understand, you still can use cookies and IP addresses, but you should not keep them for a long time and should not give those data to Google and Facebook. Do you really need to track user across all the Internet (like Google and Facebook do) and keep that data forever, buy and sell them to data brokers? Definitely not.

I don't want data about me to be someone's asset. I want an Internet shop to delete data about me as soon as possible after I made a purchase. That's why I want GDPR in my country too.


[flagged]


Is it reasonable to attribute ignorance of laws on another continent with stupidity?

Is nobody outside of America ignorant of these laws?

Also, how much of the internet technology and content you use and consume was created by Americans? Probably quite a lot.

Why so rude?


You can still have ads under GDPR. You can even continue to track people, you just have to ask consent and not do it behind the user’s back.


And as I understand it you can't punitively restrict access to the service for not consenting to that tracking.


And then you can still have ads, just not track them.


I have no answer to this, but the targeted ad business has driven traditional news outlets/traditional ads out of the market almost completely, so I think it has no good standing to ask for protection. In fact, I think GDPR proponents will welcome the collateral damage to targeted advertising.


> And how can be a business sustainable in this way?

By not building their entire business around ads and tracking.


People have tried lots of other stuff in the last 10-15 years, it was not sustainable (micro-transactions never took off, subscription-based newspapers are the exception rather than the norm etc). I'm personally fine with newspapers like the LA Times collecting and selling my personal data as long as I can read articles for "free" on their website, I think it's a pretty fair deal.


Part of the reason for the failure of those other models is their need to compete with an exploitative ad driven model. When you remove the lowest common denominator, you make it easier for the market to accomplish something better.


If payment is optional then you are only likely to hand over money out of principle, or your own personal values.

I don’t think it’s as simple as finding the same news elsewhere for free though, or accepting this level of data collection, or subscribing to every site with micro transactions.

I would pay to use HN if the articles I clicked through to (or upvoted, or engaged with in the comments) got a piece of the pie. I’d pay a fair amount because I get a lot of value out of the aggregation and community HN offers. There’s no obvious allegiance to a particular perspective on life so one day I can enjoy a spiritual read and another I can learn about baking bread. I’m not only challenged, my curiosity is being piqued. It may be that HN works this way because there is no direct profit motive in HN itself except to point budding startups to Y Combinator.

I’m unlikely to pay an individual publication (say, The Guardian) because such publications have a specific editorial viewpoint, and more often than not it’s going to be the point of view that supports my own. My money is wasted on an echo chamber that makes me mad about the state of the world.

Neither am I likely to pay a publication that I persistently disagree with because our values are incompatible. I might read them if they have something profound to say but I’m not going to commit to them for that.

So maybe there’s something in a co-operative effort where the community collectively funds the content it engages with. But rather than it being an individual thing like with Patreon or individual subscriptions, it’s a pool you contribute to in order to participate further in the community.


And the other part of that failure is people don't want to pay for content, games, etc. They want it all to be free.


I have never, ever, ever seen a single reputable source to support this claim. As far as I can tell, this is just something that people blindly repeat to justify their exploitative business models.

On the other hand, there's quite a lot of evidence of successful businesses operating on a subscription model because they provide a good value proposition. Which leads me to conclude that your claim is simply false.

Also relevant: https://membershippuzzle.org/about/


I've never felt exploited by advertisers. Nor do most other people, otherwise they would keep their internet usage to a minimum when what we see is the exact opposite.

Please stop attacking services and sites that hundreds of millions or billions of people find useful because of your own over the top histrionics.


Most users on the internet are completely incapable of understanding what tracking even means. Those users, therefore, cannot consent to that tracking in an informed way.

Those users need to be protected.


There are more histrionics in this reply than the person you’re responding to.

The parent makes an excellent point: it’s easy to argue the other models (micro transactions, subscriptions, paywalls) failed because they were in competition with an industry that has safely operated with little to no regulation for a decade or two.

The ad industry in this situation has an insane advantage because it can make money from end-users without them even being aware that they are involved in a transaction. They don’t have to see a banner ad in order for dozens or hundreds of other businesses to learn about them.

There is no explicit contract between the website and the user in the way that there is when you agree to pay the business money in exchange for the value it offers.

So GDPR levels the playing field by removing that advantage. If an advertiser or another business runs above board they don’t have a problem. More to the point, if they can convince a user to opt in, then they have a serious value proposition to the user too.

Advertising itself is an easy and almost fallacious target. People know about adverts so they use Adblock. People have no idea what a business will do with all of the data that reaches their servers without any JS required.


i.e. "It's easier for horses to compete with cars if you set the speed limit everywhere to 5 miles per hour."


> i.e. "It's easier for horses to compete with cars if you set the speed limit everywhere to 5 miles per hour."

I think that elides pretty important aspects from the equation. In reality, it's more like: "It's easier for Bill-brand horses to compete with John-brand horses; if you ban the steroids, amphetamines, and cruel practices John uses to get his results."


i.e "It's easier for car manufacturers to build cars if you remove regulations on safety or pollution"

i.e "It's easier for employers to produce cheaper products by exploiting their employees if your protection of labour is on the level it was 1850"


I might be exaggerating, but you can say the same thing about environment protection laws, anti-slavery laws, worker protection laws etc. They made some businesses unsustainable too.


Probably not sustainable as an ad supported business. We may see a bigger push to a subscription based model—-one many people have come to hate, but was one twenty years ago people paid $10-30, mo. for the subs to their favorite daily.

Now sure those prices were subsidized by ads. But they can still use untargeted ads, in addition, cost of the “medium” and distribution is much lower.


People will actually visit the site... so they get traffic. They could then advertise through more creative, less user-unfriendly ways (besides having giant ad networks that store tons of user data on each person, along with 20 different vendors’ trackers to make sure each department gets the same data about each user in a very slightly different way).


There is no fundamental right for a business to be "sustainable" if it hinges on being able to sell off my personal data to 3rd parties. That is almost literally what this law is about.

You sound like the other people complaining "you know how much money I have to spend on lawyers to ignore this law??".


> And how can be a business sustainable in this way?

There are millions of businesses around the world that don't give a fig about European customers or the E.U. Hurts to hear it, but it's true.

They manage to survive and thrive without any interaction with anyone in the E.E.A.

It's a very European thing to think of the E.U. as the indispensable center of the world.


> It's a very European thing to think of the E.U. as the indispensable center of the world.

Huh? Culturally, that has absolutely not been my experience - quite the contrary.

In the case of the GDPR, it's simply a matter of "if you can't respect our citizens' basic rights, then we don't want to be doing business with you".

That has nothing to do with considering the EU to be the 'center of the world', and everything with setting the conditions for trading with it. You can either take or leave those.


It works both ways.


You are correct. That's what makes visiting another country/region fun for many people. They like to explore and encounter things they don't have available to them where they live. Otherwise, why leave home?


Decide if you talk about not giving a flying toss doing business or visiting for fun and leisure.


Media businesses can introduce or grow subscription revenue, reducing reliance on ads.


Hopefully what will happen is that it will be more expensive to advertise and publishers will earn more on dumber ads

Obviously if ads are less targeted then they may be less effective so advertisers will make less on ads that cost more. This will hurt their bottom line, which in turn will make the products we buy more expensive. But that's exactly the end goal. I want to pay for things (information, products) with more money rather than with slightly less money and all my integrity.


That's a sad outcome.

I remember the tedium of non-targeted advertising---it's what ultimately pushed me away from most traditional print and broadcast media and online. Targeted advertising occasionally brings me information I actually want; non-targeted advertising feels like such a waste of everybody's time.

I hope someone takes on the experiment of opt-in GDPR compliant ads.


Targeted advertisement can be done if the user is entirely in control of the data and the consent process. No one would be against that. This is a technical problem that can be solved, there was just no incentive to do it. Now perhaps there is.


It would be nice to give people the option. I personally would love everything to be free, and show me ads instead. I don't see how my integrity has anything to do with it.


>Obviously if ads are less targeted then they may be less effective so advertisers will make less on ads that cost more. This will hurt their bottom line, which in turn will make the products we buy more expensive. But that's exactly the end goal. I want to pay for things (information, products) with more money rather than with slightly less money and all my integrity.

I'm sure you considered all the poor people across the world that are subsidized by the ad driven model we use today. What we truly need on the internet is data gated behind pay walls to protect important information such as which facebook groups you clicked like on.


> I'm sure you considered all the poor people across the world that are subsidized by the ad driven model we use today.

A lot of them are poor, because we don't want to pay a decent amount for the products that we consume and instead rely on people working in sweatshops in third-world countries.

You don't solve poverty by giving them 'free' products that require them to give you all their private data. You solve poverty by giving people a decent wage, so that they make these decisions themselves.


This is a false dilemma. There's no reason we can't both work towards better wages for everybody and support cheaper services for poor people in the meantime.


So us having our right to privacy using paywalls, means that we deprive those less well off of valuable information. Or everyone forfeits their right to privacy for free stuff. I'm sure there's a middle ground here.


By hosting non-tracking ads. Like they used to be before Google started this whole profiling menace.


They can even be dynamic. Filter on location, uplink/computer speed, screen size, browser etc. None of it requires storing data.

Adtech might move to correlating all these things + the website visited to target particular demographics.


They can also be quite smart. What was your referrer, what's your user flow through the site, what do similar users do when arriving from the same pages and searches? What time of day is it for the visitor?

ie: figure out why they are doing what they're doing and direct them to ads that capture that intent.


I'm not certain but much of that sounds like the kind of information GDPR doesn't let you use like that.


The only reason that IP address logging is a problem is that ISPs could theoretically cross reference with subscribers leases and identify them.

I think this much vaguer stuff will be fine.


Why? None of it requires saving info on an individual server-side. As long as you don't do that the GDPR doesn't even apply to you.


I keep seeing this argument. But the reason I don't see this happening is the giant amount of fraud out there. Sure ad fraud is an arms race, but if you can't do js fingerprinting, cookies, etc it would be impossible to verify ad impressions are real humans, not bots. And actual clicks from real humans would be impossible to differentiate - not coming from the same bot clicking over and over again (can't store ip, cookie, etc I'm not sure how you'd distinguish).


To fight fraud you can use some short-term temporary tracking without saving data for a long time, without linking cookies and IP to email or real name, without exchanging data with other companies (like Google), without buying or selling data to data brokers.

To show ads you don't have to report about all of your site visits to Facebook and Google.
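One way to do the short-term, unlinked tracking this comment describes, as an added example that is not part of the thread: repeated clicks are counted under a keyed hash whose key is discarded every window, so no raw IP is stored and tokens cannot be joined across windows. The class name, window length, click threshold and sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


class ShortTermClickFilter:
    """Click de-duplication that never stores a raw IP address.

    Each click is reduced to HMAC(key, ip | user-agent | ad id). The key lives
    only in memory and is replaced every `window_seconds`; the old key and its
    counters are dropped, so tokens from different windows cannot be linked.
    """

    def __init__(self, window_seconds=3600, max_clicks=3, clock=time.time):
        self.window_seconds = window_seconds
        self.max_clicks = max_clicks
        self._clock = clock
        self._epoch = None
        self._key = b""
        self._counts = {}

    def _rotate_if_needed(self):
        # A new window means a new random key and an empty counter table.
        epoch = int(self._clock() // self.window_seconds)
        if epoch != self._epoch:
            self._epoch = epoch
            self._key = os.urandom(32)
            self._counts = {}

    def _token(self, ip, user_agent, ad_id):
        message = "\x00".join((ip, user_agent, ad_id)).encode("utf-8")
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def record_click(self, ip, user_agent, ad_id):
        """Return True if the click should be billed, False if it is a repeat."""
        self._rotate_if_needed()
        token = self._token(ip, user_agent, ad_id)
        self._counts[token] = self._counts.get(token, 0) + 1
        return self._counts[token] <= self.max_clicks

    def stored_tokens(self):
        """Everything the filter holds about visitors: opaque 32-byte digests."""
        return set(self._counts)


def demo():
    # Constructed sample traffic; addresses are from documentation ranges.
    now = [0.0]
    flt = ShortTermClickFilter(window_seconds=3600, max_clicks=2,
                               clock=lambda: now[0])
    bot = ("203.0.113.7", "curl/8.0")
    human = ("198.51.100.23", "Mozilla/5.0")

    results = [flt.record_click(*bot, "ad-42") for _ in range(4)]
    results.append(flt.record_click(*human, "ad-42"))

    first_window = flt.stored_tokens()
    leaks_ip = any(b"203.0.113.7" in token for token in first_window)

    now[0] = 3600.0  # next window: key and counters are replaced
    results.append(flt.record_click(*bot, "ad-42"))
    unlinkable = first_window.isdisjoint(flt.stored_tokens())
    return results, leaks_ip, unlinkable


if __name__ == "__main__":
    print(demo())
```

Within a window the digests still single out a visitor, so the window length is the retention period and should be as short as the fraud check allows.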


Sure you could store IPs, as you can also use cookies. I think there's a hysteria regarding GDPR. It won't break the web. Perhaps we need to give it some time to settle in and then draw our conclusions.


Did you use the internet back then? Do you remember what online ads were like before AdSense?

My god. They sucked so hard! AdSense was a revolution.


AdSense was definitely a revolution on many fronts, especially because it enabled small sites to start earning a decent income. And for that we'd be eternally grateful to Google. On the other hand Google back then didn't have the variety of products they have now so profiling was much less intrusive.


I have used an ad blocker for the last 10+ years. I don't know how Adsense has improved my internet experience, and I suspect it has had no effect.


AdSense ads have not changed much since 10 years ago. It had a huge effect compared to 20 years though.


It wasn't privacy invasions that made the ads better, it was Google making the process easier. Instead of dealing with shady smaller networks, or individual sites (which only businesses that extracted high value from online presence could afford, e.g. gambling,) any business could then easily and safely publish their ads widely. That is not going away, and advertising in the EU will still exist.


Of course not, there will be more ads. EU developers are not going to just shut down their websites, and there aren't any better European ad solutions.


Replace ads with sponsored content. They still will get money for ads, but they even will save money because they get free content. /s


>No ads, no tracking, no cookies, not even Javascript. Just plain HTML+CSS and JPEG images.

Are we viewing the same page? Not only do I see JavaScript in the EU page, but I also see this in the code:

"trackingServer":"gannett.hb.omtrdc.net"},"market":"gpapermobileapp","trackingServer":"repdata.usatoday.com","trackingServerSecure":"srepdata.usatoday.com"},"ads"


it certainly does not like it if you attempt to visit with ublock or some other combination of what I run, all *.usatoday sites only come as

found an invalid character in header value

for me


The speed of this EU site is refreshing.. reminds you of using cable modem for the first time.


Glad you like the ad-free, high quality content. How would you like to pay for that?


In the mid-term I'm glad to be subsidised by American users who forego their privacy and are willing to get served a lot of ads.

In the long term I would be happier if we'd all be treated with equally high privacy standards and pay for the content we consume. For that to happen we only need one thing, Americans and their legislators need to start valuing their privacy too.


Nah, this works the same way pharmaceutical drug development works: US citizens pay and everyone else gets the benefit.


I forgot that websites can load this fast, this is incredible. Not on mobile though


pretty stripped down site https://i.imgur.com/7T5h3Vr.jpg barely any html as well


There are ads. Just above the footer - 'Ad Content by Taboola'. I am accessing it from India.

Edit: There are many other ads as well, not just from Taboola.


Those ads are on www.usatoday.com, not eu.usatoday.com.


Right, but it seems Americans (and probably everyone outside the EU) are being redirected like the parent. I was, which is a shame since I’d love to see that version of the site. It’s almost like a good unintended consequence of the regulation.


Businesses don't comply with regulations because it is easy, but because it's needed to do business.

If a service didn't have a big user base in Europe, most countries don't speak English, it may be cheaper to remove the service.

The New York Times or The New Yorker that even have physical copies available in Europe work as usual.

I work in a gambling company and this is our day to day business. To enter a new market means to follow a new set of regulations. To do the adaptation or not is a strategic decision based on complexity, expected revenue and other factors. GDPR is just another regulation to add to the long list related to tax evasion, responsible gambling, fair play, etc.


Regulations tend to favor incumbents, decreasing competition, and thereby increasing monopoly and creating central hubs of systemic risk. There is no free lunch with one-size-fits-all rule making. Unfortunately regulators think there is.


I was thinking about getting into the car market but all these pesky requirements that I sell a car with airbags and seatbelts and fuel efficiency compliance are just there to protect existing incumbents.


Snark aside, that doesn't dispute the thesis that regulations tend to favor incumbents.

Some regulations are good. Some regulations are bad. Some regulations are smart. Some regulations are dumb. Reasonable people can disagree on the quality or intelligence of a given regulation, or its impact on a given industry, but that doesn't change that most regulations do tend to make products more expensive to manufacture and by proxy, more expensive to buy.

In Europe, if you want to sell eggs, you're required not to wash them or get them wet, because doing so erodes the natural coating that protects them from diseases. This is a regulation implemented to prevent salmonella.

In America, if you want to sell eggs, you're required to wash them in water at least 90 degrees, to make sure that they're clean, then rinse them with a chemically infused spray, then because you've got them wet, they need to be thoroughly dried to prevent bacterial growth. Further, because you've now washed and dried them, removing the natural protective coating, they need to be refrigerated in transit, at the store, and at home.

Both regulations are imposed to defend against Salmonella, and both are apparently quite effective, but the American regulations in play require the purchase of (conservatively) thousands of dollars in washing, sanitizing and drying equipment, and at least a partnership with a refrigerated trucking company. If you're selling the eggs in California, there's the additional requirement that the eggs were laid by free-range hens, which of course increases the amount of land required to raise the chickens upon, which of course makes it harder to prevent and protect the hens against predators.

Like I said, reasonable people can disagree on any given regulation, but it's hard to make the claim that egg regulations in America are more effective than those in Europe, or that the American regulatory environment doesn't make the egg business a more capital intensive affair.


> Snark aside, that doesn't dispute the thesis that regulations tend to favor incumbents.

Not only that, even auto safety regulations do favor incumbents. There were far more new independent car companies created before the 1970s when the safety regulations were passed, and they were often created by small groups of people rather than huge established companies.

It's possible that the safety improvement is worth that cost, but that doesn't mean the cost isn't still there.

When we start talking about other industries where the result isn't literally a matter of life and death, it becomes much more likely that the cost outweighs the benefit. You're essentially talking about destroying competition -- the same competition that keeps companies from doing things you don't like.

If you want to pass regulations that destroy competition, those regulations had better prevent companies from doing more evil on net than competitive pressure does. Which is a pretty high bar.


There are benefits to washing the eggs, aren't there? I have read that in Europe as a consumer it's a lot more important to wash the eggs before using them.


I have lived all my life in Europe, in three different countries and with friends and colleagues from many more, and I have never seen or even heard about anyone washing eggs. So if it happens, it is certainly not a Europe-wide norm.


Actually I found this post about it: https://cooking.stackexchange.com/questions/66957/is-salmone...

Apparently there is some evidence that egg-related salmonella is 7x more prevalent in Europe vs the US.


Should I also be washing fresh eggs from friends' chickens/ducks then?


Yes. I have chickens (hence the anecdote above), and if you're getting eggs from friends, you should definitely wash them. I've personally just made it a habit to wash all eggs in warm water, regardless of whether they're store-bought or fresh.


You should definitely wash the eggs before you cook with them. As you mention, that is de rigueur for Europeans, as it is in America for things like lettuce and potatoes.


You should wash the eggs before opening them. If you cook them in boiling water without opening them (except for the prick at the bottom), I don't see how washing them beforehand would make a difference.


What? Is this legitimate or are you being funny?

I'm European and have never washed an egg before cooking it in my life. What is this? I crack it open and cook it and am still here.

I do wash my tomatoes when I make a salad with raw tomatoes though. And that's mostly to get stuff off since I'd argue my vinaigrette would kill all the bacteria.

And washing your potato? I'm so confused. Don't we all cook potatoes in boiling hot water?


The incidence rate for salmonella is pretty low either way, but you should definitely wash eggs before cracking them open, for the same reasons you wash your tomatoes.

As for potatoes, no, we don't all cook them by boiling them in water -- many of us bake them, fry them, or use them for making hash browns. This might just be cultural, but I would actually be more inclined to wash them before boiling them, since the reason you wash potatoes is because they have dirt on them, and just as I wouldn't want to toss dirt into my boiling water, I would prefer to clean (or peel) my potatoes before boiling them.


Nope. In fact when I was in cookery school here in the EU, I was told that it is perfectly safe to eat raw egg here, but that in the US this is never advisable.


You can eat raw egg (yolks and whites) in the EU because chickens are inoculated against salmonella. This has absolutely nothing to do with whether or not salmonella is allowed to accumulate and/or incubate on the outside of the shell.


I can only speak for Germany, but I haven't ever seen anyone wash eggs, neither when cooking, nor when frying.


> it's hard to make the claim that egg regulations in America are more effective than those in Europe

It is? What is the data?


I think the phrase "You're oversimplifying a complex situation to the point of no longer adding anything to the discussion" applies to your comment.

No one here is saying that ALL regulations are bad or should be removed, just that all regulations have unintended consequences.


The grandparent did exactly the same thing.


Not really, all regulation will favor incumbents - it's just that some may be worth it. And it's worth noting that not all regulation is universally seen as useful.


He was certainly quite terse, but I wouldn't necessarily call that an oversimplification


I would. It’s much more of a gross (and inaccurate) oversimplification than the sarcastic response to it was.


You can make fun of it, but there's a reason that Silicon Valley venture capital goes to software engineering (where regulations have generally been lower) while significant disruption in the automotive space is coming from incumbents and one company founded by a guy with a net worth of $18 billion.


This is a hugely simplistic comparison. There's far, far more complexity to why the automotive space sees less "disruption" than just regulations.

You can launch and run a business similar to Facebook from a dorm room.

A car factory? Not so much, regardless of the regulatory issues.


> there's a reason that Silicon Valley venture capital goes to software engineering (where regulations have generally been lower) while significant disruption in the automotive space is coming from incumbents and one company founded by a guy with a net worth of $18 billion.

Maybe it's because the auto industry is far more capital-intensive than software. I don't see anyone taking on incumbents in capital-intensive IT businesses, such as cloud services (do you want to compete with Google, Amazon, and Microsoft with your VC money?), or in software, operating systems in entrenched markets (desktop and smartphone).


That would be the self same reason the net is starting to attract regulation. Some of that significant disruption basically involves extending a middle finger to the laws and regulations of the country they want to do business in. I might call it taking the piss.

Taking the piss with laws and employment rights such as Deliveroo etc, or taking the piss with user data and personal privacy.

We'll be left with some of the regulation long after many of the disruptors that caused it have burnt out.


Conversely, people have also seen how some laws - like those protecting taxi drivers in this example - did nothing to help consumers. Not all regulations are being missed.


From the times I've been to the US I can see how disrupting NYC taxis could be a very good thing indeed. UK taxis? Nope, happy to keep those regulations and want to see them applied to Uber etc.


Vast difference between those examples, not least of which is that there are concrete rules around automotive safety to easily calculate the cost of implementation and verify compliance.

GDPR is full of vague terms and is global regulation based on principle rather than actual hard rules, which will increase costs and come nowhere near accomplishing the objectives it claims to do.


What is this, 1995? You're gonna need more than airbags and seat-belts and fuel efficiency.

Modern cars need ABS, TPMS, electronic stability control, passenger airbags, a backup camera and crash test standards all but demand side curtain airbags.

Don't get me started on emissions. Fuel economy really isn't a big deal or hard to meet. It's the half million other little things that need to be in a specific range that really waste the R&D time and money.

For something like a low end subcompact compliance is a huge chunk of the price.

Given the choice between a 1999 Toyota Solara (or whatever) which has one or two airbags for $5k or a new subcompact hatch with none of the listed safety features for $6k or $7k I'd probably take the subcompact. There's been huge improvements in all sorts of non-safety aspects of vehicle design in the past ~20yr that the subcompact has that the old sedan doesn't.

There are rapidly diminishing returns for regulating cars because by driving up the price of new cars you extend the time that the old ones stick around and the people who choose less safe alternatives (see mopeds in Asia).

Saying "regulation that mandates $goodthing is good" as a blanket statement is approximately of the same dumbness as saying "regulation is bad" as a blanket statement.


Regulations, the regulators that make them, and the incumbents that support those regulators are under a sort of survival of the fittest to optimize for regulations that protect the incumbents but do so without being obvious and with some benefit to the consumer. Regulations that clearly support the incumbent and which clearly have no benefit to consumers will be the easiest to attack and remove. So if you want to cherry pick regulations, you can make them seem like perfect things that no sane person would ever have an issue with.

Look at how fines work, say with the GDPR. The maximum fine is 20 million or 4% of revenue, whichever is larger, which means that small businesses see a much larger risk as a percent of revenue from these regulations. This is independent of the chance of the max fine being applied. This inherently creates a pro-incumbent bias even if nothing else about the law created pro-incumbent bias.


Wouldn't it be sufficient to regulate outcome? I.e. mortality rate per passenger mile? Then, hypothetically, an AI company might be able to dispense with a lot of physical safety devices by taking advantage of the lower reaction times of a non-human driver.


What if - hypothetically - you came up with something safer than airbag & seatbelt? Even if all your customers found it to be self-evidently true that it was safer the only thing that would matter would be if the regulator thought it was safer. A regulator who is likely controlled by the incumbents.

Now with something like car safety it's easy to say - no one will come up with something like this or if they do then the regulator will immediately allow it. But what about something like Internet privacy? I think it's more likely in that case for the rules like the GDPR to be used to protect incumbents by keeping out competition.


Not only that - this is a great weapon to shut down websites that are against current political agenda since virtually every site could be found non-compliant.


Regulation can both help make people safer and also get in the way of innovation.

A more realistic example:

Regulations say cars are required to have steering wheels. They also say cars are expected to be under the control of a driver at all times.

Good and all if you expect to have human drivers. But it increases the cost of self-driving cars. And humans are terrible at mode-switching right before an emergency (we know this from studies on airplanes, as well as from studies on self-driving cars).

The two ways of solving this: (1) develop a self-driving car that doesn't need a steering wheel (ala trains under positive train control) or (2) restrict operation of self-driving cars to people who are highly trained and regularly operate cars in manual mode (ala the airplane industry).

Alphabet/Waymo/Google can afford the army of lawyers and lobbyists required to make this happen. All the other start-ups in this space had to get acquired by an incumbent (GM or Uber) or restrict their domain to something with less regulation (e.g. private land -- golf courses; university campuses; the Las Vegas Strip).


Car market in what sense? Making new automobiles? Yes you'll need to comply with the safety requirements of the markets in which you sell.

Selling used cars? Generally, as long as the car is sold as originally equipped, there's no issues. I can sell or drive a 1970s era car without having to add modern emissions equipment, bumpers, and airbags for example. At least I can where I live.


Airbags and seat belts were installed in cars long before they were required by regulators. The same goes for improvements in fuel efficiency. This all is driven by competing companies trying to make a profit.


Air bags were 'installed before they were required' because auto manufacturers in the US were given a 7 year period to add them, not out of competition based on safety. This only after a decade of the auto industry fighting to keep those safety features from being required, exactly because the auto makers were worried about profits and not consumer safety.

"A Federal agency today abandoned the long-disputed requirement that automobile manufacturers install automatic crash protection, such as airbags or 'passive' safety belts.

The action by the agency, the National Highway Traffic Safety Administration, drew immediate protest from safety groups and praise from the automobile industry."

https://www.nytimes.com/1981/10/24/us/airbag-regulation-on-c...


No... this is just pure revisionist history.

https://en.wikipedia.org/wiki/Unsafe_at_Any_Speed


>I was thinking about getting in to the car market but all these pesky requirements that I sell a car with airbags and seatbelts and fuel efficiency compliance are just there to protect existing incumbents.

I think by going to cars to prove your point proves how ridiculous regulation for websites are. For some reason there exists a group of people that believe that websites like facebook need regulations that are as strict as those required for developing cars.

People die from cars that are badly designed. People don't die from facebook (yes I'm sure you can find some contrived example.)

Unrelated but something that further adds to the irony of using cars as an example is that companies such as VW haven't even been fined for cheating on their emissions test.

I doubt a country like Germany would ever consider allowing the EU to fine 4% of VW's global revenue even though they broke the law in a way that has resulted in people's deaths.


My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.

The fact you think GDPR only applies to websites rather than the huge clusterfuck of personal data loss means you haven't understood the reason behind GDPR.

Equifax lost millions and millions of records and have so far faced no meaningful punishment from the UK regulators: as far as I can tell, they've so far made one brief statement on their website, and one tweet.

Major ISPs like TalkTalk lost millions of records (and ignored security researchers telling them about gaping security holes) and were given a slap on the wrist - £400,000 by the UK ICO. Mere pennies per user in fines; a drop in the bucket compared to their annual revenue. There is no economic interest to change their behaviour.

The negligence of these companies has led to millions of people having their personal and financial data stolen, having to keep eagle-eyed over bank statements and credit cards, having to worry that their transactions (or their travel bookings) might get flagged up as suspicious, that their credit rating gets eaten, and much else besides.

If a company you've entrusted your personal data with—not just your tweets or whatever, but sensitive personal data including health data, data about your religious affiliation, sexual orientation, etc. loses that data, as a UK citizen, you currently have no right to appeal the ICO failing to take action. GDPR/DPA2018 changes that balance.

Companies tell consumers "hey, trust us with your personal data". Consumers do in the false belief that there is some protection or basic responsibility taken. When they colossally fail to take the most basic steps to protect consumers from data loss, the status quo was this: nothing happens to them.


> My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.

You present a false dichotomy here. As much as the GP is wrong for boldly asserting the negative as fact, you are wrong for just as boldly asserting the opposite, without allowing for the panoply of options that inevitably arise from the point a regulation is conceived to the point that it is enacted. During the process of drafting the legislation, at least here in America, the existing players have a voice on the legislation's course, and the larger the existing player is, the louder their voice gets to be.


> During the process of drafting the legislation, at least here in America, the existing players have a voice on the legislation's course, and the larger the existing player is, the louder their voice gets to be.

Sounds like you need campaign finance and lobbying regulations. ;-)


In practice fining companies for getting hacked just boils down to a tax, as no company wants to be hacked, and the primary bottleneck to making software more secure is crap tools, crap platforms, poor training and inability to hire people who deeply understand security.

Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".


> In practice fining companies for getting hacked just boils down to a tax, as no company wants to be hacked

No, it boils down to an incentive. No company wants to get hacked, but a lot of those same companies aren't willing to invest in security measures and training that could mitigate the risk.

> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".

I don't think anyone's proposing a regulation like that. However, it's not fair to put the costs of a data-theft squarely on the victims, when it was really the company that was responsible for securing the data.


But companies that do invest massively still get hacked. See: Google. Yahoo. Microsoft.

It's also not even always clear what hacking actually means. A common way users get hacked is by reusing the same password on every website. One of those small sites gets hacked, the hackers try the user's password at bigger sites to see if they work. Big players like Google and Facebook have heuristic systems that try to detect and block that, but sometimes they don't work.

So who's at fault then? The user for losing control of their password? The small site, probably not EU based, doesn't give a shit? Or the big guys who tried to protect the user but failed? Given the way the GDPR is being done my guess is the big guys will get taken to the cleaners even though they did nothing wrong.

Basically, you can't stop a big company from getting hacked no matter how much you spend on security.


> Basically, you can't stop a big company from getting hacked no matter how much you spend on security.

I never said anything to the contrary, but the observation is irrelevant. You can't stop all pollution, but that doesn't mean you shouldn't pass regulations that either ban it or impose liability for it.


That's an invalid metaphor. The point behind regulating specific types of pollution and fining companies that emit it is in fact to completely eliminate it. When total elimination isn't possible regulators have taken alternative approaches, like phase outs and carbon trading schemes.

The GDPR authors appear to believe that not being hacked is merely a matter of choice, despite all evidence to the contrary. They are clearly dangerously delusional. If even Google, with its pick of the crop, unlimited budget and massive security team, cannot avoid being hacked, then nobody else has a chance.


Regulators don't care if you're hacked.

What they care about is how much data you had (and did you need all of it), did you tell the users, have you put things right, had you done anything to protect the data?

If you have a lump of data that you don't need, that you store with no attempt at encryption, and it's held behind software that you haven't bothered to update even though security patches have been released then yes, you're going to be regulated.


> it was really the company that was responsible for securing the data

It was the financial industry and government that were responsible for implementing an identity scheme with a less insane architecture than handing the same secret material to every relying party. I disagree that we can or should force everyone to tie themselves in knots supporting it.


You say that, but what are the attack vectors in these high-profile breaches?

- Unpatched, publicly documented vulnerabilities.

- Unauthenticated S3 buckets.

- Unencrypted laptops.

- Default passwords.

This isn't subtle crypto weaknesses or attack vectors missed in the security assessment of protocol designs. It's carelessness. It's stuff that any high school kid who's good with computers will tell you about, let alone any IT professional or software engineer.


And the entrypoint when Google got hacked by the Chinese was Internet Explorer 6.

People who think defending networks is merely a matter of choosing not to get hacked have clearly never tried to do it.


> Hacking is not a problem you can solve by passing a regulation that says "don't get hacked".

It doesn't say "don't get hacked", it says "if (when?) you get hacked, minimize the cost to people who trusted you with their data". And the easy way to conform is: 1. do not collect more than you need to provide the service, and 2. do not keep the data you don't need any more just in case. Which should be the default, but in the world of cheap storage and data mining seems to be forgotten, or an afterthought. E.g. when a user unsubscribes we tend to set the flag "subscribed" to false next to the rest of their data, instead of removing the e-mail address we don't need.
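The two habits in this comment compared side by side, as an added example that is not part of the thread: a store that collects every form field and flips a `subscribed` flag, against one that collects only the address and deletes the row on unsubscribe. The class names, table layout and sample subscribers are constructed for illustration.

```python
import sqlite3

# Constructed sign-up forms (example.* domains are reserved for documentation).
FORMS = [
    {"email": "alice@example.com", "name": "Alice A.", "birthday": "1990-07-01"},
    {"email": "bob@example.org", "name": "Bob B.", "birthday": "1985-02-14"},
    {"email": "carol@example.net", "name": "Carol C.", "birthday": "1978-11-30"},
]


class FlagStore:
    """Keeps every submitted field and only flips a flag on unsubscribe."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE subs (email TEXT PRIMARY KEY, name TEXT, "
            "birthday TEXT, subscribed INTEGER NOT NULL DEFAULT 1)"
        )

    def signup(self, form):
        self.db.execute(
            "INSERT INTO subs (email, name, birthday) VALUES (?, ?, ?)",
            (form["email"], form.get("name"), form.get("birthday")),
        )

    def unsubscribe(self, email):
        self.db.execute("UPDATE subs SET subscribed = 0 WHERE email = ?", (email,))

    def recipients(self):
        rows = self.db.execute(
            "SELECT email FROM subs WHERE subscribed = 1 ORDER BY email"
        )
        return [row[0] for row in rows]

    def dump(self):
        """What a copy of the table reveals, e.g. after a breach."""
        return self.db.execute(
            "SELECT email, name, birthday FROM subs ORDER BY email"
        ).fetchall()


class MinimalStore:
    """Collects only the address and deletes it when it is no longer needed."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE subs (email TEXT PRIMARY KEY)")

    def signup(self, form):
        # Extra form fields are dropped here and never reach storage.
        self.db.execute("INSERT INTO subs (email) VALUES (?)", (form["email"],))

    def unsubscribe(self, email):
        self.db.execute("DELETE FROM subs WHERE email = ?", (email,))

    def recipients(self):
        rows = self.db.execute("SELECT email FROM subs ORDER BY email")
        return [row[0] for row in rows]

    def dump(self):
        return self.db.execute("SELECT email FROM subs ORDER BY email").fetchall()


def compare():
    """Run the same sign-ups and one unsubscribe through both stores."""
    out = []
    for store in (FlagStore(), MinimalStore()):
        for form in FORMS:
            store.signup(form)
        store.unsubscribe("bob@example.org")
        out.append({"recipients": store.recipients(), "dump": store.dump()})
    return out


if __name__ == "__main__":
    for result in compare():
        print(result)
```

Both stores send to the same two recipients; only the flag-based one still holds the unsubscribed user's address, name and birthday.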


So now we get a new status quo: "These measures are onerous and bake in internationally-controversial concepts like 'right to be forgotten,' so now companies may actually decide to punt on doing business with 500 million customers because the risk outweighs the rewards."

Good work everyone.


>My comparison is simply to show the standard laissez faire talking point of "oh, regulation exists just to protect incumbent market players" as bullshit: regulations exist to protect consumers from negligence and misbehaviour on the part of the companies.

We'll see. I have a feeling that European consumers and web companies are in for a world of hurt.

>The fact you think GDPR only applies to websites rather than the huge clusterfuck of personal data loss means you haven't understood the reason behind GDPR.

I know that GDPR applies to everyone, I think it's pretty obvious it will be selectively enforced since the regulation is too burdensome. Do you think your local mom and pop hair salon that is not in compliance will ever be fined?


> VW haven't even been fined for cheating on their emissions test.

Exec has been fined and sentenced to 7 years[0]. VW have been fined $2.8B[1].

[0] https://arstechnica.com/tech-policy/2017/12/judge-sentences-...

[1] https://www.nbcnews.com/business/autos/judge-approves-larges...


By the US and 2.8B is a fraction of what they deserved to be fined. All VW execs should be in prison for the rest of their lives for what they have done.


Is that a bigger offence than „losing over 1400 migrant children” under an official governmental US programme, „some returned to child traffickers”? https://eu.azcentral.com/story/opinion/op-ed/ej-montini/2018...


And how is this related?


I guess it isn’t. There are laws which US considers to be broken by external entities, yet US introduces a completely inhumane programme worthy of DPRK. Where’s the logic.


[flagged]


Sure. But please remind me, how did we end up with VW case on a GDPR topic in the first place?


The original poster believes software should be regulated like cars. I pointed out that the fines for violating gdpr are larger than any fine VW will ever receive from the EU for literally killing people.


> All VW execs should be in prison for the rest of their lives for what they have done.

You must point to the laws violated. E.g. Schmidt made a false statement to the California Air Resources Board under the Clean Air Act.

Trial in the court of opinion and mob lynching is not compatible with the Western tenets of law.


>You must point to the laws violated. E.g. Schmidt made a false statement to the California Air Resources Board under the Clean Air Act.

>Trial in the court of opinion and mob lynching is not compatible with the Western tenets of law.

Stop trying to shift goalposts, my point is that if any company deserved to be fined 4% of global turnover it's VW and they have currently received a total of $0 in fines even though they have probably increased the likelihood of you getting cancer.


I thought we established they received a non-zero dollar fine.

Their annual profit is about $13BN, they were fined $2.8BN which is about 22%. I think that along with imprisoning an exec that was complicit in the lie is a significant and reasonable deterrent/punishment.

As for VW significantly increasing the likelihood of any given arbitrary citizen getting cancer I'd love to see the numbers on that. Sounds like hyperbole to me[0]

[0] http://scienceblog.cancerresearchuk.org/2012/06/14/diesel-fu...


> People die from cars that are badly designed. People don't die from facebook (yes I'm sure you can find some contrived example.)

I think the public, and much of HN, disagrees and is beginning to believe that the lack of privacy is undermining democracy, liberty, and human rights.


> contrived example

There are actually some historic examples. A university once performed scientific research on a minority group. Then the Nazis acquired the list and murdered the participants.

https://en.m.wikipedia.org/wiki/Institut_f%C3%BCr_Sexualwiss...

Obviously that's at risk of happening again, but machine learning and AI are at risk of learning to be discriminatory by training on data sets resulting from historic and modern discrimination.

When applying for jobs, it may be possible to enter somebody's info into a next generation background check software to get a % probability of the candidate voting for a specific political party, and declining to call/interview based on that alone.

Even when it's not intentionally discriminatory, this is leading to a future where the teller says "sorry, you were declined. I don't really know why, the computer just made the decision". Where's the accountability?

In credit reports, I can at least request my credit report and understand how to improve my score or dispute line items.


False equivalency.


One's related to safety. The other one's related to a nebulous concept of data privacy.


Right now, people in Saudi Arabia are being arrested for protesting in 1990: https://www.theguardian.com/world/2018/may/25/saudi-arabia-a...

In the US, people who gave their information to the government as part of a program to protect them from deportation are being deported.

Privacy and safety/security are not distinct concepts.


If my car crashes or I am extorted due to my sexuality or killed for my religion. All the same. It is deadly. Data Privacy is not a nebulous concept. It is a human right.

It is for that reason in the German constitution.


If you have to keep your religion secret to avoid being killed, you have MUCH bigger problems in your society that I don't think "nobody knowing who is secretly Jewish" is actually going to fix.

It's not like a future hypothetical fascist dictatorship isn't going to have access to the necessary records to piece it together or would follow its own GDPR constraints, nor would the GDPR stop it from arbitrarily deciding some people are Jewish without detailed evidence.

I'd like to think the GDPR is underpinned by better philosophy than a false hope it could prevent a future Holocaust.


I think it is generally based against discrimination and not focused on something as extreme as a state-organized Holocaust. Also GDPR does not care about this. For the GDPR these are just attributes which should be protected.

A core rule of data privacy is to restrict yourself to the necessary information you need. Religion like sexual orientation is rarely justifiable why it is collected at all.


You jest, but to use another example, aggressive regulations are exactly why manufacturers produce private aircraft designed 50 years ago.

Onerous regulations are always overcome, one way or another. (And airbags are not onerous.)


That's your opinion, not a fact.

Car manufacturers are required to put seatbelts in their cars because of regulation. In this case, it's not done to "decrease competition". It's not done to "increase monopoly". It's not done to "create central hubs of systemic risk". It's done to save lives.

Regulations affect profits, yes. Regulations may have unintended consequences. Making regulations that protect people and still allow for a healthy free market is a hard thing to do. It's heavily context- and market-dependent.

It is what it is and we have to live with it, but it's not as black-or-white as you make it sound.


And when it comes to European business law in particular, there's no reason to believe favoring incumbents and decreasing competition isn't an intended benefit.

When Amazon entered the French market, it tripped over laws putting a floor on discounts allowed that are intended to protect book sellers, not purchasers.


> Regulations tend to favor incumbents, decreasing competition

Except in Europe where it has done the exact opposite for telecom, especially compared to the unregulated US.


> telecom

> unregulated US

On the contrary, telecoms are very much regulated in the US. There is an entire commission for regulating radio/television/cable communications: the FCC.

I could hardly choose a more regulated industry than telecommunications.


The US has a problem of private industry infiltrating and co-opting government, and people largely normalizing it. The landscape for telecoms is simultaneously over-regulated with respect to allowing room for new players to enter the market, and under-regulated with respect to consumer rights. US regulations favor monopolies, and monopolies abuse their influence on regulatory boards to shut out new competition.

Regulation can mean different things to different people. It's just stupid, one-dimensional, shallow thought to try to paint all regulation with a broad good-vs-bad brush.


This is not an issue exclusive to the US. Simply look at all the back room sweetheart tax deals made in the EU with government officials.


Name any system that does not experience entropy.. all 'regulations' over time become corrupted/exploited. That's the nature of evolution and natural selection.


The biggest area of regulations are food safety, health care, mining and transportation. There is a large theme for why does exist and rather established history on how things were before it.

And while all those have their share of monopolies, I do not see how the current data handlers on the web before GDPR are better. Google is massive. Facebook is massive. The number of online newspapers that hold 90% of the market are few. Talking about how regulations are going to increase monopolies where it's already monopolized seems strange.


> Regulations tend to favor incumbents, decreasing competition, and thereby increase monopoly and creating central hubs of systemic risk

I realize that I've heard that before, but what is that based on?

> There is no free lunch with one-size-fits-all rule making. Unfortunately regulators think there is.

I've never heard of regulators, at least in the U.S., not considering the cost of regulations. It would be hard to avoid in the legal rule-making process.


> Regulations tend to favor incumbents, decreasing competition,

Who is more likely to be hurt by GDPR? Google, or DuckDuckGo?


> Regulations tend to favor incumbents, decreasing competition, and thereby increase monopoly and creating central hubs of systemic risk.

Have there been studies on this?


Regulation is essential to avoid having corporations run a country into the ground.


Can you back up such strong and broad claims with something?


It's hardly disputable that regulation creates barriers to entry. Nor it is disputable that barriers to entry limit competition.

See everything from lemonade stands[1] to taxis[2] to banks[3].

What is disputable is whether in total a regulation has a net positive or negative effect.

[1] http://www.newyorkcityfamily.com/2017/08/are-lemonade-stands...

[2] https://www.linkedin.com/pulse/uber-business-model-breaking-...

[3] https://www.investopedia.com/ask/answers/031015/what-barrier...


That it can, sure. It can also reduce barriers to entry. E.g. entering the ISP market anywhere in the EU is vastly simpler than it was, since the incumbents have faced legal requirements to lease last mile capacity at regulated prices (e.g. in the UK you can go to OpenReach's site and download the wholesale price lists), while they can also lay their own cables if they can afford it.


Not every claim on HN needs a backup. This one makes total sense to me. In this case, the article itself shows that regulation is definitely decreasing alternatives, which in turn can lead to monopolies


Glad you can tell how regulation affects a market after less than one day of being active law, and zero enforcement actions or cases suggesting how courts/regulators are going to interpret the rules.


You do know that GDPR is not the first regulation that has ever been written, correct? There is a huge body of economic literature already dedicated to the subject.


And you do know that not all regulations are the same? You are making it sound like some kind of universal consensus on the validity of regulations exists, but such a consensus does not exist because it's a way too complex, and wide, topic to be making blanket statements about.


> This one makes total sense to me

A lot of things “make sense” but aren’t true.


Cutting access in Europe does not solve anything. I'm living in US but I am European. Thus I can visit any of the above listed website they are processing my data, and GDPR applies to me. So they are not complying and I could file a complaint.


> Thus I can visit any of the above listed website they are processing my data, and GDPR applies to me.

"Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR." (https://ec.europa.eu/info/law/law-topic/data-protection/refo...)


File a complaint with who? There's no EU-wide data privacy regulator. Which specific EU country would have jurisdiction over an interaction which took place in the US?


> Which specific EU country would have jurisdiction over an interaction which took place in the US?

OP’s country. The "place" that interaction took place in is irrelevant here, unless the company "doesn’t specifically target its services at individuals in the EU"; OP is citizen of an EU country so the GDPR rules apply.

(edit: rephrasing)


That's not how jurisdiction normally works. A French citizen working within the US for a US company can't demand that they follow French employment regulations.


That depends entirely on how the lawmakers in question decide to act. Many countries claim jurisdiction over certain types of events occurring outside their own borders. E.g. Belgium claims jurisdiction over human rights violations. Norway and many others claim worldwide jurisdiction over sexual abuse of children. The US claims jurisdictions to tax US citizens worldwide. The question tends to rather be whether or not they are able to enforce them, and so normally in such cases the practice is to only prosecute if the people involved are within your own borders.

Your example is flawed in that most countries that use these kinds of mechanisms will tend to either require an extraterritorial jurisdiction to be written into the law, or will assume that only certain classes of crimes transcend jurisdictions. E.g. in the case of Norway, Norway has traditionally claimed extraterritorial jurisdiction over Norwegian citizens, but with the practice that things that are legal in the country you are in are generally not possible to prosecute in Norway unless there is a law that specifically claims extraterritorial jurisdiction (sexual abuse of children being one such example, where Norway may prosecute people who return from countries with weak or non-existent protection of children younger than the Norwegian age of consent).

In other words: It's how jurisdiction works if your courts want it to work that way.


France could absolutely pass such a law, companies would either have to comply or stop doing business in France.


Of course! But hiring a US resident who happens to also be a French citizen doesn't count as doing business in France.


Pretty sure the EU and US have deals that allow legal actions against companies in other's jurisdiction.


You are wrong and spreading disinformation.


No that's not correct. GDPR applies if you are in Europe. So a US citizen in Poland is protected but a Polish citizen living in the US is not.


Personally, this is the fun part of GDPR for me. The days of weaseling out of regulations for private data with cute workarounds are coming to an end.


How in the heck is "blocking all European users" a cute work around?

The laws apply to European people. What if a site just doesn't want any of these people to be customers?

The EU can't force you to accept its users.

If anything, the business should sue the EU customers who accessed their website without permission. You are breaking the rules as an EU citizen by doing so.


Things like this will test how much EU citizens value their privacy. Of course there will be some sites they will not be able to visit but time will show if they are okay with that.

These rules are very similar to rules limiting loans. No matter how desperate a person is and how low credit they have, in the US you can't give them a loan for above a certain amount of interest. That could be terrible for a poor person who is about to be evicted if they don't get some money right away. But we as a society are willing to accept that if the result is that more loans will be "reasonable".

If GDPR is enforced as HN people say it will be (in a good way) then the result will probably be that a lot of free websites ban EU users and smaller companies take their place with products that either cost money or will be a bit worse.

If it is enforced in a bad way then big companies who can navigate the law will get bigger because their small competitors will be too afraid of the law and shut EU users out.


So EU citizens will either revolt and destroy EU or read their news from somewhere else? More likely, will do the usual thing people do for geo-locked content: Use proxy or pirate until a convenient solution takes off. That convenient solution will be GDPR compliance by the offender or a competitor.

I mean, mild annoyance is nothing compared to the annoyance of a war-torn continent, I wouldn't bet too much on the destruction of EU or even withdrawal of GDPR.


> So EU citizens will either revolt and destroy EU or read their news from somewhere else?

Those are the only two options? Now that I know that, instead of what a practical person might deem as an option which is to repeal the law, the EU and GDPR proponents' mindsets make a lot more sense. I often wondered why new legislation was piled on older legislation that wasn't even enforced then, and why other statutes wrt cookies and what not cannot be seen by legislators as more bad than good and worth removing. Now I know.


My next sentence is literally a third option, describing what happens with geo-blocked content.


And that it isn't even an option to recognize a bad law and repeal it, even if it had good intentions, speaks volumes.


As an EU citizen, I don't think the law is bad but you are free to be upset about it, of course.

Please respect our laws and privacy or don't do business with us. We will be very sorry if your product is irreplaceable or we will use a competing product that complies with GDPR.


I didn't say the law was bad, I was saying if it turns out to be, repealing it should be an option. Too often there is no going back from these things because it's not considered an option. Instead only options like revolt, go elsewhere or use a VPN are presented.

Obviously the last incarnation of the GDPR didn't work for multiple reasons, the most oft-cited one being non-enforcement. Was the option to repeal and take other approaches to the problem considered? Nope...double down. Since people agree with the intent, the approach often appears above reproach.


Of course, it is an option, the problem is that you claim not to be and you claim that "the EU and GDPR proponents' mindsets make a lot more sense" because I asked a question to emphasize the "test" on the EU citizens.

I see you're in Texas. Don't worry too much about EU, we are doing fine. We will figure this thing out if it turns out to be more bad than good.


> Please respect our laws and privacy or don't do business with us.

Stop sending us your data and money? I don’t leave the US to deal with EU customers. You send requests to my server in the US. If you’re unhappy with me, stop doing that.

And it’s pretty rich to complain about companies not complying and leaving the market, while also using VPNs to use their service anyway. Apparently protecting your data isn’t as important as you say?


I haven't been given an option not to make calls to your servers, those websites used to load 20 tracking scripts without asking me. Thanks to the GDPR now I will be able to stop sending requests. What's the problem?

See, how browsers work is that they load this thing called HTML that describes the content and can load other stuff without asking me. Apologies if I accidentally sent any data or money, it wasn't my call. It was in the HTML that I loaded because I was offered to view a free article.


If it’s your right to use an adblocker under the theory that you should control what requests your browser makes from your device, then which requests it makes are also your responsibility.

Regardless, whether you intended to send my server a request is your problem. The fact is that you did, and that hardly gives full control of my business to whatever legal jurisdictions claim you as their subject.


Well, as it turns out, it's your problem. Like, literally :)

Anyway, don't be too upset about all this. The law is not banning you from collecting my data, you just need to be explicit and informative about it so that I can decide if I am going to send a request to your servers.

I'm often disturbed by the mindset that people are some business' god-given right to exploitation. It's the other way around really, that is, if you can find a way to serve me or solve a problem of mine I might choose to do business with you if I decide that the compensation you demand is fair.

If your business is unprofitable when you have to ask me for permission in plain English maybe it simply means that you don't have a profitable Business and you should consider doing something else.

We don't see business people complaining that government regulations are hurting their organ harvesting businesses, right? People decided that they don't want other people to sell their kidneys on open markets, so that business doesn't exist.

People at some point decided that they don't want to get cancer from Asbestos, regulations kicked in and the Asbestos businesses were destroyed.

This time around people seem to be in control of their data, if that makes your business unprofitable or impossible do what others did: Something else.


> Well, as it turns out, it's your problem. Like, literally :)

Only if the EU can enforce it, which they can’t. I don’t pay attention to laws from other countries that don’t apply to me and have no teeth, and I’ll ignore this one as well, until there’s some enforcement mechanism. At that point I’ll evaluate. I’d probably just block the EU though; not worth the hassle.


>not worth the hassle

There you get it. If your business is not profitable when you respect the privacy preferences of your users you simply don't do business.

It's not your god given right to violate user's privacy so that you can turn a profit.

In other words, if you can't make a profit by selling 1$ burgers when you meet hygiene requirements just get out of the 1$ burger business.

No need for hard feelings.


> If your business is not profitable when you respect the privacy preferences of your users you simply don't do business.

This is a false dichotomy:

1. Fully comply with the GDPR, no matter the cost, even if that's just legal and administrative because you're not actually doing anything in terms of data practices that would violate the law.

2. Go out of business, because you clearly are intending to do shady things that violate user privacy.

> if you can't make a profit by selling 1$ burgers when you meet hygiene requirements just get out of the 1$ burger business

Perfect example.

Say I run a burger shop that is perfectly clean and in compliance with all local laws, but the EU passes a law that says I need to fully audit all my food safety practices, publish them in a public place with their format, appoint a food safety rep in the EU, and comply with other vague requirements that they deem necessary, just in case an EU citizen visiting the US comes and eats at my shop.

Now, if I ignore that, am I "breaking the law"? I guess so. Just like I might be breaking some Indian law by serving beef at all (hypothetical). But does it actually matter? Can the law be enforced? Should I care as a matter of civic duty? Very likely not.

Worse, should the entire citizenry of the EU suddenly decide that my small town burger shop in Iowa clearly intends to feed every customer tainted beef and deserves their opprobrium and any fines that can possibly be levied by the EU, just because I didn't fully comply with their law?

And if they do develop some enforcement mechanism to use against small town USA burger shop, how is it not my right to put up a sign that says "Sorry, EU customers, but please don't eat here, as I don't comply with your laws"? Is your argument seriously that I should comply with every law from every jurisdiction in the world, just because a customer from that jurisdiction might wander into my shop, even when I've expressly told them not to?


See, that's not what GDPR does. Maybe in your alternative-facts GDPR, your case may have a point. I don't see why I should argue over a hypothetical GDPR, let's focus on the reality.

About the burger thing, we do not need to assume things here, we can examine the reality and the reality is that McDonald's complies with the EU regulations when doing business in the EU, local American burger shops that don't do business in the EU do not comply with the EU regulations. I hear that you have some amazing burgers in the USA, will definitely try a few local shops!


OK, so let's say that hypothetically I run a small business in the US. I just sell access to software (that lives on my server in the US) instead of burgers. An EU visitor comes to my server in my country and buys something. Why should I care about their laws any more than the burger shop owner should?


Is your argument that someone else in the business should care or is your argument that EU visitors should not have rights to their data because it is inconvenient to you? Depending on your arrangement, if you are a reseller for example, you probably are not responsible for what that software does with your customer's data.

Also, burger shops that do business in EU (usually chains, McDonald's and Burger King) do care about the EU food regulations, why shouldn't they and why shouldn't you? You are aware that McDonald's isn't steamrolling in the EU, right? They do follow the EU food regulations. And no, you don't have to be a big company to sell burgers in the EU, we have plenty of local independent burger shops all over the continent.


Burger shops IN the EU are a completely different thing.

My primary argument is that the GDPR's attempt to regulate companies in other jurisdictions because EU citizens go INTO those jurisdictions and do business is a dangerous precedent. If there was an enforcement mechanism for all such laws, it implies that any business or individual anywhere in the world with a website should therefore have to comply with any laws from any jurisdiction that are similarly constructed.

If my website says things about Islam that Saudi Arabia passes a law against, I should be fined.

If my website disrespects the king of Thailand, I should be extradited for imprisonment.

If I encourage NK citizens to revolt against their oppressive regime, I should end up in a labor camp.

After all, those governments have a right to say that if I want to "do business in their jurisdiction", I must respect their laws, right?

(To be clear, I'm not talking about enforcement of these kinds of laws, because all of those countries might do the above if given the chance. I'm talking about what I SHOULD do as a matter of morality or ethics or civic duty or whatever, or what my government should cooperate with those governments on, because it's just.)

But the problem is that they're describing "doing business in their jurisdiction" as a citizen from their country (maybe even one who is currently visiting my country) going online and sending my server requests, data, and money. And apparently explicitly telling those citizens to please NOT do that, or blocking them, is not sufficient. The only way to make the majority of the EU users on HN happy is to comply. Why would that same logic not apply to all other kinds of laws?


So do you argue that businesses that do business over the internet should be subject to the laws where the business is legally based?

So, do you say that EU businesses should be able to operate in the USA but according to the EU laws and without any consideration to the US laws?

Or is your argument something else, something selfish like all online businesses should operate according to the US laws or something like online businesses should not be bound by any laws whatsoever? Or something else?


> So, do you say that EU businesses should be able to operate in the USA but according to the EU laws and without any consideration to the US laws?

If by "operate in the US" you mean that they are based in the EU and allow US residents to visit their website and purchase from them, then yes, absolutely. Why would it be any other way?

I just don't see how the alternative works at all. Why couldn't some city in France pass a law that if a citizen of their city buys something from your site based in Hong Kong, you owe that city a tax of $50k. That's obviously ridiculous and not enforceable, but why is it not based on the same underlying legal theory that a business is bound by the laws of jurisdiction where visitors or customers to their site originate from?


Well, "HQ based law" is not the case and it's a much larger discussion that doesn't have anything to do with the GDPR or EU.

The USA too is going after foreign companies doing business with Iran or Cuba. The USA is not happy with cryptocurrency ICO's and it's enforcing it. The USA is forcing the world to respect DMCA.

The taxes are also an issue, even within the USA due to different VAT in different states.

These are topics that have been in discussion since the beginning of the internet and the dust is just settling and the solution is not as simple as "You obey to the laws according to the country you're based in". It's a huge huge topic.

Edit: And FYI, many countries do enforce a tax on foreign purchases. For example, Turkey will be forcing American internet giants to charge VAT to its Turkish clients and transfer that VAT to the Turkish government. Countries want to collect taxes, you can't really get away with "I am an American company so I operate tax-free" argument. Politicians will work out an arrangement like "I will make your tax law enforceable on my companies if you let me use your military base and purchase weapons".


You don't have to convince me that the US tramples on the sovereign rights of other countries just because it can.

The tax situation is a good example. Historically, sales tax has not been able to be levied by states against companies just because they have customers in that state. They have to have physical "nexus" in that state as well. There are a number of states trying to do an end run around that right now with "economic nexus", which will probably end up in the Supreme Court at some point.

Many countries try to say that VAT is due, but their ability to enforce is pretty limited. If you run a small business online and you WANT to pay attention to every single global tax jurisdiction and send them whatever tax they say is due, go for it. But if you don't, the practical reality is that there's nothing they can currently do about it.

I do agree that these issues are complicated and that the Internet has thrown a monkey wrench in a LOT of legal precedent in ways that will need to be sorted out.

I just don't think the GDPR is the right framework. Data privacy may be a human right, but so is democratic representation, and having governments all over the world pass laws that they say apply to my company is unjust.

EDIT: looks like economic nexus is being decided now: https://www.journalofaccountancy.com/news/2018/apr/supreme-c...


Let's agree to disagree about GDPR.

Anyway, it boils down to enforceability. EU is a huge entity and probably will be able to enforce the GDPR by forcing payment systems and gatekeepers like Google and Apple that legally operate in the EU not to do business with businesses that do not respect GDPR. Maybe it will be a bargaining point in some trade talks between other countries and the EU and EU will insist that the countries will help with the enforcement of the GDPR in exchange for something that other countries want from the EU.

As long as we don't live in some kind of libertarian anarchy world order, these things will be determined by the politicians.


> So do you argue that businesses that do business over the internet should be subject to the laws where the business is legally based?

Well, duh, businesses are subject to local laws! That is not an argument, but a fact. Don't take my word, ask your friendly lawyer.

What is your alternative? That online businesses are subject to the union of all the laws of all the countries whose citizens can reach them?! That's ridiculous. Do EU businesses follow Iranian regulations?


>Do EU businesses follow Iranian regulations?

Of course, if they want to do business in Iran. The same goes for every company and country. Don't you believe me?

Go to your iPhone's Settings-> General -> About -> Legal -> Regulatory

There you'll see which regulation Apple follows. Despite being a US-based company, Apple complies with the regulations of Canada, Europe, Japan, Singapore, Russia etc.

How do you even imagine that a company will be doing business in one country but will be excepted from the regulations because it's based in some other country? That would not be possible, companies would simply move to the least regulated place with the lowest taxes. Oh and they do that wherever possible (i.e. sell to EU from Ireland).


Well they ARE doing business. They are just blocking the EU.


Not when a US site uses a "copy protection" mechanism to ban all EU users, and grants a copyright license giving full access to US users and no access to EU users. Then your EU-based choice to use a proxy becomes a copy protection circumvention under the ECD, and the user is subject to a lawsuit.


Better Call Saul!


Well played sir.


> then the result will probably be that a lot of free websites ban EU users and smaller companies take their place with products that either cost money or will be a bit worse.

Availability of quality free content is not a problem, the content will just be available from other sources.

The big problem on the ads-monetized web today is ranking high enough, and the sites that don't want to apply GDPR will just have to compete with the sites that do have the extra push the EU market gives them. On the advertiser side, they make direct money from content accessibility so they will upgrade their tracker so it is GDPR compliant for EU-traffic with no work from the content publisher. That is a non-issue, this is just day one of a big change.

Let's also not paint a rosy picture of the web either. GEO blocking is a common daily reality for people outside the US. Any valuable and popular content is locked already, despite being monetized quite directly (see Netflix, Amazon Prime, ...)


>Availability of quality free content is not a problem

Only if all content on every web site around the world is equal. Which it is not.

If the quality was the same everywhere, and the same content was available everywhere, then people in Europe wouldn't have to go to web sites in other countries.

There are lots of reasons for companies in Europe to need to read the Chicago Tribune (PR clipping service, for example). But the Tribune's content is no longer available to the E.U., and will not be replicated elsewhere for copyright reasons.

As much as I dislike Tronc as an entity, I don't blame it for this decision. Within hours of GDPR going into effect, the lawsuits started flying. That's exactly why some companies decided it was easier to just opt out of Europe.


The question is - the sites that serve massive amounts of content (images, videos, etc) - will they be able to cover their costs in the EU without making their apps paid? What about currently free games which rely on personalized ads?


You can still run a free website and be compliant with the GDPR. The EU/EEA is the largest market in the world, closing yourself to a market that size will hurt more than changing a few things to be compliant.


>closing yourself to a market that size will hurt more than changing a few things to be compliant

Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles? The fact that it's potentially a large market is irrelevant to me. In this case, any moderately tech-savvy consumers can get to my site anyway using a VPN. But I've sent a clear message that I'm not marketing to European consumers.


> Only if I make significant money from that market. If most of my revenue/profit comes from the US and it's problematic to "do business" in the EU or China, why wouldn't I want to just cut access off rather than dealing with potential hassles?

Because you would rather grow your market?


If you run a free website that depends on targeted ads to make money, you might want to expand to the EU but now you'd need to totally change your business model to do so. For some that would basically mean inventing a new company because their service is not the type people would pay for. So in this case, it may not be worth it.


There are 6.5 billion non-Europeans, there's plenty of market outside of Europe.


> There are 6.5 billion non-Europeans, there's plenty of market outside of Europe.

The world doesn't have uniform GDP per capita. Potential European customers have more money to spend than most of those other potential customers. If you're looking for a new market, Europe is a juicy one.


They could still make some money from showing non-tracking ads to European users and tracking ads to American ones. Perhaps not as much, but as they have already written the content I don't see why you would just give up on that revenue stream.


The point is that, if I'm not making material money from EU residents today, it may be easier for me to just make it clear that I'm not trying to do business in the EU than figuring out if I need to do anything to become compliant. I may in fact be 100% compliant, but it may take effort to figure that out and there's potentially still some risk.

Personally, I do no tracking on my sites so it's irrelevant to me but I understand why news sites with primarily local readership would decide dealing with the EU is more trouble than it's worth.


This could definitely happen, but would not make sense for the Chicago Tribune and LA Times, which are big corporate entities united as subsidiaries of Tronc, Inc., and could even pool resources to have one compliance office among them from the parent company.

For a large, well-capitalized company to make this choice, it’s an indication of a few possibilities:

- Tronc doesn’t practice anything close to adequate IT practices to even know its compliance status, and prefers not to invest in doing so.

- Tronc can’t remain profitable if displaying GDPR-compliant pages in EU (this seems fleetingly unlikely, given the specific attempts to grow digital subscribership by marketing the papers as more global).

- Tronc is trying to make a political statement, like a boycott, hoping that many companies do this and it puts pressure on mitigating GDPR.

So while I agree with you for some small businesses just not wanting to mess with GDPR compliance or risks, however small, it certainly isn’t a viable explanation for these newspapers.


It's likely that it's just a side effect of months of institutional paralysis. The Chairman of Tronc stepped down earlier this year after allegations of misconduct and I believe they were negotiating the sale of the LA Times to an investor and the rest of the company to Softbank.


Well, you could! We’d be happy for you to make some space for a competitor who doesn’t make his money selling personal data.


I see this 'VPN' argument a lot, but it's wrong. If the Chicago Tribune tracks users accessing their site through a VPN, without informed consent, they are in violation. Art 3 para 2 in b makes the Regulation apply to them and doesn't make provisions about whether the controller or processor has a way to find out if the behaviour of the data subject takes place within the Union. I don't see any reason for a different interpretation in the Recitals, either. Furthermore note that subs a and b in art 3 para 2 are alternative, not cumulative requirements.

Let me rephrase: when you collect data on people with the goal to do behavioral / preference analysis on it, it doesn't matter any more whether or not you're 'marketing' to them, or even that you 'send them a clear message' you don't 'market to them'. The GDPR still applies to you.


The relevant language is in recital 24. “Factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.”

If the Chicago Tribune doesn't envisage offering goods or services to EU residents, it's not covered. And geofencing out EU residents is a pretty good indicator it's not. (Frankly, it probably doesn't have to--it's unclear why someone would think the Chicago Tribune was actively marketing to EU residents anyway--but geofencing them out certainly eliminates any ambiguity.) Someone can't find their way to a site, fake being outside the EU, yell gotcha, and expect European regulators to do anything about it whatever people may wish.


Sure, that's a criterion for art 3 para 2 sub a. What I am talking about is sub b, for which the question whether one offers goods and services is irrelevant (that's what I meant when I said 'a and b are alternative, not cumulative').

So the question is - does the Chicago Tribune 'monitor user behavior'? The recitals say about that:

In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.

If I look at the list of tracking scripts, it's rather obvious that this is what their 'data processors' are doing. Hence, the territorial scope extends to them.


I've been served ads on US outlets for products which clearly target my home market (Germany). This will make it hard to argue that you are not targeting that audience. In my opinion, if you serve ads on your site which target EU consumers, you're doing business here. I don't think it matters whether you do that through a third party.

By blocking EU IP ranges, that may change, I admit that. However, if by other measures like fingerprinting the browser you serve EU-specific ads to VPN'd users, you may be in for problems.


>> "offering goods or services"

IANAL but it would seem pretty obvious that any content a visitor might seek on a website would fall under the rubric of "services." It seems like a tough position to argue that since e.g. the Chicago Tribune doesn't offer subscriptions denominated in Euros, that it isn't offering services ("news") globally.

The only thing that today makes clear is that this law is a mess, and it will take a lot of litigation before anybody really knows what it means.


So you're saying that if I block my site to EU IPs, and someone uses a VPN to look like they're coming from the US and bypass that, they can then sue me under the GDPR? No way.


No, they can't 'sue' you; they can make a complaint to their data authority who will then decide if and what to do about it. So if your site blocks EU IPs and you then violate the privacy of someone in the EU grossly enough to warrant the data authority to make a case out of it, then yes. (provided everything else also applies, e.g. the things being talked about in the rest of this thread).


Put it in your TOS that European users are forbidden from using your site, and then if they complain to a data authority press charges under the CFAA, and sue them for damages you incurred due to their violation. Then let the courts hash it out.


Such TOS would most likely be 'unduly onerous' or whatever the local term for this concept is in other EU jurisdictions.

I've said this many times here already, but law is not a closed rule based decision tree. Intent matters, and laws are written in a way that they can be interpreted so that their meaning can be adapted to new circumstances or different times. Now, I'm not going to argue about whether that's how it should be (because that's such a trite 1L discussion), but it's a fact that it is.

So no, that's not how it works.


Unduly onerous to say you're not allowed to access the site if you're in the EU?

So the EU regulators can say my TOS have to allow EU citizens to access my site and my site must follow the GDPR.

That seems unlikely, and the fact that there's so much ambiguity around this is why so many websites are opting to block the EU rather than dealing with it.


In many civil law systems, there are limits to contracts. Sometimes these limits are codified, sometimes they're not. Let's take Dutch law here as an example, because well that's what my degree is in. The Dutch civil code has a list of so-called 'black' and 'gray' clauses in terms and conditions; the black ones are always void, the grey ones sometimes (obviously grossly simplifying here, I'm not going to type a paper on a phone). Many catch-all statements are either black or grey, especially when they are designed to absolve one party from their legal obligations. Nobody is saying anything about requiring you to allow EU citizens. What I'm saying is the GP's plan is an obvious scheme to avoid one's legal obligations, and will be treated as such - and hence won't be a defense or obstacle when an authority goes after a non-compliant processor.

Hence my comment up thread - the law is not a closed system you can program like a code wars game, where if you're clever enough a judge will say 'oh you outsmarted me here because your logic is internally perfectly consistent, have a good day sir'.


> Intent matters

So shouldn't the website's intent to block you from accessing it matter?


That point was part of a general observation. When something 'matters', that doesn't mean there can't be other factors. In this specific case I see no reason why the territorial scope would not extend to processors outside the EU when they monitor user behavior. Taking some limited technical measures to prevent access doesn't absolve them from the law to apply.


The Cambridge Analytica whistleblower is using Facebook and Google for incomplete compliance so yes, you can get sued.


I don't quite understand what you're saying here.


The relevant part of GDPR is Recital 23.

https://gdpr-info.eu/recitals/no-23/

Short version: GDPR does not apply if you happen to collect data on a few EU residents by accident (assuming you're not otherwise based in the EU).


This is only your opinion. It doesn't say that on the page you pasted. To be compliant you probably must clearly state that the service is not for EU residents and ask them to leave. Even that could be too little.


"...the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union [...] is insufficient to ascertain such intention"


This only applies to sub a (of art 3 para 2). So no, this quote does not confirm your assertion.


If you use a VPN to access a server that doesn't want you to access it, then you are breaking the Computer Fraud and Abuse Act in the United States.

Shouldn't you be the one sent to jail, as you are illegally accessing a computer that you were specially told not to access?


Maybe. That's entirely orthogonal to the question whether or not the person whose server it is, is affected by the GDPR though.


But if that person could get sent to jail for that, then I don't see why they would file a complaint.


I don't even see in the law whether or why the dpa would disclose the identity of the complainant. Maybe there are procedural situations where it would happen, I haven't really thought about it. I think people are too hung up on a specific person making a complaint. It's the dpa that will take action, probably removed a few steps from the initial complainant(s). This is not Law and Order style legal proceedings.


If they are from a poor EU village, it could be tempting to get into a US jail to learn the language and have free food and a bed.


When you don't, a competitor steps in, and if the day comes that you want some EU sales, you will have to spend huge sums to establish your brand if you are not a huge brand that's on TV shows and the News all the time.

Geo-locked products are nothing new. I lived in a communist country, a few EU countries and a middle eastern country and I can promise you that when a certain brand is not available a local competitor pops up and after the original brand becomes available it remains a curiosity unless it's a massive pop culture icon (McDonald's, CocaCola, Amazon, Netflix etc. - stuff that's on American TV shows all the time. The TV Shows are also geo-locked but local pirates make them available a few hours after the USA. Even in Cuba).

So, it's not a simple problem of if(profit < feel like worth it) then block EU.


> But I've sent a clear message that I'm not marketing to European consumers.

More like, sent a clear message you're not concerned about your users' data.

(Nothing personal, the signal may not necessarily echo the reality)


False. The marginal cost of an EU customer is no longer zero. Why should I put in a bunch of work for GDPR compliance if the cost to implement it exceeds the initial marginal cost of an EU user. There is still the rest of the world.


Good. If you do not value my privacy, I don't want you to do business here. Another product will replace your own. And in all likelihood an EU one, meaning less euros leaving the eurozone.

I'm all for it.


> if you do not value my privacy

False equivalence. You can do nothing untoward with user data and still not be compliant.


Exactly. The most basic/outrageous example: anyone in the EU who installs Apache and leaves it in its default configuration which logs all page visits indefinitely is now a criminal.

Spin up a DO/Linode/etc. instance and apt-get install apache2? You're now theoretically liable for a 20 million Euro fine.


Your point is that Apache default config is horrendous regarding log keeping policy? I agree.


Nobody would have said this a year ago. How are people getting so swept up in this privacy zeitgeist that they think web admins keeping logs is horrendous?


At my company doing this would be in complete violation of our data retention policy (not GDPR related). Where are companies running production services without handling logging of sensitive information? Regulation or not that kind of data is a huge liability for our legal department.


I know! Just imagine...your (likely dynamic) IP address exists in forgotten log files all over the web. The horror!

One of the most annoying things about the GDPR fandom is the black and white nature it seems to inevitably take. If your log files store IP addresses, you're clearly evil and shady and are violating human rights, just as bad as if you're recording people's conversations at home with the intent to deprive them of insurance or publish their sexual histories or whatever.

What possible "horrendous" harm is there from apache's default config storing IP addresses? Can you give me an actual harm that has befallen someone as a result of this that isn't some freak one-in-a-billion example?


You can log IP addresses. Keeping them forever is bad.

It means that any future government, no matter how evil it is, could query your log and know precisely what I am doing on the internet right now. I might not want that.


[flagged]


We ban accounts that post like this. Please post civilly and substantively, or not at all.

https://news.ycombinator.com/newsguidelines.html


You might want to actually read the GDPR. IP addresses are PII.


Are you disputing that GDPR disallows you from retaining visitor IPs, especially without explicit consent?


Yes. It's fine to retain IP addresses for a reasonable amount of time if you have a good reason to keep them, such as security. Just rotate them as usual, and don't keep them longer than you need.
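
One way to apply "rotate them as usual, and don't keep them longer than you need" to an Apache access log, as an added example that is not part of the thread: client addresses are coarsened after a short window and whole lines are expired after a longer one. The 7- and 30-day windows, the /24 and /48 truncation and the sample log lines are assumptions chosen for illustration; nothing in the thread or in the GDPR text quoted here fixes those values.

```python
"""Retention pass over an Apache access log: truncate, then expire, client IPs."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed policy values; pick your own and document the reason for each.
FULL_IP_DAYS = 7    # full address kept this long (e.g. for abuse handling)
MAX_AGE_DAYS = 30   # line removed entirely after this

# Common/combined log format: client address first, timestamp in [brackets].
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_ip(host):
    """Zero the host bits: /24 for IPv4, /48 for IPv6. Other values pass through."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host  # a hostname or "-", nothing to truncate
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def apply_retention(lines, now):
    """Return the lines that may be kept, with older client addresses truncated.

    Lines whose age cannot be established (no match, bad timestamp) are
    dropped rather than kept, so a parsing gap never extends retention.
    """
    kept = []
    for line in lines:
        line = line.rstrip("\n")
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        except ValueError:
            continue
        age = now - ts
        if age > timedelta(days=MAX_AGE_DAYS):
            continue  # past the retention limit: remove the whole entry
        if age > timedelta(days=FULL_IP_DAYS):
            line = f'{truncate_ip(m.group("host"))} {m.group("rest")}'
        kept.append(line)
    return kept


# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_NOW = datetime(2018, 5, 25, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    '203.0.113.57 - - [24/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/May/2018:08:30:00 +0000] "GET /news HTTP/1.1" 200 2048',
    '2001:db8:abcd:12::1 - - [12/May/2018:09:00:00 +0000] "GET /a HTTP/1.1" 200 100',
    '192.0.2.9 - - [01/Apr/2018:00:00:00 +0000] "GET /old HTTP/1.1" 200 10',
    'not an access log line',
]

if __name__ == "__main__":
    for entry in apply_retention(SAMPLE_LOG, SAMPLE_NOW):
        print(entry)
```

Run it against rotated files as well as the live log, since the stock rotation setup only limits how many files exist, not how old the addresses inside them are.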


Consent is one basis for gathering personal information. It's only one, there are five others. Consent isn't always needed.

The fine for this would not be €20m either.


Oh, it's much worse than that :)

Do the same, but from any country in the world, and make sure your welcome page has multiple languages, including some EU ones. Now you're specifically targeting EU users and you're liable for up to 20 million euros.

The response from GDPR fans is that: a) regulators would never levy such a fine, or b) they can't enforce it, or even c) that of course you should be fined because you're a filthy scammer who is stealing people's data and violating their human rights!

But all that misses the point: in what universe is it reasonable to even make such a claim to begin with? And why should I have to trust that the regulators will be more reasonable than the law requires, or that they won't be able to enforce what they'd like to do? And why should I have to comply because you sent me your info voluntarily??

Is there something that makes the internet different here? If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?


> If someone in the EU puts some personal info in an envelope and mails it to me and I never get around to opening it and it just sits on a stack with other junk mail, am I now violating their human rights by keeping the info they voluntarily sent to me?

Everyone I've tried to make this point to has ultimately said something to the effect of "yes, you're violating their rights by not throwing out the letter." It's baffling.


How so?


> another product will replace your own

That's optimistic ... but there is no reason to believe in many niche areas that another equally good product will do that. It is very plausible that in fact what will happen is that EU customers will be significantly delayed in accessing valuable services and products. And in many cases the web sites providing those would be making no meaningful intrusion on privacy in the first place.


Launch in the rest of the world first, if you're successful then think about the EU. Seems like the way to go.


If I run a free website, I have 0 revenue. Why would I care how big the EU market is?


*The EU/EEA is the largest market in the world*

Define "largest" in this context.


Never mind. I looked it up.

The European Union is 7% of the world's population.

So by "largest" he means "not largest," as in there's still 93% of the world left to do business with.


> The EU/EEA is the largest market in the world

Please don't believe your own propaganda. EU/EEA revenue is a fraction of US revenue for all large multinationals. Small businesses probably make even less from the EU.


> the result will probably be that a lot of free websites ban EU users

Good riddance, at least we know what websites we shouldn't have visited in the first place.

> smaller companies take their place with products that either cost money or will be a bit worse.

Or they will be better and still be free.

News companies are dying, news is a commodity, if I can't read something on the LA Times, I'm sure I'll find that same article on some other news site.

> small competitors will be too afraid of the law and shut EU users out

It's not a complicated piece of legislation, the short version is this simple: only collect data you actually need on your user to offer your service and be prepared to explain why, that's basically it.

> But we as a society are willing to accept that if the result is that more loans will be "reasonable".

The actual reason is that if you don't limit the loans, your economy will collapse.


You assume that just because someone doesn’t want to go through all the hassle of being GDPR compliant that the website is somehow bad? Among other things this includes setting up an EU representative—a high bar for a free product..... Obviously you haven’t had to deal with GDPR compliance.


> You assume that just because someone doesn’t want to go through all the hassle of being GDPR compliant that the website is somehow bad?

If they are not collecting any personal data, there is no hassle. Do you think it's somehow bad for a car manufacturer to not want to go through the hassle of making their cars conform to the safety standards?

> Among other things this includes setting up an EU representative

Citation needed.

> a high bar for a free product

The product is not really free because users pay for it with their data, which was unclear before.

> Obviously you haven’t had to deal with GDPR compliance.

Obviously from what? Are you a GDPR compliance expert?


> Do you think it's somehow bad for a car manufacturer to not want to go through the hassle of making their cars conform to the safety standards?

Ah yes, the old "all regulations are equal" argument. It should come as no surprise to you that people view safety regulations on automobiles as vastly different than regulations on what a company can do with data about you.


And there are people that think that seat-belt laws are an affront to human dignity. What's the point?

Safety regulations exist because people wanted them, and the same is true here for privacy and data protections. Unless you can convince EU citizens en masse that they don't want the rights and protections afforded to them by this law then it really doesn't matter what any particular person thinks.


>Obviously from what? Are you a GDPR compliance expert?

You don't need to be a GDPR compliance expert to know that the costs of implementing GDPR are huge and I doubt any GDPR experts actually even exist today.


> You don't need to be a GDPR compliance expert to know that the costs of implementing GDPR are huge

So you don't actually know anything, but you are going to pretend to know that it's "huge".

> I doubt any GDPR experts actually even exist today

Then why be so condescending and pretend that you are actually one?


You only have to have gone through the implementation challenges personally to know that it’s hard and the costs (to do it by the letter) are high. In fact to do it by the letter you’re going to have to hire a law firm to ensure you’re compliant and they’re going to err on the side of caution and take you down a rabbit hole of implementation changes.


Can you give me a concrete example where the GDPR forces you to do a lot of relatively costly stuff that is not worth doing otherwise?


I did. First hire a lawyer to review your GDPR compliance and recommend changes, and also set up an EU representative who can assume liability.


>News companies are dying, news is commodity, if I can't read something on the LA times, I'm sure I'll find that same article on some other news site.

Or the original news simply ceases to exist as is already happening at the local level in many cases. There's probably a continuing market for some global news organizations that are at least muddling through with subscriptions and other products. (Or not. See story on Time Inc. recently.) But I suspect the non-national/international journalism will continue to decline.


Websites could be compliant already, but don't want to spend money on an audit that would still be inconclusive, as there is no official interpretation of the law.
