The first one: https://noyb.eu/wp-content/uploads/2018/05/complaint-android...
The user sets up a "new" (non-Google) phone, and isn't given an option to decline consent to Google's ToS.
Now how does this work with a physical product? It needs to be compliant on the 25th of May 2018, but the version of Android may be old and not updated (given it's Android). Even if there was an update waiting to resolve GDPR related issues, you would need to agree to the ToS to get that update, to enable opt-out?
In that point of view, it seems a rather unfair complaint. I haven't checked the others yet, but I start to feel that perhaps these have been filed too early, without enough thought and examination, just to get headlines?
It is an unfair complaint. But to be fair to the regulators, these complaints were filed by users, and may well be dismissed once reviewed by regulators. This type of unfair complaint will be an interesting test to see just how abusive the GDPR enforcers may or may not be.
Google shouldn't be collecting data from users who agreed to share their data based on outdated ToS that are no longer legally valid.
They should ask for agreement to new GDPR-compliant terms just as they do for users who agreed to the old terms before GDPR was law.
If they stop collecting data for those users (at least until they opt in to an updated ToS) that would work around the problem.
In this case, fortunately, the hardware may not necessarily need to be destroyed, but it couldn't be sold until the software stack complies. Or, more likely economical, ship the phones somewhere where they are still legal and ship new stock into the EU with updated software. Or make sure there's an immediate update available for the phones and petition the EU for a variance on the grounds that as long as they update, they'll get compliant software. There's a number of options.
But the OEM, Network don't approve / supply those updates, is Google at fault? (In this case it's a non-Google phone running Android)
Great question. I have no idea, and with the GDPR having been looming on the horizon for two years now, is something that would be beneficial (and cost-effective) to spend money on getting quality legal advice.
To anyone who has seen the complaints about startups having to spend $20k on a lawyer to explain the GDPR to them, a small startup won't be facing complicated legal questions like these (and those who insist on doing so, have been given ample warning).
A friend of mine has an online business that involves offering/reselling/managing a client's domain registrations (as part of a package of specialised hosting services). Meaning he can't really get around sharing his clients' information with third parties (registrar, other domain shop, I'm not sure). 25th of May approaching. He reads up on the GDPR, makes some adjustments to how or what data he stores (because earlier, you know, it was considered good practice to "store all the things" just-in-case), writes a 3-page license agreement (I suppose he took a boilerplate example and adjusted it to his needs), sends it to his clients to agree, and done. Less than a week's work.
Information commissioners can't require data controllers to do things which cannot reasonably be done. So I think this ends up with "the existing phones are fine for technically necessary data processing, but buying an Android phone cannot be direct marketing consent in and of itself".
Presumably, if moderately recent phones were compliant, Google could ensure that outdated/invalid consent forms were only tentatively accepted until Play Services updated within the first day or so of activation, and then presented a remedial consent form which was GDPR compliant. The EU would very likely accept this solution as a technical best effort method to ensure older devices were respecting people's rights.
But it sounds like they never really put in the effort. What version of Android is GDPR compliant? 8.1?
If you have to agree to their ToS before you can use the device, it should be before you purchase.
Google intentionally waited until they had your cash to say GOTCHA! We require an additional payment of your soul. Now it's biting them in the ass, it is entirely fair.
If you buy from the Google store, you'd have to agree before buying (you can't buy without an account).
If you don't, then the seller had to notify you before your purchase. Google had little influence there.
And your argument doesn't work if you're talking about third party devices, which the parent was.
Android itself is open source. OEMs aren't forced to bundle the Google services with it. This can't be blamed on Google either.
They're probably still violating GDPR, and I'm looking forward to the first real cases. These are just silly.
I am curious, I have a Samsung device and I note that I can't uninstall Gmail. Is that Google's choice or Samsung's choice?
This would give privacy-oriented people the option to simply opt out of anything Google and still uphold the pretty good stock experience.
But this is IMO still not Google's task. OEMs choose to just flash Google's services and apps by default right into their OS. That should only be done after the user said 'yes, I want to tell Google everything I do'.
(I know this because I worked both on the setup system and on one of these "zero-day updates", where we fixed some bugs between when we sent the "final" image to the manufacturer and when we actually shipped devices)
Perhaps it's possible to do so by pressing or holding some obscure sequence of buttons, but in that case it is reasonable to argue that a 'hidden' option isn't really an option at all. After all, you can't hide microscopic text on a paper contract and expect signees to be bound by it.
There may be stock Android phones out there that do provide a clear option to not use a Google account, but there are certainly many phones that do not.
On the bottom of that page in grey is a skip button. You do that and you've skipped over it.
You can turn off the phone and sell it on eBay.
This is nonsensical. You cannot have rights w/o government anyways. You may have privileges or power to force others to comply, but "rights" are defined by a third party entity that enforces them.
Enumerated rights are the rights the GP was talking about. These are defined in law, though may derive from natural rights.
How is it overreach and how is it solved without regulation? Equally, how is there any going back from the corporate overreach without?
To stick to the general. Who pays for education and promotion of alternatives against industries spending billions? Either it's coming out of tax or a regulation is required to force educational messages and disclaimers. If neither it just seems a way to assert the status quo as any interested party or user rights group that does get a little visibility will be immediately advertised against by those with a financial interest but far deeper pockets.
Regulation might not be perfect, but seems to be the only viable way left to limit the problems that come with unrestricted commerce.
You give using a phone while driving as an example. UK tried PSAs for years before ultimately outlawing it. Enough were seen ignoring that law that they doubled the penalty some years later. From the occasional piece I've seen on US sites that mention the issue I get the impression that distraction from phones is a disappointing but accepted facet of modern driving.
The older I get the more agreeable I feel to more regulation and adequate enforcement. Without it companies large and small, and individuals, are too inclined to be abusive - of pollution, of privacy, of financial misselling and so on. All to make that sale or commission. Caveat emptor works when it's a consumer against the local greengrocer, or taking a survey before house purchase. Not so much when it's a consumer against multi-nationals employing psychologists and so forth which is why most UK consumer regulation has been steadily moving away from that model for years.
As a European I can look at the US, who prefer minimal regulation, and see it as providing much confirmation that I don't want to do it that way. I'm a little disappointed that UK governments frequently do wish to adopt a US-lite approach.
Regulations aren't necessarily designed to be "fair" though. If GDPR is written in a way that manufacturers need to recall all stock and update phones, its cost is part of GDPR compliance and a fair tradeoff for its benefits as per EU citizens.
This is the key point. As the saying goes, on Facebook, you aren't the customer, you are the product.
The GDPR just changed this -- rightfully, in my opinion.
The sad truth though is that the users who are most likely to pay to get rid of ads, are also the users that are most valuable to advertisers, because that's a signal they have more money to spend than the rest.
Facebook's ad targeting can be similarly disabled under https://www.facebook.com/ads/preferences/?entry_product=ad_s...
I'm genuinely curious: what's so much more annoying to you about untargeted ads? I've never found targeting to be effective at showing me ads that were genuinely better or less annoying.
I feel more comfortable with untargeted ads, since I can be much more confident nothing truly sneaky is going on, especially if technology ever gets good enough to reliably manipulate me to buy more now.
I'm not the guy you're responding to, but I think the key difference is this statement. I had untargeted ads on for about a year and they were always irrelevant. Since returning to targeted ads, I now see things all the time that I'm at least mildly interested in (mostly startups and new services, and/or tools/software I want to try out).
I don't care if I'm being coaxed into buying more: the things they're tempting me with are legitimately interesting and I have the ultimate say on whether I buy it or not.
Untargeted ads don't give that choice: they're just always irrelevant to my interests.
In any case, except for a few specific circumstances, I've rigorously used an ad-blocker so I haven't had to deal with any ads at all. The last ads that I have seen were on Facebook, but even it couldn't seem to do a good job, even though it's purportedly the master of targeting.
Really? I kind of despise the targeted ads. They're typically poor quality, and often it's some website I visited months ago to look at one product constantly dangling that product in my face in a desperate attempt for me to come back and buy it.
Show me the cars and potato chips, please!
That said, I also really don't like seeing ads at all.
I wouldn't think so.
Sadly, Google Contributor is not available outside the US. I am eagerly waiting for it.
It won't be cheap.
$20 is cheap.
Seriously though, behemoths do fall and if Facebook ceases to exist there will be no harm but good in my book.
The result: 973 of those sites disappear. Diversity of choice just collapsed. Starting a new recipe site or blog just got 100x more difficult. But hey, in Communist Internet, who needs lots of recipe sites.
I guess you mean the kind where either there are users providing those for free or it uses a huge number of compiled ones, not some person inventing new ones.
I would wager that 970 of those sites can be run for virtually no cost, either maintained by loyal community or the wide internet.
Furthermore, I agree with the sibling commenter in that these sorts of websites usually just publish what community submits anyways, so we can have a bunch of wikis instead.
P.S.: Everybody should know the difference between trying to overcome the status quo which is selling yourself to companies and hoping that they do not abuse you, and things like communism or government overreach. And if businesses will lose money or get closed if they stop bad, malevolent practices of theirs, good riddance. Let the sanity get the better of them.
Various companies will probably still gather and sell data for even more nefarious purposes, like manipulating elections, but that’s a different battle.
Facebook will yield more than $100 per active user in the US and Canada for fiscal 2018. That's going to $200 from here over the next six or seven years (it doubled from 2015 to 2017). No meaningful number of users are paying $15 per month out of pocket for Facebook.
Google search is similarly worth a lot per user in the US. People would be irate if they had to pay $10 or $20 per month to use search engines after commonly enjoying the free utility of that for the last two decades.
If you divide revenue by users you get between $1-$2 USD. I need to know how NA are 50-100 times that.
Note that it is reported quarterly (I had some numbers but took them out when I realized I was using 1 quarter instead of the year).
I also think it's conceivable in a more equitable arrangement with paid subscriptions that you could easily have a sizable number of paying users not being active in a given month.
Now someone can actually try and compete with a free service. It might not work but it's a step closer to happening. For example we have had open source federated social networks, and non-profits that ran email services.
A lot of people don't seem to know that GSuite is both usable (useful, even) and affordable (cheap!) even if you are a solo user.
Here's a quick howto:
1. Go buy your own domain name (~$10/yr, https://www.gandi.net/). Make it something you like, something professional. This is for your personal email address. firstname@lastname is the most common pattern.
I recommend everybody do this. Even if you want to stay on gmail, yahoo, aol or whatever you can set up redirects. This becomes an email address you truly own, and your email provider cannot hold you hostage anymore.
2. Create a new GSuite account ($5/mo, https://gsuite.google.com) - The entire setup is guided and completely painless if you're even slightly technically-aware.
3. Migrating from a previous Google account: You can use Google Takeout to get a lot of your data (https://takeout.google.com/). Unfortunately, migrating the data automatically is hard. For email you can set up IMAP from Gmail, for Drive there are migration scripts. But you also don't have to migrate immediately, Google is good at multiple accounts.
I know I'm sounding like a Google shill right now, but GSuite really is what people tend to ask for when they talk about Google's handling of data and say they'd pay $5/month to "regain their privacy". Well, here's your occasion to do so.
> 5.2 Scope of Processing.
> 5.2.1 Customer’s Instructions. By entering into this Data Processing Amendment,
> Customer instructs Google to process Customer Personal Data only in accordance
> with applicable law: (a) to provide the Services and related technical support; (b) as
> further specified via Customer’s use of the Services (including the Admin Console
> and other functionality of the Services) and related technical support; (c) as
> documented in the form of the applicable Agreement, including this Data Processing
> Amendment; and (d) as further documented in any other written instructions given
> by Customer and acknowledged by Google as constituting instructions for purposes
> of this Data Processing Amendment.
So no, they probably can't track and feed that into youtube ads, because it is not a cause that provides the service or support.
Afaik Google announced last year that they stopped processing GSuite account emails to a large degree.
Well, that's surely reassuring.
It's hardly yours. Using a custom domain for anything sensitive like banking is not a good idea. Your registrar is almost certainly a lot easier to phish/social engineer/whatever than Google.
Please don't spread unsourced FUD. I'm not saying registrars are perfect (although Gandi, which I linked, has an impeccable track record), but everyone uses registrars for their domain name, even the biggest businesses out there.
If you have a problem with a particular registrar, I invite you to source it and share it. But the general idea that the potential for a point of attack makes the email "not yours" is nonsensical.
What matters is the email address you give out to people. Where that email is stored and ends up doesn't matter. Which registrar owns the domain doesn't matter.
@pinboard has explained on Twitter that registrars can get tricked into letting an attacker into your domain account (of course they can). And from there they can update your zone file to send your mail wherever they want.
This isn't about the storage of your email.
Everyone uses registrars, but in some cases you can be your own registrar. Like in Finland, when .fi domain registrations were moved exclusively to registrars (initially you would register domains with the Finnish FCC equivalent, later an option was added to let a registrar handle that for you and finally it was moved to just registrars), quite a few companies and individuals registered to become registrars for the .fi domain.
b) Who is going through all the trouble to target me specifically with a phishing attempt?
There is no fundamental right allowing tracking or advertising.
There is a fundamental right to privacy.
Can we expect an EU government agency to validate companies on a regular basis? And if not, would they even cooperate with white-hat hackers to find offenders?
Also, from what I read, data protection agencies have been understaffed and overworked for years now.
"Why did this company pay you $x million?"
The regulation counts 58 000 words.
IIRC almost _half_ of the actual regulation is about what and how the member countries should set up their internal supervisory authorities and the rest is similarly specific.
There are innumerable checklists, summaries and guides on how to deal with GDPR as well.
The two I like are:
Is a hash of an IP address PII?
What makes it "invalid"? If you can identify a person by their IP, then the IP becomes a part of their personal data. For most websites it's irrelevant, because people just visit and leave. But if someone signs in with their real name, you just need to update the ToS saying that apart from their other data you also store their IP. How complicated is that?
On the other hand, if you plan to sell the IPs associated with some other data to a third party that can easily link it to people (Google and Facebook can), you may want to consult a lawyer.
Can I still have a forum where users submit text?
Those of us in fields regulated prior to GDPR are laughing at you.
If you have to charge money, your chance to overcome the network effect of FB or an established site is difficult, because en masse migration of users to a new service typically goes hand in hand with that new service being offered freely.
Conversely if you don't charge money, your ability to fund the development of a competitor is based on reduced ad income since you can't offer targeted ads, which is going to shorten your runway by a significant amount.
These two things seem to indicate that the likelihood of building something that replaces one of the existing social services goes down. I don't think it makes it impossible, but the law seems to make it less likely that the social app incumbents get replaced (if that was at all possible).
As far as those in other regulated fields having done this for some time, I can't think of many regulated fields where the network effect is so high as social apps, so it is probably a bit apples to oranges. Presumably it is not as large a deal in those markets where social network dynamic is not as strong.
Here are the parts of the 'legitimate interest' basis which are most useful to Facebook:
The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business.
So Facebook's lawyers can simply say, "It's in our legitimate interest to maximise advertising revenue".
You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose.
Facebook's lawyers can say, "It is necessary for us to use personal information about our users, such as their age and location, in order to maximise our advertising revenue".
The GDPR is clear that the interests of the individual could in particular override your legitimate interests if you intend to process personal data in ways the individual does not reasonably expect.
Facebook's lawyers can say, "People expect that we use their personal information such as age and location to determine what ads to show them, so the interest of the user does not override our legitimate interest of maximising advertising revenue."
See here for an explanation: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...
PS: the EU can't wait to give fat fines to companies like Facebook and Google, due to their tax evasion schemes. It's the whole reason for why these companies haven't been able to stop GDPR, with all of their lobbying prowess. And I don't care about such motives, as an EU citizen I'm glad that GDPR exists.
Ads on TV have been non-targeted since the TV was invented, TV stations have survived thus far and are doing a little better than online publishers.
Note that we are talking of tracking individuals. You can still say a lot about the demographics of a TV show and thus do ads targeting based on the actual content being watched. That's not user profiling and while you can infer a lot about those watching, it's not dangerous either, because you're not keeping a history of what that user watched.
Saying that tracking individuals is necessary for getting revenue is disingenuous.
Besides, in case you aren't watching the news, the biggest problem for publishers is by far ad-blocking, not GDPR. If they would have respected people's privacy, security and time, we wouldn't have been in this mess and we wouldn't need laws. In our country we have a saying, you sleep in the bed you make ;-)
I'm definitely not saying that. I'm saying non-targeted ads generate a lot less money than targeted ones which means the content on the internet won't be as good as companies will generate less money to pay for the content.
In the extreme cases as we are seeing now, businesses are shutting down or blocking all EU users because the peanuts they would make from generic ads are not worth the server costs, content creation costs, costs to comply with the law, and potential fine costs (risk).
But no, it won't happen, because the EU is the world's second biggest market. If China can afford to coerce companies into censorship and violating people's rights, the EU can afford to impose some privacy laws as well.
And as I've been saying elsewhere, targeted ads are only needed at this point because people are fed up with ads due to abuse, this being a race to the bottom anyway. Pretty soon targeted ads won't work well either, how well they work right now is questionable and all of that data will have been collected already, ready to be sold and abused.
Take this with a grain of salt since I am not from China and really only know about it from HN: The EU is not nearly as powerful as the Chinese government nor do I think the general Chinese population is aware of how much better G/FB/other sites are outside of China (admittedly speculation on all accounts), nor are they in a country where they can vote to change laws (pretty sure on this one from what I have read on HN).
If G/FB suddenly stopped supporting EU users, they would most likely cry out so loud that the law would get reversed in days. This law seems to target privacy and opt-ins mostly and I as a programmer don't even give a shit about those since they give me amazing services for it. I highly think most people want the free apps with targeted ads over a full block or paywalls.
Not sure what that's supposed to mean.
> If G/FB suddenly stopped supporting EU users
But they won't because they are not stupid. Instead they'll start respecting the privacy of EU citizens, which is going to be a win for us.
> I highly think most people want the free apps with targeted ads over a full block or paywalls.
Most people aren't aware of the threat to their privacy.
Also, do you work for a company that makes its living off targeted ads?
Not that I judge you or anything, I worked on a startup in the past building a platform for serving ads on bidding exchanges (what Criteo has been doing, except they succeeded). And now I'm working on anti-ad-blocking technologies. But I'm also privacy aware, as I've seen full well what targeting can do and I don't suffer from double standards.
The people that defend ads targeting are those that work in the ads industry.
The number of TV stations has a hard limit, so that's why the average TV station makes more in ad revenue than the average online publisher. But the top online publishers (Google and Facebook) make much, much more in ad revenue than the top TV stations.
Perhaps we should just give out operating licenses to 1000 websites and force the rest to shut down :)
It's amazing the point we've reached, where egregious tracking is so normalized that we assume it's fundamental to the internet's feasibility. Facebook and Google aren't meek charity-organizations, trying to give the world free stuff and only asking for the pittance of our data, to help keep the lights on. Their profit margins are enormous. They could do quite well for themselves without any tracking at all, just showing random ads. Not to mention that many people would pay for their services if it meant getting rid of ads altogether.
The reason they don't offer individuals the option to pay for their services instead of being tracked isn't out of charity. It's because they would make less money. Your data is more valuable than any reasonable monthly fee you'd be willing to pay.
If GDPR puts an end to the gold-rush that's happening at the expense of everyone else in society, forcing tech companies to make a normal amount of money instead of an insane amount of money, that sounds to me like an unambiguous good.
GDPR is not against the ad business, it is only setting limits and obligations on how you can use personal data. It is saying that it is not normal for businesses to build huge user profiles without oversight or even consideration.
Yet somehow, I doubt that GDPR would exist if Google and Facebook were German companies, rather than American ones.
And Germans are more privacy aware than Americans, for obvious historical reasons.
People that blame Cambridge Analytica are missing the point, which is that Facebook is a threat to everything we know just by existing.
You are right. GDPR is a very German thing. We essentially have a two digit party (the Greens) which rose because of the rejection of a general census (and nuclear energy). In Europe we are also not alone with that (see Pirate Party).
Oh and regards sensibility: The EU tried that. Google and friends gave a shit. The result was creating a regulation more painful to them. These companies apply their US based understanding of right and wrong to the globe. You see China, EU and Russia are reacting and applying their local rules. With different methods, but they do.
You can still have targeted ads without tracking user data. Show ads for gaming content on eurogamer/ign, or ads for technology on techcrunch, or ads for Viagra on WebMD.
How does GDPR relate to "tax evasion" at all? Also, Google and FB set up to pay taxes in Ireland, which is a member of the E.U. That seems legal to me. See https://en.wikipedia.org/wiki/Double_Irish_arrangement
It's meant to try to plunder some of the global revenue that Google, Facebook, Microsoft, Netflix, Apple, Amazon, Twitter, Snapchat, etc. are generating. They're betting that these companies will slip up at some point (who the hell taxes revenue, instead of profit, other than the backwards Russian state anyway?).
Amazon is going to $400 billion in sales (and is about to have a giant, lucrative ad business). Google is going to $200 billion in sales. Facebook is going to $100 billion in sales. Netflix will have 250 million subscribers. Apple is pushing toward $250 billion in sales.
GDPR itself wasn't designed just to tax the US giants. The 4% tax on worldwide revenue however does exist solely to try to get loot from the US tech dominance. As the EU gets left further and further behind the US tech colossus, their rage and envy will increase by the year.
The Germans like to snark at the Americans about how they should build better cars. Well, Europe should learn to build better tech, and learn to pay their engineers what they're actually worth if they want to compete with the US that pays 3x or 5x more.
I'm a European and I must say that's bullshit.
Yes, you can earn 3x to 5x more in Silicon Valley. Property prices are crazy expensive however, many people can't afford to live near their office, with crazy commute times being common, the schools there are either expensive and crazily competitive or poor, if you work on your own or in a startup it's pretty common to not have health insurance, in which case you can get fucked, plus your gun control is pretty broken and it's horrific to see kids shot in US schools all the time.
I live in Romania. I'm within 15 minutes of my office that I do by bike, I have both public and private health insurance for cheap (and in spite of popular opinion, Bucharest has some of the best trained medical personnel in the world), my earnings are well above the average which means that for me the cost of living is cheap, my 8 year old son goes to a good public school, I own my own apartment and we'll build a house in the future too and I freely travel to Berlin, Munich, London, Barcelona, Rome, etc. yearly for conferences and I can walk the streets of Bucharest without fear, gun-related murders and murder in general being almost unheard of.
People in Silicon Valley may be earning 5x, but the cost of living is 10x at least.
If anything, Silicon Valley is only attractive because all the cool companies are there. But you know what, due to the high competition, nowadays you've got plenty of companies hiring remotely or opening offices in Europe. I'm fine with that.
And I'm completely sympathetic to the argument that you're making about compensation vs. cost-of-living, but I think you're mistaken. The cost of living isn't 10x that of Europe. Taking into account taxes and government benefits that we have to pay for ourselves, it's probably more like 50-100% more expensive to live in, say, the Bay Area or NYC vs. any major metro area in Europe other than Eastern Europe, which will catch up eventually. I could be wrong though! I live in NYC, in a very nice 2 bedroom apartment in a doorman building right next to a large park. My daughter attends an expensive private school. We have excellent healthcare, travel a LOT, eat out frequently, etc. Total basic budget (not including taxes, savings, or other splurges) is ~$10k - 12k / month. Is your budget for similar lifestyle around $1k / month?
In general, those of us in the US who are lucky enough to work in tech and live in HCOL areas and work for high salaries aren't irrational; the tradeoff is usually worth it, especially if you enjoy urban areas.
That said, I dislike rewarding California a single cent of tax revenue for them to piss their LSD-addled urine into the wind, fuck SF, go to Austin TX (state income tax, easiest 10% raise of your life! pay is same as SF)
Funny, I see plenty of happily employed engineers with 30 days PTO, mandatory sick pay, national healthcare, stable security nets, support for maternity (and in some cases even paternity) leave.
I agree however that the law targets the big tech companies. They ignored previous laws and regulations so they got a meaner more targeted one.
Btw, constitutions start with "we the people" not with "we the companies".
Both Washington and Texas for starters....
"Finance Minister Michael Noonan closed the Double Irish to new schemes in October 2014 (existing schemes to close in 2020), and expanded the Capital Allowances for Intangibles scheme as a replacement"
I would be extremely surprised if the EU goes through all this time, effort, and money just to let corporations continue with business as usual.
I wouldn't. EU is all about bureaucracy and hordes of civil servants doing meaningless jobs. If GDPR becomes fruitless like Cookie Law, then they'll say tough luck, hire more civil servants and start working on another useless law.
But on the other hand, corporations are all about unscrupulous behaviour and doing the minimum possible (if that) to claim they respect the law.
If the GDPR works, they'll just hire more lobbyists.
Trust me, you didn't see what the EU has already gone through, just to keep existing.
I for one am very interested to see how this continental experiment changes the experience of internet users in Europe. And I’m sure glad (at least in this dimension) that I’m not there. (Overall I think I’d be better off living in Europe despite the occasional law I disagree with, but that’s another story.)
It would be hard to argue that when none of these companies are in fact showing "fewer ads" as a result of targeting.
By that logic, they could fill an entire site with ads, and claim that since those ads are targeted it's still a benefit to users, because if the ads weren't targeted they would have to make the site larger in order to fill it with even more ads. There's no limit to how far you could take that.
You cannot claim "legitimate interest" for sensitive data (Article 9), such as political and religious views, or sexual orientation.
I believe that Facebook DID ask about permission with its terms pop-up that I saw on the web. In any case however, any complaint against Facebook will be judged emotionally at this time, so the details may matter less.
They can say it is their interest to have enough revenue to operate the site and some (how much?) profit above that. Maximizing revenue is another angle.
Though if we accept that we live in capitalist society then maximizing profits is one of the core tenets of that.
It's a small but important difference, since a lot of the uncertainty and doubt around the GDPR seems to revolve around being sued out of existence in courts of law, which is not a thing: you can't get sued randomly by disgruntled users.
They're being reported to the Data Protection Agencies in various EU countries.
If the company is willfully refusing to become compliant, the DPA can slap the company with a proportional fine to make non-compliance more expensive than complying.
And if the company is fined, the company can probably sue the DPA in question if they think the fine was unreasonable or unapplicable or no good very bad and unfair.
"Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes."
(also I think "In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications." means that suddenly people are required to respect Do Not Track, which will be .. entertaining)
All laws enable action to be taken against people who are not following them at the time they come into effect. That's what "coming into effect" means.
You mean “within the 2 years probation period + a few hours”
So our TOS used to be quite simple in plain English that all the data we request is only for the purpose of providing the service.
Now we had to outline all the information we collect (even though they are the ones who provide it, so they know what we collect) and outline all our services we use where that data we collect ends up (AWS, Sentry, Loggly, etc... the services we need to run our system and support them). Most of our clients have no idea what any of the information we added is because it's all technical details about how we are providing the service to them.
GDPR required us to do a lot of work that ended up costing us time and money and literally nothing changed because we were already making sure we protected our users' privacy.
Hopefully some bad actors get hit but for now GDPR has left a bad impression on me.
What if he is not very smart? Or even better, what if he is very dumb?
At which level should those be written then?
>the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language
If any user can see their data on any service then any government can quickly plug in to access all user data on any service. This is like NSA Prism for everything.
If a user can export their data easily from any service, they can easily resell their own data for money to services that seek to monetize that data. They could even rent out their data by the day for model training using the right to delete.
Account takeovers by hackers will lead to much more severe data breaches, since all data on that user in the system is easily accessible.
The information apocalypse is made all that more easy because account takeover + deep fakes + Lyrebird plus all that easily accessible juicy data = impersonate anyone.
Data renting will create a way to monetize account takeover. The account takeover will include all possible information used to identify a person so how are the data brokers supposed to know it isn't you and how are you supposed to get your data back once it's out there getting monetized?
I'd love to be proven wrong and for a company to implement this. But as far as I know, it's not being done because the math doesn't work out. It's too cheap for regular people to be interested, and an incentive for spamtech to mass create fake profiles and get paid pennies for it.
In fact, the one variant I am aware of that works is survey sites, but that's because you get paid per result rather than for your data as a whole. If you're just renting your data daily, you'd get a lot less.
I remember some estimates, Facebook profile with a few years of history is around 1$, a few profiles from different sites of the same person 5$.
I don't think making the data more available to users means it's now inherently less safe - actually, it could be argued that having all the data in one place makes it easier to protect ('Keep all your eggs in one basket, and put that basket in Fort Knox'). Additionally, if PII isn't stored securely enough, as it should, and that data gets breached, the company is at fault - again, which it should. Making these companies more liable incentivises them to take their security more seriously, which I think is good.
(I also trust my government, but that's a separate argument)
This is explicitly forbidden in article 20.1
I think their terms specifically say that your data belongs to you.
If there is a search warrant, police could and still can access data. GDPR didn't change anything in this regard.
My feeling is that in the EU there is a different view of government: it's not a third adversarial entity.
Many other remarks you've made don't have anything to do with GDPR, for example fake accounts and takeovers.
That should be the de facto stance regarding government in democratic countries, in my opinion.
The government is a third party that intermediates, fundamentally, between:
* individuals/groups of individuals and other individuals/groups of individuals, all inside the same country
* itself and the governments of other countries
The first point is very important, a society of a big enough scale, in the absence of hierarchy invariably degenerates into an anarchy where the only law is the law of the jungle: the strongest survive. That's why we add this third party that can intervene for the weak. This third party can be corrupted by various interests, but the hope is that these interests balance themselves out.
And even a corrupt state is better than no state at all (or even a very weak state). Look at current day Somalia, Iraq post 2001, Libya post 2011.
We are not from another planet. EU likes to portray itself as trustworthy - it largely is - but that doesn't mean there are no problems. EU governments can vastly differ in quality, you just happen to hear from the most accountable ones.
This could streamline processing of warrants, but beyond that, not much changes. If a company's infrastructure was vulnerable to governments, it probably still will be. Maybe less so, given that GDPR also adds extra motivation for keeping users' data secure.
> If a user can export their data easily from any service, they can easily resell their own data for money to services that seek to monetize that data. They could even rent out their data by the day for model training using the right to delete.
As it should be? They own it, so they can sell it.
> Account takeovers by hackers will lead to much more severe data breaches, since all data on that user in the system is easily accessible.
Not necessarily. GDPR isn't about storing all user data in one big table named PII. It's about knowing, via company procedures, what data you store and what the lifecycle of that data is. Also, with rights to delete data and revoke consents, there'll likely be less data available for an attacker to exfiltrate.
> The information apocalypse is made all that more easy because account takeover + deep fakes + Lyrebird plus all that easily accessible juicy data = impersonate anyone.
Not sure how this is relevant to GDPR. Could you elaborate?
> Data renting will create a way to monetize account takeover. The account takeover will include all possible information used to identify a person so how are the data brokers supposed to know it isn't you and how are you supposed to get your data back once it's out there getting monetized?
How was this different before GDPR? I don't see anything changing in that regard; what you wrote is already the case. Again, if anything, GDPR will reduce the amount of information an attacker can extract from a compromised account, because companies are incentivized to reduce the amount of data they store.
"The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means."
"Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject."
This has been tried infinitely. It doesn't work. Say your service can extract $5/year/user from advertisers. At 25 million users, you can pull a $125m revenue. That's huge. But if users were to sell their data, it'd only give $2-3 if you take commissions into account.
As people realize that their data does not bring much cash, and the invasiveness of the procedure (will you agree to share your weekly grocery purchases for one year with 202 advertisers, and you get paid $2?).
Most people will disagree as they realize how horrible an equation it is. Only bots and kids with no disposable income will remain.