Google and Facebook accused of breaking GDPR laws (bbc.com)
329 points by nemoniac 8 months ago | 369 comments



I am reading through the complaints,

The first one: https://noyb.eu/wp-content/uploads/2018/05/complaint-android...

The User sets up a "new" (non Google) phone, and isn't given an option to decline consent to Google's ToS.

Now how does this work with a physical product? It needs to be compliant on the 25th of May 2018, but the version of Android may be old and not updated (given it's Android). Even if there was an update waiting to resolve GDPR related issues, you would need to agree to the ToS to get that update, to enable opt-out?

In that point of view, it seems a rather unfair complaint. I haven't checked the others yet, but I start to feel that perhaps these have been filed too early, without enough thought and examination, just to get headlines?


> In that point of view, it seems a rather unfair complaint

It is an unfair complaint. But to be fair to the regulators, these complaints were filed by users, and may well be dismissed once reviewed by regulators. This type of unfair complaint will be an interesting test to see just how abusive the GDPR enforcers may or may not be.


The real test is how Google behaves.

Google shouldn't be collecting data from users who agreed to share their data based on outdated ToS that are no longer legally valid.

They should ask for agreement to new GDPR-compliant terms just as they do for users who agreed to the old terms before GDPR was law.


Why do you think that previous ToS was outdated and no longer legally valid? Why do you think consent given x years earlier would not be valid?


Because the new law says the user can’t be assumed to consent, unless the specific parts of the contract are stated more explicitly, are opt-in rather than opt-out, etc. The old ToS become invalid and unenforceable.

If they stop collecting data for those users (at least until they opt in to an updated ToS) that would work around the problem.


Anyway, I'm in EU and I received mail on 12th May about updated privacy policy. In my native language that is used only by <2m ppl.


Companies have had two years to get their act sorted out on this.


I can still purchase a "new" 2 year old phone. I think that is a valid question.


If a product that was in compliance goes out of compliance due to legal changes, it generally has to be pulled from the shelves. I'm saying this strictly from a legal perspective, not endorsing it per se, and I acknowledge the significant expense involved. But this sort of thing happens pretty frequently in a lot of other industries, and the result is pulled product and often a lot of destruction of unsold product.

In this case, fortunately, the hardware may not necessarily need to be destroyed, but it couldn't be sold until the software stack complies. Or, more likely economical, ship the phones somewhere where they are still legal and ship new stock into the EU with updated software. Or make sure there's an immediate update available for the phones and petition the EU for a variance on the grounds that as long as they update, they'll get compliant software. There's a number of options.


If Google had made software updates available, which gave the correct options and are GDPR compliant.

But the OEM, Network don't approve / supply those updates, is Google at fault? (In this case it's a non-Google phone running Android)


> But the OEM, Network don't approve / supply those updates, is Google at fault? (In this case it's a non-Google phone running Android)

Great question. I have no idea, and with the GDPR having been looming on the horizon for two years now, it is something that would be beneficial (and cost-effective) to spend money on getting quality legal advice.

To anyone who has seen the complaints about startups having to spend $20k on a lawyer to explain the GDPR to them, a small startup won't be facing complicated legal questions like these (and those who insist on doing so, have been given ample warning).

A friend of mine has an online business that involves offering/reselling/managing a client's domain registrations (as part of a package of specialised hosting services). Meaning he can't really get around sharing his clients' information with third parties (registrar, other domain shop, I'm not sure). 25th of May approaching. He reads up on the GDPR, makes some adjustments how or what data he stores (because earlier, you know, it was considered good practice to "store all the things" just-in-case), writes a 3-page license agreement (I suppose he took a boilerplate example and adjusted it to his needs), sends it to his clients to agree, and done. Less than a week's work.


Interesting line of argument; if it was a CE compliance issue it would clearly be the vendor/importer. But the GDPR doesn't talk about devices, it talks about data controllers.

Information commissioners can't require data controllers to do things which cannot reasonably be done. So I think this ends up with "the existing phones are fine for technically necessary data processing, but buying an Android phone cannot be direct marketing consent in and of itself".


It's Google's terms, and Google is the one who determined the mandatory flow of that setup as per agreement with the hardware vendor. The EU could absolutely hold them responsible for not having this sorted out with their partners, it isn't like the OEM put the terms on a device and sold it without Google's permission.


But the OEM is responsible for software support for their devices (this is the entire Android model and why Google has been working so hard on the Treble project the past year+). Since the current version of Android doesn't have this problem, I don't see how this is Google's problem.


It's Google's terms for an agreement with Google. How could any reasonable person make the claim it is not Google's problem? Especially considering they had two years to prepare, and 2018 phones still have this problem.

Presumably, if moderately recent phones were compliant, Google could ensure that outdated/invalid consent forms were only tentatively accepted until Play Services updated within the first day or so of activation, and then presented a remedial consent form which was GDPR compliant. The EU would very likely accept this solution as a technical best effort method to ensure older devices were respecting people's rights.

But it sounds like they never really put in the effort. What version of Android is GDPR compliant? 8.1?


Aren't the ToS pulled from the web when you set it up with a Google account? I doubt you're agreeing to two year old ToS.


Possibly, but it still might not be possible for Google to provide a means to decline the ToS without issuing an update (which, as has been pointed out, wouldn't be possible to install anyway without accepting the ToS).


Then it's a device that does not comply with the regulation and must not be sold.


Terrible for the environment. Let's apply rules with common sense [1]. As much as I am for privacy this kind of interpretation is very bad.

1. https://study.com/academy/answer/summarize-all-about-a-dog-b...


The device could still be software-updated then sold, or sold outside the EU. Nobody is saying that it must be landfilled.


Sure, that argument could certainly be made. But unless someone is taken to court over this (or at the very least, threats are made), I think people will continue selling such phones. After all, most sellers aren't going to realise their products are in violation of the law.


If they flag compliant devices, it would be possible on the server side to limit data collected that comes in without the "GDPR-Compliant: true" flag.


Even if the ToS are pulled from the web, it might just pull the document, not the UI, providing opt-outs, etc


They could replace it with a document saying “There are no conditions of use. Enjoy your new phone!”


fwiw, the phone in the complaint is from 2018.


Well, think about cars and emission issues that need updates - manufacturer does recalls and fixes it for everyone. Not sure what's different here? Why not just pull it from stores and fix it if it's violating law?


"you would need to agree to the ToS to get that update"

If you have to agree to their ToS before you can use the device, it should be before you purchase.

Google intentionally waited until they had your cash to say GOTCHA! We require an additional payment of your soul. Now it's biting them in the ass, it is entirely fair.


That is entirely false.

If you buy from the Google store, you'd have to agree before buying (you can't buy without an account).

If you don't, then the seller had to notify you before your purchase. Google had little influence there.

And your argument doesn't work if you're talking about third party devices, which the parent was.

Android itself is open source. OEMs aren't forced to bundle the Google services with it. This can't be blamed on Google either.

They're probably still violating GDPR, and I'm looking forward to the first real cases. These are just silly.


Google has a checklist of things that each OEM has to do in order to distribute the Google Apps, which are not open source. If the OEMs are in compliance with Google's terms for OEM distributors, I would say that it is an issue with Google's terms.

I am curious, I have a Samsung device and I note that I can't uninstall Gmail. Is that Google's choice or Samsung's choice?


honestly, i think the best choice would be to 'accept', and use the google services, or deny -- and just not get any google apps installed.

this would give privacy oriented people the option to simply opt out of anything google and still uphold the pretty good stock experience.

but this is imo still not google's task. OEMs choose to just flash google's services and apps by default right into their OS. that should only be done after the user said 'yes, i want to tell google everything i do'


If denying would mean that I am denied service of their apps, then that would be a violation of GDPR. That is the point of the regulation.


Android has the ability to push updates to phones that haven't been set up yet; when you first turn on a new phone the first thing it does is ask for wifi so it can check for updates. Google has the ability to update the phone before literally any other part of setup occurs. You do not need to consent to the ToS first; the setup steps on Android are really carefully thought through from a legal perspective.

(I know this because I worked both on the setup system and on one of these "zero-day updates", where we fixed some bugs between when we sent the "final" image to the manufacturer and when we actually shipped devices)


Google cannot update a phone that uses an OS built by another OEM. Since the OEM cited in this complaint is a low end Huawei phone they're responsible for pushing the update.


I'm pretty sure that's incorrect at least today, it's possible to skip through the initial setup on a stock Android device without adding a Google account or accepting a ToS.


If there is, they don't make it obvious. Whenever I've tried setting up a stock Android phone, I've looked for a way to do so without adding a Google account, but found no such option.

Perhaps it's possible to do so by pressing or holding some obscure sequence of buttons, but in that case it is reasonable to argue that a 'hidden' option isn't really an option at all. After all, you can't hide microscopic text on a paper contract and expect signees to be bound by it.

There may be stock Android phones out there that do provide a clear option to not use a Google account, but there are certainly many phones that do not.


"Add a google account, enter your email"

On the bottom of that page in grey is a skip button. You do that and you've skipped over it.


I am using a Chinese no-name Android phone without a Google Account. It is somewhat useable even without Internet connection and without SIM card. For example, I can use a camera, radio, music player, a dictionary or offline maps.


China gets your data now.


That's why I thought about either routing all traffic through my server or replacing proprietary ROM with open source software.


Good luck downloading apps though. I can't see how it's necessary for Google to track all your stuff, just to permit you to download an app.


You can use third party app repositories like the FOSS-only F-Droid, or even simply download apps directly from individual creators if they release the apk.


Also there are sites that allow you to download .apk file from Google Play without Google Account.


Google and the manufacturer had 2 years to ensure this wouldn't be an issue.


Apparently that didn't work. I think we're all curious what they can/will do now, because it is an issue.


> and isn't given an option to decline consent to Google's ToS

You can turn off the phone and sell it on eBay.


Hobson's Choice regarding tracking / data collection consent is specifically a breach of GDPR.


The option to refuse the new terms is there, it's just not explicit. I'm not saying this is nice or good, but OP's comment sounded like there's no option, they just made it less obvious.


Less obvious and not explicit terms are violations of GDPR.


If you live in the USA. However, as a European you have more rights, and in the next years we will witness a lot of battles between EU users and American corporations desperately trying to maintain the old status quo.


So far Google and FB have no complaints about GDPR - that was the word from EU regulators. Why would you think they are so desperate?


I'm actually kinda curious what role the US government will end up playing in all of this


To downvoters: I'm curious to hear your counter-arguments. Yes, as a European I have more rights related to personal data than Americans. American companies can continue playing the same old tricks on American citizens with no consequences. It's not possible to do the same to Europeans anymore.


You were probably downvoted for the absoluteness of your statement. For instance, you do not have more rights as a European business owner. Even as just a user, you have fewer rights to enter agreements now with these tech companies free from government involvement. What you may call rights, others call restrictions and limitations of rights.


Agreed. As an American, reading the term rights associated with increased government control is nonsensical. I understand the European viewpoint, it's just much different in America.


> As an American, reading the term rights associated with increased government control is nonsensical.

This is nonsensical. You can not have rights w/o government anyways. You may have privileges or power to force others to comply, but "rights" are defined by a third party entity that enforces them.


You have those backward. Natural rights, at least, are considered to exist before and outside of government. Enumerated rights may derive from government, as do privileges. The "lege" in privilege literally means "law".

Enumerated rights are the rights the GP was talking about. These are defined in law, though may derive from natural rights.


Yeah, good luck enforcing those natural rights w/o any entity to protect you from those who are stronger than you and keen on violating your "rights" for their own good. If I have a gun and you don't, and nobody can enforce your right to life, the chances are that I can kill you and your right to life with a single movement of a finger any time I want. And because not everybody can become warlords, w/o any organisation to enforce those natural rights, they'll only belong to those with more guns. And such organisation, in one form or another, is some sort of government. Calling some rights "natural rights" and believing that they "exist before and outside of government" are just naivety in the least, if you don't have nobody to make sure nobody violates them. We don't live in philosophical wonderlands, unfortunately. In our lands some A. Nix guy can easily acquire data of 50 million people in a country and put that to use of unlawful, evil organisations. And just like everybody will kill everybody if you don't have jails to put killers in, these companies will continue on forming and exploiting until there are grave consequences to doing so.


I'm just clearing up some confusion about definitions here, not making any comment on enforcing rights.


This is actually very interesting. It seems to me that many Americans really don't care how their personal data are (ab)used and will happily agree to absurd ToS-es without complaining. In Europe, we have quite different culture of doing things. And yes, the misnamed "right to be forgotten", i.e. the ability to remove my own personal data from a website, is an important right. Not being tracked is an important right. Not being profiled - ditto. It's really shocking to me that the narrative in the USA is that GDPR is evil, whereas many people in Europe consider it a very positive development, in spite of additional work that needs to be done.


Put simply: Americans prefer corporate overreach to government overreach. The latter is seen as only needed in extreme circumstances because there is often no going back. It's why you see hate for things like the cloud act and GDPR... it doesn't matter where they are enacted, some people don't want the government involved on these things at this point.


Genuine question: So Americans actually prefer the corporate Black Mirror-esque tracking and profiling that has become endemic and out of control over what I would consider a reasonable update to the old DPA?

How is it overreach and how is it solved without regulation? Equally, how is there any going back from the corporate overreach without?

Edit: typos.


You have deviated into the absolutist approach I mentioned before. You don't even have to do without regulation, just not more and larger. Among the solutions are: education, enforcement of existing statutes, reduced scope legislation until enforcement catches up, promotion of alternative approaches, tacit support for technical defenses, etc, etc. There are so many more. Adopting this large sweeping legislation is a myopic approach taken by those who think they wield a toolbox with only one tool in it. Sometimes even, if the unfortunate choice is corporate or government overreach, we should not be so hasty to counteract the former with the latter. Work towards it.


GDPR really isn't that much more than the previous DPA which was in place 20 years without problem. Businesses and startups were still formed.

To stick to the general. Who pays for education and promotion of alternatives against industries spending billions? Either it's coming out of tax or a regulation is required to force educational messages and disclaimers. If neither it just seems a way to assert the status quo as any interested party or user rights group that does get a little visibility will be immediately advertised against by those with a financial interest but far deeper pockets.

Regulation might not be perfect, but seems to be the only viable way left to limit the problems that come with unrestricted commerce.


I think anti social media PSAs are as reasonable as any other PSAs. It's ok to encourage people to go outside instead of play video games or encourage people to not talk on the phone while driving. The video game and phone industries are big too. It's ok to give grants to projects that already have other players in the industry. It's ok to suggest people use ad block. There's no need to be so defeatist assuming nothing will work. We can't even really discuss these types of solutions if everything but law is assumed to not work for internet privacy issues when law is the only one that has been shown not to work. Absolutist phrases like "unrestricted commerce" (as though that exists) "regulation [...] only viable way left" are the reason nobody can see alternatives. It's like self-imposed blinders.


It's OK but ineffectual when up against industries spending orders of magnitude more. It can never be a level playing field.

You give using a phone while driving as an example. UK tried PSAs for years before ultimately outlawing it. Enough were seen ignoring that law that they doubled the penalty some years later. From the occasional piece I've seen on US sites that mention the issue I get the impression that distraction from phones is a disappointing but accepted facet of modern driving.

The older I get the more agreeable I feel to more regulation and adequate enforcement. Without it companies large and small, and individuals, are too inclined to be abusive - of pollution, of privacy, of financial misselling and so on. All to make that sale or commission. Caveat emptor works when it's a consumer against the local greengrocer, or taking a survey before house purchase. Not so much when it's a consumer against multi-nationals employing psychologists and so forth which is why most UK consumer regulation has been steadily moving away from that model for years.

As a European I can look at the US, who prefer minimal regulation, and see it as providing much confirmation that I don't want to do it that way. I'm a little disappointed that UK governments frequently do wish to adopt a US-lite approach.


Americans for the most part hate being told what to do by the government. For me, I hate it because government intervention tends to cripple economic growth. I value economic growth > social welfare (used in the non-derogatory way, in America "welfare" has an immediate negative connotation). I am also aware of this and can understand why other cultures would reverse that equation.


That's correct: government intervention stifles economic growth, be it GDPR or the Paris Agreement. The point is, these laws are proposed where self-regulation fails, and the corporate greed leads us to the situation that is worse to the society as a whole than without it.


> In that point of view, it seems a rather unfair complaint

Regulations aren't necessarily designed to be "fair" though. If GDPR is written in a way that manufacturers need to recall all stock and update phones, its cost is part of GDPR compliance and a fair tradeoff for its benefits as per EU citizens.


> "The GDPR explicitly allows any data processing that is strictly necessary for the service - but using the data additionally for advertisement or to sell it on needs the users' free opt-in consent"

This is the key point. As the saying goes, on Facebook, you aren't the customer, you are the product.

The GDPR just changed this -- rightfully, in my opinion.


Somebody has to pay for it in the end, so Facebook could simply say "agree to targeted advertising and use the site for free or do not agree and pay a monthly fee for the site".


Sign me up!

The sad truth though is that the users who are most likely to pay to get rid of ads, are also the users that are most valuable to advertisers, because that's a signal they have more money to spend than the rest.


You can disable Google's ad targeting at any time: https://adssettings.google.com/ You don't have to pay anything. What you get instead is untargeted ads, like ads for cars, potato chips, and shampoo, just like on TV. Personally I find those to be a lot more annoying.

Facebook's ad targeting can be similarly disabled under https://www.facebook.com/ads/preferences/?entry_product=ad_s...


So... I have to be logged in or have a Google cookie in order to not be tracked by Google. This is complete bullshit and worthless for anyone using private browsing.


> What you get instead is untargeted ads, like ads for cars, potato chips, and shampoo, just like on TV. Personally I find those to be a lot more annoying.

I'm genuinely curious: what's so much more annoying to you about untargeted ads? I've never found targeting to be effective at showing me ads that were genuinely better or less annoying.

I feel more comfortable with untargeted ads, since I can be much more confident nothing truly sneaky is going on, especially if technology ever gets good enough to reliably manipulate me to buy more now.


>I've never found targeting to be effective at showing me ads that were genuinely better or less annoying.

I'm not the guy you're responding to, but I think the key difference is this statement. I had untargeted ads on for about a year and they were always irrelevant. Since returning to targeted ads, I now see things all the time that I'm at least mildly interested in (mostly startups and new services, and/or tools/software I want to try out).

I don't care if I'm being coaxed into buying more: the things they're tempting me with are legitimately interesting and I have the ultimate say on whether I buy it or not.

Untargeted ads don't give that choice: they're just always irrelevant to my interests.


I consider most advertising-delivered information to be suspect. I find about things I'm interested in organically, through interest-based websites and the like.

In any case, except for a few specific circumstances, I've rigorously used ad-blocker so I haven't had to deal with any ads at all. The last ads that I have seen were on Facebook, but even it couldn't seem to do a good job, even though it's purportedly the master of targeting.


"What you get instead is untargeted ads, like ads for cars, potato chips, and shampoo, just like on TV. Personally I find those to be a lot more annoying."

Really? I kind of despise the targeted Ads. They're typically poor quality, and often it's some website I visited months ago to look at one product constantly dangling that product in my face in a desperate attempt for me to come back and buy it.

Show me the cars and potato chips, please!


This is retargeting, and is pretty much the least sophisticated ad targeting out there.


For me I don't really care whether ads are targeted or untargeted. It's the data collection they use to target the ads that's the real concern. I suspect that's true for most people but for some reason these discussions are typically framed as targeted vs untargeted, which IMO misses the point.

That said, I also really don't like seeing ads at all.


Does this disable Facebook's data hoovering about you?

I wouldn't think so.


You can also disable Google's ads on some sites, https://contributor.google.com/

Sadly, Google Contributor is not available outside US. I am eagerly waiting for it.


It also puts users in the mindset of starting to consider if their time on Facebook is worth $X/mo.


What if they say it's $20 a month? And it's just facebook. Google also asks for $20, Reddit too, etc.

It won't be cheap.


Google services with guaranteed no tracking and profiling?

$20 is cheap.


Huh? A Google Suite account is 4 euros a month. No tracking and profiling.


So you are stipulating an account's worth is 240 USD a year at Facebook? Instead of 20, why won't you say 100, make it round.

Seriously though, behemoths do fall and if facebook ceases to exist there will be no harm but good in my book.


I've seen this so many times, but if this future comes I think there will be a lot of angry ass people complaining about the $100s of dollars it costs to make the internet useful.


Every recipe site runs on ads as one example. Now five million recipes across 1,000 prominent sites are to be locked behind paywalls, and you must pay $5 per month for access to each site due to the extreme drop in traffic they suffer (nobody is signing up to pay except at the largest sites, smaller sites have to charge more to make up for that, they implode accordingly).

The result: 973 of those sites disappear. Diversity of choice just collapsed. Starting a new recipe site or blog just got 100x more difficult. But hey, in Communist Internet, who needs lots of recipe sites.


What do you think the creative work is for running a recipe site? And what about the technical work/costs?

I guess you mean the kind where either there are users providing those for free or it uses a huge number of compiled one, not some person inventing new ones.

I would wager that 970 of those sites can be run for virtually no cost, either maintained by loyal community or the wide internet.


Many recipe sites are basically blogs, so yes, there is a lot of cost associated with each of them. I do not know if they tend to make their money on ads or on books or on other methods.


First of all, ethical ads are possible, and more so on a website already very targeted like a recipes website. I can easily guess what sorts of ads would be useful.

Furthermore, I agree with the sibling commenter in that these sorts of websites usually just publish what community submits anyways, so we can have a bunch of wikis instead.

P.S.: Everybody should know the difference between trying to overcome the status quo which is selling yourself to companies and hoping that they do not abuse you, and things like communism or government overreach. And if businesses will lose money or get closed if they stop bad, malevolent practices of theirs, good riddance. Let the sanity get the better of them.


The number that's been kicked around for the value of a North American user is about $50/year. So $5/month will cover it.


The problem is that even if I pay Facebook this company is so utterly untrustworthy that I don't believe for one second that they wouldn't run their data sucking shenanigans on paid accounts.


And that's why you want to have regulations. In the case you suggest, you could ask e.g. EFF if you suspected that they are abusing the contract, to sue FB on behalf of the users. Or even kick-start a big court case yourself.


I agree, but at least if the ad market is much smaller, the data will have that much less value.

Various companies will probably still gather and sell data for even more nefarious purposes, like manipulating elections, but that’s a different battle.


That's not the number that is being kicked around.

Facebook will yield more than $100 per active user in the US and Canada for fiscal 2018. That's going to $200 from here over the next six or seven years (it doubled from 2015 to 2017). No meaningful number of users are paying $15 per month out of pocket for Facebook.

Google search is similarly worth a lot per user in the US. People would be irate if they had to pay $10 or $20 per month to use search engines after commonly enjoying the free utility of that for the last two decades.


Last time someone claimed they knew the numbers I asked them to explain how. They disappeared without replying. So I'll ask you the same thing.

If you divide revenue by users you get between $1-$2 USD. I need to know how NA are 50-100 times that.


Facebook publishes revenue per MAU on page 37 of their 2017 annual report:

https://investor.fb.com/financials/default.aspx

Note that it is reported quarterly (I had some numbers but took them out when I realized I was using 1 quarter instead of the year).


OK thanks. Indeed, $100 isn't a bad number to use.


Per daily active user or monthly active user?

I also think it's conceivable in a more equitable arrangement with paid subscriptions that you could easily have a sizable number of paying users not being active in a given month.


Are you saying the free market doesn't apply to pricing for these services?


I am more than willing to pay $20 a month for both Google and Facebook. Do you hear me? Take my money!


Google gsuite pricing is $5 / month for the basic version.


I would actually pay a small amount to have a read-only account for facebook that doesn't track me at all. I don't want to post anything, but I would like to view stuff more easily on the platform. Especially since so many events are organized through fb.


Have you tried the mobile site with JavaScript disabled? Or have you tried Facebook command line where you can simply query for posts in the terminal?


That model already works for streaming TV! At least it’s working pretty well for Netflix, Amazon, HBO... (It’s definitely not ideal for viewers, but at least now it’s easy to get TV without ads.)


We already donate to reddit.


I’m pretty sure Facebook can’t do that. The point of the GDPR, as I understand it, is to make control of your data a right which can’t be bargained away, much like employers can’t try to bargain away your right to sick leave.


Depends really, the law says you can't deny service, but doesn't say you get to get the exact same service. I would expect the same for people who deny ad cookies - they'll get more ads shown.


I didn't think that was possible. Otherwise it would make determination of a fair price very messy -> In the extreme Facebook could set an arbitrarily high price if they didn't want to change their business model.


That would be a violation of the current policy. I don't wish to be rude, but it doesn't seem that hard to understand, and I'm a little surprised by the number of people making mistakes like this.


It's important to note that the GDPR doesn't ban ads without consent. It bans tracking users without consent.


That's not possible with GDPR. You have to be able to access the same service 'without detriment' even if you do not want targeted advertising.


Yes, but when that point hits hard enough maybe people will stop saying "Why do you not use Facebook/Gmail, it is free".

Now someone can actually try and compete with a free service. It might not work but it's a step closer to happening. For example we have had open source federated social networks, and non-profits that ran email services.


That other free service also encounters the same dilemma. They have to pay for the site, so either they take your data or make you pay.


You can have ads without tracking. But frankly I'm 100% happy if you actually have a choice of "give your data or pay". It's a massive improvement over "give your data or don't use the service" or "give your data and pay" which is what we have today.


If people force the issue then I expect big sites will give you this option. But it won't be necessarily cheap, so most people will opt to use the free version instead.


I’d happily pay.


yeah but now the product is not free.


It'd be great if companies offered a "buy back your privacy" subscription model. For the services I really don't want to stop using (Twitter ...) I'd definitely be using that.


https://gsuite.google.com/

A lot of people don't seem to know that GSuite is both usable (useful, even) and affordable (cheap!) even if you are a solo user.

Here's a quick howto:

1. Go buy your own domain name (~$10/yr, https://www.gandi.net/). Make it something you like, something professional. This is for your personal email address. firstname@lastname is the most common pattern. I recommend everybody do this. Even if you want to stay on gmail, yahoo, aol or whatever you can set up redirects. This becomes an email address you truly own, and your email provider cannot hold you hostage anymore.

2. Create a new GSuite account ($5/mo, https://gsuite.google.com) - The entire setup is guided and completely painless if you're even slightly technically-aware.

3. Migrating from a previous Google account: You can use Google Takeout to get a lot of your data (https://takeout.google.com/). Unfortunately, migrating the data automatically is hard. For email you can set up IMAP from gmail, for Drive there are migration scripts. But you also don't have to migrate immediately, Google is good at multiple accounts.

I know I'm sounding like a Google shill right now, but GSuite really is what people tend to ask for when they talk about Google's handling of data and say they'd pay $5/month to "regain their privacy". Well, here's your occasion to do so.


Is GSuite better from a privacy perspective? It doesn't show ads in gmail, but I'm pretty sure they're still tracking you and feeding that into ads on youtube etc.


From the DPA that you can sign with Google with regard to GSuite:

> 5.2 Scope of Processing.
>
> 5.2.1 Customer’s Instructions. By entering into this Data Processing Amendment, Customer instructs Google to process Customer Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as further specified via Customer’s use of the Services (including the Admin Console and other functionality of the Services) and related technical support; (c) as documented in the form of the applicable Agreement, including this Data Processing Amendment; and (d) as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions for purposes of this Data Processing Amendment.

So no, they probably can't track and feed that into youtube ads, because it is not a cause that provides the service or support.

Afaik Google announced last year that they stopped processing GSuite account emails to a large degree.


> Afaik Google announced last year that they stopped processing GSuite account emails to a large degree.

Well, that's surely reassuring.


> This becomes an email address you truly own, and your email provider cannot hold you hostage anymore.

It's hardly yours. Using a custom domain for anything sensitive like banking is not a good idea. Your registrar is almost certainly a lot easier to phish/social engineer/whatever than Google.


> Your registrar is almost certainly a lot easier to phish/social engineer/whatever than Google.

Please don't spread unsourced FUD. I'm not saying registrars are perfect (although Gandi, which I linked, has an impeccable track record), but everyone uses registrars for their domain name, even the biggest businesses out there.

If you have a problem with a particular registrar, I invite you to source it and share it. But the general idea that the potential for a point of attack makes the email "not yours" is nonsensical.

What matters is the email address you give out to people. Where that email is stored and ends up doesn't matter. Which registrar owns the domain doesn't matter.


I'm not spreading FUD. I'm spreading Maciej Ceglowski's information: https://techsolidarity.org/resources/congressional_howto.htm...

@pinboard has explained on Twitter that registrars can get tricked into letting an attacker into your domain account (of course they can). And from there they can update your zone file to send your mail wherever they want.

This isn't about the storage of your email.


Even if such an attack were to take place, that doesn't mean you don't "own" your email. You own it far more than an @gmail.com address...


> but everyone uses registrars for their domain name, even the biggest businesses out there.

Everyone uses registrars, but in some cases you can be your own registrar. Like in Finland, when .fi domain registrations were moved exclusively to registrars (initially you would register domains with the Finnish FCC equivalent, later an option was added to let a registrar handle that for you, and finally it was moved to just registrars), quite a few companies and individuals registered to become registrars for the .fi domain.


a) 2FA for your bank account

b) Who is going through all the trouble to target me specifically with a phishing attempt?


Where does it say that paying for GSuite means that Google stops invading your privacy? I can't find it, and can only assume the only difference is you don't see the ads.


The users that can afford and would buy this service are exactly the ones that advertisers want to reach. If you stop showing them ads or only share data for people not willing to pay, the data becomes useless.


Tough luck.

There is no fundamental right allowing tracking or advertising.

There is a fundamental right to privacy.


Right, but what this means is a business often can't support itself via a mix of subscription and ads - if you offer both for the same content the value of your ads will likely crash, so it's mostly equivalent to just being subscription based.


They would take your money and track you anyway, and everyone knows it


And be fined into oblivion.


How would anyone find out, and provide proof for this?

Can we expect an EU government agency to validate companies on a regular basis? And if not, would they even cooperate with white-hat hackers to find offenders?

Also, from what I read, data protection agencies have been understaffed and overworked for years now.


Tracking which doesn't result in any visible effect to the users is fairly harmless. The more concerning stuff involves handing the data to third parties like direct marketers and political campaigns. Those commercial relationships are a lot harder to hide and generate a paper trail.

"Why did this company pay you $x million?"

".. stuff?"


When in doubt, make it a consulting fee


You can choose to be paranoid about everything if you want to. Maybe your dentist is drilling fake cavities or your lawyer is giving you bad advice so you spend more money.


It wasn't before either. You were just paying with a different currency.


Good now they have to make it worth paying for.


The GDPR ensures that only Facebook will be able to comply, and prospective competitors shouldn't even bother.

The regulation counts 58 000 words.


The regulation's big but it's probably not larger than a sprawling API documentation, etc. and you approach it the same way: just read what you need.

IIRC almost _half_ of the actual regulation is about what and how the member countries should set up their internal supervisory authorities and the rest is similarly specific.

There are innumerable checklists, summaries and guides on how to deal with GDPR as well.

The two I like are:

https://blog.varonis.com/gdpr-requirements-list-in-plain-eng...

and

https://ico.org.uk/for-organisations/guide-to-the-general-da...


I see so many people parroting this but I just don't get it. Surely it won't be a problem at all for a new startup handling data correctly from day 1? Facebook has a mountain of historical data that was collected using non-GDPR-compliant methods that now falls foul of EU law.


You need somebody that knows the regulations and developers that are capable of auditing the whole system. That's added fixed costs, which is an advantage for incumbents.


But these regulations are not that complicated! Heck, in the EU we've been observing most of them in the last years already. Most things are really straightforward. Things get complicated when your core business is making users' data available to third parties. But it's not different from any other business: if you want to make money in catering for example, you need to read and adhere to relevant laws, too.


Is an IP address PII or not? I have read multiple different interpretations today.

Is a hash of an IP address PII?


Is this really that complex? If it can be linked to the individual, then it is. https://www.whitecase.com/publications/alert/court-confirms-...


So IP + timestamp of my ticket system logs is invalid because I also have a timestamp of ticket updates by a user. Actually, just IP because I have a timestamp on the log file. So the latest line has an IP, so I can take the file timestamp and see the latest ticket comment and now I've linked it to an individual. You're right, this is easy. Even easier now that I can't think of a way of storing an IP without the ability to at least correlate the latest one.


> So IP + timestamp of my ticket system logs is invalid

What makes it "invalid"? If you can identify a person by their IP, then the IP becomes a part of their personal data. For most websites it's irrelevant, because people just visit and leave. But if someone signs in with their real name, you just need to update the ToS saying that apart from their other data you also store their IP. How complicated is that?


Ok, just update the ToS. No ability needed to provide opt out of that IP collection? No ability needed to go, upon request, and delete all these IP+timestamp logs that I could use to correlate with their name? Handwaving all of this stuff away as clear and easy is at the least ignorant to real people's concerns and at most willfully dishonest.


How can anyone "opt out of that IP collection"? It's not the way the Internet works: logging is an essential part of its infrastructure (and in certain jurisdictions it's required by law). The only problem is if the IP is associated with personal data. If the user really wants to remove it, they can remove their personal data, and in this way the problem disappears.

On the other hand, if you plan to sell the IPs associated with some other data to a third party that can easily link it to people (Google and Facebook can), you may want to consult a lawyer.


Can you point to the bit of the law that requires website owners to delete data upon request? Or the bit of the law that requires website owners to ask for consent to gather IP addresses?


Writing style can be linked to individuals.

Can I still have a forum where users submit text?


I love all these posts that assume, because they've never been on a software team that makes compliance part of their job, that it's completely outside the grasp of a small team.

Those of us in fields regulated prior to GDPR are laughing at you.


Is that what they are saying though? I'm not reading it as 'small teams can't comply'. I'm reading it as if you comply, you will make less money advertising, and that affects the dynamics in a social app.

If you have to charge money, your chance to overcome the network effect of FB or an established site is difficult, because en masse migration of users to a new service typically goes hand in hand with that new service being offered freely.

Conversely if you don't charge money, your ability to fund the development of a competitor is based on reduced ad income since you can't offer targeted ads, which is going to shorten your runway by a significant amount.

These two things seem to indicate that the likelihood of building something that replaces one of the existing social services goes down. I don't think it makes it impossible, but the law seems to make it less likely that the social app incumbents get replaced (if that was at all possible).

As far as those in other regulated fields having done this for some time, I can't think of many regulated fields where the network effect is so high as social apps, so it is probably a bit apples to oranges. Presumably it is not as large a deal in those markets where social network dynamic is not as strong.


I think Facebook's lawyers have determined that they can use the 'legitimate interest' basis for showing targeted ads to their users [0]. This basis does not require consent from users except as part of the take-it-or-leave-it initial terms of service.

Here are the parts of the 'legitimate interest' basis which are most useful to Facebook:

The GDPR does not define what factors to take into account when deciding if your purpose is a legitimate interest. It could be as simple as it being legitimate to start up a new business activity, or to grow your business.

So Facebook's lawyers can simply say, "It's in our legitimate interest to maximise advertising revenue".

You need to demonstrate that the processing is necessary for the purposes of the legitimate interests you have identified. This doesn’t mean that it has to be absolutely essential, but it must be a targeted and proportionate way of achieving your purpose.

Facebook's lawyers can say, "It is necessary for us to use personal information about our users, such as their age and location, in order to maximise our advertising revenue".

The GDPR is clear that the interests of the individual could in particular override your legitimate interests if you intend to process personal data in ways the individual does not reasonably expect.

Facebook's lawyers can say, "People expect that we use their personal information such as age and location to determine what ads to show them, so the interest of the user does not override our legitimate interest of maximising advertising revenue."

[0] https://ico.org.uk/for-organisations/guide-to-the-general-da...


Lawyers can say such things and I'm sure that Facebook will try to fight it, but I don't think they'll be able to do so successfully, because the GDPR is very specific about what a "legitimate interest" is.

See here for an explanation: https://www.gdpreu.org/the-regulation/key-concepts/legitimat...

PS: the EU can't wait to give fat fines to companies like Facebook and Google, due to their tax evasion schemes. It's the whole reason for why these companies haven't been able to stop GDPR, with all of their lobbying prowess. And I don't care about such motives, as an EU citizen I'm glad that GDPR exists.


As an American citizen I'm glad that GDPR exists. Our own government will never strongarm Big Tech into respecting their users - especially in this political climate - so I'm glad someone else is.


I think it is naive at best. To me, it's like the EU is a spoiled child who wants everything for free without paying for it. Most of the web is paid for by targeted advertising and getting rid of that would make the web suck as there would be way less money to actually pay for content. Also, non-targeted ads suck as they usually end up being like Viagra ads since they pay the most.


> non-targeted ads suck as they usually end up being like Viagra ads since they pay the most.

Ads on TV have been non-targeted since the TV was invented, TV stations have survived thus far and are doing a little better than online publishers.

Note that we are talking of tracking individuals. You can still say a lot about the demographics of a TV show and thus do ads targeting based on the actual content being watched. That's not user profiling and while you can infer a lot about those watching, it's not dangerous either, because you're not keeping a history of what that user watched.

Saying that tracking individuals is necessary for getting revenue is disingenuous.

Besides, in case you aren't watching the news, the biggest problem for publishers is by far ad-blocking, not GDPR. If they would have respected people's privacy, security and time, we wouldn't have been in this mess and we wouldn't need laws. In our country we have a saying, you sleep in the bed you make ;-)


> Saying that tracking individuals is necessary for getting revenue is disingenuous.

I'm definitely not saying that. I'm saying non-targeted ads generate a lot less money than targeted ones which means the content on the internet won't be as good as companies will generate less money to pay for the content.

In the extreme cases as we are seeing now, businesses are shutting down or blocking all EU users because the peanuts they would make from generic ads are not worth the server costs, content creation costs, costs to comply with the law, and potential fine costs (risk).


Shutting down or blocking all EU users is perfectly fine by me. At least I'd know which are the companies I should stay away from.

But no, it won't happen, because the EU is the world's second biggest market. If China can afford to coerce companies into censorship and violating people's rights, the EU can afford to impose some privacy laws as well.

And as I've been saying elsewhere, targeted ads are only needed at this point because people are fed up with ads due to abuse, this being a race to the bottom anyway. Pretty soon targeted ads won't work well either, how well they work right now is questionable and all of that data will have been collected already, ready to be sold and abused.


> If China can afford to coerce companies into censorship and violating people's rights, the EU can afford to impose some privacy laws as well.

Take this with a grain of salt since I am not from China and really only know about it from HN: The EU is not nearly as powerful as the Chinese government nor do I think the general Chinese population is aware of how much better G/FB/other sites are outside of China (admittedly speculation on all accounts), nor are they in a country where they can vote to change laws (pretty sure on this one from what I have read on HN).

If G/FB suddenly stopped supporting EU users, they would most likely cry out so loud that the law would get reversed in days. This law seems to target privacy and opt-ins mostly and I as a programmer don't even give a shit about those since they give me amazing services for it. I highly think most people want the free apps with targeted ads over a full block or paywalls.


> The EU is not nearly as powerful as the Chinese government

Not sure what that's supposed to mean.

> If G/FB suddenly stopped supporting EU users

But they won't because they are not stupid. Instead they'll start respecting the privacy of EU citizens, which is going to be a win for us.

> I highly think most people want the free apps with targeted ads over a full block or paywalls.

Most people aren't aware of the threat to their privacy.

Also, do you work for a company that makes its living off targeted ads?

Not that I judge you or anything, I worked on a startup in the past building a platform for serving ads on bidding exchanges (what Criteo has been doing, except they succeeded). And now I'm working on anti-ad-blocking technologies. But I'm also privacy aware, as I've seen full well what targeting can do and I don't suffer from double standards.

The people that defend ads targeting are those that work in the ads industry.


TV stations have survived thus far and are doing a little better than online publishers.

The number of TV stations has a hard limit, so that's why the average TV station makes more in ad revenue than the average online publisher. But the top online publishers (Google and Facebook) make much, much more in ad revenue than the top TV stations.

Perhaps we should just give out operating licenses to 1000 websites and force the rest to shut down :)


Setting aside older ad-showing media (newspapers, magazines, cable TV), even the web itself did just fine before today's holistic individual ad-targeting. For the most part, today's problematic practices started happening after the Dot Com boom.

It's amazing the point we've reached, where egregious tracking is so normalized that we assume it's fundamental to the internet's feasibility. Facebook and Google aren't meek charity-organizations, trying to give the world free stuff and only asking for the pittance of our data, to help keep the lights on. Their profit margins are enormous. They could do quite well for themselves without any tracking at all, just showing random ads. Not to mention that many people would pay for their services if it meant getting rid of ads altogether.

The reason they don't offer individuals the option to pay for their services instead of being tracked isn't out of charity. It's because they would make less money. Your data is more valuable than any reasonable monthly fee you'd be willing to pay.

If GDPR puts an end to the gold-rush that's happening at the expense of everyone else in society, forcing tech companies to make a normal amount of money instead of an insane amount of money, that sounds to me like an unambiguous good.


I don't see what is naive. The EU has never said that you can't have ads. You can do ads without using and selling user data. For instance, you can have contextual ads (depending on what you read, not who you are) or just random ads.

GDPR is not against the ad business, it is only setting limits and obligations on how you can use personal data. It is saying that it is not normal for businesses to build huge user profiles without oversight or even consideration.


> GDPR is not against the ad business

Yet somehow, I doubt that GDPR would exist if Google and Facebook were German companies, rather than American ones.


Is that relevant in any way?

And Germans are more privacy aware than Americans, for obvious historical reasons.


There's nothing inherently wrong with storing user data or using targeted advertising as long as it's not abused. Instead of outlawing only cases of abuse like any sensible law would do, the EU just chooses to throw the baby out with the bathwater because it's not their baby.


No, data can be sold or leaked and abused at any point in time, it doesn't matter that it doesn't happen right now.

People that blame Cambridge Analytica are missing the point, which is that Facebook is a threat to everything we know just by existing.


The EU tried that. Google and friends gave a shit. The result was creating a regulation more painful to them. These companies apply their US based understanding of right and wrong to the globe. You see China, EU and Russia are reacting and applying their local rules. With different methods, but they do.


They would never be German companies. We (Germans) would have regulated them bankrupt a long time ago :).

You are right. GDPR is a very German thing. We essentially have a two digit party (the greens) which rose because of the rejection of a general census (and nuclear energy). In Europe we are also not alone with that (see pirate party).

Oh and regards sensibility: The EU tried that. Google and friends gave a shit. The result was creating a regulation more painful to them. These companies apply their US based understanding of right and wrong to the globe. You see China, EU and Russia are reacting and applying their local rules. With different methods, but they do.


> Also, non-targeted ads suck as they usually end up being like Viagra ads since they pay the most.

You can still have targeted ads without tracking user data. Show ads for gaming content on eurogamer/ign, or ads for technology on techcrunch, or ads for Viagra on WebMD.


> EU can't wait to give fat fines to companies like Facebook and Google, due to their tax evasion schemes.

How does GDPR relate to "tax evasion" at all? Also, Google and FB set up to pay taxes in Ireland, which is a member of the E.U. That seems legal to me. See https://en.wikipedia.org/wiki/Double_Irish_arrangement


The 4% of worldwide revenue aspect is almost exclusively pointed at the giant US tech companies. Europe has few meaningfully large tech companies, with large global sales, such that taxing worldwide revenue matters (this is why they didn't just make it an EU revenue tax).

It's meant to try to plunder some of the global revenue that Google, Facebook, Microsoft, Netflix, Apple, Amazon, Twitter, Snapchat, etc. are generating. They're betting that these companies will slip up at some point (who the hell taxes revenue, instead of profit, other than the backwards Russian state anyway?).

Amazon is going to $400 billion in sales (and is about to have a giant, lucrative ad business). Google is going to $200 billion in sales. Facebook is going to $100 billion in sales. Netflix will have 250 million subscribers. Apple is pushing toward $250 billion in sales.

GDPR itself wasn't designed just to tax the US giants. The 4% tax on worldwide revenue however does exist solely to try to get loot from the US tech dominance. As the EU gets left further and further behind the US tech colossus, their rage and envy will increase by the year.

The Germans like to snark at the Americans about how they should build better cars. Well, Europe should learn to build better tech, and learn to pay their engineers what they're actually worth if they want to compete with the US that pays 3x or 5x more.


> Europe should learn to build better tech, and learn to pay their engineers what they're actually worth if they want to compete with the US that pays 3x or 5x more.

I'm a European and I must say that's bullshit.

Yes, you can earn 3x to 5x more in Silicon Valley. Property prices are crazy expensive however, many people don't afford to live near their office, with crazy commute times being common, the schools there are either expensive and crazily competitive or poor, if you work on your own or in a startup it's pretty common to not have health insurance, in which case you can get fucked, plus your gun control is pretty broken and it's horrific to see kids shot in US schools all the time.

I live in Romania. I'm within 15 minutes of my office that I do by bike, I have both public and private health insurance for cheap (and in spite of popular opinion, Bucharest has some of the best trained medical personnel in the world), my earnings are well above the average which means that for me the cost of living is cheap, my 8 year old son goes to a good public school, I own my own apartment and we'll build a house in the future too and I freely travel to Berlin, Munich, London, Barcelona, Rome, etc. yearly for conferences and I can walk the streets of Bucharest without fear, gun-related murders and murder in general being almost unheard of.

People in Silicon Valley may be earning 5x, but the cost of living is 10x at least.

If anything, Silicon Valley is only attractive because all the cool companies are there. But you know what, due to the high competition, nowadays you've got plenty of companies hiring remotely or opening offices in Europe. I'm fine with that.


Most of this is pretty irrelevant to the comment you're replying to. The argument is that EU companies don't pay tech talent what they're worth. School shootings and bike lanes don't have anything to do with that.

And I'm completely sympathetic to the argument that you're making about compensation vs. cost-of-living, but I think you're mistaken. The cost of living isn't 10x that of Europe. Taking into account taxes and government benefits that we have to pay for ourselves, it's probably more like 50-100% more expensive to live in, say, the Bay Area or NYC vs. any major metro area in Europe other than Eastern Europe, which will catch up eventually. I could be wrong though! I live in NYC, in a very nice 2 bedroom apartment in a doorman building right next to a large park. My daughter attends an expensive private school. We have excellent healthcare, travel a LOT, eat out frequently, etc. Total basic budget (not including taxes, savings, or other splurges) is ~$10k - 12k / month. Is your budget for similar lifestyle around $1k / month?

In general, those of us in the US who are lucky enough to work in tech and live in HCOL areas and work for high salaries aren't irrational; the tradeoff is usually worth it, especially if you enjoy urban areas.


That is a good argument, but some things are priced as absolutes and not as a percent of CoL. So, true, in Romania your salary is ~ 10x your CoL and in SV it would be 5x maybe, but the money left over in absolute terms (9x Romanian_CoL vs 5x SV_CoL) is significantly different. So, if you want something that is priced absolutely, like a plane or a boat, SV is still better.


Keep in mind that in absolute terms, earning 5x more and 10x cost of living might be larger savings. It sounds like Romania is a nice place, so you could even save for 5 years and retire there.

That said, I dislike rewarding California a single cent of tax revenue for them to piss their LSD-addled urine into the wind, fuck SF go to Austin TX (state income tax, easiest 10% raise of your life! pay is same as SF)


> Europe should learn to build better tech, and learn to pay their engineers what they're actually worth if they want to compete with the US that pays 3x or 5x more.

Funny, I see plenty of happily employed engineers with 30 days PTO, mandatory sick pay, national healthcare, stable security nets, support for maternity (and in some cases even paternity) leave.


There's no 4% tax on revenue in the GDPR as far as I can tell. It's a 4% fine for violations. Which is potentially far greater than a 4% tax, since it applies to every violation.


If fines are impossible to avoid without going out of business or leaving the market, they're taxes by another name.


They are impossible to avoid if and only if they continue to give a shit about users' rights.

I agree however that the law targets the big tech companies. They ignored previous laws and regulations so they got a meaner more targeted one.

Btw, constitutions start with "we the people" not with "we the companies".


> who the hell taxes revenue, instead of profit, other than the backwards Russian state anyway?

Both Washington and Texas for starters....


Yes, it's tax avoidance, not tax evasion. On the other hand, EU seems to want to make the current arrangement tax evasion in the future.


New companies can't benefit from that scheme anymore, since 2014 actually.

"Finance Minister Michael Noonan closed the Double Irish to new schemes in October 2014 (existing schemes to close in 2020), and expanded the Capital Allowances for Intangibles scheme as a replacement"


If companies successfully argue that maximising revenue is a legitimate interest and thus, don't need users' consent, then the GDPR will be worth less than the paper it was written on.

I would be extremely surprised if the EU goes through all this time, effort, and money just to let corporations continue with business as usual


EU cookie law is one prior example of this. That worked out to “business as usual” in the end, didn’t it?


Think of the GDPR as a bug-fix release to remove the loopholes those legal hackers used.


Nope. It was a nice step that showed everyone how even the most unexpected website tracks you with some cookies.


> I would be extremely surprised if the EU goes through all this time, effort, and money just to let corporations continue with business as usual

I wouldn't. EU is all about bureaucracy and hordes of civil servants doing meaningless jobs. If GDPR becomes fruitless like Cookie Law, then they'll say tough luck, hire more civil servants and start working on another useless law.


There was a lot of lobbying done to water down the GDPR.

But on the other hand, corporations are all about unscrupulous behaviour and doing the minimum possible (if that) to claim they respect the law. If the GDPR works, they'll just hire more lobbyists.


> I would be extremely surprised if the EU goes through all this time, effort, and money just to let corporations continue with business as usual

Trust me, you didn't see what the EU has already gone through, just to keep existing.


You could probably take it a step further and say that it is in the user’s best interest to see targeted rather than generic advertising, because you can show fewer ads and make the same revenue. I don’t know if regulators will buy it though.

I for one am very interested to see how this continental experiment changes the experience of internet users in Europe. And I’m sure glad (at least in this dimension) that I’m not there. (Overall I think I’d be better off living in Europe despite the occasional law I disagree with, but that’s another story.)


> You could probably take it a step further and say that it is in the user’s best interest to see targeted rather than generic advertising, because you can show fewer ads and make the same revenue. I don’t know if regulators will buy it though.

It would be hard to argue that when none of these companies are in fact showing "fewer ads" as a result of targeting.


You don’t know that, because you don’t know how many ads they would be showing in the alternate reality where they only show non-targeted advertisements.


So regulators should just take their word for it and allow them to slide on compliance because they claim they would be showing more ads in some alternate reality if it weren't for targeting? That sounds like a loophole that would allow pretty much everyone to ignore GDPR completely, and I think you'd actually have to live in an alternate reality to consider that reasonable. The entire advertising industry would be exempt from GDPR.

By that logic, they could fill an entire site with ads, and claim that since those ads are targeted it's still a benefit to users, because if the ads weren't targeted they would have to make the site larger in order to fill it with even more ads. There's no limit to how far you could take that.


I wouldn’t say they should take their word for it. They should hear the argument and decide if it is reasonable and supported by the data.


"Legitimate interest" works for regular data (Article 8).

You cannot claim "legitimate interest" for sensitive data (Article 9), such as political and religious views, or sexual orientation.


That’s probably ok though, as I imagine those features are somewhat less important to advertisers.


I don't think they'll manage to convince anyone that maximum profit can be a legitimate reason - at least not in the current climate. They can claim however that, since Facebook's business is selling targeted ads (which is truly their source of revenue), their system simply needs users' data to work.

I believe that Facebook DID ask about permission with its terms pop-up that I saw on the web. In any case however, any complaint against Facebook will be judged emotionally at this time, so the details may matter less.


At the scale at which Facebook operates there are billions at stake and they will litigate these things until the last breath rather than to give up these lucrative revenue streams. Look forward to FB pulling out of Ireland if that's what it comes down to.


> So Facebook's lawyers can say, "It's in our legitimate interest to maximise advertising revenue".

They can say it is their interest to have enough revenue to operate the site and some (how much?) profit above that. Maximizing revenue is another angle.

Though if we accept that we live in capitalist society then maximizing profits is one of the core tenets of that.


Well, in case of "need enough revenue to operate" they could just add reasonable "no tracking" monthly fee.


Can they? I was under the impression that GDPR does not allow “accept tracking or else pay money”. If it does then that seems like an easy, obvious solution to the problem. So easy and obvious that the fact no one is implementing it makes me suspect it is not actually compliant.


This is the crux of the problems with how companies are interpreting the GDPR. Every service I've seen with a privacy policy pop up within the last 24 hours has basically justified all of their current data collecting practices as being necessary for their business. The spirit of the GDPR is to improve privacy, not just make Terms of Service pages longer.


Yeah, but the law of unintended consequences is sure to apply. The GDPR hits adtech companies fundamentally.


This is not "unintended consequences", it is explicitly anticipated by the law. Which is why people can and are suing. We'll see how it shakes out in the courts.


People are not "suing," they're filing complaints.

It's a small but important difference, since a lot of the uncertainty and doubt around the GDPR seems to revolve around being sued out of existence in courts of law, which is not a thing: you can't get sued randomly by disgruntled users.


You are absolutely right, sorry for the imprecise/misleading language.


They're not being sued, and it's not a case for the courts.

They're being reported to the Data Protection Agencies in various EU countries.


Yes, but that's the first step to being sued.


No, if a company gets reported, the DPA is supposed to investigate, and help the company get compliant if it finds that it isn't.

If the company is willfully refusing to become compliant, the DPA can slap the company with a proportional fine to make non-compliance more expensive than complying.

And if the company is fined, the company can probably sue the DPA in question if they think the fine was unreasonable or unapplicable or no good very bad and unfair.


Does the DPA also get to choose who is making a strong effort and who isn't? Reporters can probably start pre-typing the corruption scandal articles.


The law explicitly said "within hours of taking effect, these specific companies are to be sued due to not preparing sufficiently for GDPR"?


The law is explicitly aimed at direct marketing. It's mentioned in the text: (article 21)

"Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.

3. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes."

(also I think "In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications." means that suddenly people are required to respect Do Not Track, which will be .. entertaining)

All laws enable action to be taken against people who are not following them at the time they come into effect. That's what "coming into effect" means.


Fair. I appreciate the input.


What a refreshingly honest question.


I know it seems like a stupid question, but I wanted to make sure I understood the parent commenter's point.


“Within hours”

You mean “within the 2 years probation period + a few hours”


GDPR has been law for two years, since 25 May 2016, a point your downvoters seem to be missing.


Yeah, that may be true, but it doesn't matter. Nobody was talking about it back then. /s


Let them downvote. I’d be downvoting left and right too, if those pesky EU bureaucrats had ruined my moneymaking scamvertising scheme.


> The GDPR hits adtech companies fundamentally.

Hopefully...


I'm not holding my breath. To paraphrase Jurassic Park "Money finds a way".


Actually the spirit of GDPR is also to make Terms of Service shorter by being clear and understandable. If you as a user are unable to understand what you are agreeing to then it is a violation of GDPR.


Our policies got much longer with GDPR. We only collect information for legitimate reasons (i.e. we need it for the service they are using), we ask for it, and we never target it / sell the data. It helps that our customers are paying customers and not using a free service.

So our TOS used to be quite simple in plain English that all the data we request is only for the purpose of providing the service.

Now we had to outline all the information we collect (even though they are the ones who provide it, so they know what we collect) and outline all our services we use where that data we collect ends up (AWS, Sentry, Loggly, etc... the services we need to run our system and support them). Most of our clients have no idea what any of the information we added is because it's all technical details about how we are providing the service to them.

GDPR required us to do a lot of work that ended up costing us time and money and literally nothing changed because we were already making sure we protected our users' privacy.

Hopefully some bad actors get hit but for now GDPR has left a bad impression on me.


> unable to understand

What if he is not very smart? Or even better, what if he is very dumb?

At which level should those be written then?


The literal text of the GDPR is as follows:

> the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language


Yes, and before that it says "If the data subject's consent is given in the context of a written declaration which also concerns other matters," which means I can use legalese but only if it does not concern other matters in the same document? :)


You'd hope not, but I also thought the phrasing in that sentence was sloppy.


That’s the whole issue with the regulation unfortunately :(


Theoretically yes. Practically you need to be rather verbose in certain cases (e.g. you need to specifically name which articles of the GDPR you're using to justify collection) while also being told to be concise. The general advice I've heard is to have a human-readable summary and then follow it up with the lawyer speak for compliance.


Twitter got it right.


I am trying to think what the secondary consequences of GDPR are going to be.

If any user can see their data on any service then any government can quickly plug in to access all user data on any service. This is like NSA Prism for everything.

If a user can export their data easily from any service, they can easily resell their own data for money to services that seek to monetize that data. They could even rent out their data by the day for model training using the right to delete.

Account takeovers by hackers will lead to much more severe data breaches, since all data on that user in the system is easily accessible.

The information apocalypse is made all that more easy because account takeover + deep fakes + lyrebird plus all that easily accessible juicy data = impersonate anyone.

Data renting will create a way to monetize account takeover. The account takeover will include all possible information used to identify a person so how are the data brokers supposed to know it isn't you and how are you supposed to get your data back once it's out there getting monetized?


The option to monetize your own data is an amazing idea: a startup that pays you to upload the data you can download from your Google, Apple, Facebook, BIGNAME account, basically renting it daily until you revoke consent, then uses it to do all sorts of shit you can with it. You’ll get hyperprofiled and harassed with all sorts of advertising, but you’re actually getting real money for that.


The problem with that model is... how much money is a single profile worth, really?

I'd love to be proven wrong and for a company to implement this. But as far as I know, it's not being done because the math doesn't work out. It's too cheap for regular people to be interested, and an incentive for spamtech to mass create fake profiles and get paid pennies for it.

In fact, the one variant I am aware of that works is survey sites, but that's because you get paid per result rather than for your data as a whole. If you're just renting your data daily, you'd get a lot less.


> The problem with that model is... how much money is a single profile worth, really?

I remember some estimates, a Facebook profile with a few years of history is around 1$, a few profiles from different sites of the same person 5$.


When “you are the product”, you can sell that product.


You would have to find a market for them first. Realistically private data is useless outside of a marketing platform like Google or Facebook. Maybe you can fill up some forms or polls for a few cents, that's it.


Your data is worth about 21 cents.


The assumption you're making with most of your points is that, currently, data is only safe from governments/hackers because it's not readily available to users, and for some reason it being not easily accessible by users means it's safer (correct me if I'm reading what you're saying wrong).

I don't think making the data more available to users means it's now inherently less safe - actually, it could be argued that having all the data in one place makes it easier to protect ('Keep all your eggs in one basket, and put that basket in Fort Knox'). Additionally, if PII isn't stored securely enough, as it should, and that data gets breached, the company is at fault - again, which it should. Making these companies more liable incentivises them to take their security more seriously, which I think is good.

(I also trust my government, but that's a separate argument)


You have expanded the surface area for hackers for sure esp. if you have an automated system. If your system is manual, like a phone number, that's not immune to phishing/stolen identity attacks.


On the positive side, it could also reduce product lock-in by increasing data portability. For example if I'm creating a social network startup, and users can export their data from Facebook in a parseable format, then it's trivial for me to offer an "import your data from Facebook" feature. The interesting question then becomes, could Facebook do anything about that? In the past they would be able to sue the startup for appropriating data that Facebook was granted an exclusive license to via TOS. Now it's not so clear. Where are the limits of my control of my own data?


The data belongs to the user. There's nothing Facebook can do to prevent exporting if it's via the data backup. They can just design it in a way that is easy to read by humans but very challenging for parsers.


>They can just design it in a way that is easy to read by humans but very challenging for parsers.

This is explicitly forbidden in article 20.1


Machine readable only means no images. You can still structure it in a way that it's a pain to import. Or use changing structures. Definitely violates the spirit of the law but don't think Facebook cares about that.


I'd argue that the GDPR is entirely about spirit.


Well, they can make a big, very readable screenshot of your data, handwritten by an adversarial DNN


What about generated images (some crap like Facebook frames or generated slideshows etc.)? Doesn't Facebook have the copyright on those - at least the designs? Should those be included in the export?


Yeah, I understand it belongs to the user and they can export it. But does any third party service then have a right to allow the users to import their data from Facebook?


Yes, the user owns the data and can give consent.


I don't understand how a Facebook post made by me 'belongs' to me. It was addressed to a specific audience that Facebook made available to me, it wouldn't have existed in the first place if Facebook didn't exist. How does it completely belong to me?


If you make a song on a Gibson guitar, should the song belong to Gibson?


I think your analogy holds true for the documents you write on MS Word that you bought. Posting on Facebook is equivalent to recording a song in Gibson's studio, in which case it doesn't completely belong to you.


Facebook has been offering their data for free for a very long time. In fact that's what they're accused of. They have also had export tools since long ago, like Twitter IIRC.

I think their terms specifically say that your data belongs to you.


Well, to an extent. They still reserve the right to block apps from using their API if they infringe on Facebook business interests. For example you can’t make an alternative newsfeed app. People have tried to make apps that aggregate multiple social account feeds, and they got sued / C&Ded IIRC.


What do you think changed for governments?

If there is a search warrant, police could and still can access data. GDPR didn't change anything in this regard.

My feeling is that in the EU there is a different view of government: it's not a third adversarial entity.

Many other remarks you've made don't have anything to do with GDPR, for example fake accounts and takeovers.


> My feeling is that in the EU there is a different view of government: it's not a third adversarial entity.

That should be the de facto stance regarding government in democratic countries, in my opinion.

The government is a third party that intermediates, fundamentally, between:

* individuals/groups of individuals and other individuals/groups of individuals, all inside the same country

* itself and the governments of other countries

The first point is very important, a society of a big enough scale, in the absence of hierarchy invariably degenerates into an anarchy where the only law is the law of the jungle: the strongest survive. That's why we add this third party that can intervene for the weak. This third party can be corrupted by various interests, but the hope is that these interests balance themselves out.

And even a corrupt state is better than no state at all (or even a very weak state). Look at current day Somalia, Iraq post 2001, Libya post 2011.


> EU there is a different view of government: it's not a third adversarial entity.

We are not from another planet. EU likes to portray itself as trustworthy - it largely is - but that doesn't mean there are no problems. EU governments can vastly differ in quality; you just happen to hear from the most accountable ones.


> If any user can see their data on any service then any government can quickly plug in to access all user data on any service. This is like NSA Prism for everything.

This could streamline processing of warrants, but beyond that, not much changes. If a company's infrastructure was vulnerable to governments, it probably still will be. Maybe less so, given that GDPR also adds extra motivation for keeping users' data secure.

> If a user can export their data easily from any service, they can easily resell their own data for money to services that seek to monetize that data. They could even rent out their data by the day for model training using the right to delete.

As it should be? They own it, so they can sell it.

> Account takeovers by hackers will lead to much more severe data breaches, since all data on that user in the system is easily accessible.

Not necessarily. GDPR isn't about storing all user data in one big table named PII. It's about knowing, via company procedures, what data you store and what the lifecycle of that data is. Also, with rights to delete data and revoke consents, there'll likely be less data available for an attacker to exfiltrate.

> The information apocalypse is made all that more easy because account takeover + deep fakes + lyrebird plus all that easily accessible juicy data = impersonate anyone.

Not sure how this is relevant to GDPR. Could you elaborate?

> Data renting will create a way to monetize account takeover. The account takeover will include all possible information used to identify a person so how are the data brokers supposed to know it isn't you and how are you supposed to get your data back once it's out there getting monetized?

How was this different before GDPR? I don't see anything changing in that regard; what you wrote is already the case. Again, if anything, GDPR will reduce the amount of information an attacker can extract from a compromised account, because companies are incentivized to reduce the amount of data they store.


Nothing in the directive requires the access to personal data to be done "in band" through the normal login only. It's a valid interpretation of GDPR to only accept "give me all my data" requests by post, and require additional ID to confirm that you're giving it to the right person.

"The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means."

"Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject."

(article 12)


> If a user can export their data easily from any service, they can easily resell their own data for money to services that seek to monetize that data. They could even rent out their data by the day for model training using the right to delete.

This has been tried infinitely. It doesn't work. Say your service can extract $5/year/user from advertisers. At 25million users, you can pull a $125m revenue. That's huge. But if users were to sell their data, it'd only give $2-3 if you take commissions into questions.

As people realize that their data does not bring much cash, and the invasiveness of the procedure (will you agree to share your weekly grocery purchases for one year with 202 advertisers, and you get paid $2?).

Most people will disagree as they realize how horrible an equation it is. Only bots and kids with no disposable income will remain.
