Hacker News new | comments | ask | show | jobs | submit login
Google Feels the Brunt of GDPR Enforcement (saiglobal.com)
51 points by basicplus2 19 days ago | hide | past | web | favorite | 60 comments

50 mil USD is not anywhere close to “hitting Google hard in the coffers”. I get it’s a much bigger fine to what was levied before, but let’s be realistic about the impact here...

This is a fine by the French regulators for one specific breach. In the broader context, it's a warning shot. The GDPR gives them the right to levy fines of up to 4% of global revenues, if such a fine is deemed proportionate.

If Google remedy the breach, that'll be the end of the matter; the fundamental purpose of the regulator is to ensure compliance with the regulations. If Google continue to disregard the regulations, the regulators will not be so accommodating in future.

Last year, the EU fined Google $5 billion for antitrust offences related to Android; Google should be under no illusions about the serious intent of regulatory bodies in Europe.


The fine is in addition to enforcement. It's not a fee they can pay to avoid GDPR compliance. They have to do that as well.

How's it being enforced, though? Short of outright arresting people, the usual enforcement tactic is to use fines

If that enforcement tactic is ineffective, the EU can obviously elevate it's methodology. Companies which do business, transfer monies, and have offices and employees in the territory have a lot of potential assets to seize. Usually fines, which are levied on a regular basis, until compliance is reached, are adequate.

Not sure, but if the 57m EUR fines continue monthly for noncompliance? Weekly? Perhaps that will do more to turn their course..

If nothing else, the fines should continue and I expect escalate.

This was my thought as well. Firat thing I thought is the EU might as well be pissing into the wind. 57M euros? Won't even make a blip on Google's revenue sheet.

Sad that these are the only euro tech news

Well this week we've seen the first Belgian Unicorn (Collibra) but that news didn't seem to reach HN.


I can't help but feel like there exists a certain amount of jealousy/envy that exists on the EU side in regards to American technology companies. Perhaps this stems somewhat from the inability of European countries to cultivate a foundation of successful innovation in relation to software/computation like the Silicon Valley or greater Bay Area has in the United States?

In my opinion, instead of focusing on regulation to hamper outside competition, the better option would be to spend more on funding innovation/growth efforts for local companies and startups so that they can better compete solely based on the merits of the technology or service itself.

This in the long term will provide far more for European countries and its citizens than, again this is just my opinion and it's definitely not necessarily purely black or white here, the short term oriented sort of feel good action that something like the GDPR I believe represents.

You obviously haven't spent too much time around Europeans. They (we) think about totally different things to Americans in general. Privacy (especially in Germany) has always been a hot topic. You can barely use your card to pay for things anywhere in Berlin for example because people use cash to not be tracked.

A substantial proportion of Germans remember the Stasi. Some remember the Gestapo. The idea of databases becoming the tools of oppression is not an abstract risk to the German people. Entirely justifiably, they broadly regard bulk collection of personal data as a dire threat to liberty. Many Europeans live with the memory of similarly awful tyrannies, from Franco in Spain to Ceaușescu in Romania. To dismiss those concerns as mere jealousy of Silicon Valley is rather churlish.

The Germans might remember something slightly older than the Stasi.

I refer you to the second sentence of my comment. With that said, it is worth remembering that only a small number of very elderly people have meaningful first-hand memories of the social and political circumstances of the 1930s and 1940s.

The Stasi is clearly a more pertinent example of the perils of mass surveillance. The scale and sophistication of their surveillance is the closest historical parallel to contemporary digital surveillance, and many currently-serving politicians and civil servants have first-hand experience of it. Germany is still dealing with the legacy of decades of pervasive surveillance and the billions of records collected by that agency. A notable example of those records is a Stasi identity card, issued to major Vladimir Putin of the KGB.


> You can barely use your card to pay for things anywhere in Berlin for example

I am sorry, that's not true. I was in Berlin, Prague, and Copenhagen last year. Hardly used cash anywhere other that Prague. In Prague, it was only Old Town where I ended up need to visit the ATM. I know because I didn't carry any Euros with me from US and need to pay ATM fees for every withdrawal.

I'm not sure where you shop but if you shop like a local it's unlikely you will use your card anywhere but the supermarket. It's getting better but they are way behind. When I first moved to Berlin in 2011 I barely ever used cash and once I landed in Berlin I felt like I had taken a time machine back 20 years.

"Merits of technology" includes privacy.

Privacy is a basic right here. We get it that you are against it and want "everything goes".

That doesn't make enforcement a protectionist matter.

American foreign policy is to tell other countries to fuck off, yet get uppity when other countries do the same.

Because that's the game: e.g. Its not 'bad' or improper that Russia tries to influence American elections, its a failing of America that American elections were influenced. Countries exist to serve the citizens of that country so damn right America should tell other countries to fuck off: because they can and do so when it is (presumptively) good for Americans. (and damn right the Russians should try and influence American elections, Brexit, etc. if they feel it is in their interest)

What superficially is a hypocritical position is merely 'I do what's good for me'. Not endearing I suppose, but its not supposed to be.

> In my opinion, instead of focusing on regulation to hamper outside competition

The word that you are looking for is "unfair", not "outside". It's not like European companies don't have to follow that same regulation.

> the better option would be to spend more on funding innovation/growth efforts for local companies and startups so that they can better compete solely based on the merits of the technology or service itself.


So, some company is externalizing the costs of their abusive behaviour on the public to gain a competetive advantage. The government puts regulation in place to make sure such unfair practices don't work anymore, so companies have to compete on the basis of the merit of their technology or service instead. And your suggestion is that they should instead pay subsidies to local companies only, because what they are doing is unfair to foreign companies?

Seriously, what am I missing that that makes any sense at all?

Perhaps it's just that Europeans value privacy more than anything-goes economic development? Maybe Europeans have decided that people come first, and corporate interests second?

And I say this as an American who has been working at tech companies his entire career. I'm pleased that California has decided to enact similar policies (though I'm not happy with how it was forced through the legislature).

If my search for development jobs in the UK over the past 20 years so I could move back home offers any form of enlightenment, it's that the EU doesn't value software developers. They offer shit salaries compared to North American companies for similar/same work.

A senior developer with 25 years of experience and continually golden references can expect a near 75% pay cut for the privilege of moving to the UK. Near as I can tell, the only companies offering similar pay scales to the U.S. are in Scandinavia.

Until Europe looks at software development in the same manner as North America, you can expect them to continue failing to cultivate a foundation of successful innovation.

If you want to earn decent money to become a developer, then only real option you have to chase a decent career is to leave Europe, and unfortunately once you've done that, there's no real option to go back without a substantial hit to your quality of life.

Why is it so hard to believe that other people might have a different set of values from you?

>compete solely based on the merits of the technology or service itself

This is an extremely simplistic view of national and international economies. The information asymmetry between producers and consumers that exists for almost every product or service should be enough to disqualify the idea that people judge products/services solely based on their merits.

Take a look at the fundraising rules in the EU compared to the US. That probably explains a lot why the EU lags.

You believe the GDPR was created primarily to hamper outside competition? That's a very cynical viewpoint to take, do you have any evidence?

Cynical sure, but hardly unreasonable considering the obvious incentives of money and national pride.

I found the wording of the comment particularly grating because it seemed to take this as an axiom, assuming that everyone else agreed that that's what the GDPR was. Hiding assumptions like that is a dishonest way to communicate.

It also doesn't make a huge amount of sense - the GDPR applies to companies operating inside the EU market, both foreign and domestic.

> It also doesn't make a huge amount of sense - the GDPR applies to companies operating inside the EU market, both foreign and domestic.

Enforcement however is at the discretion of European courts, and as noted previously, affects companies disproportionately foreign. If the EU can (slowly) force a foster a segmentation in the internet, similar to China with Baidu et. all, there are obvious economic benefits

The parent's wording aside, I wouldn't consider it prudent to assume any regulation is benevolently intended. Better to judge on game-theoretical merits. Which makes me suspicious of the GDPR in no small part because of its vagueness and the potential for selective enforcement.

So there's parts of your argument too that are buried in unstated assumptions?

By (pretending?) to think that all the stuff that others actually disagree with in your argument is accepted and doesn't need to be said, and just stating the things that logically follow on from those unstated axioms you're adding very little of value to the conversation.

I see this a lot from people on extreme ends of the political spectrum, I can only assume it's to make your ideas look trivially correct to people who aren't reading what you're saying very carefully. Or perhaps because some are deluded about how common their opinions are?

What assumptions other than 'thou shalt not assume the government is acting altruistically'* have I made? This is hardly an unfair or unreasonable assumption, see: History, all of. I don't believe I was at any point unclear on this assumption, in fact I made a point to clarify it. If you have a specific disagreement you can back up, lets hear it.

If anything my argument is so simple because it is basically a truism: - regulations benefit someone (duh) - regulations don't necessarily benefit the someone the other someone writing them says (duh) - lacking game theoretical* evidence of regulation benefiting aforementioned somebody (here due to vagueness) one cannot fairly assume that said regulation does in fact, benefit the someones (and only the someones) it is purported to.

Quite frankly I don't see how any of these points are particularly arguable, but I always enjoy being proven wrong (so that I won't be next time).

#Even if you want to assume altruism, surely one cannot fairly assume competence.

## I'd even say to the point of being useless except these sorts of conversations always seem to degrade into 'regulations are good'/'regulations are bad' pissing matches instead of actually looking at A. what the regulation does and B. is that a good thing? I was trying to discuss A in view of our imperfect information but that hasn't exactly happened, pity.

### I use 'game theoretical' somewhat loosely here, aiming for succinctness.

Spoken from the point of view of the company.

From the point of view of an individual, I wish GDPR-type principles - that my personal data is mine, and that I have the right to see, to challenge and delete the personal data that you, the company, are holding on me - would be binding in other regions.

I'd love to see the new social giants - US or not - that might emerge in a post-surveillance environment.

I think "jealousy" is the wrong word to use always, "the lord my god is a jealous god" being the instantiator of why thats the wrong word.

But specifically envy is probably wrong. I don't think the EU is "envious" of the US, except in as much as the US secures trade advantages from its power, and asymmetrical bargaining approaches.

EU investment in R&D is pretty good. GDPR was a reaction to individual rights to privacy which had beneficial upsides of addressing extra-territorial data, in ways which favour the EU position.

It interested me that Microsoft (for instance) was a stand out company recognizing its presence in Europe demanded it respect European data laws, and since its taxation strategy demanded the shelf-company in Ireland be less craven, and more clearly Irish, it probably suited them to say no to US court requests for warrantless (or US warrant) data access.

Google, who also have a huge presence in Ireland, has no rational posture here. The only economy which gets a clear signal of intent is the US. US federal agencies can stipulate data is in the US. Everyone else, all bets are off and all law is subject to Googles interpretation of what favours the US google, not the local google office.

To Silicon Valley, It is possibly true what you write. Europe has struggled to make a single instance locale which is pan-european but does the same thing. On the other hand each economies discrete investment method like the Wolfson institute VLSI funded work in the UK and the various German innovation science centres which are Max Planck Branded, They are world-class. and I don't think you should ignore CERN and its impact. European computer initiatives did cave to the US chip moment, but its not there is "nothing" there as much as the IPR model of doing brilliant science and then whoring the IPR worldwide naturally lead to the Saudi and Japanese investments taking control of things otherwise in the USA held to be strategic.

Hollywood isn't that different in the end: there are good European film studios, but you can't break the dominance of the hollywood investment. Elstree, and Cinecitta remain alive.

This is not a "regulation to hamper competition" thing, this is trade war. Competition is happening come what may. People chose to buy German technology from small to medium enterprises because they get bespoke quality which lasts centuries. They buy American mass-produced technology for a disposable culture. But the minute they want something in the cross over space, they might be buying from either.

You might want to consider the car industry. Mercedes invested in Tesla. Ford and GM have largely depended on state and federal teat-funded money to prop up pretty bad business models on big iron engines, and buy in better tech from Europe and Japan when it suits them. Meanwhile... BMW and others set up in Mexico, the US, to sell product into america but the money goes back into EU coffers.

> People chose to buy German technology from small to medium enterprises because they get bespoke quality which lasts centuries. They buy American mass-produced technology for a disposable culture.

What is this uniquely German tech that lasts centuries?

Look on every factory floor. Look in manufactory, look in specialzed machinery. For example: Kuka, Rexroth, Festo, Liebherr, DMG Mori, Bosch, Siemens, Zeiss, Dräger, Infineon, Thyssen Krupp, Aixtron, Osram, Rheinmetall, MTU. No average customer buys anything from them. They dont build the next big thing "Webapp", the next consumer electronics hype or something you use daily. Because its completely B2B. There is no german Facebook or Google or Apple, because Innovation and High Tech happens in the "Mittelstand". You wont ever hear of any of those enterprises, because you aren't their target audience.


Craft style apprenticeship, long lived enterprises with quality focus.

Germany is also an economy where university education remains substantively free (to the student) and a course is not structured towards a 2-3 year "get 'm out and move on" model. People can stay in study for quite a lot longer until they are "ready" although I suspect economic pressures might be changing that. (I didn't study there: this is what German people I know tell me about tertiary education in Germany)

I'm familiar with those firms, but I wouldn't call them Mittelstand enterprises, unless we're calling Siemens and Thyssen Krupp small-to-medium sized. What do they make that lasts centuries that say, General Electric(such as it was) or Halliburton / Bechtel et al don't make? I guess what I'm getting at is that massive generalizations really aren't helpful.

I certainly wouldn't put siemens in mittelstand. But I would put them as worldwide competitive in a range of engineering spaces.

You don't buy the story? fair enough. GE trades worldwide, has local affiliates in Europe. They work in the same way inside the european union, but expatriate profit to the US.

Halliburton and Bechtel do amazing things, but they also do a bunch of things I personally think are significantly less amazing, like grab serious asset and business from the post iraq war teardown, where the US forces basically said "fuck you" to european companies and awarded contracts directly to the beltway. Thats what "no blood for oil" stories are usually about. Schlumberger might be a european company (ok, now incorperated in curacau) to consider in that light.

Massive generalisations are the root topic here. Somebody said "why can't europe do what america does" and the answer is "USA is number 1" is not really a helpful conversation, its silly. Europe doesn't "envy" the US, its competing. Sometimes things like GDPR serve multiple purposes.

btw to be fair, Thyssen Krupp has a pretty dirty past too. The Thyssen museum in Spain is a bit of whitewashing on a company which was in the "schindlers list" bad set, and Krupp had assets siezed for reparations in the wars in Europe so if I am a bit nasty about Halliburton or Bechtel its not like there isn't a lot of dirt to fling around.

Packard Merlin engines were Rolls-Royce exports. Rolls-Royce jet engines powered the world and were being made under licence in the USA, as part of the magic box export in WWII which got radar and the proximity fuze into the war from the USA side. Penicillin production depended on US smart but UK science did the basic work. DNA was Crick and Watson in a context of UK funded science research and Rosemary Franklin got robbed of the Nobel. Du Pont was founded by a frenchman with French capital...

Listen, I just want to know what machinery someone makes that could possibly last centuries. This was engineering curiosity. Hundreds of billions were spent to develop nuclear reactors & spacecraft, and you're lucky if you make it 50 years on any of that, under ideal operating conditions. None of that text answers that.

> Halliburton and Bechtel do amazing things, but they also >do a bunch of things I personally think are significantly less amazing, like grab serious asset and business from the post iraq war teardown, where the US forces basically said "fuck you" to european companies and awarded contracts directly to the beltway.

Wait, you think it's less than amazing that Halliburton & Bechtel profited from the war and didn't give a chance to the Europeans to also profit off the war? This is a new one.

I did make the centuries claim. Its Hyperbole. So, I don't feel I can answer. because its unprovable. I'd edit the centuries out, but thats sort of cheating so I acknowledge that was hyperbole.

I am also skeptical, since nobody makes engineering product that differently: we're all conforming to DIN and ANSI standards which tend to converge. The concrete problems in reactor a in country b wind up reflecting concrete issues in countries c, d, e and don't actually reflect US vs EU much.

I don't think its amazing in a trade war, people leveraged war to achieve trade profit. I think its naieve to think there is any systemic "better" here between nation A and nation B and company Aa and company Bb: there is war, and there is trade war, and morals don't come into it.

But thanks for validating my underlying theory: the key thing is profit. "Just war" didn't enter into it. Nobody really believes it was about liberation. It was geopolitics and money.

GDPR is beneficial to european citizens, but also beneficial to european companies facing offshore data warehousing, and facing US corporates like google who do embrace-extend of US law as google see it, to apply to anyone worldwide.

If american corporates wind up opposing GDPR because it disfavours them in business terms, we're net losers not net gainers from some competition outcome. What would be better would be for the FTC (who regulate data privacy) and the DoC to agree we need higher norms here, and some recognition the SCOTUS has arms which reach to the US border but no further.

> What is this uniquely German tech that lasts centuries?

Beats me. I've owned a Mercedes in the past and it was a piece of junk. Things constantly breaking on it, the lamps were always burning out, it'd burn oil prematurely. The service dept at the dealership was always happy to see me, as another $$$$ ka-ching repair. Never again.

Mercedes builds wagons in a factory which used to be Carl Borgward. Nobody knows that car firm, it died in the sixties but if you say "Borg-Warner" then you're talking the basic automatic clutch which is in every american car until CVT came along.

Maybe Mercedes builds lemons, but do you really think Ford never had a lemon? Whats Ralph Nader on about again? Edsel?

GDPR + Vestager’s crusade against US tech + digital tax is clearly EU protectionism. Unfortunately, none of this is going to help European tech, it’s just going to move US tech out to make way for Chinese tech.

Well yes, given they are the most egregious violator with Facebook, it's to be expected they would be among the first hit, and the hardest. This complaint also only scratches the surface.

Crazy idea, but why not put the onus on the browser and require that EU browsers have the ability to block and manage cookies and tracking scripts.

Much less to regulate plus we wouldn't have ugly banners all over the place.

It is trivial to uniquely fingerprint a browser, even if there are no cookies involved. Surveillance can and should be fought off in the legal sphere.

It is trivial to fingerprint the default configurations that browsers currently ship with, but it isn't very hard to make browsers much more resistant to fingerprinting. There's a lot of unnecessary information leakage in user agent strings that can be dropped. Most of the features that browsers have been adding in recent years as part of their quest to become full-fledged operating systems should be off by default for sites that the user hasn't approved. More than half of the estimated bits of identifying information identified by EFF's Panopticlick tool could be denied to trackers if browsers had better defaults.

Tor exists and is blacklisted by nearly all corporate sites. Technology is not the answer here. Can't tell that to computer programmers though.

Tor has nothing to do with browser fingerprinting, except that browser fingerprinting is the main reason why Tor is relatively useless as a general purpose privacy tool.

staplers 19 days ago [flagged]

  Tor has nothing to do with browser fingerprinting
So you're just purposefully being an idiot..

Personal attacks are not ok here, and unfortunately it looks like you've posted a lot of them. We ban accounts that do that, so could you please review https://news.ycombinator.com/newsguidelines.html and follow the rules from now on? We're hoping for a bit better than internet default in this community.

You might also find these links helpful for getting an idea of the spirit of the site:





Nearly all of my comments are upvoted, many with 50+ upvotes. This poster is making factually incorrect statements and I am the one in trouble here..

So some incentive to design non-fingerprintable browsers sounds great! Especially since such a product would require widespread deployment to be effective.

I haven't worked through the grunt work myself, but I'm fairly certain it's basically not possible to design a completely fingerprint-proof browser so long as a browser includes a programmable Turing machine via Javascript, not to mention network request statistic info etc, all of which are used by completely legitimate websites to improve their experience & performance.

Modern ML can fingerprint you based on your mouse movements. Good luck selling a browser without mousemove events.

The vast majority of web sites don't need mousemove events except to enable bad UI design. The exceptions that are trying to implement a desktop app or video game inside the browser can ask for permission. It's not at all hard for users to make the one or two clicks necessary to grant a domain permission to use the bundle of advanced features it is requesting, and it gives them a reasonable opportunity to provide informed consent before a website starts monitoring their every move.

Dude, it's not like GDPR is trying to solve some inefficiency in http caching, it tries to address a social ill where some people make profits by abusing the private information of others: it's not a technical problem so the solution won't be an browser extension.

Because law should be tailored to the issue it seeks to address and written as close to the root of a problem as is practical? Cookies and tracking scripts are only one aspect of privacy invasion, not privacy invasion itself.

You're looking at a cat and mouse game and suggesting the government put it's effort towards building a better mouse instead of telling the cat to fuck off.

The GDPR regulates the collection and processing of personal data. Not just cookies, not just tracking scripts, but any information about me that an organisation chooses to collect or store. It is important and popular legislation that has significant implications outside of the browser.

A straightforward example is the current trend for consumer DNA testing. In the US, companies like 23andme or Ancestry.com can send you a cheek swab kit, charge you a hundred bucks to find out some trivia about your health or genealogy, then do pretty much anything they like with your genetic data thanks to some vaguely-worded terms of service and a lack of meaningful regulation.

In the EU, those companies can only use your genetic data for explicitly stated purposes with the informed consent of the consumer; the consumer has the right to withdraw their consent at any time, to request a copy of all information held on them or to request deletion of their data.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact