Hacker News new | past | comments | ask | show | jobs | submit login
Lessons from Google's Geographical GDPR Goof (dmnews.com)
143 points by CrankyBear 36 days ago | hide | past | web | favorite | 64 comments

We (staffers) wanted to consider google g suite for integrated mail/calendar. We couldn't because as an Asia-Pacific entity, we felt we wanted a guarantee our data was in Asia-Pacific (preferably Australian) DC and under local law.

What we found, is that only the US State and federal governments can demand US located data from Google. All other economies and agencies can ask for local, but cannot have it a checkbox requirement: Google retain the right to host you wherever they decide, subject to laws they decide.

Somebody else has noted that Microsoft, for all their faults, actually looked at customers in Europe and said "you know what: we can declare hosting in ireland is subject to EU laws and we will (at the right price) guarantee your data is in the EU, subject to EU law" and for that, I salute them.

I think Google got this wrong. I think microsoft got this right.

We didn't go with G Suite. We went another direction with mail and calendar.

> as an Asia-Pacific entity, we felt we wanted a guarantee our data was in Asia-Pacific (preferably Australian) DC and under local law.

I don't understand why you would want a generic Asia/Pacific location. It makes sense that you might want it to be in a particular jurisdiction for legal purposes, so I understand specifying Australia, in the same way other businesses specify EU or US or China. But why would you ever want to say "put our data somewhere in this hemisphere, Australia or Malaysia or Korea are all OK but don't let it be in Ireland or the USA"?

Ideally we wanted OZ. Google hadn't even come onshore at that point. We wanted in our hemisphere, we'd have settled for JP or SG probably. It wasn't on offer: Google didn't sell "put my data in my chosen jurisdiction" it sold "we put it where we want to, unless you are the US government in which case yes sir whatever you want sir"

Being told they do "now" is great. 5+ years too late. And, the evidence about this is that Google cave to intercept requests far faster than microsoft do. Microsoft ask for strong evidence you have jurisdiction. Google don't make any public noise about this, and about how they act.

I am not a hater btw. I use a lot of google product.

(to latency: a lot of fiber in Asia goes odd paths. being in Japan or SG wasn't actually a good guarantee it would be faster than from the USA)

Oz is probably the worst possible location for any kind of data other than China or North Korea due to their new encryption law. I realize that wasn’t the case 5 years ago.

Right. Which hopefully will evaporate in the coming election although I wouldn't trust Labor on that.

Probably latency requirements?

This is not true anymore, at least not the second part. It's not possible to select JAPAC data location (yet).


You can select US or Europe or no preference. So, you cannot select LatAM or Asia.

Google are getting better, sure. EU feels like they did a reaction to GDPR extra-territoriality issues. The thing is there is either zero selectivity, or there is n+ because nobody codes a two value toggle for this: They clearly have intent to add more. How many more?

Things like this is why Microsoft is still retaining a lot of business-customers which Google will never touch.

They care about addressing the customers need first and foremost, while Google’s #1 priority will always be tracking and ads.

When the EU said processing needed to be done in the EU, Microsoft was fine with that, while Google has been playing nice only on paper.

With rulings like this, guess which one will seem more reliable and dependable (from a business POV) for the EU market?

Not Google. That’s for sure.

Pretty odd comment, considering Windows 10 does a lot of tracking and ads.

> Windows 10 Collects Activity Data Even When Tracking Is Disabled, But You Can Block It


> We also display advertising in some services, and we’d prefer to show you ads you find interesting.


And the numerous steps you have to take to improve your privacy:


As it pertains to this complaint though, those are all seem less relevant than the issue of well... plain non-compliance? I mean, if they didn't even have a DPO...

Still, let's not overstate this "recordbreaking" fine. It's not large, at all. It's only of a fraction of profits (not revenue) in France alone. Even if google fully expected to take this hit, it might not have bothered to change its behavior. The fine, by itself, has no impact on google's business. The greater risk, really, is that they've got a record now: if they get caught again, they'll be more likely to suffer more punitive measures that really are relevant to its core business.

Also, they come across as slightly incompetent, really: I'm kind of surprised such a huge organization didn't bother to prepare very well. I mean, for some the law might have come as a surprise, but it's not been unannounced, and it sure looks like google - amongst others might even count as the law's raison d'etre. How exactly did they miss that?

Legally, they can't pay the fine and continue their behavior. It's not a cost of doing business as you are required to alter your behavior.

Exactly. The fine is basically a token at this point; it's the potential for followup that matters.

I don't see what's odd about the comment. For core philosophy, Google has always about using an algorithm instead of manual labor whenever possible. The mindset they push to developers is always to "think at Google scale". Customer service has 100% been crappy with Google from day 1, and on purpose. This GDPR situation is political and messy and hits them very much in their weak spot.

Microsoft came from (and continued to focus on) the business market, which is all about big deals and playing ball. The entire concept of Windows was meant to bridge the business market with the home market and they've had split business/home pricing for most of their products forever.

Yes, Microsoft also sucks at privacy and has been evil forever like all of these amorphous businesses that reach their tendrils as far and wide as profitable. But selling ads (and privacy) is just another revenue stream for Microsoft, not their core product. And don't forget that Hacker News' favorite search engine, DDG, is based on Bing. Microsoft doesn't really care about privacy but also doesn't really care about ads - they just want money.

The article seems to relate only to data handling for Android, so I'm not sure your comparison and conclusions are relevant.

op only cites it as an example. but there is empirical evidence -- MS holds enterprise market-share even for products google is otherwise competitive in, and privacy impact is absolutely one of the reasons

But everything on GCP is encrypted?

If you really want, you can use your own keys end-to-end.

I'm satisfied that Google treats adwords and advertising areas of the business differently to business services. Apple, Twitter and many large banks use GCP - do you really think they would do that if Google was snooping at the data?

Please back up any claims with evidence.

i should clarify: i dont think google is snooping at enterprise data when there are proper agreements in place -- my comment was only that there is a difference in privacy impact between MS and google

i cant share the PIA of my own enterprise but specifically we needed certain guarantees about where data would be stored that MS could make and google could not. that's all.

Bing operates in China, doesn't it?

Is this like a cheerleading competition?

Just to highlight that OP was (rightly) talking about business consumers.

As a business, under GDPR I am responsible for the compliance of my subcontractors (which includes Google Cloud or Azure for instance). I read about this Google blunder and I think that I have other sh*t to worry about than how Google is screwing around with my data. On the other hand, Microsoft has demonstrated time and again that they care about their customers’ data. 2 examples: the fight with the DoJ over access to emails stored in Ireland and the fact they subcontract Azure’s operations in Germany to a German company (to avoid having to hand over the keys to the data center to a 3-letter agency: they literally don’t have them).

The german azure location is a joke. Only the most basic services are available, there are so many missing in germany...

Maybe they aren't competing on technical competency but regulatory competency? It's a valid strategy.

We are currently struggling with firebase cloud messaging as the instance id has been deemed personally identifying by our laywers which google clearly does not think is the case (they don't even offer a data processing contract for firebase). So, if you are currently using Firebase cloud messaging, there is a big chance you are in violation of gdpr.

I was told the main problem is that google's view on things is not en par with gdpr. Google claims that "Data associated with Instance IDs is generally not personally-identifying" (see 2.) which our lawyers say they clearly are. In that regard, google does not talk about instance ids or, worse, data processing in between APNs and the sending backend (see 1).

The current legal situation does not allow us to use firebase cloud messaging.

Google Cloud has a DPA if I remember correctly, that would cover Firebase usage?

The google cloud DPA unfortunately does not cover Firebase.

I don't think I had understood the why behind Google's GDPR fine prior to this. It's also illustrative of the challenges of running a worldwide business with GDPR. Google knew it had a target on its back, is organized and spent a lot of time becoming GDPR compliant and STILL screwed up in a significant way.

I disagree. It only displays the challenges when you're trying to comply with the letter of the law while doing everything you can to evade its purpose. Stuff like pre-selected consent boxes are not just mistakes or misunderstandings.

The only guaranteed way to avoid regulatory attention is to shut down everything and stop operations. There is fundamentally no decision you can make other than "comply with the law while continuing to operate as effectively as possible".

Even more unfortunately, bureaucracies, including every modern corporation and government, are UnFriendly AIs. You must comply with the letter of the law because not a single agent involved, not the regulators writing the law nor the courts that will interpret the law nor your competitors that will bring complaints against you nor even the users of the products involved, knows or cares what the spirit is. They don't have the correct value systems, experiences, philosophical frameworks, or cognitive architectures to execute the "comprehend human values" step that would be required to interpret the "spirit" of the law. That incapability is why an even minimally functional justice system needs things like checks and balances and case law and jurisprudence and rules of evidence and all of those things. But we do need those things, because history has proven universally that the letter of the law is the only thing that matters.

On the one hand, this means we literally can't trust any organization composed of more than approximately two people. You often can't even trust organizations with one person, simply because bureaucracy is a force-multiplier even for single humans; think about things like bug trackers and source-control systems and apply them to other workflows. On the other hand, this means that it's pretty much worthless to try to do anything about any individual corporation. Up to the point where you entirely obliterate their industry you're stuck. Which is, coincidentally, what an antitrust action really is - antitrust actions happen exactly when a single agent has taken over an entire industry, and making sure that that an identical bad actor doesn't reappear requires not just breaking it up but also obliterating its industry and introducing a new one with similar features but substantially different (non-agglutinative) dynamics.

Standard disclaimers: Views don't represent employer, etc.

To be clear, this isn't even necessarily about "how Google violated GDPR". This is "why the case didn't go through a country favorable to Google".

Aka, Google would've still likely been violating GDPR if they had a proper DPO in Ireland, but given how favorable Ireland is to the international companies it harbors the EU legal entities for, it's possible Google would've more successfully evaded punishment, had they been set up to ensure the case got handled in Ireland, rather than France.

Frankly, jurisdiction shopping was one of the big questions surrounding GDPR. You can be sure that legal teams are using this ruling to shore up their own documentation to make sure a random DPA can't bring case against them.

Always better to be engaged with an enforcement agency in a country that collects revenue from you.

The biggest problem with this is that the enforcement agency in the country that collects revenue from you has extremely more incentive to side with you, and not the consumer bringing a complaint against you.

It can be a huge challenge to prevent a situation like the Eastern District of Texas and patent lawsuits, and that sort of situation can harm both sides.

That's why there is a Court of Justice of the European Union.

The problem with being engaged with these enforcement agencies is that this is probably a significant amount of "bloat." Google would need to engage with all 28 EU governments on this issue. They didn't even allow a bunch of Eastern European countries to sell apps in their play store until a few years ago because they were that's insignificant.

IMO, it seemed that the purpose of GDPR was to create a legal arrangement to tax/fine Google (and other big US tech companies). The fine was going to happen one way or another, the question was just how big it would be in the end.

For some context on why: consider those "cookie" notices you see on every site now. The notices are often obtrusive, usually don't have a "no" button, don't make it clear how to withdraw your consent if you do click "yes"... So if every company is in violation, and no one knows how to do it correctly even with millions of reasons why... Then how exactly is it going to protect user privacy in the real world?

If that is what you got from the available materials and the track record of the EU DPAs to date then you should probably do some more reading.

EU companies have as much or more stake in being compliant than the few US tech giants active on EU soil.

I see the impact of the GDPR on EU based companies every week and it is definitely moving the needle towards more secure operations and a much better attitude towards stewardship of data-subject related data.

I don't claim to be an expert, but this random site claims that British companies have suffers 10k data breaches [0]. According to this, there have only been 91 fines. I don't see how someone can come to the conclusion that this is actually helping data be more secure.

[0] https://tech.newstatesman.com/gdpr/data-breaches-gdpr

> I don't see how someone can come to the conclusion that this is actually helping data be more secure.

The fines are not what has made things getting more secure, the work done to avoid the fines is.

Before the GDPR pretty much every company I looked at had absolutely terrible security, since the GDPR is in effect most companies at least stopped seeing security as a cost to be avoided, with an associated increase in awareness at the rest of the company and better processes and controls to ensure that data does not leave the servers when it isn't intended that way.

It's 91 fines so far, and a whole pile of warnings and interventions, give it a few years and the cumulative effect will be substantial.

Oh, and that 10K number is only the breaches that the companies are aware of and that have been reported, the real number is likely to be much higher. And without the GDPR it would be much higher still.

But there are few major EU tech companies in the first place. These kinds of rules are going to hurt foreign companies because they're the major players in the market.

I'm European and I barely use anything made by European tech companies in terms of final products. I'm sure there are some networking chips or similar in some of the devices I use, but the major software and hardware I use is made and designed outside of the EU.

Now I would argue that the reason we don't have many major tech companies in the EU is because of a hostile environment for them here. I really can't think of many other reasons. The EU has more people than the US that are about as educated. There's at least a comparable amount of capital around, our internet connectivity is actually better, but we have very few major tech companies, even fewer ones that focus on internet stuff.

Why is this important? Because if eventually we want to build automation to do other jobs then we need a lot if qualified tech workers.

> But there are few major EU tech companies in the first place.

That’s not accurate. One ≠ a few. The only major European tech company is SAP.

Alphabetically: ABB, Adyen, Airbus, Alstom, ASML, BAE, Booking, Ericsson, Logitech, Philips, SAP, Siemens, Spotify, Teamviewer, TomTom.

Not going to spend more than two minutes on this, by the time you do some more reading you will likely end up with 100+ companies on this list.

That’s three software companies, (Booking, SAP and Spotify) one of which I mentioned, one of which is a wholly owned subsidiary of an American company. I concede on Spotify, though it is worth one tenth of SAP.

I regret I was unclear, using tech instead of software. The top five most valuable companies in the world are all US software companies. The only European software company on that list is SAP. Oracle, Netflix and Salesforce also make the cut. SAP is worth 15% of Apple, 25% of Facebook, just barely less than Netflix. Alibaba and Tencent are in the global top ten.

China has big tech companies like the US does. Europe does not.


Did ARM count?

China and the US have a huge single language market. The EU has a single market with tons of languages. It's much harder for a British or German startup to spread EU wide equivalent to how a US startup can achieve reach across the US and Canada. The EU single market only partially mitigates the problem. Single language seems to count much more than a single jurisdiction.

The usual pattern is when someone in the EU gets interesting, they get bought by a larger US outfit. I don't think China yet allows full foreign takeovers, or a selection of their majors might now be US owned or shuttered too. The other standout in your list, Samsung, is a typical huge conglomerate - TVs, monitors, phones, cameras, memory, storage etc, and part of the larger conglomerate with fingers in everything from fridges to ship building.

ARM is not in the top 100 firms worldwide by market capitalisation though it is obviously a very impressive achievement. Also, if you’re going to count ARM Cisco, Intel and NVIDIA should all count too and they are in the top 100 firms worldwide by market capitalisation.

I’m sure there are many, many reasons the EU only has one software company to compare with the US or China’s behemoths but the fact remains that it does only have one. There are 16 European companies (including Swiss) in the world top 100, minimum, so I don’t see any special reason Europe couldn’t have software companies that are a really big deal outside SAP but compared to the US they don’t.

As to standouts Toyota is also an enormous conglomerate though you need to expand the list to get to 32. Taiwan Semiconductor is pretty impressive, worth more than Toyota and no one knows it exists.

Stop moving the goalposts. You started out by saying there is only one major tech company in Europe.

> For some context on why: consider those "cookie" notices you see on every site now.

That's the 'cookie law'[1], not the GDPR. As I understand it, you don't have to provide a way to say no. You just have to notify people before doing it.

[1] Privacy and Electronic Communications Directive 2002

That's correct, if you don't collect or use that data in the first place, you don't have to ask. Keeping email addresses and placing cookies for account creation doesn't by itself require a notice, just due care in handling. It's when you want to use it for advertising or other "off label" purposes that these messages become mandatory.

> That's the 'cookie law'[1], not the GDPR. As I understand it, you don't have to provide a way to say no. You just have to notify people before doing it.

Not even that, the "cookie law" is grossly misunderstood, since it already allowed things like "session cookies" and other account related settings/preferences without any sort of banner. What it banned/didn't allow (at least not without warning) is 3rd party/ad tracking cookies. Some companies just added blanket warnings "to be safe", everyone started mimicing that and now we have the insanity that is modern web publishing...

>IMO, it seemed that the purpose of GDPR was to create a legal arrangement to tax/fine Google (and other big US tech companies). The fine was going to happen one way or another, the question was just how big it would be in the end.

This is what I think as well. The attitude EU politicians (especially German and French) have taken against foreign tech companies is incredibly hostile. I assume they do this because we don't have many large tech companies in the EU. If they hurt foreign tech companies enough then perhaps there's a chance we might get some in the EU ourselves. What they don't understand is that the reason the EU doesn't have many major tech companies is because the environment is hostile towards them.

Think back on when Zuckerberg was at the EU Parliament and he was asked to name an EU competitor to Facebook to show that they're not a monopoly.


The mindset that having a globally distributed team with global VPS coverage is more desirable than ensuring people's private data is handled with care is way more of a fucking disaster.

I have a very difficult time understanding any of this. I mean, yes, for most of the SME 50 mio dollars would be some money, but for Google? Peanuts. Who cares if they messed up? If this is the penalty for it, bring it on... It was cheap school for them (not on how to do GDPR properly, but how to get better at avoiding penalties in the future).

Seriously, I hope EU can do better than that. We could really use some real privacy protections, especially from the likes of Google, Facebook, Microsoft, Apple, Amazon,...

The goal of the DPAs is to ensure compliance. If a small fine is enough to do that, great; if not, they'll fine you more next time.

It's not the size of the fine. It's that there's a fine at all. It's a warning shot across the bow.

Also, this isn't a fine as "cost of doing business". Google still has to address the issues. If they don't, you can be sure the next fine will be 10x.

If you look at some of the GDPR fearmongering (Particularly stuff like "Oh no my designated DPO left and it took us a week to find a replacement." or "Oh no, my 1 person company with no automated process got a GDPR request while I was on holiday in the bahamas and I took too long" leading to 4% of revenue fines, one of the points made is that the EU tends to not apply the maximum penalty immediately based on the severity of the offence and whether it's a repeat offender. So this is (a) Google's first offence and (b) it seems the finding is about a technicality that could be a genuine mistake (1 day after GDPR Google's TOS didn't mention Google Ireland yet), so it's understandable that they didn't pull out the 4% of global revenue fine. Even though ultimately the Google behavior is the target of the legislation, not giving Google the same "first time's a warning" type behavior of local SMEs sounds like a good way to start a trade war.

The next GDPR violation Google is accused of, they will now be a repeat offender and more likely to get a higher fine, until they either become compliant or end up at the 4% of revenue fine.

> it seems the finding is about a technicality that could be a genuine mistake (1 day after GDPR Google's TOS didn't mention Google Ireland yet)

To clarify, the fine is due to the consent mechanism in Android. The fact that the action was led by the French regulator rather than the Irish one is due to this technicality and others (no DPO in Google Ireland for instance)

>one of the points made is that the EU tends to not apply the maximum penalty immediately based on the severity of the offence and whether it's a repeat offender.

But this is how it's done because it's standard practice, not because the law stops them from doing it.

You might want to look up the EU requirement for proportionality in penalties, and the ECJ cases where a regulation or penalty was found not to be proportionate, before claiming there is no law that stops them from doing that. It applies to everything EU wide.

That's quite apart from it already being well established in national laws of many member states.



Interesting. Thank you.

But what's the point of setting upper limits to fines at all then? GDPR says that the maximum penalty is 4% of global revenue or 20 million euros, whichever is greater.

If proportionality is a concept that's followed so well, then why have upper limits at all? Why word it in a way that clearly hurts smaller businesses more?

It doesn't work like that.

I think it was Germany first introduced proportionality into sentencing, in the later 19th century. They still have maximum penalties for offences. The maximum allows a regulator or judge to frame the seriousness of offence within those limits, with fewer surprises, and across the range of legislated offences, as intended by the legislature.

A proportionate fine for a first offence, technical breach by a multinational like Nestle or Google, who should have plenty of people in legal, might be a gentle €50 million slap on the wrist. As we can see from this very discussion, there's been a couple of comments along the lines of "...but that's too small to hurt, why bother?". A proportionate penalty for a Google or Facebook on a fifth offence, showing a wilful attempt to dark pattern around the law, might well turn out to be €4% of global. It's no different to setting criminal offences with a maximum of ten years in jail and finding most get a fine, and just a few get jail, let alone a maximum term.

A proportionate first offence penalty for a 5 person early startup, who made a minor breach, might receive a helpful, but sternly worded letter to help them comply. The same 5 person startup showing a wilful, habitual pattern of breach might get (plucks number out of the air) a €20k fine for their fifth offence. Probably levied after providing proof of their revenue and profit.

The point is supposed to balance the need to a) enough to encourage them to not do it again, and b) not nuke them from orbit. It doesn't clearly hurt a smaller business more. It's meant to hurt each about the same: "enough to achieve compliance". Intent and extent will affect what is enough too. The aim is compliance, not revenue, or remaking some sort of financial equivalent of the Bloody Code. A bankrupt business cannot comply and generates no revenue.

Mistakes, disappointingly large or small penalties and the subsequent appeals will happen, such is the nature of all law, everywhere. IANAL or I might have explained that better. :)

So you seriously think that the only thing that prevents people killing each other is that there is a law against it?

Morals work by adjusting to the expectations of your peers, laws simply codify the expectations and serve primarily to regulate which infractions can be punished.

We're not talking about a general case situation though. We're talking about dealing with rather specific companies where a lot of money moves around. While laws against murder might not affect whether the general public kills one another, it probably does affect a business environment that is cut-throat.

It's peanuts now. Less so on the tenth or hundredth time they get hit.

Applications are open for YC Summer 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact