The sooner companies start to realize that personal data is a liability rather than an asset the better. Happy to see this fine, but as far as I'm concerned given the kind of data we're talking about here it should have been higher.
I remember someone here putting it this way: treat user data like uranium, not oil. Both are valuable, but you don’t want to just collect and store an unlimited amount of uranium. Collect the bare minimum user data you need to operate your business and then dispose of it when it’s no longer needed.
neat, this analogy travels pretty far - user data is radioactive.
there's a background amount of radiation. it's everywhere, even in higher amounts than you'd expect like bananas and airplanes. no amount is safe, but the risks are negligibly small when exposure is minimized. concentrated amounts can be safe when exposure is controlled and managed with oversight programs in place. disasters can be managed with disaster programs, but it's still possible that unforeseen problems can cause big issues. unregulated handling can poison local populations. corporate influence on government can be a problem.
what a comparison! there should be an award for this.
In this growing analogy, developers collecting data mindlessly are descendants of Early Anthropocene humans discovering entombed nuclear fuel and not understanding or ignoring the dire warnings outside.
> Ah, the linear no threshold theory of radiation.
i wasn't aware this was contested. it's what i was taught in the us nuclear navy.
> If background radiation is everywhere, how can there be no safe dose.
this is not a self-evident refutation and is a bad argument. cancer is the 2nd leading cause of death in the US, meaning there is an even higher nonlethal occurrence of cancer. this is not all radiation's doing, but it's hardly obvious that bathing in radiation your whole life is a "safe dose"
LNT is controversial because there is not enough data to support it. The data that we do have doesn't support any low-dose model conclusively as far as I know. The upside of this is the effects have to be very small, so it basically doesn't matter, because the risk of low doses is effectively zero regardless of the theory. The problem with LNT in terms of science communication is it's easy to make it sound as if the risk isn't effectively zero.
> it basically doesn't matter, because the risk of low-doses is effectively zero regardless
this is exactly what i said in my original comment.
I looked up competing LNT models. TIL about radiation hormesis. theoretically, near-zero but >0 levels of radiation activate dormant repair mechanisms that not only repair radiation damage, but also non-radiation damage; this results in a healthier host. interesting.
having thought about this for all of 30 seconds, i wonder if both models aren't simultaneously correct. if most radiation damage is repairable, activating dormant repair mechanisms with tiny amounts of radiation would be a net benefit. however, if there exists any possible irreparable damage in any cell anywhere on your body regardless of otherwise functioning repair processes - which i don't know to be true but seems likely - then LNT could also be true concurrently with radiation hormesis.
> If background radiation is everywhere, how can there be no safe dose.
Easy: there is no absolutely safe dose.
At normal background levels the chance of it causing you significant trouble before something else has long since killed you off in some other way is practically zero, so there is effectively a “safe enough” dose. But if you are very very unlucky background levels could cause you an embuggerance that becomes life changing or life ending.
It is more complicated than safe doses of most (but obviously not all) drugs/poisons/etc, because for most of the latter they are purged from your system in fairly short order assuming you survive the initial hit, so the next hit if there is one of equal strength is likely to have much the same effect. Radiation tends to hang around a lot longer so repeated exposure to higher levels builds up so the safe dose has to be stated “over time” rather than being simplified to a fixed dose perhaps related to your mass.
There was a village (unfortunately I can't find the reference in a quick search ATM) where there was/is an unusually high incidence of thyroid cancer which was thought to be a genetic predisposition as the population started from a fairly small gene pool, but is now thought to be because the background radiation in the area is a bit higher than elsewhere due to the makeup of the local ground rocks. The difference is nothing to worry about if passing through or visiting regularly, in fact the difference is small enough not to be a major concern to the locals, but a lifetime of the extra exposure is enough to at least be visible in certain health stats.
The reason there is no safe dose is because even background levels of radiation will cause eventual health consequences, just not before another cause of death.
The radiation hormesis idea is controversial but that is a bad argument against it. Molecular scale events interacting with molecular scale DNA repair machinery is a different physical context than bullets.
The body is hit by natural radiation all the time and so it has mechanisms for this. Not so much for macroscopic projectiles.
The question is how these mechanisms behave and whether a small amount of radiation stimulates them… and then how much, for how long, etc. It’s a complex model with multiple systems and feedback loops.
> A different model suggests that very low levels are either benign
Nothing in what others have said suggests low levels are deadly or even likely to be damaging, at least not over the time frame of a human life as defined by the many things that can take us out.
> or even helpful.
A larger amount of something being damaging does not rule out a small amount being helpful, there just comes a point when the potential danger starts to outweigh the potential benefits. Water is very beneficial, necessary in fact, but too much of it over a short time will kill you.
I can't find any solid supporting sources that provide any evidence that there exists a positively safe dosage, but even the linear-no-threshold models suggest the effects of low dosages are small enough to be hard to measure; i.e. which model is correct is practically irrelevant for low enough (e.g. 1-10 mSv?) dosages.
Presumably there is some level of radiation at which if 100 million people were exposed to for 20 years, we would see measurable excess deaths with the linear no-threshold model, but not with other models.
In particular the linear model treats chronic exposure as all the same; X amount for a week is the same as X/52 for a year.
Yeah, the linearity in the dose seems more plausible than the linearity in time; and I don't understand why the two dimensions necessarily would be intrinsically linked.
The data is power and can equate to money quite easily. This means that people are not going to handle data responsibly unless forced to do so.
Most companies have zero data controls and it ends up getting passed around everywhere and saved off by employees for their own personal use.
It's like waving money in front of people when you have no way to determine if it gets stolen or by whom.
I was raised in a family bookkeeping business that handled all of the vital business data for hundreds of clients. Data protection and privacy (respect for clients) were always job #1.
This came to be my philosophy for all user data in any context. A philosophy that very few people share--and the rise of the web seems to have reversed any possibility of such a philosophy taking hold as user data became a form of currency.
If you keep it around to sell then you are likely violating the 'legal basis for processing' part of the GDPR. Data can only be used for the purpose for which it was originally collected, selling the data to others to use without that exact same goal can not be such a purpose, and even then you will have to be quite careful that you maintain control. Various EU data brokers (Schober, for instance) have found ways to do this in a controlled manner usually by anonymizing the data or by selling it only in aggregate form.
But selling it raw with the personal identifying information of the data subject is almost always a complete no-go.
GDPR requires informed consent for ANY type of storing or managing any kind of personal data or data which can be linked to personal data (e.g. email, which can contain the name and surname of the person behind an account), and you must be explicit on what you do and you cannot give the data to another entity without re-requiring consent for that specific purpose and declaring exactly who will be the new controller of that data.
But, to use your analogy, why would companies treat user data like uranium when risk/reward is like that of oil?
Grindr surely made much more from data sales than the 6.something million Euros it was fined. The paltry fines under GDPR do nothing to dissuade this behavior. That's been a recurring theme in previous HN discussions on this topic.
Right now, I would posit that these low penalties are for show. Governments don't want to lose the economic benefit of having these companies operate in the EU and the general public can be satisfied that their governments are on top of the issue.
I've got an estimate here that says Grindr is doing 31 million dollars net on over 100 mil revenue per year. I am by no means in favor of running these companies into the ground. The fines are definitely a balancing act. But it seems at the present moment the expected value of breaking the rules is substantially higher than 0.
Wait until they try this again. It may not be the Norwegian DPA that acts the next time around, it could be the UK DPO, the Dutch AP or any one of a whole raft of others, and they'll all take into account that they were already fined once before. This fine is level '2', apparently you ignored the first warning so now you get a major but not crippling fine. The next one will not be at that level, there is a pretty clear progression for repeat fines.
In one case, a hospital first got a warning, then a small fine and then a mid six figure fine for a case involving a single patient. You can rely on them having learned their lesson and that there will not be a third fine.
I don't think your statement holds true in practice. Collecting data that you then don't do anything with, in theory or even in practice, is also something that GDPR penalizes, since there's no need for you to collect it if you claim you don't do anything with it.
Not doing something with the data is also a function, just like Nulls are a value, so yes you are right that collecting the data and not doing anything with it could be viewed negatively when up before data commissioners. It's interesting watching how the IT industry views GDPR and the advice given out by various law firms. You see, unlike maths which is pure, language is vague and open to interpretation; the trick is convincing the decision maker, i.e. data commissioner or judge, that your interpretation is the correct one and not just an incorrect herd mentality sweeping the IT industry, which you see in the comments posted here and elsewhere.
A fine of this size indicates to me they should harvest and sell more data to increase profits. Tens of millions would still probably be worth it to Grindr.
Imagine you're a government who doesn’t like homosexuals. Pay a fee - $5-$10m and you’ll get a list of users globally. Probably with travel patterns. Next time they enter the country, arrest or block visas before they enter.
Nah, this fine (which I don’t even know if they’ll pay) is the cost of doing business.
These fines tend to go up with repeat performances. Sooner or later some company will be fined right out of business and then we'll see whether the remainder will catch on that playing games with regulators is a losing one.
Wait a second, it's not Grindr gathering and selling a list of homosexuals interested in sex.
It's the users themselves who actively register on Grindr to announce their services and picture on the platform.
If this activity is illegal in the country of the user, the best Grindr can do is to prevent users from these countries from registering on the platform based on their national ID, but that's basically it.
You don't have to be living in a country where homosexuality is illegal to not want your presence on a dating app - straight or gay - to be public knowledge.
Speaking from unfortunate experience about half the men on Grindr do not put up identifying pictures. Many are in relationships with men and are cheating. And many present publicly as heterosexual or are married to women.
Firstly, yes, Grindr is mostly men looking for sex, but they're not all homosexuals and they're not all looking for sex; many are just there to flirt, others to troll. But Grindr is definitely gathering and selling lists: it's what they do.
Secondly, with the word "services" you're implying that the users are whores.
Thirdly, there are an infinite number of ways that Grindr could protect its users through the design of their app: from purely technical measures such as end-to-end encryption, or through careful informed consent about shared data and protection of people who are legally or functionally incapable of such consent.
But from your statements you just want to blame the users because you disapprove of them. I'm sure you can do better than that.
And what if the country wants info on people outside the country? They may want to be sure that they can catch the homosexuals when they come to visit or prevent them from visiting (friends, family, etc.) altogether. Whether or not the person signed up in the first place, nobody should be able to buy the data.
What if half of the fine was given to the user(s)?
That way users would have an incentive to sue companies (i.e get rich quick). That way personal data would really have to be considered a liability if companies don't want to start giving millions to their users left and right.
Grindr has around 4 million daily users, and up to 30 million registered users in total. Even a fine of this size would be meaningless once divided between the users.
I meant giving a million dollar per user. People would try to sue them en masse. They would have no choice but to be very strict about what they do with our data.
As much as I want to punish this, the actual outcome of heavy-handed fines would probably result in the company selling off all its assets... whoops there goes the database into the hands of an even less scrupulous actor.
I work with retail tech and provide both "connector" middleware and product solutions.
When we have products that we produce that are required to keep customer data, we figure out what the _minimum_ amount of data required is to deliver the value required _to the end customer_ and do our best not to expose any more data than that.
For everything else, the goal is for our systems to hold _zero_ end customer data and _minimal_ employee data. We don’t want the liability. We do a lot of security engineering around what we do, but we want to make sure that we aren’t the source of a data breach on behalf of our customers because we aren’t holding the data in the first place.
I've been of the thinking that there's no smart need to be a try-hard regarding hoarding private information, or mostly in general really but that can be debated. When you reform your endeavour to get profit in the short term because for some reason that's what you need, it likely will be left not properly guided and it will crash or make others crash. (I prefer) [Durable] Quality over meaningless get-by's that will be irrelevant decades from now, but that maybe bought you some time so hey ok.
There's another way to make the collection of personal information less economical, which we can all contribute to. Send GDPR and CCPA data requests. Each request incurs some small but not insignificant cost for the company to handle it. This is because the process is hard to automate. Don't spam companies just for the sake of sending requests, but do get in the habit of using them to reduce your exposure.
Disclosure: I'm one of the founders of YourDigitalRights.org, a free service that makes it easy to send these sorts of requests.
I'm all for that but only if you suspect that a company is abusing your data. Otherwise it amounts to a DDoS attack and that should be reserved for those that deserve it, not to place a burden on otherwise compliant companies.
But if you suspect that a company is abusing your data, selling it, enriching it with data that they shouldn't have: fire away.
The EU is merely leading the way here, you can expect all of the developed world to have similar data protection laws on the books sooner or later. And if you think that treating data in the proper way is hard then you probably shouldn't be in business at all. Operating in the EU is not a liability if you treat your users data in a respectful and responsible way. Common sense alone would answer your questions on what is and what isn't allowed in the vast majority of the cases.
That this doesn't align with the free-for-all that was the WWW for the first two and a half decades doesn't change that, morality isn't all that hard and each and every company that crosses those lines is very much aware of it. These are not accidental misinterpretations of the law by any stretch of the imagination, they are wilful abuse.
> The EU is merely leading the way here, you can expect all of the developed world to have similar data protection laws on the books sooner or later.
While i do believe in being privacy conscious, i don't believe that this will be the case anytime soon (or at least until a generational shift happens). No business is interested in having to suddenly comply with such regulations and essentially no longer being able to utilize the data of individuals however they please.
Ergo, corporate interests will probably lead to lots of lobbying in this regard, just look at what happened with net neutrality and the advertising around it.
> Operating in the EU is not a liability if you treat your users data in a respectful and responsible way.
I think that all of this boils down to profit margins and viewing people as just numbers on a sheet somewhere, to extract wealth from. Just look at how scummy many of the cookie banner implementations are, designers being paid to implement as many dark patterns as possible, at least up until lawsuits started.
> No business is interested in having to suddenly comply with such regulations
Just to pick up on this clause - it really needn't have been sudden. The regulation was adopted just over 2 years before enforcement kicked in[0], and of course it was written and debated for a while prior to that. In the UK the ICO researched the implications (for what were then just proposals) back in 2013[1].
And before that we had the DPD, which companies routinely ignored because they would never get fined. That's the only part of the GDPR that made companies take notice: the fact that the GDPR has some pretty impressive teeth. I'm actually quite surprised at the restraint on display so far by regulators, but I'm also quite sure that it is a matter of time before a repeat offender will be shown just how powerful this law is.
Regulators are contacting businesses which they suspect are in breach of GDPR to give them the chance to become compliant (I was in companies that received such communications). If the company is in good faith, they’ll fix whatever the regulator found or explain why they haven’t breached the law.
These cases don’t get discussed in the media probably because they aren’t published anywhere.
Before a company gets a fine, at least for now, it must do some really crazy stuff and/or refuse to cooperate with the regulators.
Indeed, I am aware of a few cases like this. But I'm also aware of a couple of companies that have swept breaches under the rug in recent times and if and when those surface they will be in pretty deep trouble.
> No business is interested in having to suddenly comply with such regulations
jesus christ. enough with this bullshit.
Data protection laws had been a thing in European countries for a decade before GDPR.
GDPR itself gave everyone two years to comply.
GDPR was published in 2016, five years ago.
There's no effing "suddenly". If this is "suddenly" for your business, and your business still hasn't figured out how to not collect (and probably sell) user data wholesale, your business deserves to be sued out of existence.
> Just look at how scummy many of the cookie banner implementations are
Yes. And all of those cookie banners are illegal under GDPR.
Maybe i could have also expressed more outright disdain for the practices of these companies in my original post. Then again, i think that the comment that you are responding to, despite its tone, has a fair argument.
> If this is "suddenly" for your business, and your business still hasn't figured out how to not collect (and probably sell) user data wholesale, your business deserves to be sued out of existence.
> And all of those cookie banners are illegal under GDPR.
Here's the thing: if there's profit to be made, both large and small corporations alike are going to look for ways to achieve that, many other concerns (e.g. the actual UX or even ethics) remaining with secondary importance in comparison.
It doesn't even matter that some things are illegal sometimes, depending on how likely it is actually to be enforced. I think that this same disposition and attitude will also extend to lobbying and trying to nudge the lawmaking processes in a direction that benefits said companies, to maximize their profits in the future.
I'm not saying that things shouldn't be more like the EU's outcome (in this one regard, at least), i'm saying that they won't be like that.
Just look at the pharmaceutical industry in the US, the healthcare industry as a whole, or maybe the education industry or even the military industrial complex, all of which have probably seen lots of lobbying and lawmaking that doesn't necessarily benefit the general populace.
Furthermore, for some businesses it is simpler to deny access to people who are protected by GDPR, either because of compliance taking more resources than they want to allot, or simply gaining no benefit from serving them content if they cannot use tracking cookies and monetize otherwise free interaction with their content.
So rather than figuring out how to not collect and sell user data, they're struggling to find ways around the laws, so that they can keep doing that in any capacity, or in some places, just ignore the laws altogether thinking that they're too small/big to actually be persecuted.
Oh, absolutely, make no mistake, I am entirely in agreement with the argument that you make, I'm just pointing out that the form is sub-optimal and not really in the spirit of the website it is made on. That said, I sympathize because I feel much the same way at times.
Think of it as the law catching up with technology.
> No business is interested in having to suddenly comply with such regulations and essentially no longer being able to utilize the data of individuals however they please.
Indeed, hence the need for regulation.
> Ergo, corporate interests will probably lead to lots of lobbying in this regard, just look at what happened with net neutrality and the advertising around it.
Sure. But since EU citizens will be enjoying those protections and US citizens will not eventually this will translate into an advantage for companies doing business from the EU and into the US. For that reason alone there will be a big incentive for the US to make a law that is symmetrical to remove this advantage.
> I think that all of this boils down to profit margins and viewing people as just numbers on a sheet somewhere, to extract wealth from.
This is a big factor, but not the only factor: data that is in isolation worthless can become very valuable or even dangerous when combined with other worthless or innocent data. There are plenty of examples of this. The balance clearly lies in protecting consumers from the fall-out of these and the more purposeful abuses. This is a matter of raising consciousness about what rights you already have, not necessarily of giving you new ones.
> Just look at how scummy many of the cookie banner implementations are, designers being paid to implement as many dark patterns as possible, at least up until lawsuits started.
Agreed. The EU did the right thing with the GDPR, it laid bare how many companies were outright scandalous in how they were dealing with the data that they were entrusted with, they were bad stewards and it is good to see this level of enforcement because that means that companies will wise up to it and find better - and cleaner - ways of monetizing their products and services. Once they have those they will realize that regulatory capture can be theirs if they lobby for these rights to be extended to everybody.
I noticed that some companies, increasingly common, are throwing up banners that will not go away, and have no deny button.
The banner is stuck on the screen and usually has a button captioned: Learn more, instead of the cancel or deny button.
I just want the damn banner out of my face. How long before browsers automatically hide (default deny cookies) the banner and give the user a way to expose it if they wish?
I feel abused and manipulated as a user when they use these dark patterns--which the law, to my knowledge, expressly prohibits.
>Sure. But since EU citizens will be enjoying those protections and US citizens will not eventually this will translate into an advantage for companies doing business from the EU and into the US. For that reason alone there will be a big incentive for the US to make a law that is symmetrical to remove this advantage.
Except it's literally the other way around. EU companies will be at a disadvantage because they cannot use the data either to improve their service or to monetize it in some way.
>The EU is too large a market to miss out on.
Is it? Then what does that make China and the US? Or the rest of Asia? They don't seem to make nearly as many rules that require a service to change the entirety of their monetization system. If companies have to agree to EU terms then why wouldn't they do the same to China? After all, it's too big a market to ignore.
The EU keeps making more rules for all kinds of things. Eventually this is going to catch up with us - if it hasn't already done so. The EU isn't exactly the tech center of the world nor does it seem to have a great trajectory or bright future. When it comes to tech all we seem to have is cars. Everything else is foreign developed, designed, and manufactured.
> Except it's literally the other way around. EU companies will be at a disadvantage because they cannot use the data to neither improve their service or to monetize it in some way.
As if RoHS weren’t printed on each single piece of hardware produced on the planet.
> since EU citizens will be enjoying those protections and US citizens will not eventually this will translate into an advantage for companies doing business from the EU and into the US. For that reason alone there will be a big incentive for the US to make a law that is symmetrical to remove this advantage.
Given the lack of similar regulation in the US despite the situation being so bad that unsolicited spam subsidises the postal service and that even government agencies sell user data I’m not sure there is a desire for this from the general population.
It doesn’t help that politicians rely on a lot of what would breach the GDPR to help their reelection such as targeted advertising and unsolicited (and often misleading - pretending to be written by the official itself) email and phone campaigns.
Um, CCPA is a thing. It's not as stringent as GDPR, but I would call it "similar" regulation. This stuff tends to happen at the state level in the USA.
How are websites and apps going to make money though? Like it or not, the reason the internet became this popular is because of all the free stuff on it. If everything was behind subscription fees it possibly would never have taken off. I don't think I would've ever used Google if they had charged a fee for the service.
This would effectively make political interests entrenched even more on the internet, because they'll see it as worthwhile to make free services. They get to feed you politically slanted ideas - just like free political newspapers.
>Operating in the EU is not a liability if you treat your users data in a respectful and responsible way. Common sense alone would answer your questions on what is and what isn't allowed in the vast majority of the cases.
Relying on common sense is playing with fire. Common sense says that with this many people using the services of these companies that people are okay with what these companies are doing. That's not what GDPR says and that's not something I had any vote on or anything like that.
You might prefer the cable TV model, but I prefer YouTube. I like that I don't have to pay anything to go look at a large variety of topics. Far more than any paid service would ever provide.
Advertising worked fine before tracking. Selling your users data, especially this kind of data is a thing that more than negates the value your users derived from your service, in some places it might get you killed.
There are many ways for websites and apps to make money, and if you can't then maybe you simply shouldn't.
Advertising without tracking doesn't work. Only a small set of businesses can really advertise online without tracking. Any business that is in a specific area or doesn't use English will find it a bad deal, because most of their ads will be shown to people who don't understand the language or aren't in the area.
Even with tracking ads get the language component wrong frequently. Unskippable ads in a language you can't understand are even worse than normal.
Many billions of dollars are spent annually on advertising without tracking: every ad in print and the vast bulk of all radio and TV advertising are not tracked at all. The web was the first medium where advertising tracking could be done and it is simply an arms race; if everybody stopped doing it then it would work just as well as it does today (and it would be a damn sight less annoying).
Moreover, the benefits of tracking for advertising are yet to be proven. Can't find it on mobile, but there have already been businesses giving up on tracked advertising because it had all the efficacy of shouting in a sandstorm.
>Selling your users data, especially this kind of data is a thing that more than negates the value your users derived from your service, in some places it might get you killed.
There are many ways for websites and apps to make money, and if you can't then maybe you simply shouldn't.
This is too general of a statement. The majority of people in the US don't care about digital privacy and do get positive value.
Except that these are businesses giving away a free product which has been immensely useful. Starting out I wouldn't have paid for almost any of the services that I use on a daily basis.
I feel that "just the way they like" is honestly a pretty low bar to clear, and in general these are common sense and respectful things that you should be doing with user data in the first place.
- Tell people up front what you will do with their data
- Let them opt out
- Track what services your own service uses (Ex: your website -> google analytics)
- If people want to know what data you have about them tell them
- If people want you to delete their data (and there is no legal obligation to keep it) delete their data
- Take reasonable steps to keep user data safe
In this case Grindr was passing (per the article): advertising ID, IP address, GPS, location, gender, age, device information and app name to a bunch of Ad Services with "no control".
So beyond just "handling data" Grindr was getting paid (ads) for sharing your data to companies that could then also turn around and do whatever they wanted with that data.
>common sense and respectful things that you should be doing with user data in the first place
It's disrespectful to be nosey into what people are doing or to give them orders on what they can or can't do.
>So beyond just "handling data" Grindr was getting paid (ads) for sharing your data to companies that could then also turn around and do whatever they wanted with that data.
Good on them. They figured out a way to make money using information that they collected.
>It's disrespectful to be nosey into what people are doing
>Good on them. They figured out a way to make money using information that they collected.
These two statements don't jive. It's disrespectful to be nosey, but it's fine if people buy data and be nosey into other people's lives? That's quite absurd.
The first statement is about a user being nosey into what a company does with the data. There is an expectation for dating services to collect data like age, gender, etc about a user. I wouldn't really call them nosey. Since it's kind of expected for them to get that information from you. Is a dentist being nosey if they ask for your dental history?
> It's disrespectful to be nosey into what people are doing or to give them orders on what they can or can't do.
Not just disrespectful, I would even say it's immoral given the unbalance of power involved. That's why we need GDPR: to protect people from businesses being nosey into what they are doing against their consent, and also to protect people from businesses telling them what they can and cannot decide about their own data.
EU member states and representatives decided that not having certain business models is preferable. Them leaving the single market is a welcome result.
GDPR enforcement is pretty gentle. For the first offence you will just get a warning. Grindr's fine is a warning that you should heed such warnings.
Yes, operating in the EU is a liability; operating anywhere that has laws is a liability. And the risks of operating somewhere that doesn't have laws are an even greater liability.
The idea that some data is owned, and that people can obtain ownership of data that belongs to other entities, is as moronic as claiming that the CO2 I breathed is owned by me. Data is data, it's not PII or whatever stupid contraption lawyers came up with to keep themselves busy.
If the EU wanted to ban tracked ads, it should make a law that bans tracked ads, that simple. Not only would it instantly achieve the desired effect (which GDPR did NOT), it would level the playing field for more ethical companies to thrive within the EU.
You are totally misinterpreting what GDPR is for, so it makes sense you'd be unable to recognize the benefits.
Data IS owned, by the person the data pertains to. And companies should not be able to capture that data, sell it and share it without explicit consent. Which GDPR does achieve.
> Data IS owned, by the person the data pertains to
This is an almost undefined concept. Data is not copyright, they are observations. Plus for many kinds of data ownership is hard to define, e.g. genetic data which is largely shared by all of us.
You can try as hard as you can to wriggle out from understanding what this is all about but it is actually pretty clear: data supplied by an individual is the property of that individual, they have the right to informed consent on what it is used for, they can ask you to delete it, they can ask you to update it or review it. In some cases other laws (for instance: tax law) can make it mandatory for you to keep certain records, for which there are exceptions.
That's basically it. So it's not an 'undefined concept', it is extremely clear and the text of the law is actually quite legible so there is no real reason not to be informed about this if it affects you in any way (which it likely does).
The idea that data is "property" or that it is "owned" by anyone is not codified in law. And as an analogy for how GDPR works, I think it's more harmful than helpful. I see GDPR as rejecting the idea that data has an owner, more than anything.
GDPR says that the data subject has rights to data about them. If you want to put a label on it, I would say that legally they are a stakeholder in their own data. One stakeholder of several. Not necessarily the most prominent one. GDPR gives you a seat at the table, but it doesn't actually put you in charge, the way that "ownership" implies.
The company that collects & processes the data is still the one making decisions like: What data is being collected? What is it used for? What is the Legal Basis for data collection? What Processors will the data be sent to? What countries will the data be processed in? They have a lot of leeway in how they answer these questions and still be compliant with GDPR.
So for that reason, my view is that GDPR says there are multiple stakeholders with different rights to how the data is handled. Which if anything is a rejection of the idea that the data has an owner. Certainly you have rights to the data, but some of those rights have limits, and the Controller still has rights as well.
Yes but that's a necessity to support lawful contracts between a person and an organization e.g. a loan provider.
The data subject, as I think, is the owner. They have rights over how and when their data is used & e.g. have a right to be forgotten.
They do not, however, always have the power to exercise their 'full' rights in cases where they've entered a binding contract. Such as trying to exercise the 'right to be forgotten' with a company who provided a loan they've defaulted on. They do however have the right through law to instruct the controller to use the data in the bare minimum ways they need to reasonably execute the contract.
A reasonable data protection legislation needs to side with the controller in some situations else it would be otherwise incompatible with modern society / law.
It certainly does help more than harm imo, especially when it comes to marketing / advertising.
Fair enough, but from a practical point of view treating the data as owned by the supplier of the data (when it is about them) gets you 95% of the way, the remainder can be explained by the concept of 'control of the data'.
This is contrary to what I have seen in my day to day practice over the last couple of years. Now, of course it is possible that my sample size is too small (about 120 companies over that period) but I highly doubt that.
Data collected indirectly would for instance be data used to 'enrich' a profile, for instance by buying it from a third party. That data would still show up in a DSAR, but it would likely not be private data because no company is stupid enough in the current climate to sell that without a very good legal review. Data collected surreptitiously (for instance, GPS location information, device IDs and such) counts as user supplied for the purpose of the GDPR, and collecting that without consent and without disclosing that you are collecting it and supplying a legal basis for processing is illegal.
Once you share information it is no longer private unless you put that person under an NDA or something similar.
If you meant personal information then that doesn't make sense either. No one owns the fact that George Washington was male. It is just a statement that could be true or false. George Washington has no control over me spreading this information. Especially since he is dead.
You have a completely unique idea about the meaning of 'privacy'; you may want to adjust your definition to the one that the rest of the world works with so that we can have meaningful conversations.
George Washington's gender is of no consideration whatsoever in this discussion, so bringing it up is a variation on the theme of the strawman.
The GDPR, which is what you are commenting on is all about privacy and private data shared with companies for the goal of processing with a specific purpose in mind.
Privacy and private are very well defined terms in that context, and you are adding a unique spin on it that makes fruitful discussion impossible.
'information wants to be free' is a dumb line that got passed around a lot in the 90's by people who thought that they were being clever, but it turns out that there is lots of information that doesn't want to be free at all, and some of that information is about you and you also don't want it to be free.
Your example is nonsensical, and does not further the discussion either.
> unless you put that person under an NDA or something similar.
Now you're getting it. We, the European public, have decided to put anyone handling our personal data under "something similar to an NDA". We call it GDPR.
It's not about ownership. It's about my right to keep private information private. It's a right granted by law: the GDPR.
> Information wants to be free
That slogan originates in a sentence that contrasts "information wants to be expensive" (because it's so valuable) with "information wants to be free" (because it's so cheap to distribute). It's not like saying "televisions want to be free, so I think I'll steal one".
I suspect that many of the GDPR-haters here aren't people who depend on selling PII for their living; I suspect they're just jealous.
> many of the GDPR-haters here aren't people who depend on selling PII for their living
And if they are, they should be ashamed of themselves (though likely not capable of that) and shunned by all members of the industry with any ethical compass.
But to clarify: I meant to include people who aren't directly PII sellers, just workers whose employer happens to sell PII, and even website operators with an ad-network on their site. They're just trying to earn a living, and I'm sure most of them are capable of shame.
A website operator who runs Google ads and scripts on their website isn't evil. They're just "awaiting instruction".
Look at repeat offenses and how fast they go up. Level 1: don't do this, or we'll fine you. Level 2: here is your first fine, don't do this again or we'll fine you for real. Level 3: OK, you clearly need something that will move the needle, here is a fine you can't ignore. Level 4: you ignored it again, here is a fine that will put you out of business. So far we've only seen level 2 and one or two level 3 fines. Nobody has thought it wise to test the next levels up; it's a bit like the GPL in that respect.
I wonder if jail time for developers knowingly implementing lax systems for exchanging personal data could help?
This way most developers would refuse to write systems that could potentially get them in trouble, until their employer transparently ensures that no laws are broken. Some kind of engineering ethics.
Yes, but then you'd have to prove when this stuff was written because otherwise there are going to be a lot of engineers retro-actively in the field of fire.
Git blame their signed commits. If no records available, chief engineer gets the blame. I mean, that should be trivially enforceable — same as getting to know who performed a botched surgery.
Just this year there was a scandal where an anti-gay church fired one of its officials because a homophobic publication somehow got access to his Grindr account and his location data. The details on how the data got out are not clear. https://www.vice.com/en/article/pkbxp8/grindr-location-data-...
For those confused about the fine amount, here is the quote from the original source:
> In light of all the relevant criteria of Article 83 described above in sections 6.3-6.4, we consider that the imposition of a fine of NOK 65 000 000 is effective, proportionate and dissuasive in the present case.
Originally they were going for a 100,000,000 NOK fine, but lowered it down to 65,000,000.
>The NO DPA reviewed the fine announced in its draft decision (10,000,000 €) on the basis that the revenue of Grindr (seems to-this part is redacted) seems different and that Grindr has made with the aim to remedy the deficiencies in their previous CMP.
One thing I'm wondering with these fines is whether they are actually "dissuasive".
In particular, the revenue limit seems problematic. For a "normal" company whose profit margin is a relatively small fraction of revenue, 4% of revenue is huge. But for highly profitable large tech companies that make money primarily from ads, it may not be possible to issue a dissuasive fine if it is capped to 4% of revenue. Maybe "4% of revenue, or 200% of profit, whichever is higher" would be a better limit.
The first fine, usually not. But that fine indicates that regulators have reached a level of pretty serious frustration at a company not doing enough. Second fines are at the level that you'll be talking about them in the board room on how you managed to mess this up so colossally. I haven't seen any third fines yet, but I'm pretty sure we'll see one in 2022 or 2023. And likely the company that is in luck will go right out of business.
And after that I expect compliance will be a much easier subject. So far the whole roll-out has been exactly as I expected it to be.
My point though is that the maximum fines they can hand out, even for the third offense, are so low that they can't really give effective fines to some companies (unless they apply such a fine e.g. per user whose rights were violated, which doesn't seem to be what they're doing).
Grindr made a profit of $31M and a revenue of "well over $100M". The maximum fine is 20M EUR or 4% of revenue (whichever is higher). So assuming under 500M EUR in revenue, the maximum fine is lower than Grindr's 2019 profit. So if Grindr is the lucky one that serves as an example, I don't see how even the absolute worst case fine would put them out of business.
Although the max fine is probably higher than the 2019 profit from the EU, I could totally see that changing, and someone deciding that getting slapped with the maximum fine is cheaper than the loss of revenue from complying, especially if it is a business that is entirely in ads.
The thing that always bothered me most about Grindr is the fact they do not allow any connectivity from VPNs, even if you have an upgraded account. This doesn't seem to jive well with the need for privacy or anonymity in places where it's dangerous to be gay.
The Norwegian Data Protection Authority imposed a fine of €6,500,000 on Grindr for not collecting users' valid consent for sharing data with third parties for profiling and advertising purposes from the Grindr App.
Particularly interesting is that it is not allowed under GDPR to have a free version of an app with the condition that it shares personal data (in this case for targeting and profiling for ads) as the consent of the user is not freely given in this case - in a "Take it or leave it" situation, consent cannot be seen as freely given.
Interesting indeed, it is what several German online newspapers do - they let you choose between a free version with tracking and a paid one without one. I find this argument a bit weird though:
> Sharing Grindr's users personal data with advertising partners for online behavioural advertising purposes was not necessary for the performance of the Grindr's services.
Charging money for your services is also not necessary for the performance of the said services. Still, businesses are luckily allowed to charge money. Why can't data be considered as a means of payment in this case?
So offering people with no means to pay another way to access the service (in exchange for something quite worthless to them, their "data") is now exploitation?
Interesting, because said practice from German news sites seems to have the blessing of the data privacy authorities. Sadly I can't find the source. It must have been one of the data privacy newsletters I receive.
So the Norge argument here would go further and I would like to see this challenged to the European Court as this would provide a final verdict.
Currently I feel that different countries see these things quite a bit differently.
On the other hand it would only mean that you can't have a free version refinanced through advertising, but would need to find other ways of converting users into paying customers while still providing a stripped down free app for generating reach.
Why can't organs be considered as a means of payment?
Not sarcasm - I think that while it's obviously a different scale, the reasons are similar and boil down to "we don't want that as a society" and "the environment this creates is not conducive to a free and informed rational decision". Many people don't understand the value of their data and the risk it poses, there is an information imbalance, there is a power imbalance (the company sets the terms, and you only get to take it or leave it).
The pre-GDPR situation also showed that the market doesn't really work, because everyone was collecting your data, and people have limited energy and incentive to care because it doesn't cause immediately visible pain. It's similar to workplace safety - we don't allow employers to create easily avoidable dangerous situations in exchange for extra pay either, for similar reasons.
Most importantly, data grabbing is not necessary for advertising, it's just slightly more profitable and thus everyone does it, eventually pushing the "good" (privacy-friendly) players out of the market. If we want to change that, we need a de-facto ban (which a properly implemented GDPR would be, because so many people will click "No" if given a truly free choice that showing the popup won't be worth it).
Should we consider all our data as important as our medical history and sexual orientation? And also as important as an actual organ, as the OP was implying?
> Why can't data be considered as a means of payment in this case?
One of the biggest reasons would be that using data as payment has been demonstrated to push out companies that don't want to collect data. Data as a means of payment is less clear to the consumer about the costs, and there is no real good way to inform the public outside of a massive investment into general education that focuses on privacy, data laws, how data is gathered, why it is gathered, how it gets traded and used, and what the outcomes are. The value added through data is also not taxed, which creates an unfair advantage compared to other payment methods.
It’s quite amazing that something most people see as quite worthless ("my data") is suddenly seen by society as priceless (since I can’t buy it with money).
The 'data is payment' thing sounds terrible. What if it really goes south and this data is involved in some identity theft? Then the criminal justice system needs to get involved at enormous cost to tax payers. Therefore, there actually is an interest of the state that all this data should not be roaming around freely.
I was about to mention how well-written Norwegian legal texts are until I noticed the “edit” links. So, instead, I’ll say this is a well-written wiki article.
I wasn't aware of the rule against "Take it or leave it". Just yesterday I encountered a similar situation, visiting a popular German website (Heise online).
It communicates that European societies (through their elected representatives) disapprove of the "paid for with your data" business model.
Yes this is limiting the free market but it's a conscious decision.
It's still allowed to process data for your own analytics (e.g. to improve your offer) and make use of third party services. What the GDPR aims to prevent is your data being shared with the whole world way beyond the entity with which you originally interacted.
If that means services cannot finance themselves through advertising anymore then so be it.
I was on Tinder for about a week. I was receiving dating spam for a year - not "a phishing email". Hopefully Tinder will be the next up against the wall. They're shameless.
Good. Grindr is probably the best example of extremely high brand & network value vs shockingly poor security & application quality. The company demonstrates zero integrity and needs to be shut down or fined to death. It would send a proper warning to the industry, though long overdue.
Why people use apps/websites for personal stuff like that is beyond me. Just because some hip looking company is making an app/website doesn't mean it is secure or a good data custodian.
I think what's particularly scary about Grindr is just how much trouble even being on an app like that can get someone in. For example, a colleague of mine is from a country where being LGBT is not really tolerated, in the United States he uses Grindr.
I can imagine an oppressive government buying dating app data to blackmail their users. I noticed in the Tinder TOS thread people complaining about how impossible it is to meet folks in real life.
You can still have friends, friends have friends you can go out with. I'd say from a mental health POV you should be doing social things anyway.
With respect, that is easy to say when ~50% of the population is a potential partner and is easily determinable. When you are gay and the majority of guys are straight, finding partners organically is near impossible (unless you're in a gay bar or something).
I'm not condoning Grindr's actions or that people shouldn't use it with care, but it really has become a key part of LGBT networking in the modern era.
I think it depends on where you are, the city I live in has a very large gay scene. So I've had guys just try to chat me up while I'm at a restaurant or something, I don't mind.
The only time it was a bit weird is when a co-worker told me I look like his husband, not okay to say at work.
Arguing that guys shouldn't use grindr because it puts them in danger and then saying they should chat people up in real life seems bizarre to me. Even in my fairly liberal western country assuming a random guy in a normal bar is gay could put me at risk. Why take that chance when apps full of gay guys exist?
As you just said, it is not easy for people to meet people in a culture where looks and small talk with romantic intent are frowned upon, put people's jobs in danger and are generally already going extinct. Plus Grindr is used for hookups, and it makes it a lot easier, something that does not have a safe equivalent in real life.
I wasn’t there so I wouldn’t know the tone and context, which can make a difference but... In general, how’s that problematic?
Also, strangers talking to you does not mean they’re sexually or romantically interested in you. Some people are just platonically social. Moreso in some places than others.
There are alternatives, but due to their bad business practices (such as illegally collecting and selling their massive database of user data, and probably things I’d never think of) they are impossible to overtake. Consider existing brand awareness, and ongoing massive marketing spend.
We're also deep in a pandemic where olden times means of socialization are pretty restricted. I'm not gonna walk into a bar in 2021 to be assaulted by smoke, sound, and covid. Just the smoke and sound has been enough to keep me out of them for over a decade now.
Smoking in bars is also forbidden here. Many pubs don't play music; and in these COVID times, I often find there's just one other person in there, reading a paper.
>I often find there's just one other person in there, reading a paper.
That sounds pleasant. Smoking restrictions here vary greatly on a city by city basis. Unfortunately the bar scene in my city likes to pretend we aren't in a pandemic and only a few have decided to brave a smaller customer base and ban smoking.
And we also lived fulfilling lives before the invention of the smartphone, tv, printing press, sewer system or agriculture. What exactly is your point?
There’s a user need. In this case it addresses the needs of a minority that’s been, until recently, highly oppressed. You don’t get to just say “things were fine before this existed”.
When something imperfect solves a real problem you don’t get to just say “oh just don’t use it”, especially when it’s not a problem YOU have. Talk about privilege!
Why are you on HN instead of sharing your bad opinions with your friends in person? You have zero reason to be online, conversations existed before the internet, you know...
By gauging the situation and, where appropriate, behaving in a slightly playful, attentive and flirtatious manner towards anyone that catches your fancy (not limited to bar patrons btw.)
The whole point to Grindr is that you can meet so many people online. It's not about replacing flirting, which you're suggesting. People flirt on Grindr -- don't worry. I think you need some experience in how the hook up scene works to really understand it....
Not true, depending on the product. I'm sure the PrEP ads I see on Grindr have no problem advertising on a gay hookup app.
But more to the point, Grindr got in trouble specifically for selling data to advertising networks presumably so they could also be targeted outside Grindr. Knowing someone's sex, sexual orientation, location, age and hobbies is great targeting data.
IANAL but the lawyers I've worked with have said unpaid violations lead to cutting off business relations until fines are satisfied.
I'm sure it's more complicated but the general idea is economic coercion.
Now given that, the class of proximity based apps are all regional (such as dating, dog walking, delivery, etc).
I have no idea if Grindr has a market penetration in Europe to make it worthwhile. Companies have been known to completely vacate markets instead of honor fines or fees.
>Grindr is incorporated in the US, I'm not sure how they plan to enforce this fine.
You put the company on a black list, then banks or other companies in EU or that have business in EU can't send them money or work with them, I am assuming they offer some subscriptions and other paid features so the banks not working with them will hurt.
Maybe someone for Norway can pitch in about how this works.
Even though Norway is not an EU country, it's part of the EEA and various other treaties with the EU and hence they ended up implementing GDPR; it seems possible that they end up having authority to enact EU/EEA wide enforcement actions.
As far as the average person is concerned, EEA members like Norway are practically in the EU. You've got free movement, open borders due to the Schengen area, and so on. Meanwhile all the exemptions from EU law mostly concern comparatively niche areas like fishing.
"Although not a member of the EU, Norway is a member of the European Economic Area (EEA). The GDPR was incorporated into the EEA agreement and became applicable in Norway on 20 July 2018. Norway is thus bound by the GDPR in the same manner as EU Member States."
From a systems point of view, the "boiling over" of agitated Grindr's data is no surprise as the source of obvious data abuse, similar to the way that the data on compulsive gamblers is used and abused, I suspect. Yet this is only the tip of an iceberg.
In My Own Opinion - this "surveillance capitalism" is a huge, stinking cancer on free society and is only getting started.. history will show this is absolutely true. "I have nothing to hide" people can get a free Grindr subscription for all I care.. this is a rotten situation.
Unfortunately, data collection and data sales (either of the data directly or via targeted ads) is how many modern internet companies generate revenue. It’s easy to claim that they should just charge money directly for their product, but their would-be customers seem to prefer paying with their data rather than a monthly fee.
In fact, anecdotally, it’s often the vocal critics of data-funded tech companies who post an archive.is version of every paywalled article.
Oh man, that’s such a false equivalency. Because someone thinks journalism should be done in the open, particularly when the topic of commentary, doesn’t mean they want their private information (location, sex partners, whatever) sold to the highest bidder without their informed consent.
That is attacking a strawman that the comment did not make. It IS a paradox that people want information to be free but not if other people use it for advertising.
At the time of writing, TFA mentioned a fine of 6,500,000NOK in the first paragraph rather than 65,000,000NOK - probably where the confusion comes from.
The HN headline is also "wrong" (or at least imprecise) - the fine amount is in NOK, so the euro figure is ~6.418 million depending on exchange rates.