
I don't see how shadow profiles can be justified under GDPR and ePrivacy. If you have identifiable information (just "some" ID will do, but also IP and various other fingerprints) then you need to allow for deletion/takeout/opt-out. The current strategy of implied consent ("if you're on this site you agree") is strictly not allowed.


It's not. Well, as long as the GDPR applies. So, if we assume there are 5 billion profiles on fb (2 billion actual users, and everyone else that uses the Web at least occasionally - I'm not sure if 5 billion total is a bit high) - compliance with GDPR would render some hundreds of millions of high value profiles illegal. Applying the GDPR to the remaining profiles would require an entirely new business model for Facebook.


You also need to make sure you implement true deletion instead of a DB flag (and still use that stuff on the backend).


And that's not even getting into logs or backups, which will probably be a problem to delete from for smaller companies (since I'm assuming that facebook couldn't keep logs or backups for 30 days since that would be massive)


That's not true in the UK, there's no ID card here. IMO it's quite a nuisance, for example you need to always bring 2 documents to verify your identity and address for a variety of situations (opening a bank account, even opening a new savings account at the SAME bank, renting a new place, new job, mortgage, requesting information from the government).


Don't get me started on the UK and the ID card. It's stupidity at the highest level. There is a de-facto "ID", your national insurance number (like a social security number). Except it has no ID features, and cannot be changed. So much, much worse than an ID card. As far as practical ID for bars/clubs, people usually just use a driving license, or are forced to use a passport. Complete idiocy.

(However to get back onto topic, most people in the UK will have a passport, otherwise they should have a NINo allocated at birth. For the people who have neither, the GDPR is the least of their worries.)


Fun fact, in Lithuania people are allocated a personal number (similar to NINo?) at birth. ID and/or passport is mandatory regardless.

However, the personal number is not guaranteed to be unique because of how it's issued. We have funny stories once in a while when people with similar (or even identical) names happen to have the same personal number. A photocopy of ID in important governmental or banking actions.


... and a surprising number of official documents have errors in them, minor address or name misspellings, that make them invalid for this purpose.


This is the case with most organisations. You have a finite amount of resources and attention, therefore you need to prioritise.

Most GDPR chatter started picking up only in the last few months (of course big orgs have been preparing for the May deadline for a while already).


IP addresses are identified as personal data in GDPR. They're not exposed in the frontend, but HN might use them e.g. for logging.

Also things like deletion, takeout and consent/opt-out need to be supported (provided that HN falls under GDPR).


Regarding "they got the users’ permission initially" this is true for the users that signed up for it, not anybody in their social graph. GDPR treats data about a user as data belonging to this user. Those people have definitely not consented to having their data mined for this use case.

Next (as I understand) the consent was for research purposes, not for the CA targeting. So under GDPR Cambridge Analytica could be fined 4% of global revenue or €20M - whichever is HIGHER [1]

[1] https://www.gdpreu.org/compliance/fines-and-penalties/


Looking forward to May (when GDPR officially comes into force). Provided that it doesn't end up like the cookie law (and there are explicit provisions in GDPR and ePrivacy to avoid that) this might shake up the ad industry:

* Explicit consent for non-essential data use, you always need to provide opt-out without degrading the service

* Opt-in/out separately for every activity (no more "research purposes")

* Data deletion and takeout. Maybe in the future EU will also introduce some standards for the takeout, which will allow us to migrate between services much easier (as we now can switch between banks or telcos in a semi-automatic way)


What we are seeing is that the ad providers are considering themselves "controllers" under the GDPR and the tracking of device ad identifiers as critical to their business. Hence, their plan is to inform of the collection via a privacy policy but not to offer users the opportunity to affirmatively consent to allowing their advertising ID to be tracked. It's dispiriting.


I'm pretty sure that this kind of behavior will be shot down by EU or Local courts. The GDPR contains parts where it explains what kind of reasons might lead to overriding of legitimate or critical interests.


If this is the case, I imagine a lot of profitable sites will be geo-banning EU users who don't subscribe to a payment plan as a non-profitable drain on resources.


Sounds like a good business model. Look at what US tech companies don't want to abide by EU law. Copy their app, but without all the privacy issues, make it free for all, incl EU. You already know what to copy, you don't need to do any research. Development and business risk is much less.


> business risk is much less

Minus the part where you're giving away your product for free with legally mandated nothing in return.


That's a possibility.

The GDPR does forbid hinging service quality/availability on consent but I don't think it forbids putting it behind a paywall as alternative.


> The GDPR does forbid hinging service quality/availability on consent

Although this is one of the areas where it seems some sort of challenge is inevitable. Requiring businesses to give people more control over data about them is one thing. Requiring businesses to do things that make no business sense, like providing services to people despite getting nothing in return, is something else entirely.


It doesn't forbid you from providing a free service; to my understanding, you can charge for the service but you can't provide a worse free experience when a user opts out.

Additionally, this does not affect data that is necessary to operate the service. When you run a GPS tracker app then it is entirely okay to ask for the right to process someone's position as part of that contract (as long as you don't share it with a third party).


There doesn't seem to be any problem with either totally free or paid services. The potential problem is with business models that are free in financial terms but instead rely on some form of data or advertising for their source of revenue.


Those services will have to obtain an opt-in for users and can't deny services based on opt-in, yes.

Essentially the GDPR makes such a business model almost unsustainable. IMO rightfully so.


I have very mixed feelings on this one.

Personally, I value my privacy. I don't tend to use services like Facebook, mostly because I don't want to encourage that sort of perpetual surveillance or volunteer that much data about myself (or encourage my friends/family/colleagues to do so for me) to be used for purposes I don't fully understand.

On the other hand, apparently there are literally billions of people in the world who disagree with me. Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.

Requiring such a business to allow users more control over how data about them is being processed is one thing, and there are pros and cons that reasonable people can debate in that area. But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.


>But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.

I would say that being popular does not correlate with being good and moral. Being successful does not correlate with being good and moral either.

>Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.

The patient is not always right. A lot of people would give up privacy for facebook because in the Faustian bargain, the short-term benefit outweighs the long-term consequences.


Hopefully it specifies opt in instead of opt out. I can't tell you how many things I've forgotten to do while being conscientious because it was just so out of the way.


GDPR wants absolutely undeniable consent including that if you give consent, the corporation involved has to keep proof that you consented. It is very much opt-in.


Yes it's opt-in, and consent also has to be as easy to withdraw (at any time) as it is to give.


Their interpretation isn't necessarily going to hold up.


Can you elaborate on what you mean by "doesn't end up like the cookie law"? I'm an American and don't have much awareness of this other than I've noticed that sites in the EU like the Guardian tend to have annoying banners saying they use cookies at the bottom of their splash screens.


You can read more about the cookie law here: https://www.cookielaw.org/the-cookie-law/

Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.

This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).

With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as it. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).


But what's the alternative approach to the cookie law? A yes/no consent page before your site, and if you click no, the user doesn't get to access it? Because that's basically the same thing, but even more annoying.


If you click no, a single, non-tracking cookie (i.e. "optout=true", not a session ID) is set, and you get to use the parts of the web site that don't require cookies to function (which, for 99% of the cookie banners I've seen, is all I wanted).

Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.

So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:

a) implement an opt-out globally across the entire site to ensure no part sets a cookie and doesn't track them, with a high risk if you get it wrong, annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes

b) stop tracking users unnecessarily in general

As it is written, the options are:

a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong

b) slap an annoying banner on your web site

One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.
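The opt-out mechanism described above (a single non-tracking "optout=true" cookie, after which no part of the site may set a tracking cookie) is easy to get wrong site-wide, which is the "high risk if you get it wrong" the comment mentions. The following is an added example, not code from the thread: a framework-agnostic filter that sits where response headers are assembled, keeps only cookies on an explicit essential allow-list for opted-out visitors, and expires any non-essential cookies the browser already sent. The cookie names, the `ESSENTIAL` set and the sample headers are constructed for illustration.

```python
from http import cookies

# Constructed allow-list: cookies the site needs to function and the opt-out
# marker itself. Everything not listed here is treated as tracking.
ESSENTIAL = {"session", "csrf", "cart", "optout"}


def parse_cookie_header(header):
    """Turn a raw Cookie request header into {name: value}."""
    jar = cookies.SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def has_opted_out(request_cookies):
    """The visitor clicked "no": only the optout marker is present, no session ID needed."""
    return request_cookies.get("optout") == "true"


def choice_response_cookies(clicked_yes):
    """Set-Cookie headers emitted when the visitor answers the consent prompt.

    Answering "no" sets exactly one non-identifying cookie, as the comment
    describes; answering "yes" records the grant so it can later be withdrawn.
    """
    value = "false" if clicked_yes else "true"
    return [f"optout={value}; Path=/; Max-Age=31536000; SameSite=Lax"]


def filter_set_cookies(request_cookies, pending_set_cookies):
    """Enforce the opt-out at a single choke point.

    For opted-out visitors: drop every pending Set-Cookie whose name is not
    essential, and emit Max-Age=0 headers to clear non-essential cookies the
    browser still holds from before the opt-out. Other visitors are unchanged.
    """
    if not has_opted_out(request_cookies):
        return list(pending_set_cookies)

    kept = []
    for set_cookie in pending_set_cookies:
        name = set_cookie.split("=", 1)[0].strip()
        if name in ESSENTIAL:
            kept.append(set_cookie)
        # non-essential cookies are silently dropped here

    for name in request_cookies:
        if name not in ESSENTIAL:
            # expire a tracking cookie that was set before the visitor opted out
            kept.append(f"{name}=; Path=/; Max-Age=0")
    return kept


if __name__ == "__main__":
    # Constructed request: visitor opted out earlier but still carries an analytics cookie
    incoming = parse_cookie_header("optout=true; session=abc123; _ga=GA1.2.555")
    wanted = ["session=abc123; Path=/; HttpOnly", "_fbp=fb.1.999; Path=/"]
    for header in filter_set_cookies(incoming, wanted):
        print("Set-Cookie:", header)
```

Because the filter runs on every response rather than in each page template, a forgotten analytics snippet on one page cannot leak a cookie past the opt-out; that is the property the comment says is hard to guarantee otherwise.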


Which is why there is the "And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service)." point - you're not allowed to deny access to a newspaper article if somebody does not consent.


Unless you are charging for the content, I suppose.


Not tracking users.

From what I understand, the GDPR also disallows denying users access to a site if they don't consent to an unrelated data collection.


Websites in the Netherlands (and German public broadcasters) already follow the original ideal:

Before accessing the website, you get a choice between yes and no.

If you select no, the site will not do any tracking, no analytics — some sites disable ads in that case entirely. You still get to access the site.

If you select yes, you get the tracking.


Honestly asking... Does anyone ever click yes?


Probably, because many other sites implement it as "yes means you get to go to the site, the no button is a link to google.com"


No, you could outlaw degrading functionality, which is what they are doing in the new law.


How do you do this for services where functionality is reliant on tracking etc? E.g. some of Google's services.


You can only degrade when the user's denial exactly relates to the function of the service.

I have history turned off in google maps. I can’t name the points I make, it tells me I need to turn history and tracking back on. I hope that becomes an unjustifiable degrade.


I may have understood wrong, but it seems to me that for your maps degrade, the tracking may relate very much to the function of the service. How is the server supposed to remember the name you gave to each point without tracking you? Remember, there are many round-trips to the server when you're scrolling and resizing a map. They could always move point-naming override client side, but that's a pretty big change.


You don't do these services without obtaining the user consent first. Simple as that.


IMO the cookie law was good, and (IANAL) a banner in your face is not consent, not in an opt-in way at least.


If you're made aware of the terms and can choose to leave, that's pretty much consent. Do you sign a paper agreeing to all the terms when you enter a car park? Of course not! It's a class of contracts called contracts of adhesion. [0]

[0]: https://en.m.wikipedia.org/wiki/Standard_form_contract


EU consumer rights specify many (types of) terms that are considered unfair in various common contracts, so if they're included in a standard form contract offered to consumers, they're automatically considered null and void. I.e. it's a general legal principle that because such contracts aren't negotiated, there's one-sided leverage, and certain classes of terms are inherently abusive to consumers, therefore even if a consumer "agrees" to them and signs a contract including these terms, they shall not be considered binding.

GDPR extends this concept also to consent for processing private data - there are some ways how that consent can be granted and received, but contracts of adhesion are not (will not be when GDPR comes in force) one of them. In particular, GDPR specifies that anything included in such a "take it or leave it" contract is not considered "freely given" consent and thus such a contract does not and can not give you any rights to use that data, no matter what is written there.


The cookie banner does not put me in a "take it or leave it" position. By the time I get to learn of the terms—by any reasonable definition a prerequisite for consent—the other party has already set a bunch of cookies.


Contracts of adhesion are almost universally derided as being quite one sided and shitty to people.


How is GDPR different in this regard?


But opt-in for what? For being tracked? Using your data? Just showing you an ad?


You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.
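The comment above, together with the earlier points that consent must be opt-in with proof kept by the company and as easy to withdraw as to give, describes a small data model: an enumerated list of specific purposes, a per-purpose yes/no that defaults to "no", and a record of what the person saw when they decided. The following is an added example, not code from the thread or from any real compliance product: an in-memory consent ledger that refuses to answer for a purpose that was never enumerated, treats absence of a record as no consent, and keeps an append-only history as evidence. The purpose ids and descriptions are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One decision by one person; never edited, only appended."""
    purpose: str
    granted: bool
    at: datetime
    notice_text: str  # exact wording shown at decision time: the proof of consent


class ConsentLedger:
    def __init__(self, purposes: Dict[str, str]):
        # purpose id -> specific, human-readable description. Only enumerated
        # purposes can ever be asked about or checked ("no more research purposes").
        self.purposes = dict(purposes)
        self._events: Dict[str, List[ConsentEvent]] = {}

    def _check_purpose(self, purpose):
        if purpose not in self.purposes:
            raise KeyError(f"purpose {purpose!r} was never enumerated to users")

    def _append(self, user, purpose, granted, at):
        self._check_purpose(purpose)
        event = ConsentEvent(
            purpose=purpose,
            granted=granted,
            at=at or datetime.now(timezone.utc),
            notice_text=self.purposes[purpose],
        )
        self._events.setdefault(user, []).append(event)
        return event

    def grant(self, user, purpose, at: Optional[datetime] = None):
        """Record an explicit opt-in (an unchecked box the person ticked)."""
        return self._append(user, purpose, True, at)

    def withdraw(self, user, purpose, at: Optional[datetime] = None):
        """Withdrawal is the same single call as granting: equally easy."""
        return self._append(user, purpose, False, at)

    def is_allowed(self, user, purpose) -> bool:
        """Privacy by default: no recorded decision means no consent."""
        self._check_purpose(purpose)
        for event in reversed(self._events.get(user, [])):
            if event.purpose == purpose:
                return event.granted
        return False

    def evidence(self, user, purpose) -> List[ConsentEvent]:
        """Full history for one purpose, for an audit or a subject access request."""
        self._check_purpose(purpose)
        return [e for e in self._events.get(user, []) if e.purpose == purpose]


# Constructed purposes for the example; in practice each must be specific enough
# to defend in an audit, which the thread notes the regulation leaves to you.
PURPOSES = {
    "ads_targeting": "Use your browsing on this site to pick which ads you see.",
    "model_training": "Use your browsing on this site to train our ad targeting model.",
}


def demo():
    ledger = ConsentLedger(PURPOSES)
    ledger.grant("user-1", "ads_targeting")
    before = ledger.is_allowed("user-1", "ads_targeting")      # True
    untouched = ledger.is_allowed("user-1", "model_training")  # False: separate purpose
    ledger.withdraw("user-1", "ads_targeting")
    after = ledger.is_allowed("user-1", "ads_targeting")       # False
    return before, untouched, after, len(ledger.evidence("user-1", "ads_targeting"))


if __name__ == "__main__":
    print(demo())
```

Keeping the notice text inside each event matters more than it looks: if the wording of a purpose changes later, the ledger still shows what each person actually agreed to at the time.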


Defend it? What happened with "innocent until proven guilty"?


This is a corporate regulation, not a criminal case. When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws. I don't see why auditing for GDPR compliance should be different to auditing for VAT compliance.


> When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws

Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.

> This is a corporate regulation, not a criminal case.

That doesn't matter in most EU countries.


The GDPR does somewhat turn handling private data into "guilty until proven innocent".

Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.


This isn't a criminal case.


Most European constitutions don't limit this principle to criminal cases - actually most of the time it specifically says that it especially applies to interaction with government on top of criminal cases.


The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.


TL;DR: sites were obliged to provide information and ask for consent when using marketing cookies. That is, cookies required for the site to work (e.g. session) were fine, but tracking/analytics were not. Everyone started to show banners saying "we use cookies [OK] [what cookies?]", users just got used to clicking OK on them, and almost nobody has any clue what this was all about.

You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.


> I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit

Hello. I have moral objections to excessive tracking, and none of my businesses use things like retargeting based on tracking pixels, even though this would almost certainly improve the conversion rates for our online ads significantly.

There, now you've seen a case where a business self-regulated out of potential extra profit in exactly this area. :-)


Thanks!

Sad you don't link to your businesses in your profile, now that you've made me want to check them out and maybe reward them with money.


Ah, the perils of pseudonymity! Thank you for the nice thought all the same. :-)


Explicit consent is the principle I'm most curious (and pessimistic) about. It's one of those things that are very easy to describe in everyday terms, but almost impossible for legal enforcement to work with.

There are rules about things banks have to inform you of, or pharmaceuticals. On the academic side, this can be effective. Disclosure and making information public. On the consumer side it is almost always disingenuous. Small print meticulously written by compliance officers and reviewed by regulators. No one seems capable of stepping back and asking "are consumers better informed?"

When internet service X wants you to know your card is about to expire, they make sure that you are informed. When a regulator wants you to be informed about cookies.... we get small print, and a nag screen making us promise that we read it.


It's pretty easy: the law says that you always have to take a willing action to opt in. There can be check-boxes, but they need to be unchecked by default ("privacy by default"). Simple. I have already received multiple communications from banks and credit card companies, and they are all very explicit about it and it was very easy to see the choices and the effect of the law.


I guess I can't go forward without reiterating the argument, so I guess I'll stop. But, I think considering it easy is naive, considering the mountain of experience to the contrary.

Some things are hard to solve with laws.


At least in Italy, this has been the way it works for years. When I sign something privacy-related I get at least two boxes: one for the treatment of my information for functional purpose (that is, "we can't even take this paper back if you don't give us permission"), the other for research and marketing purposes (that is stuff not essential to the performance of the service). It's working quite well, in my case at least.


It's even harder to solve without laws. And it needs solving.


And, are Italians now enjoying better privacy than the rest of us?


Note: the following questions are not because I'm trying to figure out how to work around GDPR. They are to help figure out just what the meaning of it is. Imagining hypotheticals that try to work around a law is a common method in legal circles for clarifying the law. My employer does not keep any data that would be problematic, and compliance looks like it will be pretty easy for us [1].

> Explicit consent for non-essential data use, [...]

This raises a bunch of questions. Anyone know the answer to any of these?

1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

> [...] you always need to provide opt-out without degrading the service

2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.

On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting later change your mind and opt-out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?

3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?

4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.

If they say they are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes.

If they say they are, I just send them to a page that says EU people are not allowed to use my site.

What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?

[1] In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.


>1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

If you use the data for bank transactions or paypal subscriptions it's essential.

If you sell the data for profit, it might be essential but it falls under "opt-in only" of the GDPR. So in this part; not essential in the above sense.

>2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.

Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.

>3. In #2, does it matter if that's how my site works for people that I can identify as being in the EU, but works differently for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?

GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.

>4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.

If they say no, I would say that is okay to believe considering the GDPR also requires an "Are you 16?" question. Ask a lawyer.


> EU citizens outside the EU.

Where is this specified? It's not what I understood from Recital 23†; as far as I can tell, it applies if the business is established in the EU or if the user is in the EU, but not to EU citizens outside the EU (if the business is foreign).

https://gdpr-info.eu/recitals/no-23/


I read your link, and I think it depends on what "being in" means in the phrase "data subjects who are in the [European] Union". It could refer either to physical location (as in "I am in Germany") or to membership (as in "Germany is in the EU"), or possibly to both. I would also expect it to refer to physical location after reading this, but I'm most definitely not a lawyer.


Germany is not a data subject, so I don't think it can be read that way. Others agree: https://www.linkedin.com/pulse/gdpr-does-apply-eu-citizens-g...


> What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?

I don’t know the answer (interesting idea though). One thought came to mind: If you do it this way, you can only monetise your EU customers indirectly. As soon as you bill them, you’ll probably need to capture their address info at which point you know for sure they are in the EU. Yes you could argue it’s a non-EU citizen using an EU address while not being physically within the EU at the point of the transaction, but I wouldn’t think that would get a free pass in court.


> 1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?

IANAL, but intuitively, I'd say no.

In a technical sense, it's not essential: Even if your whole income is based on data reselling, your site wouldn't instantly become unusable the moment you can't collect any user data anymore. (Unless you deliberately make it so, but then that's your decision and not a technical necessity)

Yes, you will operate at a loss, but that is your problem as a business. It doesn't have anything to do with your ability to perform the service.

In a more general sense, basing your business model on data collection is your decision. There are other ways to make money on the internet. So if you have the option of finding other sources of funding, it's not "essential".


I will repeat my comment as you seem to be repeating the same argument.

It's not "consent" as understood by GDPR and ePrivacy. You had no recourse not to give it, therefore it was not willing and informed. Implied consent ("agree or leave") is not deemed sufficient by GDPR. According to the law you can't condition the service you're providing on collecting unrelated (to that service) data.


GDPR is a new law that's not even codified in most of the EU. FB is a US company.


GDPR has been there for 2 years [1] and will start to be enforced come May. Facebook has a presence in the EU, since they're selling data about European users to European companies. Therefore they need to comply with European law.

[1] http://eur-lex.europa.eu/eli/reg/2016/679/oj


It's not "consent" as understood by GDPR and ePrivacy. You had no recourse not to give it, therefore it was not willing and informed.


Not true, you can leave the website. The website of course has to not track you until you leave.


Again, this is not deemed sufficient by GDPR. According to the law you can't condition the service you're providing on collecting unrelated (to that service) data.


The GDPR doesn't apply to US companies. While FB has EU offices right now, they're there for convenience only. They can close them next month and stop caring about the EU law.


> they're there for convenience only. They can close them next month

Citation needed? Facebook gets revenue from their ad network, which is used by European business customers and targets European users. Therefore they need to comply with European law.

