by jeffbr13 2861 days ago
Docker Hub[1] is also blatantly in breach of the GDPR. Wording on the pop-up:

> We and our advertising partners use cookies on this site and around the web to improve your website experience and provide you with personalised advertising from this site and other advertisers in AdRoll's network. By clicking "allow" or navigating this site, you accept the placement and use of these cookies for these purposes.

It’s not a modal, but supposedly ignoring it opts you into the tracking, with the only choices being “Allow” or “Learn More” and the [x] button also being labelled “Allow”.

IANAL, but it’s not informed individualised consent if there’s literally no opt-out, and there’s not a lawful basis unless advertising-cookies are suddenly the enabling technology behind downloadable containers.

I’d report them to the Information Commissioner’s Office myself if I didn’t think they were about to fold anyway, after their piss-poor sunsetting of Docker Cloud and painting a target on their own back for a few adbucks.

[1]: https://hub.docker.com/


The opt-out is to navigate away and not use their service. That matches the GDPR: if you need the data to create a contract, like 'we use your data in exchange for your use of our site', then you can keep it.

> there’s not a lawful basis unless advertising-cookies are suddenly the enabling technology behind downloadable containers.

Yes they are. Advertising cookies are how those downloadable containers are provided. That's an enabling technology. It wouldn't exist otherwise in the technology ghetto of the EU.

Your legal analysis is incorrect. From the UK ICO's guidance¹:

> The ‘consent’ is a condition of service

> If you require someone to agree to processing as a condition of service, consent is unlikely to be the most appropriate lawful basis for the processing. In some circumstances it won’t even count as valid consent. Instead, if you believe the processing is necessary for the service, the better lawful basis for processing is more likely to be that the “processing is necessary for the performance of a contract” under Article 6(1)(b). You are only likely to need to rely on consent if required to do so under another provision, such as for electronic marketing. It may be that the processing is a condition of service but is not actually necessary for that service. If so, consent is not just inappropriate as a lawful basis, but presumed to be invalid as it is not freely given. In these circumstances, you would usually need to consider ‘legitimate interests’ under Article 6(1)(f) as your lawful basis for processing instead.

And in regards to tracking specifically:

> You are also likely to need consent under ePrivacy laws for most marketing calls or messages, website cookies or other online tracking methods, or to install apps or other software on people’s devices.

[1] https://ico.org.uk/media/about-the-ico/consultations/2013551...

The GDPR does not accept lack of action (dismissing dialogs, ignoring them, etc.) as consent. You have to give clear, free and affirmative consent.

You basically have to have a modal "do you consent to tracking? [yes] [no]" dialog. Which obviously nobody who does tracking wants to do, but that's kind of the point.
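To make the distinction in the comment above concrete, here is an added example (not code from any commenter, and not Docker Hub's actual banner code) of a consent gate for tracking scripts. The names `ConsentGate`, `inactionIsConsent`, `affirmativeConsent` and the tracker list are hypothetical. The first policy reproduces the "ignore it and you're opted in" behaviour; the second only allows tracking after a recorded, current-version "accept", treats closing or ignoring the banner as no decision, and lets the user withdraw.

```javascript
// Added example (not from the thread): a consent gate for tracking
// scripts, contrasting "silence is consent" with affirmative opt-in.
// All names here are hypothetical; no real banner library is used.

const CONSENT_VERSION = 1; // bump when the cookie/privacy policy text changes

// Flawed policy, matching the banner described above: anything other than an
// explicit rejection (closing, ignoring, scrolling on) is treated as "allow".
function inactionIsConsent(state) {
  return state.decision !== 'rejected';
}

// Affirmative policy: only a recorded "accepted" for the current policy
// version counts; no decision, a stale version, or "rejected" all mean no.
function affirmativeConsent(state) {
  return state.decision === 'accepted' && state.version === CONSENT_VERSION;
}

class ConsentGate {
  constructor(policy = affirmativeConsent) {
    this.policy = policy;
    this.state = { decision: null, version: null, at: null }; // nothing recorded yet
    this.loaded = []; // trackers actually injected so far
  }

  // The two banner buttons are the only actions that change recorded state.
  accept() { this.record('accepted'); }
  reject() { this.record('rejected'); }

  // Close button / navigating on: deliberately records nothing, so the
  // affirmative policy keeps answering "no" and the banner can be shown again.
  dismiss() { /* intentionally a no-op on state */ }

  // Withdrawal must be as easy as giving consent: drop the record entirely.
  withdraw() { this.state = { decision: null, version: null, at: null }; }

  record(decision) {
    // Keeping version and timestamp lets you prove what was agreed to, and when.
    this.state = { decision, version: CONSENT_VERSION, at: new Date().toISOString() };
  }

  isTrackingAllowed() { return this.policy(this.state); }

  // Tracker tags are never part of the page markup; `inject` (e.g. appending a
  // <script> element in a browser) is only called after a positive check.
  loadTrackers(trackers, inject) {
    if (!this.isTrackingAllowed()) return [];
    for (const t of trackers) {
      inject(t);
      this.loaded.push(t);
    }
    return this.loaded.slice();
  }
}

// Stand-alone demo with constructed tracker names and a no-op injector.
const TRACKERS = ['example-ad-network', 'example-analytics'];
const noopInject = () => {};

const legacy = new ConsentGate(inactionIsConsent);
legacy.dismiss();
console.log('inaction policy, banner closed  ->', legacy.isTrackingAllowed()); // true

const gate = new ConsentGate();
gate.dismiss();
console.log('affirmative policy, banner closed ->', gate.isTrackingAllowed()); // false
gate.accept();
console.log('after explicit accept, loaded ->', gate.loadTrackers(TRACKERS, noopInject));
gate.withdraw();
console.log('after withdrawal ->', gate.isTrackingAllowed()); // false
```

The point of the design is that the gate, not the banner markup, decides whether third-party scripts ever reach the page: with the affirmative policy, a user who never interacts with the banner is in exactly the same position as one who clicked "no".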

> Docker Hub is also blatantly in breach of the GDPR.

Truth is, no one cares. GDPR is an overreach designed to shake down American mega-corps. Docker has no money so the EU isn't going to do anything to them.

> I’d report them to the Information Commissioner’s Office myself if I didn’t think they were about to fold anyway

I'm sure they're inundated with complaints from unsuccessful companies trying to shoot down their biggest competitors already. Adding one more to the pile is only going to waste your time and that of EU regulators.

"overreach"

You mean, like Google continuing to compile Location statistics while assuring users they're not?

"designed to shake down American..."

Or, it's not just a scam after all ... for whatever reason, some places in the world feel a need to protect themselves from US ...

... and they're actually trying to protect their citizens. Unlike 'our representatives' (hah!) in the US Congress.

> Truth is, no one cares.

You will, if you have EU customers.

> GDPR is an overreach designed to shake down American mega-corps.

The GDPR is the result of mega-corps (American ones in particular) not giving two shits about how their users' personal data is handled. Cry all you want now that the milk's spilled, it won't change the fact that this legislation was not conjured in a vacuum, but as a response to the way corporations behave when not obliged to care about personally identifiable information.

> Docker has no money so the EU isn't going to do anything to them.

A formal reprimand might suffice. Contrary to the naive American view I see here on HN, EU data regulators don't immediately try to shut you down by barging into your company's office with a SWAT team.

> I'm sure they're inundated with complaints from unsuccessful companies trying to shoot down their biggest competitors already.

How sure? 100%? 50%? Less? What are you basing your assertion on?

> Adding one more to the pile is only going to waste your time and that of EU regulators.

There's a characteristic nearly all government departments share: they may be slow, but they're steamrollers. They'll get to you eventually.

> Truth is, no one cares. GDPR is an overreach designed to shake down American mega-corps

And yet it hurts small startups that don't have the resources to become fully GDPR compliant more.

This is just inaccurate. GDPR is derived from warranted concern over rampant data abuse. And it's actually much easier to make a startup GDPR compliant than it is to overhaul a large company with rigid systems already in place. If anything, GDPR favors startups.

It hurts small startups trying to perpetuate the same blatant disregard for human rights as American startups have done in the past. It doesn't hurt small startups that are privacy-aware and treat their users with respect.

Not giving users a way to delete their accounts was never okay. Tracking user behavior without consent was never okay. Holding users' data hostage was never okay. Not giving people a way to correct the data you keep about them was never okay.

US startups have been playing on easy mode by getting to ignore human rights and just follow the local letter of the law even when going international.

If anything you'd think HN "classical liberals" would love this as it evens the playing field, allowing for fairer competition between already privacy-aware EU companies and the previously unfairly advantaged US companies entering the EU market. Of course this assumes you think privacy and data ownership should be protected as human rights in the first place.

> Not giving users a way to delete their accounts was never okay. Tracking user behavior without consent was never okay. Holding users' data hostage was never okay. Not giving people a way to correct the data you keep about them was never okay.

Sure. If being GDPR compliant just meant you don't have to do those things, it wouldn't be a problem. But with GDPR you now have to spend time (=money) understanding what GDPR means (probably with a lawyer's help) and ensuring that you are in fact compliant. "I try to protect users' privacy" isn't good enough when the EU could effectively put you out of business if you aren't. You'll have to deal with Data Access Requests, most of which are from trolls. You may need a DPO, which might require hiring someone. I'm all for protecting privacy, but the GDPR adds quite a bit of burden, which large corporations will be able to eat, but will set back smaller corporations. Really, medium-size companies are in the best position, since they have the resources to meet GDPR obligations, but don't have to do massive overhauls like the big corps do.