by mrmekon 2825 days ago
In my network of friends, which is within the EU and comprised entirely of EU citizens and spans multiple EU tech companies from dinky startups to Giant Unicorn, GDPR has been almost universally approved. We had to implement it, and generally feel better for having done so. The Giant Unicorn employees were dismayed by how little time they were given for such a giant task, but were in support of the law.

Everybody is completely and 100% against the copyright law.

There is a huge difference between the two from my point of view:

GDPR is not a law about "The Internet", it is a law about company records. It applies to Google, but it also applies to the Pakistani food stand on the corner. It affects Google a lot more, sure. I support the concept that a company does not have some inherent right to be a steward of my personal data without my explicit consent. GDPR is also easy enough for even tiny startups to comply with, and is significantly easier for small companies than large ones. It does not create a large barrier to entry for new startups or a rift between the existing small and large companies.

The copyright law, however, is a law about The Internet. It controls how businesses interact with the internet. It sets _technical_ restrictions on how they can do so. It sets technical restrictions that are probably not even feasible, at that. It absolutely does create a huge barrier to entry for small companies, and could possibly enshrine the existing tech giants into de-facto monopolies (I mean, if they aren't already...)

The copyright directive is horrible enough on its own. I don't see why everyone is in a rush to pull in mentions of GDPR to make it seem "worse". For a lot of us, it weakens the argument instead of strengthening it. Not everyone likes GDPR, obviously, but we can _all_ agree that the copyright law is garbage.

5 comments

I disagree with the GDPR "success story" part of your comment. So far it's backfired entirely. The goal was to provide users with more control, and (from the standpoint of such a user) to reduce relentless personal data harvesting.

That hasn't happened. What's happened is more annoying "we use cookies and track you"-banners all over the internet. As a user who doesn't use cookies, these damned things won't even go away and keep coming back. It hasn't given me more control. At all. If anything, it's made me more trackable on the internet (because now I'll have to use cookies to tell people I don't want their god damned cookies).

Online newspapers are the worst. "Here's a front page you can read, and maybe the start of an article, if you want more, you have to give us permission to track you -- or you can just fuck off". What exactly has GDPR solved here? Nothing. Before this nonsense, I could simply tell my browser not to accept cookies from these sites, and I could tell my plugins to ignore their tracking stuff. But at least I could read the newspaper without any hassle. Now all I get is more annoying popups and less content. Thanks, GDPR.

Yes, I'm being snarky. Yes, I know the idea of the law is pretty solid. But no, I'm not at all happy with the outcome.

Yea, I agree.

AFAIK GDPR does explicitly legislate against all that - dialogues should be "opt-in" and should include a simple "no" option, and that sites shouldn't "ban" you for not clicking "yes".

But unless EU actually starts delivering some hefty fines, the law is just a dead tree.

But if the site relies on cookies and localStorage and cannot work without it, "no" option is equivalent of "ban".

And it's their computer that allows the usage of cookies and localStorage. All modern web browsers have an option to disable them. It's technically stupid.

Nah, the equivalent is "using the website with degraded experience", not "can't read the article, we'll redirect you to the home page instead".
> But if the site relies on cookies and localStorage and cannot work without it, "no" option is equivalent of "ban".

This - unless I misread it - is flat out wrong for most of the cookie warnings I see.

There's no valid reason for a news site to need cookies or similar except for logins.

It can be proved easily by wiping cookies and verifying the site still works.

I think they're saying that a lot of sites use cookies instead of the web storage API to store the option on the dialog, meaning that even if the dialogues are opt-in, they won't work unless the user enables cookies.

Basically a fundamental misunderstanding of the difference between cookies and local storage on the part of the web developers of many sites; i.e. cookies are sent with every request, whereas localstorage isn't and these sites should be storing the option to not use cookies in the localstorage instead of cookies, and I think I'm repeating myself because I haven't had my coffee after taking a nap, but that's neither here nor there or anywhere.

> GDPR does explicitly legislate against all that - dialogues should be "opt-in"

That can't be a real part of GDPR, can it? I don't see how you can fine someone for shitty website design.

They should, in theory, fine websites that do install cookies before you give consent, or refuse to give service that doesn't strictly require cookies (e.g. an article).
If the cookie only stores the preference to not show the dialog box, that should be GDPR compliant.
You should be using localstorage from the web storage API and not cookies. Cookies are sent to the server with every request. Local Storage is not.
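As an added example (not code from the thread or from any site discussed in it), this is what keeping the choice in the Web Storage API rather than a cookie looks like: the preference never travels to the server, a missing or unreadable choice counts as no consent, and a blocked storage API falls back to the same no-tracking default. The key name and record format are assumptions made for the example.

```javascript
// Added example, not code from the thread: a consent preference kept in the
// Web Storage API instead of a cookie, so it is never sent with requests.
// The storage object is injected so the same code runs in a browser
// (window.localStorage) and here with an in-memory stand-in.

const CONSENT_KEY = "tracking-consent"; // assumed key name
const CONSENT_VERSION = 1;              // bump when the partner list changes

// In-memory stand-in for localStorage, constructed for this example.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function createConsentStore(storage) {
  // Returns "accepted", "declined", or null when no valid decision exists.
  function read() {
    let raw;
    try { raw = storage.getItem(CONSENT_KEY); } catch (e) { return null; }
    if (raw === null) return null;
    try {
      const rec = JSON.parse(raw);
      // A decision recorded under an older version must be asked again.
      if (rec.version !== CONSENT_VERSION) return null;
      if (rec.decision !== "accepted" && rec.decision !== "declined") return null;
      return rec.decision;
    } catch (e) {
      return null; // corrupt record: treat as undecided
    }
  }
  // Returns false when storage is blocked or full; the caller then treats the
  // user as undecided, which is the safe (no tracking) default.
  function write(decision) {
    try {
      storage.setItem(CONSENT_KEY, JSON.stringify({
        version: CONSENT_VERSION, decision, at: Date.now(),
      }));
      return true;
    } catch (e) {
      return false;
    }
  }
  return {
    decision: read,
    accept: () => write("accepted"),
    decline: () => write("declined"),
    reset: () => { try { storage.removeItem(CONSENT_KEY); } catch (e) { /* ignore */ } },
  };
}

// Opt-in only: third-party trackers load only after an explicit "accepted".
// No stored decision (first visit, dismissed banner, blocked storage) is not
// consent, and a Do Not Track signal ("1") overrides a stored acceptance.
function shouldLoadTrackers(store, doNotTrack) {
  if (doNotTrack === "1") return false;
  return store.decision() === "accepted";
}

// The banner is shown only while no valid decision is stored.
function shouldShowBanner(store) {
  return store.decision() === null;
}

// Browser wiring; skipped outside a page.
if (typeof window !== "undefined" && window.localStorage) {
  const store = createConsentStore(window.localStorage);
  if (shouldLoadTrackers(store, navigator.doNotTrack)) {
    // load partner scripts here, and nowhere else
  }
}
```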
How do you suppose the site make money off their visits? To me what you want sounds like freeloading.
You seem to have no problem 'freeloading' HN.
They don't run ads to generate revenue. Most content sites do.
You can definitely put ads without deep profiling. They can even be relevant. Just advertise for fishing accessories in fishing articles. Or hardware load balancers on Slashdot. Why not? Better than serving me whatever someone in my family has looked at before (that is if I didn't have an adblocker for the past 10 years)
There are ads on the front page designed to look like content.
There are ads on HN (the "xyz is hiring"), and I suspect a non-zero number of articles posted/promoted to the front page are paid ads made to look like content.
The law was not created to piss off the minority of users that do not use cookies or use plugins or extension to protect themselves, the law is intended for all users to be informed and to allow them to protect themselves.

There are many people, like my father, who don't even realize that their data was collected and sold behind their back; hopefully we get some fines soon so the websites implement the law right.

What I do if I really want to read a news article is open it in a private window, accept that crap and close the window when done, but most of the time I will not read that website and go to ones that respect the users like European news websites.

> Online newspapers are the worst

Oracle. Here's July's Critical Patch Update page:

http://www.oracle.com/technetwork/security-advisory/cpujul20...

On my domestic ADSL line the cookie pop-up takes almost 10s to load. It presents 67 checkboxes to select from. There is no default selection, so this requires at least 3 more clicks (at least the non-obligatory cookies are grouped). Submitting the form takes another ~4s -- it even has a progress bar. (Thankfully they aren't using TLS so it's not quite as slow as it could be).

Earlier this summer this component was broken and I just couldn't use oracle.com.

Same for offline businesses. Go to a bank, they'll ask your consent for handling personal data ("It's a GDPR law"). If you don't want to sign, they won't do business with you. No bank will.

So, it's just one more paper to sign, and doesn't help the actual consumer. I would have expected more of "Don't send me any promotional/survey questions unless I opt in", or "Never share my data with 3rd parties, period".

> If you don't want to sign, they won't do business with you.

That's illegal. Consent to processing can not be a prerequisite for service. [0] (Otherwise GDPR would have no power, even in theory.)

If the processing is so important that service cannot be provided without it, or wouldn't be legal to offer, it's covered under Art. 6(1)(b), (c), or (f): performance of a contract, legal obligation, or legitimate interest of the business. Consent—Art. 6(1)(a)—is what you use when you just want the data but don't actually require it to offer the service.

Saying "Sign consent or go away" is saying "We could serve you without this, but we want it, so we're lying and saying we can't."

It seems like almost everyone has chosen this weird malicious non-compliance (maximum annoyance but without the compliance) as their GDPR strategy.

Maybe lawyers found a way to claim that left is right and up is down.

[0] Art. 7(4): https://gdpr-info.eu/art-7-gdpr/

Perhaps you should go read the thing, you might be positively surprised. The first thing you want is there, the second is a more complicated question. Sometimes some of your data is actually really needed, e.g. when required by the law. GDPR is a compromise: you have to state explicitly where the data is going and you better keep it safe, under the threat of a possibly hefty penalty.

This ^ is a shortened simplified statement. You can argue semantics or maybe that I'm just flat out wrong if you wish, but that'll mean you read the GDPR, a win in itself.

> What's happened is more annoying "we use cookies and track you"-banners all over the internet.

Not exactly. What happened on many sites is that along with that notification you are given an option to opt out of tracking and view crazy-long lists of partners with whom data is shared. So on those sites the user is given both choice and greater transparency. (Although I admit usually the choice is presented in such a way that it is easy to accept and difficult to reject - which is actually prohibited by GDPR.)

However on the other hand, as you say, there are sites which only give notification without giving any choice - which is also prohibited by GDPR. So I'd say the law is good, now we need to see it enforced and actually punish sites which do not follow it.

AIUI the "allow being tracked to gain access" is unlawful.
Apparently "allow being tracked to gain more access" somehow isn't. As far as I can tell that's what every major newspaper in Belgium is doing. I suspect they've got folks in their employ who speak legalese.

But then newspapers in Belgium are pretty horrible in general. They're exempt from paying VAT, even for content they sell online. Online-only news sites don't get this exemption and have to charge 21% VAT, so the entrenched newspapers have something of an unfair advantage there. But anyway, that's a different rant entirely. Just an illustration of their general scumminess.

Is it ok to say "you get a discount if you allow being tracked"? As a practical matter, these places need to earn money to exist, so either you get served ads or you pay directly. It's highly unreasonable to expect free service.
And the GDPR says "good riddance to you if you can only make money by tracking people without the tracking itself being part of your value to them".

Not all business models deserve to succeed.

IOW the EU is picking winners and losers in the market. If your business model is based on building models of user behavior and monetizing that, you will not be allowed to succeed. If your business model is based on holding a monopoly on the reproduction or display of entertainment, you will be allowed to succeed, at the expense of tech companies whose technologies might have otherwise made your business model obsolete.

The most likely outcome will be a distorted market in Europe and European tech companies becoming even less relevant and even less able to compete in other regions of the world.

Yes, it's codifying ethical standards into law. I take it you think the US banning slavery was overreach because it made certain business models illegal? You may disagree, but the basis of the GDPR is that privacy and control over your own personal data is a human right, so violating that right is no legitimate business model.
What? You can make money by charging people for it. Don't want to pay for newspapers for example? Without ads you can either pay up directly or not enjoy the publication.

I don't understand where this entitlement for free stuff comes from.

I don't know why you think I was advocating for free stuff. I was not. I'm happy to pay for content I want. It's what time companies should be doing instead of not charging, tracking invasively, and selling user data. If you can convince people to pay for your content then the market is telling you you don't have a viable business.
You can serve ads without unsolicited harvesting of PII.
You may be interested in http://prebake.eu/ to block them.
"By using these filters, you are allowing sites to set cookies by default, without you first being notified, and are agreeing to allow the sites you visit to set cookies."

Does lack of interaction with a (blocked) cookie banner give implicit consent to be tracked?

No, since implicit consent is disallowed by the GDPR.
I'm a bit confused why the filter list's page says that then. I'm not sure why they need such a disclaimer, even if what it said was true.
The page is about the pre-GDPR cookie law, not about GDPR. Under the pre-GDPR cookie law, requiring an opt-out rather than an opt-in was allowed. Under GDPR, it is not.
The user I replied to has cookies disabled anyway, so that should not be an issue in this case.
I 100% agree with this. GDPR is a shining beacon of success and it blows my mind that it came from the same clowns that made the cookie law. They covered my internet with cookie banner graffiti and now they want to mess with something as fundamental as a hyperlink.
GDPR is absolutely not the shining beacon of success. Let's review some glaring, obvious and 100%-lets-make-this-law-shite points:

1. Application and enforcement: GDPR is 100% arbitrarily enforced, it is a "trust us, we could do no harm, trust us" law, that is extremely well suited to adding other such "trust us" laws.

2. Absolutely ridiculous overreach: on a technical level, GDPR is braindead. It applies ridiculous, stupid and unnecessary restrictions for no purpose.

3. You just added an obligatory "lol accept this or GTFO" thing to all sites.

1. OK, so all laws that aren't consistently enforced are useless. What about copyright?

2. "For no purpose" - you know the purpose, you just pretend it has none because you don't like it.

3. No, that's explicitly forbidden.

3. No, you cannot serve any EU customers if there is no option to "opt out" of any unnecessary processing
The reality however, after GDPR was implemented, is 95% of the time GTFO or click accept.
Wait till mid 2019 when EU countries will actually start enforcing it. Unofficially there is a change period so probably no one will really be touched by it in the first year.
...which means these sites are not GDPR compliant and might be fined heavily in future.
In theory, very true.

I've noticed quite a few US sites, particularly some large news orgs, have been going the "accept this or leave" route, and some are going the "accept this or click on the entrance to our insane maze of links that will confuse you until you give up"

They are non-compliant, guess we'll see what happens.

> No, you cannot serve any EU customers if there is not option to "opt out"

Josh buddy. By chance, have you spent any time at all on the internet using so-called "GDPR compliant" sites?

> and now they want to mess with something as fundamental as a hyperlink.

Unless I'm missing something, basic hyperlinking seems to be excluded from the scope of the new directive, and it is instead targeting services that reproduce the publication more substantially.

Recital 33:

> This protection [granted to press publications] does not extend to acts of hyperlinking.

Article 11, paragraph 2a:

> The rights referred to in paragraph 1 shall not extend to mere hyperlinks which are accompanied by individual words.

http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//...

And now it is covered also in GDPR banner graffiti…
Cookie law is still relevant. The only difference is that now companies can actually get penalties for not complying with those rules. Previously it wasn't really enforced. Without consent no 3rd party scripts and content that can track visitor should be loaded, and once the change period of 1 year passes, a lot of sites ignoring this will start receiving well deserved penalties.
I'm having trouble figuring out what world you live in. The GDPR has accomplished nearly nothing at huge cost. Maybe the upsides will look better a few years down the line with some enforcement history, but this GDPR Compliance Coordinator strongly doubts it.
> GDPR is a shining beacon of success

I can't browse the internet with cookies disabled anymore because of all these horrible banners taking up the screen to take my consent.

For people who care about privacy, it's made the experience worse, not better, I even send a DNT header and still get this.

I am blocked from accessing certain sites, so now I have to route my connections through countries outside of the US, this is not a success for people like me.

If they had involved technical people, we wouldn't see such horrible implementations.

>GDPR is not a law about "The Internet", it is a law about company records. It applies to Google, but it also applies to the Pakistani food stand on the corner. It affects Google a lot more, sure.

It's about full stack owners vs. people who depend on modules to operate, not size of the company. And controlling or maintaining consistency across all those modules might be difficult when it comes to GDPR. Just think about plugin pipelines that many small businesses build with Wordpress and similar, where every service that sits between your app and your database needs to be compliant if you want to comply with GDPR.

The Pakistani food stand might be a full stack owner like Google, but in small; he controls his stack and can manually delete all records if necessary.

But if you use modules/services you can't really reach into the DB's of your module providers.

I am not a lawyer, but GDPR explicitly covers the plugin pipelines - they're "processors". The requirements for processors are basically that you can only use processors that are compliant with GDPR themselves. Any well designed regulation disallows skirting liability by subcontracting out functionality. Is that really unreasonable? It describes pretty clearly how to be a compliant processor, and it's basically saying that you have to have a contract with the "controller" that requires you to fulfill the same responsibilities that the controller would have under GDPR if they were doing the work in house.

https://gdpr-info.eu/art-28-gdpr/

> The requirements for processors are basically that you can only use processors that are compliant with GDPR themselves.

How can you be sure that the compliance isn't just marketing? There is no official cert body or institution for GDPR afaik. Isn't it all trust based at this point?

Actual certification would require a huge continuous investment, where an outside body would constantly monitor and prove your code and its side effects.

>Any well designed regulation disallows skirting liability by subcontracting out functionality. Is that really unreasonable?

But what if this industry, especially the small business world is based on subcontracting out functionality? They're basically ignoring an existing ecosystem and methodologies that developed over a decade in that space.

>It describes pretty clearly how to be a compliant processor, and it's basically saying that you have to have a contract with the "controller" that requires you to fulfill the same responsibilities that the controller would have under GDPR if they were doing the work in house.

If it's so clear, why isn't there an official cert body or institution? Afaik there is none. Compliance refers to the interpretations of the GDPR text, not real logical safety on a technology level; the laws aren't detailed enough for that. To cert or guarantee safety they'd have to monitor code repos and analyze side effects of the code on a constant basis.

I think the correct way to handle data privacy is on an individual level, within the operating system and browser, making sure that your privacy settings are respected. A page that doesn't conform to your settings just wouldn't load, you get the internet you deserve.

Everybody should also have the opportunity to learn the basics of using an internet connected device, similar to driver licenses. The individual level would be a much better fit, and potentially real solution and not just a castle in the sky.

GDPR relies on trust, one little bug that results in a privacy issue and you can close up shop as business. It's a setting where those that employ cyber warfare to hack competitors and have those resources win. Politicians who brought you GDPR are the same ones that wage wars on drugs. Total morons.

From the link:

makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.

Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.

You can subcontract, in the same way that any other business has to subcontract with businesses that obey relevant laws. They didn't ignore history or the present - they added new responsibilities to subcontractors, and described requirements for those contracts.

The subcontracting provisions I think are actually very reasonable and well defined. Things like the Right to be Forgotten have other issues around free speech, but the controller -> processor relationship seems pretty well specified.

If you're using that many modules that you don't understand what's happening with your customer's data and can't easily control where it goes or what it's used for, I'm sorry, but I don't want to do business with you.
Who do you do business with, then?
> I don't see why everyone is in a rush to pull in mentions of GDPR to make it seem "worse". For a lot of us, it weakens the argument instead of strengthening it.

I have the opposite feeling. A lot of us objected to GDPR on the basis that it's not the government's domain (any government) to impose its will on the internet. Even if the content of GDPR is well meaning it opened the door to further laws, such as the new copyright law.

By saying "GDPR is a good idea, but the EU has no right to police the internet" it saves us from further legislative efforts.

By saying "GDPR is a good law but the copyright law is bad" it means we have to have this debate over and over and the message to law makers is a tacit green light to keep going down this path.

Can you elaborate on the specifics of the copyright law?
It's all still up in the air, and the wording is vague. GDPR's wording is also vague, as EU laws are. When we read between the lines, GDPR's vagueness sounds promising (hard to over-reach, easy to understand intentions), and the Copyright Directive's vagueness sounds terrifying (easy to over-reach, hard to understand intentions).

https://en.wikipedia.org/wiki/Directive_on_Copyright_in_the_...

A big difference is in the boundaries. GDPR is bounded by your customer records. One customer, one collection of personal data. There's a hard upper limit: about 7 billion. Companies tend to scale with customers, so generally bigger companies will have bigger customer bases and bigger employee bases to handle protecting the records.

The Copyright Directive's bound is user content. One customer, any number of potential infringements. A single person can run a company with 100 customers who upload 10,000 images each per year. Managing the customer base is pretty easy, managing the data storage is pretty easy, GDPR-protecting 100 people's data is pretty easy. But 1 million potential copyright infringements per year, each one of which could even be claimed by multiple rights holders. Your risk exposure grows with data, not with people. That one-man show probably can't handle tens of thousands of take-down requests, nor build an AI Machine Learning Cloud Native Copyright ID Blockchain System to automate it.

It's even worse. Copyright Directive is technically bound by copyrighted content, which can grow indefinitely even without the company doing anything!

E.g. imagine a company like Snap, say that they have a constant number of users and users post a constant number of snaps per day.

Therefore the amount of content posted/stored on the site doesn't grow, but you still need to be able to keep scaling the system, as the amount of copyrighted content that you should be able to potentially recognize continues growing!

Thanks for the concise scope analysis. This should be a mandatory subsection on the first page of future Internet regulations.