The data protection commissioners have their work cut out for them for the next decade.
It's just that the current privacy abuses of software companies are so complex and egregious that it takes a long time to sort things out.
Essentially every US company was doing things wrong, for example. Just the other day I was reading LinkedIn's cookie notice, which can be paraphrased as "accept our tracking, commoner". And this is a big company owned by MS, the new heroes of open source (and spyware).
Austrian Post sold voter preference data without having the right processes in place and was fined 10% of last year's profits.
Noyb.eu is also an interesting organization to watch. They are a non profit taking lawsuits against large incumbents with egregious privacy practices with the backing of the GDPR. They triggered the 50 million € Google fine.
Deutsche Wohnen, the much-criticized apartment rental company from Berlin, just got smacked with a fine of 14 million EUR for collecting credit rating data after being warned several times.
It might not have "rocked" the data privacy world, but it is having an impact on how businesses operate.
A lot of businesses (big and small) were getting too cozy with collected data. With little regard to what was being collected and how long it was stored for. GDPR forced businesses to take a hard look at their data and ask some difficult questions, and I genuinely believe it has changed the way people look at data.
Personally, I was professionally shocked to find how some businesses dealt with data - If anything, GDPR forced common sense down some technologically inept management teams.
The effect that GDPR has, as far as I'm concerned as a user, is that many or even most sites accessed from the EU come with a prominent banner warning about PII data collection for targeted ads, including a large portion of sites linked from HN. Maybe this isn't noticed on the other side of the pond, but it has a very profound effect on my usage, as I'm immediately turned away from such sites. OTOH, platform sites without ads such as GitHub, where you supposedly already have agreed to their ToS, and where data isn't being used for ads (for the time being), don't suffer from this effect, yet.
All that I have seen is that now there is one more popup window obscuring the content I'm trying to view, which is especially egregious on mobile.
At this point, I might see one or two lines of text for a news article on initial load between their gummy sticky header, a couple of ads, and their "We're using cookies here, if you don't like it, go screw" popup. Of course that's assuming it's not paywalled.
The net effect of the GDPR, from my perspective as a user, has been to make the internet even shittier to use. There's also the developer side that I have to deal with, but to be honest, after an initial flurry a year or so ago, nobody even asks about whether the software we provide is GDPR compliant anymore.
It's the starting point we needed. Every time some company tries to get away with being unreasonable (see gitlab and ubiquiti from just last weeks) GDPR is one aspect that is quickly brought up. One they can not ignore as easily.
The privacy options we suddenly got from large companies such as Facebook were unheard of before GDPR.
It has already drastically changed how the world handles data, but it is a slow process. It will take decades and more work.
Massive success all in all, thanks to GDPR there is now hope for the future.
No, they weren't. GDPR was meant to get companies to take user security and data ownership seriously and change their ways. Unless you are being egregious, you will get a warning and guidance, and be hit with fines if you continue being stupid. As is sensible.
The GDPR doesn't cover processing of personal data "by a natural person in the course of a purely personal or household activity". So I imagine that at least some instances of recording police officers in public are exempt, especially if you don't follow them around or upload the videos to your local police recordings online community. Of course I also wouldn't argue with the people with the batons.
Fun fact: in the eastern EU laws are bent to protect criminals, as they are essentially those in "power". In Romania GDPR was used as a means to threaten investigative journalists (see Rise Project and GDPR). There are other criminally bent laws that predate GDPR. For instance the government used some obscure privacy "concerns" mandated by the EU (not sure which) to remove ALL traffic monitoring cameras. The result is one of the highest road death rates in the EU and naturally easier-to-bribe traffic police. Organised crime members are also protected by bogus human rights interpretations, where a mobster gets more rights than an old lady stealing an egg for food.
No, storing cookies needed to make your site work was always needed.
Sending tracking information to third parties required a notice of some kind, no matter if it was in the form of cookies or some other mechanism.
So, no, there was never an EU cookie law; it was just a major FUD operation, and a lot of people put up completely unnecessary cookie consent popups without understanding why.
GDPR: A well-intentioned EU measure that unfortunately hurts the smallest and weakest and fails to have an impact on the big ones that it should target.
Noble in thought, weak in action
Being honest, some of the most egregious handling of PII is by small companies who don't have the resources to understand that it is PII, or how to store it, or how to be in compliance. I don't think it's failing in that case. A small company wouldn't google how to build a bridge then DIY it, but that's what's happening with storing PII. If I had a dollar for every article I read where a doctor's office had records on an un-restricted FTP server...
It's funny how we let this all slide when it comes to tech. Imagine if someone said "Food safety regulations only hurt the small businesses, they don't have the resources to wash a cutting board after cutting chicken while McDonalds serves unhealthy but legally safe food".
But that's exactly what happens in the world though. In some poorer countries like China, street vendors are literally using gutter oil to make food.
If you want rules to be respected then you must be able to enforce them. Poorer places just can't afford to enforce those rules. If rules aren't enforced equally then people won't follow them, because if they have additional costs that their competition doesn't then they'll likely be outcompeted.
But I don’t think McDev above was talking about a software startup in the poorest part of the world. I have implemented GDPR in a small non profit open source SaaS business. A funded startup should have no issue doing the same.
> Imagine if someone said "Food safety regulations only hurt the small businesses, they don't have the resources to wash a cutting board after cutting chicken while McDonalds serves unhealthy but legally safe food"
But that's exactly what we do. The health inspector doesn't come to your home to verify that you wash your cutting board, even on the day you have a dinner party to entertain business clients. Depending on local law you may or may not be expected to follow the same rules as McDonalds (getting a food service license etc.) when you hold a high school bake sale, but people commonly don't actually do it and governments commonly don't actually enforce it in those circumstances.
Because it's more important, and justifies a higher compliance burden, to ensure that the company serving billions of hamburgers isn't giving people food poisoning than the individual serving four.
I believe you're being downvoted because it is common knowledge that food service legislation only applies to those selling food, and therefore intentionally doesn't apply to dinner parties.
My experience with startups lately is that if it's a greenfield project that started within the past 3 years then they'll do everything by the book: sometimes even down to storing email addresses as hashes in the database (requiring a user to log in first for the software system - and the company - to know their email address).
Older systems which depend on having PII and even financial information as cleartext in the database are the problem - and it's essentially technical debt with far-reaching consequences, so no one will fix a system that uses tenants' customers' SSNs as a primary key (yup).
I am aware of a legacy system powering a local business which runs on Rails 1 on a version of Debian from 2012 and stores users' passwords in plaintext, downcased.
I have tried to explain so many times that this system needs to be replaced urgently not for security reasons but because no one actually knows how to use rails 1 anymore.
I have a Rails 1 product making $10K a year but I don’t have even the ability to log into the box anymore so if even the tiniest thing falls over that revenue is permanently gone for me.
You're right, but they probably can't afford to do it right. And since enforcement on this is lackluster it makes sense for the companies to just ignore it altogether, because if they get caught then it probably doesn't really matter if they took some steps to help privacy or none at all.
I think there should be some exceptions to it for small companies based on the impact of the PII. Eg if the company handles email addresses or first names then that should be far less strict than if a company handles medical information, home addresses or credit card information.
On the other side, we should have audits in companies to see how the personal data is handled. Particularly in ones that deal with sensitive information.
The simplest way to comply is to not obtain and store personally identifiable information at all. Luckily this is also the cheapest. So I don't really buy that you "can't afford to do it right".
If you want to obtain and store personally identifiable information, then you have to manage it properly, just like selling food, medicine, financial services etc. need to follow certain regulation.
Note that all the competitors in the space will have to follow the same regulation, so it is not like it put you at a disadvantage.
I don't want to live in a world where inviting people over for dinner is practically illegal because of food safety regulations. And I don't want to live in a world where I'm not allowed to write down my friends' birthdays and phone numbers.
I'm not sure if we have passed the line of too many regulations, but I know it's out there.
1) it's a cost of doing business. Costs of doing business change over time. Step changes as a result of regulation are typically introduced with windows to allow businesses time to respond. If you can't reasonably cover the cost of the change then...capitalism. You will fail and someone else will succeed. No one is guaranteed a profit.
2) Sounds like a business opportunity? GDPR/Privacy as a Service. e.g. https://privaon.com/ (first search hit).
> There should be some exceptions to it for small companies
This would effectively become a get out of jail for companies that want to outsource their (lack of) privacy with sufficient arms-length plausible deniability.
>1) it's a cost of doing business. Costs of doing business change over time. Step changes as a result of regulation are typically introduced with windows to allow businesses time to respond. If you can't reasonably cover the cost of the change then...capitalism. You will fail and someone else will succeed. No one is guaranteed a profit.
Except that foreign companies won't have this same limitation. The end result is that all of your online services will be provided by foreign companies, which ironically is already the case in the EU.
A foreign company that's beyond the jurisdiction of the EU can abuse GDPR as much as they want. If they get caught then they'll just lose their business. The EU can't actually fine them, but that same company likely outcompeted EU companies for years.
>This would effectively become a get out of jail for companies that want to outsource their (lack of) privacy with sufficient arms-length plausible deniability.
They can do the same thing with foreign companies though. If you can set up a system where you would use your small companies to escape regulation, then the same can be done with companies run by foreigners.
>2) Sounds like a business opportunity? GDPR/Privacy as a Service. e.g. https://privaon.com/ (first search hit).
And said business opportunity is additional inefficiency on businesses in the EU that their global competitors don't have to follow.
You're getting downvoted because you're incorrect: it doesn't matter where a company is from, if they're conducting business with people in the EU, they're bound by it. Which is why several non-EU companies have paid fines and plenty are implementing GDPR-based privacy measures (and I speak from experience here).
I recently did a stint as a contractor at one of Australia's "big 4" banks. I can assure you that they are so active in the privacy space, and foresee more and more GDPR-like regulations, that they've created their own privacy framework based on GDPR plus likely similar frameworks to come in other jurisdictions. It is one of the biggest funded projects in that bank (it helps that Australia recently had a negative spotlight on the banks' behaviour. Thanks Royal Commission!).
The point I'm trying to make is that if you have European customers, then the GDPR applies. Therefore, "foreign companies" competing for EU customers, definitely do have this limitation. Fines have been issued for companies that don't comply, and the sizes vary immensely (e.g. over 200 million euro for British Airways down to 118 euros (not millions, 118) for the Data Protection Authority of Saarland).
Google has so far only received a 50M euro fine from France, and a tiny one from one of the other countries. Depending who you ask, there are different stories for why Google hasn't suffered larger fines. One story is that the law is toothless and we need something stronger. Another story is that enforcement in complex situations takes time, and we'll see bigger Google fines down the line. And then the final story is that Google is actually complying with the law.
AFAIK Google has gone to great pains to attempt to comply, at least within the advertising and analytics space. I've seen significant product updates in Google Ad Manager, Google Analytics, AMP, BigQuery, etc to allow for consent, right of removal, designating a DPO and more.
Are users any better off now because those companies got fined? Did those companies stop collecting user data? Has online privacy improved because of those fines? Nope!
I think there's an argument to be made that GDPR had some effects. For example, you can now enable or disable ads personalization on Google at https://adssettings.google.com. I don't think that was there before GDPR. Google also presumably did explicit opt-in for EU users, since otherwise they'd have already faced some pretty massive fines.
It may be that most users consented, but I think the take away from that should be that most users do not consider ads personalization a significant violation of their privacy.
>Are users any better off now because those companies got fined?
Yes
>Did those companies stop collecting user data?
Maybe not google so much, but other companies certainly stopped or collect a lot less. And it's still early, and there is plenty of low hanging fruit for GDPR enforcement to hit.
>Has online privacy improved because of those fines?
The full effects remain to be seen, but yes, it has improved. Maybe not for you, but for me it certainly has, in particular with German businesses I use.
Aside from regulations, it also fueled and still fuels public discussion, especially in the tech space. Where half a decade back everybody would have ignored e.g. GitLab's email informing users and customers that they were going to roll out third-party tracking, this time around the backlash was so swift and hard that GitLab went back to the drawing board (good for them!).
On top of that, the EU inspired similar laws around the world, including most notably the (somewhat lenient) California Consumer Privacy Act that comes into effect next year.
The GDPR is a large compliance burden. The bigger your company is the less this hurts you, because it's very approximately a fixed cost. So the GDPR kneecaps small companies while being a painful but bearable expense for large ones. On net it helps the internet giants by reducing competition.
This is no different than anything else. All sorts of unethical and exploitative arrangements are helpful for small firms’ bottom line, but easier to handle properly with larger scale.
Dumping toxic byproducts in the river. Forcing employees to work unpaid overtime. Keeping fraudulent books and evading taxes. Selling illegally dangerous products. Not following local building codes. Facilitating third-party fraud or money laundering...
Being a small business should not be license to do whatever you want, irrespective of the harm to customers, business partners, or others in the society.
In the case of data protection specifically, companies (perhaps especially small companies) are very cavalier with all sorts of data including personally identifiable information, financial information, communications, ...., and this causes serious harms when that data is misused directly or stolen by/leaked to/sold to someone who misuses it.
If a company cannot afford to stay in business while treating data carefully, then perhaps they should not be in business.
You're assuming that treating data carefully and complying with the law are the same thing. You can easily do the former and not the latter. More to the point, you can easily have already been treating data carefully and still have the compliance burden of paying lawyers to verify that fact put you out of business.
So what you're really saying is, if a company cannot afford to stay in business while navigating a legal framework designed for companies the size of Google, then perhaps they should not be in business. The result of which would be to have only companies the size of Google.
The same goes for any other kind of regulatory compliance.
No small company has to pay lawyers to validate that they are complying with GDPR. It’s just that if it turns out they weren’t, the fines for violations can be quite steep, so a risk-averse company is going to be proactive about it.
There are many types of regulations which are much stricter with more up-front costs than GDPR, which companies of every size manage to cope with (or sometimes don’t, and go out of business). The technology industry has just gotten used to not being held accountable when it harms people, so now that some sensible consumer protection regulation comes down (some) people are freaking out.
Not what I would call a kneecapping, or even a burden.
Compliance cost at the place I work in the UK was negligible. We have personal data on every customer, had to make some one time code changes, and ongoing costs are essentially zero. Frankly, compliance was trivial and little different to Data Protection - which was also trivial to comply with.
If you're data mining everyone to death and selling it off to multiple unnamed third parties, compliance may well be more challenging. Hardly surprising as that's one of the things it's trying to constrain.
Fines for larger companies are either too small to matter or will be negotiated down.
Larger companies also have a much easier time gaining consent (like Google and Facebook) that clears their usage while smaller companies struggle. This can be seen by the constant consent popups on every website. Users click yes on the major sites, then deny the rest.
> Larger companies also have a much easier time gaining consent (like Google and Facebook) that clears their usage while smaller companies struggle.
I feel the opposite may be true. When the law came to pass, I took some time to review my privacy options on Google and Facebook, since they are a big impact for me.
On the other hand, when I click on a link on HN to some random news paper, and get presented with a five-step process to start to see my options, I don't usually bother and dismiss it as soon as I can, probably with some 'opt-in' consent. Since I'm not planning on viewing the site again, I consider it a minor annoyance.
Just because they're small and weak doesn't mean bad data policies can't cause harm. If you have 100 customers you're the little guy, but if your 100 customers are political activists in authoritarian states, it's kind of a big deal if you leave a .csv file containing their personal info on your http server, isn't it?
In the end whether a penalty is just depends on the significance of the offense and whether the bad actor has reformed. The GDPR does give regulators discretion over whether to issue fines or take legal action, they don't immediately wreck people.
People need to remember that while laws are very rigid in drafting, they typically grant a lot of flexibility to the humans that enforce them... and humans often just opt to ignore them. So you can't just look at the law in terms of what it appears to read as, you have to also look at how it's applied in the real world. That can of course mean that a law like the GDPR has unintended negative impact, but it also means that sometimes the impact is not the negative you'd assume from reading it.
No, fuck small companies playing fast and loose with other people's data.
The smallest and weakest is not the small company or website operator, but the individual consumer, aka me and you.
Complaining that your small startup cannot collect and sell data willy-nilly is like complaining that you cannot run a startup from your garage that sells homemade miracle cancer vaccines you have vicariously tested, but only on stray cats in your neighborhood.
On top of that, the actual big fines so far for the most part targeted big and/or well-established and/or serial abusers. The small companies have only been "inconvenienced" in so far as they now have to think about what data to collect, about how to collect it and how to get consent, about whom to share it with and about how to store it reasonably securely. Something they should have done in the first place.
"A well intentioned" is a complete miss of a description. The bill is doing exactly what intended. It's evident a bigger corp. can pay bills easier than smaller.
At the time, everybody who pointed out that this was exactly what was going to happen got flamed hard. I hate that cynicism usually proves the correct stance.
You have misunderstood the requirements of the GDPR. CNIL, for example, has made it explicitly clear that so long as an effective retention policy is in place then PII does not need to be removed from backups on demand.
Well that's just a crock. You simply have to have a policy that says how long you retain backups for, and what you would do if you needed to delete PI if required to do so under GDPR.
Yeah, they were meant. Yet wherever I go on the web I am being asked to opt out from tracking, since by default I am opted in - this is a clear violation of GDPR, however it seems nobody is trying to enforce this.
Opt-out is typically covered by a ton of shady UI patterns, so it is hard to do this. Another clear violation of GDPR is punishing those who do not agree to tracking by serving them crippled content or no content at all.
And just to make it clear: I am strongly against extraterritorial laws like GDPR or FATCA. The US does not have any right to enforce its regulations outside the US; similarly the EU does not have any right to tell people outside the EU what their websites should look like. This is a clear abuse of the economic and military power that the US/EU have.
GDPR has some good points (like PII data storage rules), however some of its regulations, like the ones that force open forums to provide a "right to be forgotten" for posts, are pure crap.
The unfortunate vagueness of this regulation does not help either - a real-life example from Poland: if a school teacher takes home pupils' copybooks, which are signed with a pupil's first and last name, does this mean that GDPR rules apply to the teacher (getting consent, proper handling and storage for copybooks, etc.)? Some lawyers claim they do not, some say they do, some have no idea. As a result in some schools pupils are forbidden to sign anything that enters the school building with a full name... Overreaction? Probably. But you never know when some mean parent would want to use GDPR against the school.
Have you considered that almost everyone was abusing your privacy before and it takes a long time to sort things out? At least now you know you're dealing with assholes.
I don't see why your example from Poland is bad. Teachers are now thinking about the privacy of their pupils - this is mandatory in today's world.
> if a school teacher takes home pupils' copybooks, which are signed with a pupil's first and last name, does this mean that GDPR rules apply to the teacher
I don't see how you could possibly claim that this is a kind of automated processing or a structured filing system.
So it's another example of fear without knowing the basic principles of the GDPR.
It was never about principles or good intentions; it was always a tax, because the various governments felt they had missed the boat on making money from their subjects' data.
The only companies worth fining are rich as F, unless you plan to take 10% of market cap they won't care. The other companies will just go bankrupt, which might be desirable.