[kall]

I too think these consent solutions are problematic, but the law as it is use here is a catastrophic overreach, if applied broadly.

If you take the article at face value, it is illegal to create any kind of TCP/IP connection with a server that is operated by a company which does not operate exclusively in the EU.

This is a strong interpretation, but it‘s really not far off from what the court did here: they declared it illegal that an IP Adress (!) was transmitted (not stored?) to a company that could potentially (?) be subject to non EU subpoenas.

If NOYB managed to make the entire internet illegal just so they have a sharp axe to go after the things they don‘t like (Google Analytics, cookie "consent" banners), congratulations. They have built a slope so slippery it should have an ICU at the bottom.

[bbu]

It’s not noyb who built the slope, it’s the ever greedy companies trying to trick people I to all kinds of shady shit. Everything they get they deserve and I truly hope trustarc, onetrust and whatever their names are end up in bankruptcy.

[kall]

Sure those companies can go to hell, but is it really worth it?

In my view there is no crime bad enough that it justifies having laws on the books that criminalize everyone just so we can selectively enforce them against the bad ones.

It may be worth noting that this doesn‘t involve a fine, only that they cease the activity. That is my personal silver lining as someone operating services within the EU that clearly are not lawful.

[floatingatoll]

Yes, it’s worth it. The web was a better place without tracking cookies and without targeted advertising.

[kall]

If you honestly believe this cause is worth a scorched earth approach, fair enough.

It‘s literally a scorched earth, because it will be pretty tricky to provide even gopher services to a global internet until we develop a TOR like alternative to TCP/IP.

[floatingatoll]

Please detail your claim that implementing Gopher in a GDPR-compliant way is “tricky”. It’s difficult to tell if you seriously believe this or if you’re exaggerating for polemic effect, and those details will help evaluate the merit of your viewpoint.

[kall]

I am both exaggerating and serious. Say you are a US company and you run a gopher site. You are not allowed to have the IP addresses of European visitors transmitted to you, that is what this decision is saying right? You are not allowed to allow them to establish a connection to you at all. This seems impossible, but this is how I am reading this. I would (honestly) like to for someone to point out my error here, without any "they probably won't do this because it doesn't make sense" arguments.

I don't know what makes a US company eligible to be sued in a EU member court. I guess you have to be doing some kind of business with European customers, so a non profit blog may be ok?

How do you solve this? You have to create a legal entity not connected to you that can purchase a server within the EU and then somehow syndicate your content to them without establishing a strong legal connection.

[kall]

Sure those companies can go to hell, but is it really worth it?

In my view there is no crime bad enough that it justifies having laws on the books that criminalize everyone just so we can selectively enforce them against the bad ones.

[marcosdumay]

Yes, that's what they did. But the IP address wasn't from the company sharing it, it was from a 3rd party. It doesn't support your second paragraph.

[kall]

Do you mean it was the processing by Akamai, not Cookiebot that was problematic?

If so, that's my point. As far as I understand what Akamai does, they where probably just the conduit for establishing a TCP/IP connection to the Cookiebot service. The court neither felt the need to establish that Akamai stored the data, nor that it left the EU. The mere fact a non-EU company was involved in the connection was enough. I'm probably wrong, and I would like to know how, to maintain my sanity.

[marcosdumay]

> conduit for establishing a TCP/IP connection

You mean an ISP? No, Akamai isn't an ISP.

Cookiebot is unambiguously using its own trustworthiness to let Akami access their users' personal data. There's nothing fuzzy or dubious here.

The only news is that what many people expected to be perfectly legal, that is doing that with a confidentiality clause and never having the data leave the EU actually wasn't, because of a different detail.

[kall]

It‘s a CDN, so it very well may be a "conduit". Maybe they offer edge computing services, I don‘t know. I‘m almost certain they don‘t offer data processing services though. They provide hosting-like services and process data in the normal course of that operation.

If I serve images from Akamai (or Cloudinary, FileStack…). Do you think that‘s problematic?

Do you think apple is is deceiving me when I download a song from iTunes?

[marcosdumay]

> It‘s a CDN

Yes, the GDPR has rules that very clearly apply to CDNs, hosting providers, and etc.

What is new is that Akamai breaks those rules. I don't know the situation of the other ones you cite.