by throwaway294566 1295 days ago
Problem as always is, it's all talk and (almost) zero enforcement in Germany.

Complaints to a data protection official take forever and are usually dismissed at first, even if that is counter to published opinions or decisions such as TFA. And only if you still care after a few years of waiting and at least one appeal might you get a decision, though usually a very cheap one for the perpetrator.

5 comments

> Problem as always is, it's all talk and (almost) zero enforcement in Germany.

I have the exact opposite impression. Even in a small start-up, every new external supplier will be judged on whether there is any customer data processing in the US. People are super afraid of Google Analytics. If you use Google Fonts on your website you will get a cease-and-desist letter in no time from scummy lawyers. You practically need an external company to manage your cookie banner because it is a legal risk.

The first example isn't enforcement, it is due diligence and compliance in companies. That does happen, of course, sometimes in a useful way, sometimes to just have some fig leaf to point at in case of a complaint.

Google Analytics and Google Fonts are regularly enforced, but not by data protection officials. "Enforcement" of those is, as you've said, done by scummy private lawyers, scanning websites and sending expensive letters ("Abmahnungen") en masse. Basically, due to a weird precedent, those lawyers are allowed to give you unasked advice on your wrongdoing and bill you for it. But that is, afaik, a specialty of German law, and mostly limited to stuff that can be fully automated. So while you can scan for a website using Google Fonts, you cannot as easily scan for someone using Office365. Although you might, maybe, get a hint by looking at the DNS MX records.
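The two automated checks the comment above alludes to, as an added example that is not code from the thread: scanning a page's HTML and inline CSS for references to Google Fonts hosts, and classifying a domain's MX records as a hint that its mail (and so, plausibly, the rest of its tenant) runs through Microsoft 365 or Google Workspace. The HTML document and the MX hostnames below are constructed sample input so that the script runs offline; a real scan would fetch the page and obtain the MX set with something like `dig MX example.com`. The host suffixes are the ones these providers publish for customer MX records.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that indicate fonts are being loaded from Google (the CSS host and the
# file host; a <link rel="preconnect"> to either is reported too, since it
# reveals the intent even if the actual font request is elsewhere).
GOOGLE_FONTS_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")

# Suffixes of the MX targets the big hosted-mail providers hand to customers.
MX_PROVIDER_SUFFIXES = {
    "mail.protection.outlook.com": "Microsoft 365 (Exchange Online)",
    "aspmx.l.google.com": "Google Workspace",
    "googlemail.com": "Google Workspace",
}


class _RefCollector(HTMLParser):
    """Collect every href/src value plus the text of inline <style> blocks."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.style_text = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.style_text.append(data)


def _is_google_fonts_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in GOOGLE_FONTS_HOSTS)


def find_google_fonts(html):
    """Return the set of URLs in the page that point at Google Fonts hosts.

    Covers <link>/<script> attributes, url(...) inside inline CSS and bare
    @import "..." statements. Protocol-relative URLs (//host/path) are handled
    because urlparse still yields the netloc for them.
    """
    collector = _RefCollector()
    collector.feed(html)
    css = "\n".join(collector.style_text)
    candidates = list(collector.urls)
    candidates += re.findall(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", css)
    candidates += re.findall(r"@import\s+['\"]([^'\"]+)['\"]", css)
    return {u for u in candidates if _is_google_fonts_host(urlparse(u).netloc)}


def classify_mx(mx_hosts):
    """Map MX target hostnames to the hosted-mail provider they imply.

    Only a hint: MX records show where mail is routed, not whether the same
    tenant is used for SharePoint, Teams or Drive, and a self-hosted relay in
    front of the provider hides it entirely.
    """
    providers = set()
    for host in mx_hosts:
        host = host.rstrip(".").lower()
        for suffix, provider in MX_PROVIDER_SUFFIXES.items():
            if host == suffix or host.endswith("." + suffix):
                providers.add(provider)
    return providers


# Constructed sample page: two Google Fonts loads, one preconnect, one local font.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&amp;display=swap">
<link rel="stylesheet" href="/static/site.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<style>
  @import url('//fonts.googleapis.com/css?family=Lato');
  @font-face { font-family: Local; src: url(/fonts/local.woff2); }
</style>
<script src="/static/app.js"></script>
</head><body><p>hello</p></body></html>"""

# Constructed MX answer, in the shape Exchange Online assigns to a customer domain.
SAMPLE_MX = ["example-com.mail.protection.outlook.com."]

if __name__ == "__main__":
    for url in sorted(find_google_fonts(SAMPLE_HTML)):
        print("google fonts reference:", url)
    print("mail provider:", classify_mx(SAMPLE_MX) or "none recognised")
```

Note what this does and does not prove: a `fonts.googleapis.com` reference in the markup is exactly what the mass-scanning letter senders grep for, but it is the browser of a visitor that makes the request, so the page must be checked as served (after any server-side templating), and the MX classification only says where mail is delivered.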

What needs to be true about me and my website to possibly be subject to Abmahnungen? Does my website need to be hosted in Germany? Do I need to reside in Germany?
Probably a German address in the imprint. I can't imagine they'd bother with anyone abroad. They're just after easy money after all.
"Probably a German address in the imprint."

Just any address. Their point is, it needs to be a physical address - so in case someone wants to sue the website, they have somewhere to send the physical letters to.

In other words, many people got expensive physical letters, to make it in general easier for other people to send them expensive physical letters.

But yes, as far as I know, this only affects Germans. But once we control the EU, who knows.

But if I have no imprint which is a common cause of the Abmahnungen? I am curious because I am a German citizen, but haven't lived there in a long time. Right now I just ignore all of that legal German stuff. What would need to change for me to worry? Moving residence to Germany? The server being there?
> You practically need an external company to manage your cookie banner because it is a legal risk.

Don't set cookies for visitors. Notify on signup for everyone else.

Not really feasible in a lot of cases without giving up things the business absolutely wants. I work on an e-commerce site for a large company. Marketing wants to track all clicks and user inputs and get heat maps to improve the conversion based on their findings. They want to know where their users come from, where they go to see if their campaigns work. They also want google maps integration to find retail stores. They want users who come back 2 days later to retain their shopping cart and their preferences even without a login in case they checkout without an account. They want dynamic A/B testing based on user behaviour and they don’t want to/can’t reinvent all these solutions so they go buy them and the devs get to integrate them - whether they like it or not and some things simply make it so that you need to store some data on the client and communicate it on the client in some way while not being completely anonymous.

So cookie banner it is and to be sure you don’t get sued you buy that elsewhere.

> Marketing wants to track all clicks and user inputs and get heat maps to improve the conversion based on their findings. They want to know where their users come from, where they go to see if their campaigns work. They also want google maps integration to find retail stores. They want users who come back 2 days later to retain their shopping cart and their preferences even without a login in case they checkout without an account. They want dynamic A/B testing based on user behaviour and they don’t want to/can’t reinvent all these solutions so they go buy them and the devs get to integrate them - whether they like it or not and some things simply make it so that you need to store some data on the client and communicate it on the client in some way while not being completely anonymous.

Speaking as a user, I don't want your company to know or do any of those things. I'm very glad these practices are getting outlawed and I'd like your marketing team to know they can get hit by a bus for all I care, the world would be a better place without their cancerous doings. Psychological warfare against the general public is despicable.

I’m with you. In fact I have had more meetings with these people arguing against these practices than I can count. However every single customer-facing project I have worked on so far that tries to sell something uses practices like these. Sometimes even worse. I guess it’s a result of being profit-oriented before anything else, and it works apparently, otherwise it would not be done. So the change you advocate for is one I would like to see too, but it challenges structures which are so pervasive I’m not sure they can be easily reversed. If this company got fined for using Google Analytics their answer would not be to re-evaluate tracking; they would make their legal department lay out just how far they can stretch it while still getting away with it and then do that.
> Notify on signup for everyone else.

You don't need notifications for purely functional cookies. If you have a Nextcloud instance that only uses a cookie to remember your user identity throughout a login session, no notifications are required. If you also feed the value of the Nextcloud cookie into a tracking system, that's when a notification is required. And only then.

Er..no.

I mean, yes, that's what it used to be, pre-GDPR.

With GDPR, the data protection agencies have grown teeth. And fangs. And claws and talons.

GDPR enforcement is young, and the goal is compliance, not maximum fines. So depending on the offence and the offender, they start with a warning or a small fine. This will ratchet up and the maximum is € 10 million or 2% of the previous year's annual revenue (not profit), whichever is greater!

Microsoft's annual revenue for FY 2022 (I guess they are early) was almost $200 Billion. So the fine for them could be $4 billion. Yes, that's noticeable and not something you want to explain to your shareholders.

And of course this seems to apply to their customers, for whom margins tend to be tighter, and for whom IT is not their main business, but an operating expense in the first place. For example, Volkswagen has an operating profit of around 6-7%. So 2% of revenue is around a third of their profit. And also around a third of their entire R&D budget. Yeah, compliance is the cheaper option by far.

This.

There were plenty of EU countries with privacy laws. The laws were all ignored by all but the largest companies in the country. Getting FAANG to take note of local law was basically impossible.

On paper, the GDPR is weaker than what it replaced in my country. I lost some privacy rights with the GDPR, and gained some bureaucracy if I want my rights enforced. In practice, the GDPR gets some following, even outside the EU. It has teeth.

Enforcement is a major issue for most countries. I once asked for a data export from GitHub and GitHub said because I couldn't prove 2FA I couldn't prove I owned the account. The account was in my name with my profile picture; I can prove who I am via passport. I'm legally entitled to know what personal data they have of me and to get an export. The Netherlands were very wishy-washy and basically too lazy to do anything about it, probably because they were overworked.

GDPR mostly seems like an annoyance to developers while providing little actual benefit to users, since countries aren't willing to enforce it, and even if you do take it to court yourself the courts aren't doing much. In one case, a German court found that a company breached GDPR by using Mailchimp, but because they stopped using Mailchimp they didn't fine them for the breach. That is realistically a complete joke of a judgement. And honestly, there are lots of judgements that are basically similar.

Who would have thought that uploading business data (trade secrets) and personal data straight to servers that are known to be accessed by the NSA would be incompatible with GDPR? /s

The kicker is that EU companies are essentially paying to upload their trade secrets to their direct competitors in the US.

I've made this argument to employers several times. They do not worry because MS/Google are too big to care for our stuff.

We're a minority

GDPR fines can be massive, look at the list here: https://www.enforcementtracker.com/ (sort by the fine amount)
Yes. But there is too few of them, and usually in situations where other companies can still wait and see. "We aren't Facebook", "We are too small to be noticed" and "but we had them sign a waiver" are still prevalent in most companies.

For things to change, there would really need to be something like:

- data protection fines the whole of the customer list of Amazon/Google/MS cloud

- data protection fines a high-profile company a lot of money for using Office365

- a court forces a public institution to cease using Office365 (no fines possible there)

- enforcement accelerates to a point where, from complaint to fine, things take only a few weeks, instead of a few years, so that lots of medium and smaller businesses are hit. Currently enforcement seems to be starting with the big cases, and being bogged down in the complexity of those.

There's nothing wrong with prosecuting the large perpetrators first, and only going after the smaller ones once the large ones are under control. In fact, it's the cost-effective way of doing it.

Besides, the GDPR is not extremely clear, so setting the boundaries in a very public way is a good thing.

> - a court forces a public institution to cease using Office365 (no fines possible there)

AFAIK, in Norway, most fines have been directed at public institutions.

Don't know about Norway. But whether fines apply to public institutions is up to the member states, and most member states, including Germany, have decided not to fine their public institutions for GDPR violations.
> have decided not to fine their public institutions for GDPR violations

Because they’re too Byzantine to make enforcement practicable, or because they’re not seen as a privacy risk (the government in Germany should know lots about you), or something else?

The official argument is that fining public institutions is a game of taking from the right pocket to put in the left pocket. It's the state fining itself. Also, officially, public servants are thought to obey the law as a matter of course. A certain interpretation of the law can just be made an official order to all subordinate government agencies, and any civil servant disobeying that interpretation is at fault for not performing their duties and treated accordingly.

However, that all leads to the obvious workarounds: the official interpretation is usually the most lenient possible, and compliance is put off to some time next century due to lack of personnel/budget/willpower. And if something is found to be amiss, the data protection officer may order a government agency to fix whatever is wrong, but can neither fine nor discipline a civil servant. Because disciplining is up to the direct disciplinary superior, which cannot be (due to them being independent) the data protection officer.

So 3 enforcements in Germany in all of 2022, and the highest fine in Germany was 35mil. 35mil is how much for Microsoft? The yearly Office 365 fees of one of their DAX customers?
The possible fine for Microsoft would be 4% of the sales revenue of the whole company, which would amount to 6.8 billion dollars (at 170 billion dollars revenue in 2021)
The big fish all have their EU branches incorporated in Ireland for tax reasons. Filter by Ireland and you'll see some larger fines and some more well-known company names. And even then, it's a well-known contention within the EU that the Irish data protection authority is dragging their feet on investigations and fines because of the "tax reasons" part.
It's nothing, but once one of their customers gets a 5 million euro fine for using Office365 for sensitive data, the impact will be significantly higher. Microsoft can take the hit but most of its customers can't.

Microsoft's incompatibility with the GDPR puts some of its customers at risk. A fine or two and businesses might stop paying for those lucrative cloud subscriptions.

This will literally, not figuratively, but -literally- never happen. A smaller business will never be punished as a signal to Microsoft.
A website using WordPress got fined for including Google Fonts. Not the organization that provides WordPress using Google Fonts by default.

Likewise, a company using O365 to store customer or employee data will get in trouble, not Microsoft for offering that service.

That's not what's being discussed. My comment asserts with certainty that a small business will never be punished as leverage against the upstream big corp.
The fine is not to send a signal to Microsoft. The fine is a punishment for letting Microsoft process personal information when it's known that they do so in a way that violates the GDPR.

The €100 fine to that one website that included Google Fonts wasn't an attempt to get Google to put Google Fonts in a European holding or whatever. That was never going to happen. It was to punish that website for breaking the law.

Before anything like this will hit the news, there would first be a massive lawsuit that will probably take months or years. I wouldn't be surprised if Microsoft would throw lawyer money to the company involved just to make sure the lawsuit doesn't end setting a precedent against their product.

Never underestimate German courts and their willingness to uphold privacy laws when they get challenged.

Even with all its flaws, I love the EU. 746 million euro fine on Amazon for not respecting data privacy principles.
It's not massive at all when you compare the fines to the profits of these companies.