In the background to all this do note that the "number 2" executive at Meta is a former UK Deputy Prime Minister, Nick Clegg [0].
Meta see the regulatory situation in the EU and UK as a potentially existential risk. They know what they are doing is bad and lobbying is their number one tactic. They are at the "cigarette company" level of trying to prevent regulation of a business model that is ultimately at risk of being legislated out of existence.
On the other hand, this seems like an easy way to avoid addressing Europe's lack of its own tech industry.
If Europe wants more ethical tech, they should make an honest effort to create an environment that supports that. I.e., invest in their own tech industry.
I agree with you, investing in ethical tech is an important step.
However, if you look at what is happening today, with everyone having a Google/Instagram/etc. account, and the power these companies have over the competition (because of unethical tactics), it is not feasible to actually compete with them.
Legislation is needed to make *everyone* in the tech industry that operates in Europe at the same (ethical) level.
This may not be directly applicable to the linked article, but I'm mainly thinking of the DMA and DSA which will go into effect in a couple of months.
We also need to legislate against walled gardens to let other technologies flourish.
Breaking down companies would also be great. YouTube has been mostly crappy but operated at a loss, only alive due to backing by the Google colossus: how do you compete against that?
> If Europe wants more ethical tech, they should make an honest effort to create an environment that supports that. I.e., invest in their own tech industry.
Which is difficult if tech has been monopolised by US companies that break the laws, so they're addressing that for a start, as to level the playing field (both with GDPR and other regulations such as the Digital Markets Act).
> On the other hand, this seems like an easy way to avoid addressing Europe's lack of its own tech industry.
The only reason the US has its tech industry is:
- lax laws for everything: from data protection to labor laws
- unlimited investor money that can sustain unprofitable businesses for decades. Most of the top HN darlings have never been profitable, and have been losing billions of dollars for years. The rest haven't been profitable for most of their existence.
On top of that it helps to have a huge largely homogenous market.
This made me think of Elephant in Cairo [1] and Pachydermic Personnel Prediction [2]. Specifically, it reminded me of what the classification says about the job of a politician:
> Politicians don't hunt elephants, but they will share the elephants you catch with the people who voted for them.
Along these lines, we'd have something like
> Europeans don't invent new tech, but they will regulate the tech you invented.
As a fellow European, I struggle to feel any pride or happiness about this.
There's really a parallel issue, which is private vs. public interests (companies vs. government / the people).
You see it play out with European companies too, where they exploit populations where either there's lack of regulation or where they can bribe the officials. Profit, see what you can get away with. That's just on the legal front (like this case), not the moral or ethical front.
Good riddance then? Time to find a new business model and maybe fire some people if your service can no longer sustain that many employees, or let a leaner competitor eat your lunch.
- not if it comes at the price of huge invasion of privacy
- Given the incredible amount of data they have, I'm constantly amazed at how bad FB/Amazon/others are at suggesting what I'm likely to be interested in
The endless barrage of insipid GDPR cookie consent banners have corrected a weird English-language blind spot I had: it turns out that the opposite of "accept" is not "reject," but rather "customize settings" or "view preferences."
Those banners are illegal according to GDPR. Once there's a threat of a fine on the horizon all those "insipid banners" quickly change to show you a reject button: https://noyb.eu/en/where-did-all-reject-buttons-come
I would be totally fine with a regulation where they had to ask before using personal data to show ads. The overreach is that the GDPR requires that the user be able to say "no" but still use the service -- you can't make use of the service conditional on accepting ads, and you can't require users to pay instead.
Possibly: it's not fully clear yet whether the GDPR requires you to offer people the opportunity to use your site without ad fraud detection, but I'm expecting it turns out it does. And without ad fraud detection ad-supported sites are mostly not practical.
You can have ad models that are immune to fraud. A time-based model such as "your ad here for X days" is immune to fraud, just like ads in print or TV are immune to it. If the ad drives purchases, the advertiser renews; if it doesn't, you may have to lower your price until another one comes up.
It's not immune to fraud: if I offer you ad space on jefftk.com how do you know how much to pay for it? Without some kind of fraud detection, how do you know whether to trust me when I tell you I have 25k unique visitors monthly?
I'm with you that this isn't ideal, but as a choice between the simplest options, I think GDPR was at least an improvement. The prior status quo was 'you can bury it in the ToS in a basement across town' and led to a market where new entrants couldn't compete on more privacy friendly terms.
I'd guess that even now, just allowing a simple 'pay money or <smooth lawyery wording for happiness that incidentally eliminates privacy>' choice would just lead to the same issues again. But it's absolutely like a code smell that tells me there's a more nuanced option somewhere that could be better. However, I'm glad they didn't let perfect be the enemy of good in this case.
This is because otherwise there (mostly) wouldn’t be any service you can use without tracking, because that tends to be the most profitable way to operate. What services still can do under the GDPR is provide a paid version without ads (and many do successfully). It’s just that if they provide a free version with tracking, they also have to provide a free version without tracking.
jeff. We've been through this multiple times already. You working for the ad portion of Google has made you madly in love with ads to the point that you pretend that not letting you siphon and sell my personal data wholesale means you can't show ads. This is not true. Multiple people have told you that already, across a multitude of threads.
You can still have ads on your site. GDPR does not preclude you from using ads on your site. GDPR doesn't care if you have ads on your site. Nothing in GDPR prevents you from having ads on your site.
I left Google six months ago, and don't work in ads anymore.
Ads without fraud detection are worth very little, and (my interpretation is) the GDPR requires consent (including the ability to say no without consequences) for that.
> I left Google six months ago, and don't work in ads anymore.
But you did work there, and you keep saying the same things over and over again.
> and (my interpretation is) the GDPR requires consent (including the ability to say no without consequences) for that.
You posit your incorrect interpretations as if they were fact. And you keep on conflating several things into one. Even though you've had plenty of time to, you know, read something about the things you're talking about.
1. Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, if it doesn't mean that you can't have ads at all.
2. No, fraud detection doesn't mean your ads are personalised. No, fraud detection doesn't mean that your ads must be personalised.
3. No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
And yet, here we are, again, when you keep saying that these three disparate things are one and the same and that "GDPR is an overreach that prevents sites from showing ads". You keep repeating the same falsehoods over, and over, and over again. Please, stop.
I agree with your #1, #2, or #3 and you're right that I've been saying several different things in different parts of this thread, where it's not entirely obvious how they fit together. I do have a coherent view, though -- let me walk through the whole thing and try to clarify.
My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising. If before a service can show any ads they need to offer the user a free choice on whether to see ads, where there are no consequences for clicking "no" other than that they don't see ads, users will overwhelmingly click "no" and the site will not be viable.
(I additionally think that it should be legal to offer services that are supported only by personalized ads, where users can choose between (1) using the service and having personalized ads vs (2) doing neither. I've argued that elsewhere in this discussion, but that's a bit of an aside to my main point.)
While I don't think the GDPR as-written prohibits such services, with the decisions coming out of the data protection agencies in the more privacy sensitive European countries I think the GDPR as-interpreted does make them economically non-viable for most sites because viability requires effective fraud detection.
If a service is going to show ads even if the user has clicked "no" and consented to nothing, it needs to be able to run the full ads stack without relying on anything that requires user consent. This includes:
* No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]
* No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2] and follow-up rulings on applications such as analytics [3], fonts [4], and CDNs [5].
Together these rule out all commercially available adtech options I know about.
But let's say you decide to build something fully in-house, or you use some future ad product from a startup run by very careful Germans. What do you still need to do?
The GDPR requires you to have one of several legal bases for any personal data you process. With "consent" out of the picture, almost all of them are irrelevant for ads, with the potential exception of "legitimate interest". [6] Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
The ad industry has historically thought that sites did. For example, the TCFv2 categorizes this under "Special Purpose 1", with users having "No right-to-object to processing under legitimate interests" [7]. On the other hand, points 52 and 53 of the recent Microsoft ruling [8] read to me as saying that since users do not visit sites to see ads that sites cannot claim that they have a legitimate interest in using personal data to attempt to determine whether their ads are being viewed by real people. This is not fully settled; among other things the Microsoft ruling was on the interaction of GDPR and ePrivacy, and ePrivacy is stricter on some points. But I think it's more likely than not that when we get clarity from the regulators it will turn out that the kind of detailed tracking of user behavior necessary for effective detection of ad fraud is not considered to be within a publisher's legitimate interests.
If they just defaulted to "no" with no option to opt-in this would prompt the argument that people love targeted ads and Apple is the bad guy for not allowing them.
If they give the choice, they can put out real-world proof out there that nobody wants them, as demonstrated by low single-digit acceptance rates.
They can use this proof in the future to default to "no" without possibility of opt-in.
> They can use this proof in the future to default to "no" without possibility of opt-in.
Maybe that's their strategy, but it's manipulative and a sneaky way to obtain what they want while avoiding [SOMETHING]. Where something is lawsuits? regulations? outrage? No idea.
The Irish DPC is supposed to be an independent regulator. In practice, it has acted as an arm of Irish economic policy.
This story shows the DPC for what it is: a regulator that was captured from the beginning. The idea that the DPC might sue EDPB is astonishing and shocking.
This comes as I read of Irish plans for a watered-down Northern Ireland Protocol. That would certainly please the UK government; but it risks subverting EU law. If the Irish government is bent on circumventing EU law, perhaps they should just get out of the EU.
Them "leaving", as in having no legal/corporate presence in, the EU wouldn't remove obligations under GDPR. They would have to block all access from EU citizens to do that.
* Governments can reach Apple and Google, and thus force them to remove the apps from their app stores.
* Diplomacy. EU and USA will have a lot of negotiation to do pretty soon. USA doesn't like how EU handles big tech and privacy. EU doesn't like how USA's preferred treatment of domestic electric cars in the "inflation reduction" act that went into effect a few days ago. If Meta pulls out of EU to dodge enforcement, the EU diplomats will surely bring that up, and work a solution into whatever treaty comes out of this.
I bet Facebook will still happily provide service in a region, even if the only customers for their ads there are groups like companies with no footprint in the country, foreign regimes that would like to influence elections, and locals who’ve figured out ways to evade local laws.
Punishing companies directly that do business with Facebook/Meta would probably be the strongest deterrent. If we can sanction countries, why not companies?
That's how sanctions are usually implemented. See: Russia and Iran, trickling down to their state businesses and armaments industries, trickling down to their suppliers. The only difference here would be there isn't a nation-state as the starting point.
1. Force Apple and Google to remove the apps from stores.
2. Lowest effort DNS blocker to exclude the 90% who don't care enough to circumvent.
3. Let the lack of network effects and time do the rest.
Sure, a few will hold on, and there will probably be a temporary "buy a phone with fb installed for 10000$" market, but given time, Facebook/Whatsapp/etc. will be dead in Europe.
Except politicians will have to come out as supporting a ban on the most popular apps that tens of millions of people use every day. Which outside of HN circles would probably be unpopular (see how the proposed TikTok ban was received in America). And have sites ever even been blocked for GDPR violations before / in which member states would mandating ISPs block sites on that basis even be allowed?
They could press criminal charges against all Meta executives and extradite them from the US. Of course this is ridiculous and will never happen for a number of reasons, but it shows that the EU doesn't have literally no teeth.
America requires dual criminality for extradition. America has no privacy law similar to GDPR so that couldn't happen + I think GDPR violations are a civil thing only (?).
The sad future of the internet is companies picking a country and keeping all their servers and employees local. It's up to other countries to block; nobody is going to extradite over cookie warnings.
I like Facebook targeted ads. They're more interesting than generic untargeted ads. When I was shopping for an electric bike Facebook showed me ebikes of the type I wanted (cargo) for weeks. It's convenient. Yesterday I made a comment on a hat ad (I didn't think any man except Walter White should wear a pork pie hat) and now all my ads are for hats. I didn't realize there were so many kinds of men's hats. I don't feel like my privacy was violated.
It seems like everyone would be best served by a catalogue of ads that you could search through at your leisure. We could even call it a "magazine"?
Either way, it's great that you are comfortable with Facebook's tracking and even get value out of it - in which case you will be able to opt-in once the changes required by this ruling get implemented. Those who don't feel comfortable with it can opt-out. Everyone wins!
I am not a hat wearer but now I might become one because I saw some cool hats I like. This was by accident because I wasn't in the market for hats.
I don't believe privacy exists when using modern tech which is why I make all my Facebook posts public. I don't ever want to kid myself that what I am saying stays private to only my friends and family. I have not encountered a downside to Facebook tracking, but maybe you can point one out.
>I don't believe privacy exists when using modern tech
It doesn’t because of tech companies like META, and it won’t be fixed so long as your narrative remains the norm. We can fix this but not by letting these companies get away with it.
Stopping Meta would only solve a small percentage of the problem. Hackers stealing our data is also a huge problem. My philosophy is to assume that I don't have privacy online or even offline due to facial recognition software. I've decided to accept it instead of fighting it like I used to.
> Meta is now prohibited to bypass the GDPR via a clause in the terms and conditions. Meta has to get "opt-in" consent for personalized advertisement and must provide users with a "yes/no" option
It's not like they haven't been fined before, and continued doing shady shit. I'm sorry, but I have such a low opinion of Meta/Facebook/theZuck that none of this means anything positive to me. I am a much more pessimistic person regarding these kinds of things that I give no credence of benefit of doubt. I also don't trust these legally-binding orders as they are only legally binding until some sharp tongue lawyer figures a way to weasel out from under them.
I'm happy for you that you are much more optimistic about these things, and I hope for all our sake you are not disappointed. From my point of view, I can only be pleasantly surprised. To disappoint me at this point would be an ultimate new low.
Simple for you and I, but not so simple if you're a lawyer working for Meta that can twist words and interpretations of those words strung together into sentences in a legal contract. At the end of the day, you and I don't matter in our interpretations. It is the lawyers and judges. Who do you trust?
"The decision would still allow Meta to use non-personal data (such as the content of a story) to personalize ads or to ask users for consent to ads via a 'yes/no' option. Users must be able to withdraw consent at any time and Meta may not limit the service if users choose to do so."
How is that supposed to work? FB is required to provide a service at a loss? If I were FB I'd work to actually make a yes/no contract - yes, or get lost. You can use EU social networks - oh wait, there aren't any! I guess in line with other EU decisions, EU citizens can switch to VKontakte :D
FB isn't required to operate in the EU, but if they want to, they're required to follow EU law. It's FB's problem to find a way to be profitable while following the law. It's normal that companies have to find a way to live with the cost of regulations, and if they can't, leave the market or go bust.
For example, manufacturers are required to avoid use of harmful substances, and follow health and safety regulations, even though it'd be more profitable not to. Sweatshops and child labor would be more profitable, but these business models were rejected by the governments too.
I was not asking about the letter of the law, that's obvious from TFA. I was asking about how it is fair in any way. It's kinda like a user comes into my store and I say "I can give you a haircut bundled with you giving me $30, yes/no", the user says "no, I'll only pay you $10", and EU says I am still required to give them the same haircut with the same quality.
Ofc if I/FB choose to shut down or alter my service for everyone under these conditions, the other angle is that EU govt has decided that it knows better than mere proles who want to explicitly consent to the exchange. It's less like manufacturers avoiding harmful substances, and more like e.g. govt of China requiring Apple to alter Maps to display "correct" information under threat of a ban.
Yes. Although how much of a loss it would be is debatable. Unless you upload lots of media, the costs of providing you the service top out at a few cents a month, so it can trivially be subsidised by even untargeted ads.
> You can use EU social networks - oh wait, there aren't any!
Maybe the long-term objective is that we actually get some social networks that are sustainable without misusing people's personal data?
"Users therefore need to be provided with a yes/no ("opt-in") consent option, otherwise Meta may not use their data for personalized advertisement."
I guess Facebook's solution could be a pop-up asking whether you want to continue using it as before or if you want to deny access to your personal data and pay $50 a month.
I don't think this is true, many news sites either offer the option to accept cookies and show ads or offer a subscription without ads and tracking cookies.
I'm not sure I ever got on such a website! They usually ask you to disable ad-blockers in order to accept ads, but they cannot force you to accept personalized ads.
According to GDPR they must still offer the same service regardless of the user opt-in. Remains to be seen if FB can follow the GDPR there. Also not sure whether that point of GDPR is compatible with other kinds of trade agreements.
Probably they will go for "Please choose between 50 horrible autoplaying spammy ads or 4 personalized"
Those websites are in violation of the GDPR. Article 7 item 4:
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
This basically means that if providing the service is made conditional on consent of personal data processing despite the processing not being necessary for the service, then the consent can’t really be considered to be freely given.
Have any of these companies (meta, google, etc) actually had to PAY any of these fines? I hear about them getting the fines, but usually they can weasel out of them or just delay them indefinitely.
Getting fined 400 million over some trivial thing- that's behavior I'd expect from the mafia or maybe Genghis Khan. It's not like they killed anyone. They just resisted the stupid checkbox.
Well, first of all, it's not "prohibited", it's "prohibited without a consent". Second, less personal data - less useful (relevant) ads, less revenue for Meta - less investment in R&D, less open source/research, more focus on "gathering contextual portrait". Which... won't end monopoly if that's what the general public on HN wants (hard to say what this whining is all about). Maybe more advertisers will go to Google instead (if the ruling is only about Meta).
I'd wager that if you would put it to a referendum, the vast majority would prefer access to Meta's services for free to GDPR in Europe. Max Schrems isn't helping anyone.
I'd wager the vote would be way more nuanced if it came with a form where you can log in with Facebook and get a dump of all the data they captured on you, including what's been inferred by machine-learning models or stolen from other people's contact lists.
EU is first, with foolishly predictive tech regulation before it emerges. Like e.g. the requirement for AI to explain itself. GPT can surely explain to you very elaborately how they came to the wrong medical conclusion
But what you say is actually accurate, the globalized world (excepting Russia) has settled to these roles for these 3 players. EU is more of a legacy player without an army (or strong production base) that still "upholds ideals" and sells this image for worldwide PR. But you see where this ends up, countries bribing EU politicians to improve their world PR by association.
So even if the fine sticks and doesn't get overturned on appeal, that's 390 million over 4 years of blatantly breaching the GDPR, so on average ~97M/year. This means it's merely a cost of doing business and they should continue.
They have also been ordered to stop doing what they're doing, and will face additional sanctions if they don't.
When calculating fines under the GDPR the supervisory authorities have to take into account whether the violation was intentional, previous violations and compliance with previous orders.
In other words, if they don't stop now the fines will get bigger.
Also, overall, with the lively debate on buying gas from a guy cosplaying Sudetenland while working to dismantle nuclear, tantrums thrown over suggestions by the US that one should fund one's own defense, pillaging of foreign tech companies via the equivalent of a predatory traffic stop while regulating their own out of existence, I am starting to despise EU bureaucracy/governing institutions more and more. They are truly working to make it a dying continent.
0: https://about.meta.com/media-gallery/executives/