by throw9394494 1 day ago
I wonder if anyone who is cheering this fine actually read and tried to implement GDPR. It is a nightmare for small companies to be fully compliant.

It is mostly just theater (like endless cookie consent dialogs in anonymous browsing) to employ more experts and bureaucrats.

The EU is now pushing privacy laws that severely undermine privacy.

9 comments

I have read it. It's really easy to be compliant if you don't start from a position of extracting the maximum amount of data from every user out there. If you start from the opposite end of the scale, only getting the data you need for the goals you need to achieve in the interest of the user, you barely have to do anything beyond what you would have done anyway.
I did, it is easy: you just don't spy on people and have a point of contact, and you're good. It becomes hard when you want to spy on people and also remain compliant with the no-spying law.
You can even spy if you want to, just ask for consent.
Getting consent in a truly compliant way is basically impossible (it should be opt IN, not opt OUT). Though we've trained people to just accept literally everything now.
Why is opt-in "basically impossible"? That is the definition of consent. Ask BEFORE you do something. It might sound strange, but most people really don't want their data gathered by everyone.
I agree!!

To be clear, if you ask for consent in a way that is actually legal, almost nobody will actually consent.

True. I mean, why would anyone want to give away their data?
The cookie consent dialogs were never required in this form.

That was literally just malicious compliance in order to get people mad at the law instead of the companies (at least at first, there's also a huge amount of cargo-culting nowadays). Congrats, you've been psy-opped.

I wrote this 5 years ago, hopefully it will clear up some of the misconceptions around cookie banners:

https://www.linkedin.com/pulse/truth-behind-cookie-banners-a...

When the official EU websites use the same kinds of annoying dialogs, how is this true?
Official EU websites, generally speaking, are not bound by GDPR or ePD. Rather, EU bodies are bound by EUDPR. I'm not well-versed on that specific thing, but the EDPS and courts have previously found that the EC has infringed EUDPR, so it wouldn't be weird if their cookie banner was breaking the law as well.
They actually are bound by the ePrivacy Directive due to jurisprudence (EU bodies must comply with CJEU rulings).

I actually wrote to the EDPB on 25th May 2018 (the day GDPR came into effect) and forced them to make their own website compliant with the ePrivacy Directive (I still have the email thread, it was quite an interesting discussion).

I also filed a complaint against the Court of Justice on October 1st 2019 within minutes of them publishing their Judgment on the Planet49 case (C-673/17) because their own website didn't comply with the judgment - they fixed it within 18 minutes.

So yes, EU institutions get it wrong sometimes, but they generally fix it quickly when they are informed. I currently have a big case ongoing with the EDPS against the European Commission and the European Parliament for hosting live streams directly on social media instead of the official live streaming platform set up for EU bodies (on the basis that forcing people to engage on social media is a breach of fundamental rights because it allows those platforms to infer special category data (political interests and others depending on the topic of the live stream)).

The EDPS just updated me this week that they have concluded their side and are now waiting on the final responses from the Commission and Parliament.

So yes, the rules do work, but you have to be proactive; armchair activism doesn't work.

I would like to see that thread if possible just out of curiosity.

I looked a bit into EUDPR and the earlier 45/2001 regulation (EUDPR came into effect in December 2018, so a bit later than GDPR). EUDPR explicitly imports Article 5(3) of ePD (via Article 37) and thus whatever case law there is around it. The earlier regulation seems to do this more indirectly (references in recitals), but the EDPS's view from 2016 is that it effectively does import Article 5(3) as well.

Personally, I haven't dealt with EU institutions so far. On the general public sector side, I did recently seek some clarifications from Finland's Ministry of Justice regarding one of their websites, and their responses weren't exactly reassuring.

I asked for the GDPR Article 15(1) information regarding a single visit (i.e. information about processing, not actual copies of data), and it took them almost 3 months to give an official response. Even after that time they, for example, failed to identify whether they are actually the controller or not for some of the processing (Cloudflare challenge). And their stance is that analytics (Matomo) does not need an Article 6 legal basis at all, i.e. they seem to think that the anonymization step itself is not processing.

The companies made this worse for themselves by continuously trying to skirt around the rules and regulations.

When the cookie law was first instituted I worked for an e-commerce site and was tasked with ensuring that we'd be compliant. It would have been crazy simple to implement, but no, because management, encouraged by the companies selling the tracking and re-targeting solutions, kept insisting that I was reading the rules incorrectly. By incorrectly they meant: we want to be able to track and target customers all the time, regardless of the rules. The result was scrapping my solution, which truly allowed users to opt in, in favour of a commercial solution that just blocked the entire site until you clicked "Okay" and which wouldn't actually stop tracking if you dismissed it somehow.

Yeah, the rules are getting increasingly complicated and to some extent require experts. That is because of businesses that have failed so miserably in regulating themselves.
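An added example, not code from the thread or from any product mentioned in it: a small consent gate in JavaScript that implements the opt-in behaviour the comment above describes, as opposed to a banner that blocks the page and keeps tracking after being dismissed. Tracking cookies and scripts are enabled only by an explicit accept; dismissing, closing or ignoring the banner leaves every non-essential category off, and withdrawal lists the cookies that must be expired. The category names, cookie names and script paths are constructed for the demo, and the "necessary" category stands in for the strictly-necessary exemption.

```javascript
// Added example: consent gate for non-essential cookies and tracking scripts.
// The only path that enables a category is an explicit opt-in; anything else
// (dismiss, close, timeout, banner never answered) means "no consent".
// All cookie names, script paths and category labels are constructed demo data.

const CATEGORIES = ["analytics", "marketing"]; // "necessary" needs no consent

// Build a consent record from the user's banner action.
// No category is ever pre-ticked: only "accept_all" or an explicit
// "accept_selected" list can set a category to true.
function recordConsent(action, chosen = [], now = Date.now()) {
  const granted = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (action === "accept_all") {
    for (const c of CATEGORIES) granted[c] = true;
  } else if (action === "accept_selected") {
    for (const c of chosen) if (c in granted) granted[c] = true;
  }
  // "reject", "dismiss", "close" and unknown actions: everything stays false
  return { ts: now, granted };
}

// Whether something of this category may run under the given record.
// A null record (banner not yet answered) never permits anything non-essential.
function permitted(record, category) {
  if (category === "necessary") return true;
  return Boolean(record && record.granted[category] === true);
}

// Cookies the site may set right now.
function allowedCookies(record, cookies) {
  return cookies.filter((ck) => permitted(record, ck.category));
}

// Third-party scripts the page may load right now.
function scriptsToLoad(record, scripts) {
  return scripts.filter((s) => permitted(record, s.category)).map((s) => s.src);
}

// Withdrawal: return a record that denies everything, plus the names of the
// non-essential cookies already set, so the caller can expire them.
function withdrawConsent(cookiesCurrentlySet) {
  const record = recordConsent("reject");
  const toDelete = cookiesCurrentlySet
    .filter((ck) => ck.category !== "necessary")
    .map((ck) => ck.name);
  return { record, toDelete };
}

// --- constructed demo data ---
const SAMPLE_COOKIES = [
  { name: "session_id", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "ad_id", category: "marketing" },
];
const SAMPLE_SCRIPTS = [
  { src: "/vendor/analytics.js", category: "analytics" },
  { src: "/vendor/ads.js", category: "marketing" },
];

// Walk through the states a visitor can be in and report what each allows.
function demo() {
  const dismissed = recordConsent("dismiss");
  const partial = recordConsent("accept_selected", ["analytics"]);
  return {
    beforeAnswer: allowedCookies(null, SAMPLE_COOKIES).map((c) => c.name),
    afterDismiss: allowedCookies(dismissed, SAMPLE_COOKIES).map((c) => c.name),
    afterPartial: scriptsToLoad(partial, SAMPLE_SCRIPTS),
    afterWithdraw: withdrawConsent(SAMPLE_COOKIES).toDelete,
  };
}

console.log(demo());
```

The point of the design is that the default state and every non-accept action collapse to the same "nothing non-essential" outcome, so there is no code path in which closing the banner or loading the page without answering it starts tracking; the banner itself is then just a view over `recordConsent`, and need not block the site at all.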

Yes. It’s very easy actually. People think it’s hard only because they’ve built revenue streams on unethical behavior.
> EU is now pushing privacy laws that severely undermine privacy.

Even if it’s mostly just theater, you don’t make the case at all for how it undermines privacy.

That is likely by design. From the article footer:

"Work with Alexander

Thirty years in privacy. Helped shape the GDPR. Advisor to the EDPB, the European Parliament and the European Commission. If you need this kind of analysis applied to your own systems:

    Website and App Compliance (£500/mo+)
    GDPR Compliance Audits (£3,500+)
    DPO-as-a-Service (£1,500/mo+)
    Privacy by Design Implementation
Book a free consultation See all services"
Stop spying on people.
Absolute nonsense. Any company that was complying with the old Data Protection Directive should have had zero issues upgrading their processes and policies to comply with GDPR; there are very few material differences between the two, and the previous law has existed since 1995 - most of the changes are around accountability (record keeping).

Also, cookies literally have nothing to do with GDPR other than the definition of consent - cookies are governed under an entirely different law which has existed since 2002 (Directive 2002/58/EC).

It bugs me when I see people criticising the law when they actually haven't even bothered to research and understand it, or even look at the correct law.