GDPR is much more comprehensive than that, but most importantly it gives data privacy regulators real teeth to enforce with (fines up to 4% of global revenue).
The only way Americans (or anyone else besides EU citizens) will get GDPR protection is if GDPR-style regulation is enacted into law.
The downside with trying to use dark patterns: The courts say "Nah that doesn't count. Ergo you don't have consent, ergo fine!"
If FB actually leaves it like this, then they clearly believe that there's a lot more to be gained by not complying with GDPR
Limiting corporations' power would be one thing, but I don't expect any politician to move in that direction when either they're lobbied/bribed by the same entities they should limit, or face the risk of having their career destroyed (search for "McCarthyism").
Yes, the federal government is as bad (in reality, worse) than you say, but that's no reason to not take action against the thousands of other players that are blatantly following in their footsteps in terms of data collection.
Lol, that could not be further from the truth, you have no idea of the amount of data private companies gather, the government has nowhere near as much data as Facebook, that's why the NSA has programs to incorporate Facebook data, the reason being that it's much better than anything they have got by themselves.
Same for fire safety, road safety, air transport safety regulations. I am sure that many business people would benefit by ignoring these laws, so let's do what is better for some business people and who cares about society.
Related to GDPR specifically, don't collect personal data that your product does not need. Is it hard? Maybe you need to put in a bit of effort to be in compliance, but if your product is honest then you are fine. If you are not honest and you were collecting data in the hope you maybe could sell it later, then I understand why you don't like it.
At this point private corporations 'helping' the government is exactly the worrying part because the government at least has some decorum and is keeping up some pretenses and you have to really be in the wrong place, at the wrong time and have an ethnicity that somewhat matches the supposed crime.
Meanwhile with corporations it's starting to look like a free for all between machine learning, big data, hidden internal Terms of Service kangaroo courts and so on. You can get blacklisted, flagged, (shadow)banned and not even know it. And then government or other corporation buys that Big Data DB and real fun starts.
If the government actually wants to capitalize on the data it has there is a lot of instant red tape applied. You can't just get arrested, told you're a terrorist and put in jail for 10 years with 0 process, 0 appeal and 0 documents (well, except with Gitmo but it's a special case).
Meanwhile the corporations can turn you into a functional half-leper in the modern increasingly online society and deny you business arbitrarily (or even secretly) as hell because their deep learning said so (and what they feed in there, what comes out, who made it and how - you don't get to know that), they don't care enough to admit a mistake and the most appeal opportunity you get is customer support run by lobotomy patients. There's 0 recourse to being shadowbanned, hellbanned, blacklisted, whatever, sometimes even 0 contact option other than making a new account (which breaks their ToS in itself) and unlike the government that has watchful eyes on it from all sides for abuses you'll be told it's "a private business so they can do anything" or that you deserved it because it's a Cool and Good Company.
There was a story that some Palestinian guy got arrested because Facebook translated his "good morning" in some Arabic dialect into "attack them"[0]. If it wasn't the Israeli police arresting him but instead Facebook doing some deep mind big data crap and covertly flagging him as a potential terrorist then he might have found out 5 or 10 years from now that he can't get a plane ticket because some airline or other secretly sourced Facebook's DB and he has no way to even find out where that flagging came from because corporations are free to be secretive in their decision making.
Government also follows some logic (simplistic, biased, populist, racist or reductionist - sure, but still), while corporations can just spit out a verdict with 0 explanations with a link to a 20 page ToS written in pseudo-lawyer pseudo-English and say that a video making fun of a mass shooter is suitable for advertisers and one of eating a carrot in a silly hat or swinging a banana around (it's not a euphemism, I mean an actual banana) is not[1].
[0] - https://www.theguardian.com/technology/2017/oct/24/facebook-...
Congress should convene a hearing about how current and incoming EU laws are thinly veiled protectionism against US corporations and what should be done about it.
The GDPR, while a pain, is a response to decades of an industry that should have known better.
I wonder if you know that the US passed legislation a few weeks back that lets the US government request any data on any user of an American company even if that user and their data are not on American soil. (Possibly thanks to GDPR) companies may object to that request if it contradicts local laws.
But yeah. Go on pretending that the EU lives to target American companies. From a European's point of view, American companies are not fined enough as they view privacy, data, sovereignty etc. as some abstract concepts that don't apply to them.
The most ignorant fucking statement I have read on HN in a long time. The 2016 GDPR is an update to the 2002 EU Data Protection Regulation. It has nothing to do with taxes, profits or crippling any company. It is an enforcement of the EU Charter of Fundamental Rights.
They are changing their terms of agreement to now say that people outside of the US are doing business with the US company. This means that only people in the EU will be covered by the GDPR. Probably that's what they should have been doing all along, but there were probably massive tax advantages to running their international company in Ireland.
For what it's worth, I'm a huge proponent of GDPR and I would probably do the same thing -- at least initially. They have a lot of users and GDPR is really tricky to implement when dealing with any manual processes. Limiting your exposure is common sense.
I'm looking forward to seeing what actually happens to Facebook when GDPR comes into force. You know people are going to exercise their rights and I just can't imagine they are prepared. As I've been going through this stuff in my job I can't see any easy ways to sweep this under the carpet -- you not only need to inform the user about what's going on, you actually need to record the lawful basis that you've told them you are using. If you just say, "Oh I have consent" then the user can withdraw consent. If you actually needed that information (like the user's name!) then you are absolutely screwed.
I fully expect some thoughtful users to nail them to the wall. And when that happens, I expect them to implement everything world wide because it will be a lot easier/cheaper than maintaining different processes all over the place.
The consequences for violating GDPR are quite severe -- up to 20 million euro, or 4% of global turnover, whichever is greater. Again, this applies to US companies even if it's a single record of EU personal data.
Furthermore, individuals are fully entitled to sue in the event of a data breach, and there is legal precedent in the EU for compensation of between 10-15k euro per person.
As to the question of EU law applying in the US, just look to financial regulation like Sarbanes–Oxley to see it going the other way.
This means that I can bankrupt small, careless companies that hold a few hundred users data?
A bank with zero US financial system exposure can’t be penalized under FATCA because they have nothing to penalize. FATCA only works because banks have exposure to US assets.
The unintended consequence of FATCA is that it is dramatically harder for a US person to do any business with European banks — banks have closed accounts in order to reduce operational risk. So this "good law" (according to the Democrats that passed it) actually made it much more difficult for Americans overseas and American companies who need overseas banking.
GDPR could be considered similar — it won’t have any jurisdiction if the company involved has no EU presence, but it could result in companies denying services to EU persons based on operational risk.
People should have thought this through much better.
If you are a non-EU company and you don’t have any legal entities in the EU even if you deal with EU customers (retail) the application of GDPR isn’t going to be relevant at least initially.
(The fear for example is that PayPal etc. will force you to comply in the usually blind and deaf PayPal manner for fear of EU retaliation)
If you are a non-EU company with no legal entities in the EU but you are dealing with EU companies and process data for them those companies would have to ensure you are compliant this is a purely B2B route.
If you are a non-EU company with EU legal entities this is the vector the DPAs will use to go after you.
The GDPR is currently in a retarded state with near zero official guidance and definition for things that matter. And as far as non-EU companies go, GDPR is well in a tough spot. GDPR does not trump lawful data retention and data access requirements in the EU; those fall under the final jurisdiction of the high court, but there is no way for them to influence non-EU law.
And SOX is a terrible example. SOX affects a tiny portion of companies, and those who need to comply are huge, and there are clear definitions, requirements and arbitration channels which the GDPR lacks.
P.S. we're talking so far about the periphery of the EU, Canada, Australia, the US etc... when you'll find a way to make Alibaba and China et al. comply, let me know please.
This is part of why I think GDPR is a disaster for startups. It's a massive regulatory burden which big companies will be able to comply with but small startups don't have the legal horsepower to handle.
Typical EU regulatory overreach.
Though they have a lot of users in the EU (population 700M), it seems that once they figure out how to do it for their 250M (?) EU users, expanding it to 2B users is not a huge stretch.
You are probably counting 'Europe the continent' rather than the EU (where the GDPR will come into effect), which is rather lower at 525 million or thereabouts.
Schrems has basically single-handedly proven that Safe Harbor, and I think the Privacy Shield, too (soon to be decided) have been violating the EU Charter of Fundamental Rights and the right to privacy under the European Convention of Human Rights.
Well, only screwed if they want to keep their account? I can assume that would result in Facebook closing down your account.
All in all, I doubt millions of people will request data under the GDPR. But I guess the fines are significant enough to worry about it.
It sure seems that way and I find it amazing. It has been known for a long time that the GDPR will come into effect in May. Maybe they thought they could lobby it away?
Can someone explain this, as my understanding is that only EU residents are covered by GDPR. So EU-based companies do not have to comply with GDPR for non-EU residents.
So this change to the user terms seems to me to have nothing to do with GDPR. The EU privacy law cannot be applied to non-EU residents.
Edit: This is further backed up by Recital 22 [2].
[1] https://www.gdpreu.org/the-regulation/who-must-comply/
[2] https://gdpr-info.eu/recitals/no-22/
Why?
From what I can tell it does three things. Limits the secret data collection market to the government and bad actors, limits new companies by creating an additional artificial cost of entry through regulation, and sets up infrastructure to allow government to block any arbitrary site.
Edit: Another tool given to them is the potential to destroy any small business anywhere on the globe. Think about that.
Facebook is still going to legally operate out of Ireland to dodge taxes.
> When Facebook’s product designer for the GDPR flow was asked if she thought this hyperlink was the best way to present the alternative to the big “I Accept” button, she disingenuously said yes, eliciting scoffs from the room of reporters.
I wonder if I could live with myself if this was my job. Although I guess if I got paid really well I would end up justifying it to myself somehow.
You are in the company, you have a job to do, everybody else is doing it. Other people share your concerns, but in the end, you have a feature to deliver and you don't want to fail your team. Some people are really concerned, they try to change things, they quit, they are tired of the pressure of going against the managers and making it more difficult for their own teams. Peer pressure, management pressure, etc. is an important factor. I don't think that the people that do these things get paid better than anyone else.
I have been in too many situations where your team is in the "hamster wheel" and is just doing without thinking. Fast-growing companies have the incentive to run forward, quite often without so much direction.
It is easier to not join a job that you don't want than to not do it once you are already in. So, think before joining if that is what you want to do. Once in, you will see that they are not evil people, that they are trying their best to do their jobs. And that to change things is hard, even when it is in the company's best interest, so much harder when the company will lose revenue.
In the end we are all moral agents and responsible to refuse to do ethically questionable work.
You don't get fired on the spot in most companies for refusing to do something or asking to be assigned to another team.
And a skilled engineer has other options for employment with a comparable salary.
For a very good explanation of how this happens, see Richard Cook's short talk "Resilience in Complex Adaptive Systems"[3].
[1] https://en.wikibooks.org/wiki/Professionalism/Diane_Vaughan_...
[2] http://www.rapp.org/archives/2015/12/normalization-of-devian...
There is the answer!
I am starting to see this attitude quite a lot lately - it is easy sitting on the sidelines thinking "Why are these people doing this?! Don't they have morals?! They should quit immediately or be ashamed of themselves! If people refused to implement this then we'd not have this problem!" And people comparing people working at these companies to Nazi prison guards is frankly offensive.
Couple of things to consider:
- Your moral values are not necessarily the same as their moral values.
- Even if they are the same values, it is not always so easy to just walk out of a job. If you are young, living in a cheap house-share, single with no real responsibilities, then sure, yeah walk out and feel good about yourself if you want - I am sure you can sell an iPad or two to keep you in noodles and rent until your next gig. But if you have responsibilities outside of work (perhaps family & kids, mortgage etc - and if you are in the US you have crippling/potentially-bankrupting medical insurance/bills to consider too) then quitting on a whim like this will not be so viable. Do not underestimate the psychological value of a well-paid, steady job that you generally find acceptable (e.g. comp, perks, hours, commute, opportunities, prestige etc) - I wager most people would find it difficult to "throw away" an otherwise decent job when it is all said and done.
- If you do quit on moral grounds, where is the line? Is what we're seeing here today with Facebook "the line", or is what we're seeing with Google & the military AI "the line" (both targeting of a different sense...), or what about the next Facebook outrage that is even bigger and even worse than this one? Do you hold your quitting "in-reserve" for the next bigger and more-outragey outrage? Perhaps you've gone too early this time? Or too late?
- If you do quit on moral grounds, will you do it again at your next company? How many times can you burn your bridges before you've run out of employers?
This all assumes that everyone that had a hand in this had perfect knowledge of "the big picture". Not everything is as black-and-white as it seems from the outside. This will have evolved and grown from thousands of individuals' contributions, bit-by-bit over time. Did every single one of those individuals know the "big picture"? I doubt it. Where do you draw the line on who did know and where responsibility lies? The execs giving the orders? The engineer designing the algorithm? The junior engs implementing it? How about the people maintaining the servers, or the person who drew the original "like" button, or the people serving food or cleaning toilets at Facebook HQ - are they complicit too since they are all critical roles to play in making Facebook work? Should we be calling for the cooks at Facebook to quit too, since if they didn't agree to serve food at Facebook, they'd not be able to recruit any staff and we'd not have this problem! The cooks should be ashamed! Why don't they just quit! The cooks are as bad as the Nazi prison guards, just following orders. Right? Right? Of course not. You can't blame the cooks for doing the job they were employed to do any more than the people employed to write code (and obviously it goes without saying that there is zero comparison to Nazis possible here - this is not genocide).
What you can blame is the advertising industry, the lack of regulation, and people's naivety for signing up to this sort of thing. Perhaps if we all just shopped less we'd not be in this mess.
</rant>
How would they apply the law? They can't be prosecuted if they fail to uphold the same law. Saying "we'll apply the law in spirit" is just moral posturing IMO.
I suppose I'm asking if their API provides read/write access to privacy settings. If so, there's a big opportunity here.
More generally, I'd like to see governments mandate that all FB user's privacy settings be reset to the max, and force Facebook to realistically inform users who want to loosen them about why they might want to do so.
Not a frequent user of FB, though I still have a profile.
So would the GDPR have any protection for a Facebook expatriate in the US who does not agree to the new terms, or would they still have no standing in a European court as they are not citizens / residents?
So it would protect a US national in Berlin, but not a German national in New York.
Ironically, EULAs are not really enforceable in the EU. So had this been the other way around, EU citizens would also have been protected.
- European citizens only currently living in the EU?
- European citizens worldwide?
- Everyone currently living in the EU?
As a European living in the US, I'm wondering.
Consensus appears to be that if you are physically present in the legal jurisdiction of the EU, and not a tourist, it applies.
That said, it recognizes that there are situations that are impossible to account for completely (wifi on flights, VPNs, airports, etc.)
* Consent is gained granularly, prominently, and separately from other terms and conditions
* Consent is opt-in and individuals can refuse to consent without detriment
That money is not coming out of their pocket or paycheck. If Facebook ceases to exist tomorrow, the user does not have more money in their pocket. So long as that's the case, the users overwhelmingly will not care. They've been demonstrating that for the past 14 years. Essentially nobody thinks Google is just magically free either, users understand advertising. People have been listening to 'free' radio and 'free' TV for generations.
So no idea, basically.
If the Irish entity has a licence for the IP, and 70% of the value of their licence is transferred elsewhere, then how does this not realise that value to the Irish entity and not be taxable?
I am obviously not learned in this area, but the sleight of hand to move such a huge amount of value from one entity to another seems to me to create a huge tax liability now that the value would be leaving the tax domain.
Also, the headline is misleading: it makes it sound like FB is trying to get around laws. Really, all it’s doing is applying laws in the required jurisdictions, which is how things always work. Where’s the controversy?
Yes. Previously anyone not in the USA or Canada had a legal agreement with Facebook Ireland Ltd. So there was an Irish/EU company which was processing personal data for lots of people (inside & outside the EU). The GDPR says it applies to (i) people in the EU or (ii) companies in the EU who process any personal data. So if Facebook Ireland Ltd did something against EU law with the personal data of (say) someone from South Africa, then EU law could take that up.
BTW, the GDPR never mentions citizenship, merely presence in the EU. Non-Europeans in the EU are covered too.
Perhaps as just if (EU IP | EU LANGUAGE | EU PHONE NUMBER | EU LOCATION SET) == EU.
Just to be safe for a massive 4% of global REVENUE fine.
What will Facebook do then?
Genuinely curious. Not sure how this works as I'm not a bizguy.