Seriously shady company.
I don't understand, who threatened you with a lawsuit? Why did they care about RocketReach?
They only retracted the threat after we could prove (via Google Cache and archive.org) that the page had been very recently modified to show such a big revenue, and we threatened to report them for fraud.
We probably could've deflected the case since the company was public and therefore its revenue was also public, but, as a very small company, we had neither time nor money to spare for a useless lawsuit. And we assume that this was their bet. We switched to a competitor after this, obviously.
[0] It later actually turned out that this AGB change was after our purchase and not yet affecting us, but we didn't know that at the time.
I assume that in the coming years (or decade?) there will be more efforts to ensure the enforcement of EU law for foreign companies that offer services to EU citizens as part of trade deals.
Right now there's e.g. a flourishing industry of data brokers in Israel that illegally collects data from EU (and US) citizens and sells it, a practice which is hard to stop as well since most of these companies don't have offices in the EU.
I think another possible strategy would be to go after the clients of these companies. If they can't legally sell their data to companies in the EU or US their business model would falter. The GDPR actually mandates that you as a data controller validate that companies which process data for you adhere to GDPR principles. Right now it seems this isn't being enforced much yet but I think it will be soon, which hopefully will have an effect on data brokers outside the EU as well.
While accessing any user's personal details you need to have the user's consent to process their personal data. You can't simply buy the dataset and assume it has consent. When you buy data from a data provider you need to make sure the user gave that provider consent for the data to be handled by third parties, in accordance with the GDPR. Users can revoke the consent; every party needs to be ready to handle that scenario. Any data export outside the EU also needs consent under the GDPR. Moreover, the dataset needs to be registered with the local regulator.
Consent is only one of the lawful bases for processing data under the GDPR. In practice, it's the one almost everyone tries not to rely on unless they can't avoid it, because it comes with extra obligations that other bases might not.
I guess the information is out there, and doing so also makes it definitively personal for the policy makers / enforcers involved.
That said, the policy makers / enforcers may be genuinely hamstrung. The US imposes its laws globally because of its status as a global reserve currency (trading in USD requires the transaction to route via the US, thus making the entity subject to US law).
The EU doesn't have such status or power over US companies. The most it can do is try to prevent them from operating in the region.
As a person who almost certainly has his personal information being sold on this platform, I'm not pleased, and would love to see something done to prevent this kind of activity. Unfortunately, that depends on the US government to take action, and the last 12 years haven't been a flying endorsement of the effectiveness of the current government system. (This is not meant as a statement regarding the effectiveness of either President, but rather one regarding the low output from the system as a whole.)
US companies operating in the EU are subject to EU law. Worst case the company itself doesn't operate in the EU, however that still leaves its customers (Intel, AirBnB, etc. ) potential targets to apply pressure on.
I generally don’t know in this case. But in general my European friends seem to think that merely having someone from the EU access a website makes that website’s owner have a presence in the EU, even if the server that handled it isn’t. That seems like overreach to me. If that were the case, I’d block EU access for any of my domains, and I don’t think we want a future where that becomes the norm. The ideals of the Internet are free exchange of ideas and information, no country-specific walled gardens.
Wouldn't that already be quite a step? I don't know who they're selling the data to, but it should at least be possible to prevent them from selling that data to organisations with a European presence, right?
Is this correct? How's that enforced? Say, I have a company in Poland which sells some goods for a million dollars to another company in Poland. We both have USD accounts in Polish banks and the transfer is between these accounts. How does the money route via the US?
If Polbank (forgive me for the bastardized names) wants to give 1M USD to Bankpolska, they either need to ship cash (which can be done but is expensive or tricky), or have a specific bilateral agreement between them (which can be done and is done sometimes, but linking every bank with every other bank bilaterally does not scale), or need some interbank settlement system that will do that, but there's no such system in which they can participate. E.g. there's Fedwire, but neither Polbank nor Bankpolska can be direct members as far as I understand (they generally are not members; I'm not certain if it's caused by some strict limitation or just practicalities and costs).
So the standard means is to use 'correspondent banks', e.g. USA banks that do that for them. Polbank might have a USD account with Chase or Citi, and Polbank can ask Chase (via a SWIFT message usually) "hey, transfer $1m from our account to Bankpolska, it's cover for customer deal #1234" - but this means that the transaction "goes through" the USA.
Alternatively, multinational banks may have branches in both USA and Poland and so they can be direct participants and settle this directly, however, then it would involve a Fedwire transfer (in USA, subject to USA laws and limitations) between Polbank USA branch and Bankpolska USA branch.
That's standard practice for pretty much every currency. EUR settlement between two American banks usually (not always, there are various options) goes through EU, RUB settlement usually goes through Russia, etc.
If there's a sufficient need, Polish banks could establish an interbank settlement system through which they could transfer USD directly (e.g. similar to the one they have for transferring Polish zloty), but it's a hassle and has costs, so currently they have not done so because for them it's generally not a problem to route all USD payments through the USA.
If you've done a USD transfer, it'll most likely be a SWIFT transfer, and you can ask your bank for the SWIFT routing log. You'll most likely see an NYC bank (or NYC branch of your bank) in the middle.
And when you do request them to remove the same, they ask you to provide ID proof. As if one would provide the same to a company which didn't take your consent for the initial profile data either.
I somehow managed to get hold of the CEO's mail ID and got mine removed. But I can only imagine what everyone else would have to do when they want to control their web presence.
Every time I insisted they take it down, right now. Every time they have complied.
There are so many it's basically pulling weeds at this point.
The scarier companies are the ones collecting pictures of your face to train their private facial recognition software.
(Hell I'm hesitant to post HERE because you can't manage the privacy, content or existence of your comments)
Well played. Absolutely legal but totally immoral
...and they are often run by the same people. They use shell companies to basically avoid take-down requests.
Their goal is to make it sufficiently annoying to take down your information that most people give up, while at the same time removing it (regardless of the process) for anyone that takes up too much of their time - because your individual data isn't valuable enough to waste defending against a take-down.
I suspect a (faux) lawyer's letter gets these takedowns processed more easily than the calls/emails that most people try.
They then asked me to provide my address to confirm my identity. Given that I moved quite frequently, and that I'm now asked to share more personal data with a company who's mishandling my data, I wasn't keen on it.
I mentioned that my full name is globally unique, but they refused. I tried to ask them to share some masked data that I can confirm in full (e.g. "give me a partial address and house number, I can give you the full address"). They refused.
They definitely try to make it hard for you, and to dodge responsibility.
In other words, it's not a bug, it's an accidental feature.
I'm a pessimist. You will never remove your personal data. If you get it removed by one company, the others will pop up like mushrooms. Also, from what I've seen, a lot of this information is out-of-date or crap that is just plain wrong.
It's also odd that you would want to give them your NEW address if they are likely validating against your OLD address.
Why didn't you just give them your OLD address to check against?
Yes, but at the same time you do not want them handing over all your data with zero checks on identity right..?
They have >150K extension users, so they are syncing a massive contact list with personal information that they are then selling via their different products like Prospector [3].
[0] https://connect.clearbit.com
[1] https://chrome.google.com/webstore/detail/clearbit-connect-s...
Would you have any proof or evidence supporting that statement?
On the other hand, imagine one day you try to log in to your Twitter/Facebook/whatever-the next-big-thing-is and you can't, because the company has deleted all your data upon your request. You didn't make that request though. Someone else did it, claiming to be you.
It gets even worse when you realize that people can request all the data the company has collected of themselves. What happens when somebody impersonates you and requests all of your data?
You need to have some kind of verification method that leads back to a real identity. Otherwise this can be massively abused. I doubt that even asking for a real ID is enough.
Yes, you need to prove that you're the data subject matching their records before they should act on your request, whatever that request may be. But uploading a copy of your ID card almost never serves that purpose. See also a bigger comment I wrote elsewhere in this thread with sources and examples: https://news.ycombinator.com/item?id=23957503
Don't delete instantly but after X days. Notify owner immediately.
Problem solved.
An interesting exercise: If you have a Facebook account, go to this page[0] or this one[1] and see if you even recognize some of the companies that shared data about you. Not to mention gave explicit consent to sharing your data ...
My list includes companies I never gave consent to (e.g. Amazon, Uber), never signed up for or gave any details to (e.g. Robinhood, Triplebyte) and some I have zero clue about, but the name alone sounds dodgy (Opteo, Mindshare Biddable Digital ...).
[0] https://www.facebook.com/ads/preferences/?entry_product=info...
[1] https://www.facebook.com/off_facebook_activity/activity_list
As an EU citizen and resident, it's abundantly clear to me that getting a DPA to act in my best interest is mostly hopeless. I'm reminded of the CAN-SPAM Act, where a US citizen can send their spam to the FTC and have them investigate it. Only they never will. All spam sent to the FTC just goes into a black hole, and next to no one is ever prosecuted. Even when it's clear who the spammer is.
I don't think many people realize this fact. That a politically motivated entity controls Europeans' access to privacy restitution, and they're rarely motivated to actually do anything. This makes the GDPR in my eyes primarily a joke. It certainly isn't about securing my rights as an EU citizen. It seems more written to benefit lawyers and others who make money because things are complicated.
If the EU actually cared about my privacy rights they would allow all Europeans access to restitution without mediating it through national agencies. I want to be able to hire a lawyer and directly take abusive firms to court over GDPR violations. I shouldn't have to act via some pre-court mediator who gets to arbitrarily determine if my claims have merit.
> Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
> Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
I'd made a subject access request because they'd sold my personal email address linked to my business position to random spammers. That association didn't exist in any legitimately accessible data, only in the linkedin data breach.
I'm sure some of them will get caught, but how long will that take?
What will ultimately help with privacy is not leaking out this data in the first place. Push browsers and other such services/devices to stop leaking enormous amounts of information on the user.
That's not to say that GDPR isn't useful. It certainly is, because it stops the big legal businesses from doing it, but it also has the downside of harming European online businesses.
Rocket Reach and similar companies may be outside the reach of GDPR, however, all the advertisers and global platforms who actually want to target EU customers are within the reach of GDPR so it's illegal for them to buy data from Rocket Reach.
You shouldn't have to guess where your personal data is going, and how it's being used. When the GDPR was first coming into force, I remember getting bombarded with all these notification emails from all these companies coming out of the woodwork that I didn't recognize. But I don't think I've ever been notified by email, SMS, phone or smoke signal since then.
The biggest flaw of the GDPR in my opinion is that it leaves the definition of what's considered personal identifying information with too much wiggle-room for creative interpretation. Maybe it's hard to pin down exactly, but there's often too much emphasis on the word "identifying", as if it's otherwise OK to gather every intimate online detail and build a profile that is a unique identity in and of itself. It's even worse when real-world decisions can be based on it without your knowledge.
I recently had my own rude awakening learning about these data brokers and risk analysis services. The matter itself was relatively trivial, but I didn't realize the extent of this before and the scope of what personal information they're gathering. And it doesn't matter if you think it won't affect you, since you've done nothing wrong. From what I read elsewhere, even exercising fundamental consumer rights may be held against you. https://news.ycombinator.com/item?id=21440526
Note that this is the totally normal approach for Civil Law systems: you define the general principles of what the menace is, and leave it down to the courts to determine whether or not those principles have been violated. In essence, you can view it as every case being decided on the basis of the mischief rule as exists in many Common Law systems.
Which is true and obvious. Why anybody ever thought the GDPR would have teeth outside the EU is beyond me. It was always laughable to me that anybody believed that the EU had made a law that applied to every company in every country in the world.
- They email me some marketing
- I respond with DSAR
- They acknowledge receipt of DSAR
- 6 months pass
- I bump the email thread
- They respond saying they have deleted my data as per my request (I requested access, not deletion)
- I point this out
- They apologise and offer £100 to drop the complaint
- I refuse and complain to ICO
- Obviously nothing happens
GDPR is toothless.
If you've got actual stuff in the EU, it's easy. You get fined under GDPR and if you never show up to argue your side in court or an administrative hearing or whatever, they seize your real estate or bank accounts or physical servers or whatever, and sell it to pay your fines.
If you're US-based, how does it work? Hmm, if you're a modern shop you probably have stuff hosted by big companies, like servers on Amazon's AWS or code on Microsoft's Github. Then the EU could presumably tell those companies to stop hosting your stuff, or they'll become liable for fines as an accessory to the violation. Microsoft and Amazon probably have a lot of bank accounts and physical stuff in the EU that could be seized and sold, so they couldn't simply ignore the fine. They'll probably drop you as a customer immediately once Europe starts making them pay fines, and maybe try to sue you in the US court system to try to recover those costs.
I've never heard of this happening though. So maybe this isn't actually a thing.
If all your stuff is on US soil, and you're careful not to use providers with any European presence, how would they do it? Does the EU have some way to order all European ISPs to blackhole traffic from your company's IP ranges? When your executives come to Europe for vacation or conferences or whatever, could they get hauled off the plane in handcuffs and taken to a European jail over your company's GDPR violations?
Again, I haven't heard of this actually happening. But it seems to me that would be how they'd do it, if they really wanted to prevent overseas companies from simply ignoring GDPR.
If there's no threat of enforcement, why bother with GDPR at all, unless you're planning on having seizable stuff like real estate or bank accounts or physical servers in Europe someday?
and no, those aggregators don't process PII / Personal Data.
Data frugality ftw.
O Tempora O Mores
FWIW I'm really glad that EU courts lack this jurisdiction - any gain from privacy would more than be wiped out from losses to free speech, especially with the extensive history of libel tourism.
Not quite. It applies to people who are "in the Union".
There is a very large overlap between "EU citizens" and people "in the Union", so most of the time there is no need to make the distinction but it is there.
LOL, yes.
I'm sure they also do not meet the legal requirements of North Korea, Saudi Arabia, and many others.
Likewise, various EU corporations do not meet the legal requirements of non-EU places like those. Would he prefer that they did?
Even more interesting, since he expects the US to follow EU law, how does he feel about the EU following US law? The US has that Patriot Act, and lots of EU companies are not compliant. Maybe he should report a few EU companies to the FBI.
China is the most straightforward example, companies cannot operate unless they basically do it through an - implicitly Chinese state controlled - partner company. China also has a literal Great Firewall monitoring, modifying or stopping all cross-border traffic. So yes, you have to play by their rules if you want access to the market.
US, EU and other western countries also require you to follow their - much more lenient - laws and rules for access to their market, but for now it's rarely enforced through blocking etc. Saudi Arabia, Russia, India, Turkey and other "second world" countries block a lot of services that don't follow their laws or government commands. Same thing: follow da rulez or our market is closed to you.
North Korea has their own exclusive "internet" and blocks all access to the regular internet except for a few highly monitored and controlled locations like universities and government institutes, which are not connected to the NK internet. Not comparable at all.
> Even more interesting, since he expects the US to follow EU law, how does he feel about the EU following US law? The US has that Patriot Act, and lots of EU companies are not compliant.
This is effectively already the case for a large part. All non-China global IaaS companies are US, so everyone has to play by US rules and law. I don't believe for a second that the NSA cannot get the data from the European Google/Amazon/Microsoft data centers.
https://en.m.wikipedia.org/wiki/Wholly_foreign-owned_enterpr...
Likewise, EU companies should follow US law when they are doing business in the US.
Businesses should not operate in jurisdictions where they can't meet the legal requirements. At the very least, RocketReach should geoblock itself in Europe.
Asserting a bunch of rights around personal privacy is great, but I've yet to see any compelling evidence that the relevant courts and bureaucracies are capable of enforcing the law effectively. EVERYBODY is cheating.
Every time this is brought up on HN, the response is to wait for when the big fines start coming.
It's been two years. They're not coming.
The GDPR also has a "pull-in" effect on companies outside the EU that (often illegally) sell personal data, because their clients in the EU (the data controllers) have to prove that these companies (their data processors) adhere to the GDPR if they want to do business with them. If an EU company buys personal data from a company outside the EU or sends personal data to that company, they are liable if this data gets abused or if the personal data was not acquired in accordance with the GDPR. The whole "privacy shield" mess was about the question whether EU companies can still send personal data to the US based on a self-certification process US companies go through (turns out they can't).
Some of the data brokers already feel this pressure and will be forced to change their business models unless they want to lose their clients within the EU. Sure there are still EU companies that do business with these data brokers today, but most of them know that they're exposing themselves to considerable risk and are already looking for alternatives.
https://www.enforcementtracker.com/
Over time I expect them to go up further as companies can no longer claim they did not have enough time or were not aware of the law (that never was a defense anyway but DPAs tend to be lenient. So far).
Since the GDPR has come into effect I see in my practice that companies are a lot more aware of their responsibilities towards their users, and have better processes and security in place. Is it perfect? Not by a long shot, but the improvement is immense, and as time goes by and more companies end up setting an example of how things should be done, and those that don't end up getting fined, I expect this trend to continue.
What I like most about the GDPR is that it steers towards compliance, not towards making the life of businesses unnecessarily harder.
Contrary to you I think the GDPR is a resounding success, the only thing that would make it much better still is if other areas of the world would take up similar legislation so the playing field would level.
From what I can understand of German/Google translate, the third from top:
https://www.enforcementtracker.com/
Link to .pdf:
https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180927_DSB_D5...
is the Austrian authorities imposing a 300 Euro fine on a "common citizen" making "illegal" use of a dashcam (it seems - but I am not sure about it - that the issue is that the car is not - how? - visibly marked as video recording?).
Can anyone more familiar with German (and legal German) clear the matter up/explain?
> The private person used a dashcam to make recordings of public road traffic and then published them on YouTube as a compilation.
What a PATHETIC thing this GDPR is. Fully agree that we should admit that GDPR is a massive failure (who would have thought!)
Greetings from a European.
All the big European companies I've worked for seemed to put lots of effort into complying.
I’m curious how a class action hasn’t been formed around Verizon and Oath’s behaviour?