[1] https://en.wikipedia.org/wiki/Max_Schrems
At this point, I wonder why the EU doesn't consult him personally prior to enacting some law. It's not as if they don't consult with others as well.
Because it costs companies a lot of money to merge to EU-only market, while waiting for the wheels of justice to grind buys time (for EU-only market).
The EU is never held accountable for the laws they make, and I'm not aware of them consulting with local entrepreneurs. It seems only lobbyists and politicians have access.
If your "Tech" can't work without siphoning up and selling people's personal data to the highest bidder, Good.
If your product isn't addressing this, you're probably at a growing competitive disadvantage.
Of course it is. The tech sector is practically non-existent here, and if something works out, they leave for the US. Isn't that what being accountable is?
That's the point: we need real data protection in US law for non-US citizens as well. Currently, US lawmakers treat EU citizens' data as US state property. Obviously, that's unfair.
I don't agree that Europe can't change anything in that regard. Deeming US-based services illegal and banning US-based companies doing business in Europe because of the way EU-customer data is treated in the US would speed up better regulations in the US tremendously.
It's a fact that big corporations are ready to bend over backwards to the foreign governments, even when they require "immoral" [1] things, so they would have no problem complying with actual sensible requests [2] if they are forced to do it.
[1] Chinese censorship rules, ... [2] Data protection, ...
Maybe it would, or maybe it would spur a tariff-war between the EU and US and a great deal of resentment between traditional allies.
> they would have no problem complying with actual sensible requests
Morality and sensibility don't play a role in modern big corps. The real question is: do these requirements impact their bottom line? Chinese censorship rules don't, but EU's data protection rules clearly do. Hence, their willingness to comply will adjust accordingly (i.e.: US corps will fight tooth and nail to prevent that from happening).
I think it would do way more damage on the EU side than anything. Imagine having to migrate applications overnight because hosting with AWS has been outlawed, even with all the protections in place (e.g. location in EU, encryption etc etc).
I thought this was the goal the EU was working towards. There was even that policy recommendation for building a firewall similar to the Chinese one. It didn't amount to much, but we seem to be going down a path like that.
Why would the US listen to the EU on this topic though? EU countries are trying to use privacy as a way to limit the reach of these US companies, but we don't have anything comparable to replace them with. Those US news sites that blocked EU visitors? They're still blocked and you can't really blame them - they don't make much money from advertising to European users, so why take the risk and cost of implementing GDPR? I understand it, but parts of the internet are still unavailable to me. And I don't seem to have any more privacy anyway.
Data protection is good, but at this point I find it difficult to believe that this is the actual goal of EU politicians.
"The CJEU ruled that the Privacy Shield does not provide adequate protection, and invalidated the agreement. The court also ruled that European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies, like Facebook, subject to overbroad surveillance. This decision has significant implications for U.S. Companies and for the U.S. Congress because it calls into question the adequacy of privacy protection in the United States."
While I find it hard to believe that European countries are that much more privacy focused... the reason for the divide is that European countries, in or outside of EU, have stricter rules on user data... and much more recourse for users.
Having those rules creates an advantage for any company that doesn't operate by those rules while serving people located in the countries covered by those rules. The goal was never to "limit the reach of US companies", but to prevent an uneven playing field. (The EU was specifically created to keep markets competitive.)
What's worse is that the US government, which is legally barred from snooping on people in the US, says that data of people not physically present on US soil is fair game to do with as they wish.
The unstated assumption being that the data in question belongs to those citizens.
If I write about an orchard, the writing doesn't somehow belong to that orchard. If I photograph a wedding the copyright is still held by me. It's not obvious if we're instead talking about a name or an email address that the subject of your data should magically become the owner.
Ultimately there's nothing to stop the US from wiping its ass with any treaty - that's the major advantage of being a superpower. America lives by different values, as is their right.
Yes we need to silo the EU from the US.
In a more reasonable world users would pay money for the services they want to use.
Of course it needs to be noted that most users don't even understand that they are selling themselves. And of the few who do most still think it's better than paying money.
This ruling, should Google comply in the end, will not change anything. Google will store the data in the EU and that's it. I don't think they share user data with the advertiser when they show an ad. So they could still show ads of US companies. And that's a niche business only anyway because when Europeans do business with Amazon, Disney, and the like they deal with the respective European subsidiaries already.
>Of course it needs to be noted that most users don't even understand that they are selling themselves. And of the few who do most still think it's better than paying money.
This is such pretentious snobbery. In a world where you have to pay for a search engine I am still dirt poor working some shit entry-level job/doing manual labor, because when I was a kid I couldn't even afford internet and had to hitch off a neighbour; having free access to Google, tons of free learning material, message boards, etc. is what got me out of that situation.
I pay to avoid advertisement, but that's a luxury I can afford nowadays, and I have almost no concerns about privacy - I don't care at all that Google knows my interests, browsing history, purchase history, etc.
The concerns about data collection I see are mostly blown way out of proportion and most people rightfully don't care TBH.
In the meantime Google is using this information to manipulate your desires and actions, and you can be sure as hell that it is using data about your behavior and interests to improve its position in the market. Google buys companies and stocks and they have an advantage few of us can ever hope to have.
I promise you, Google knows you better than you know yourself and it's using that knowledge to further its own interests without caring much about the people, countries or economies it's hurting.
I also don't care that Google, NSA, KGB, CIA, China know my browsing history or what files I have on my PC, but I care if these groups know everyone's browsing history because they can affect me indirectly by blackmailing or manipulating key individuals or entire populations with targeted ads or propaganda.
It's the same with fake news like "WiFi is illegal in Japan because causes cancer"; this fake shit won't affect me directly but affects people in my family, so it affects me indirectly and I have to reduce the damage done.
The US CLOUD Act allows US law enforcement to force Google to hand over data; even if that data is stored outside the USA.
It is highly likely that processing and storing analytics data only in the EU is not enough to "fix" Google's issue here, because the USA still has jurisdiction.
See the recent Akamai / Cookiebot case.
>In a more reasonable world users would pay money for the services they want to use.
But would people actually be willing to pay? They rather use adblock and other services to circumvent ads rather than pay for YouTube premium.
Of course they wouldn't pay as much as they currently do. But the world would be a better place if they didn't. In Google's case it's more indirect, but in Facebook's case it's obvious. It's well known that Facebook has a negative impact on the mental health of many. Most of the turnover created just ruins the planet for no good. People in the Western world lived a reasonable life in, let's say, 1970. The same level produced with the technology of 2020 would reduce destruction of the planet a lot. We would all work 6 hours a day and in the free time we could walk an hour to the office and an hour back. Or do something else good for physical and mental health. Without a cloud-based GPS tracker and activity cam of course, because normal mortals couldn't afford those. So what? I don't see how surveillance capitalism has improved or will improve the situation in Africa either.
I assume that this regulation is also coming to other services soon and analytics isn't the only service that needs to be replaced when a business is in the EU and can't ignore these rules without risking fines. The team at Fathom wrote about alternatives for lots of services here: https://usefathom.com/blog/degoogle
I think all the big ones can comply, but gambled they would be able to come up with creative constructs to get around the requirements. Wrong play it would seem.
Fathom did the right thing, isolate by region. Which is handy for a lot more than complying with the GDPR.
And companies could easily copy their data in a click if they need to. A much saner approach should be limiting what the company is allowed to do with the data.
Perhaps we should have some sort of GENERAL rules or legislation specifically for DATA to define what companies, based in or with customers in a region, can and can't do for the PROTECTION of the data and end users, so the companies can stay compliant with this REGULATION.
It is about having some rights. So say if you are from the USA then Google or the NSA should follow the laws, but if say I am a politician from some other country then Google and NSA employees can just read my emails and then blackmail me (or grab my PayPal code and grab my money) because US laws only protect US citizens, terms of service are not laws, and we know that we can't attribute morality to Google, Apple or the NSA.
This is a new level of conspiracy theory.
Now, most countries have close to 0 protections for non-citizens' data - particularly, the USA has 0 protections for a French person's data sitting on a Google server. If a US government agency wants to read this French person's data (of any kind, including, say, medical records), they can ask Google for access to it and, if Google agrees, they can just use it. If Google doesn't agree, they only need a warrant against Google, not against the French citizen in question.
The same is NOT true for a US citizen's data - which is more or less sufficiently protected, at least theoretically. But foreign nationals' data that happens to reside in the USA has 0 legal protections from the US government.
On the other hand, the US government can not (legally) obtain data that resides in France or Russia, unless they work with the French/Russian legal system to obtain access to that data.
Explain how? If the US govt orders "copy the data from FR to US, or else" and the French govt orders "you can't do that, or else" then what is the company to do? They are breaking the law no matter what. Something has to give.
They can ask and/or force a given company to hand data to them in many cases in most jurisdictions.
> Does logging constitute user data.
Logging of user-data? yes
> A much saner approach should be limiting what the company is allowed to do with the data.
GDPR does also regulate what a company is allowed to do with data. The thing is: whether the GDPR applies and is enforceable depends on where that data is stored.
This decision is a great example of this: The decision isn't made because it's not allowed to export data at all, instead it explicitly references US law which forces the affected companies to violate the data protection guarantees provided by the GDPR.
That's not what this is.
The EU is not saying "data MUST stay in the EU", it's saying "Data can only be transferred to a jurisdiction which has equivalent data protection".
>It's not like the enforcers could walk into the datacenter and plug in the usb drive and get the data.
No, they send a request for the data and threaten to jail anybody who even reveals that a request has been made.
>And it's even hard to see what all constitutes user data. Does logging constitute user data.
Article 4 of the GDPR: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
>A much saner approach should be limiting what the company is allowed to do with the data.
That's exactly what the GDPR is...
plausible.io is hosted on AWS - an American company
snowplowanalytics.com seems to be hosted in digitalocean as well
as I understand they are equally illegal now.
[Self-hosting and maintaining is not an option for the vast majority of mom-and-pop shops]
For me, it makes no sense when companies like plausible say they have EU based hosting when they pay for hosting from a US-only company (DigitalOcean)
For our self-hosted version, you can install it with any cloud provider and in any country you wish. Even in the USA.
https://plausible.io/privacy-focused-web-analytics
All of the data that we do track and collect is kept fully secured, encrypted and hosted on renewable energy powered server in Germany. This ensures that all of the website data is being covered by the European Union’s strict laws on data privacy.
International companies must comply with the local laws and regulations. The EU is such a large market that they will implement anything the EU requires. For example, AWS can host and collect EU data and fully comply with EU regulations, never moving data to the US. With AWS, customers can determine where their customer data will be stored, including the type of storage and geographic region of that storage.
> Max Schrems, honorary chair of noyb.eu: "Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options."
> In the long run, there seem to be two options: Either the US adapts baseline protections for foreigners to support their tech industry, or US providers will have to host foreign data outside of the United States.
> No penalty (yet). The decision is not dealing with a potential penalty, as this is seen as a "public" enforcement procedure, where the complainant is not heard. There is no information if a penalty was issued or if the DSB is planning to also issue a penalty.
We need more trials related to GDPR breaches. While having the legislation is a huge achievement, it needs to be backed with enforcement.
If there is no enforcement, a third long-term solution arises -- just ignoring the law until you manage to get the necessary amendments to it in order to keep operating as before without fear of penalty.
My bet is that they would entirely stop doing business in the EU, because I'm suspecting that data collection is the cornerstone of google/facebook/etc's business model.
They cannot properly advertise if they don't collect data.
To me it's a bit similar to what happened with China. China doesn't want the US to get data on Chinese people, but their solution was to just block those companies.
The EU uses courts to protect itself, but I guess the result would be a bit similar.
https://www.enforcementtracker.com/
I agree we need more enforcement, but it's reassuring to see the current levels.
I routinely see the loudest complainers about the onerous nature of GDPR compliance suddenly get vague or stop posting when you ask for details of precisely what bit is so hard for them in particular. Note lack of those details in this present discussion, for example.
So far, it seems a safe assumption that the excuse makers are abusing personal data, and they know they're abusing personal data.
Perhaps one day a clear exception will show up.
I wrote up a thing here a few years ago with my actual on the ground experience of getting us compliant: https://reddragdiva.dreamwidth.org/606812.html
tl;dr anything that might vaguely constitute personal data, down to Apache logs, must either be in a writable database for redactability, or deleted.
Since then, our legal team - who are not your legal team! - has advised:
* 30 days for operational purposes is fine actually.
* Go feral on anything over 30 days. You need a named person responsible for GDPR redactions.
* If you want to do analytics on those Apache logs, do them quickly and into a form that doesn't contain personal data.
I'm in the UK, which is no longer in the EU, but the GDPR laws still hold here.
We retain certain access records that can potentially be used to identify individuals indefinitely. These records have demonstrably helped us to defend against attacks on our infrastructure and to prevent attempted fraud on multiple occasions, sometimes years after the records used were first collected. We include these general purposes for processing but do not disclose exactly how we use these records for these purposes in our privacy policy.
So, are we compliant because there is a demonstrable legitimate interest in keeping these records? Is holding that personal data indefinitely, knowing that it mostly won't be needed, disproportionate and a GDPR violation? I'd love the people who think the GDPR is simple to show me verifiable, authoritative answers to these types of questions, because so far we haven't found any lawyer who can, nor found any information from any relevant regulator that we could point to as a clear indication either way.
2. You can store identifying data of website accesses etc for at most 30 days without worry
3. Beyond that, you can only store data that's absolutely necessary, e.g. metadata associated with actual purchases and transactions, but not every access.
4. Usually, you'll have to delete that 2 years afterwards, in some exceptional situations up to 30 years are possible
What I'd do: 1) disclose, 2) delete logs after 29 days, 3) copy all logs associated with a customers transaction into a separate storage location, shared by customer, transaction and date, so you can delete it 2 years later.
For example, if the personal information you're talking about is IP addresses, it seems like you could cook those down to non-identifying information pretty quickly - eg zap the last octet. Furthermore, I'd think you would want to cook it down promptly so you can store the current use of the IP block rather than what it might be used for in a few years. (Sidenote: I personally get hassled based on my IP address block way too much, so keep in mind you're harming legitimate customers if this is what you're doing).
Another example - if you're keeping personal details on people who have committed fraud (or not) and referencing that years later, then I'd say that falls squarely in the purpose of the GDPR and you should not be doing that long term.
Or you're doing something else. But without describing exactly what you're doing, you don't make a very compelling case.
And this has been a regulation you've been required by law to follow for quite a few years now. Have you just not been worrying about it?
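A defender-side way to put the advice in the comments above into practice: mask client addresses promptly (last octet for IPv4) so the analytics copy is no longer personal data, and separate out raw entries that have passed the retention window so they can be deleted. This is an added example, not code from the thread or from any product named in it; it assumes the Apache combined log format, that the client IP is the only personal data in a line, a /24 (IPv4) and /48 (IPv6) mask, a 30-day window, and constructed sample lines and reference time.

```python
"""Scrub Apache access logs: mask the client address and flag raw entries
that have passed a 30-day retention window.

Added example, not code from the thread or from any product named in it.
Assumptions: Apache "combined" log format, the client IP is the only personal
data in a line, IPv4 is masked to /24 and IPv6 to /48, retention is 30 days,
and SAMPLE_LOG and NOW are constructed for the demo.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Apache combined format:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)
APACHE_TIME = "%d/%b/%Y:%H:%M:%S %z"  # e.g. 10/Oct/2021:13:55:36 +0000
RETENTION = timedelta(days=30)         # assumed window, per the thread

# Constructed sample log (documentation IP ranges only, no real clients).
SAMPLE_LOG = [
    '203.0.113.42 - - [10/Oct/2021:13:55:36 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0"',
    '2001:db8:abcd:12:34::1 - alice [12/Oct/2021:08:01:02 +0000] '
    '"POST /login HTTP/1.1" 302 0 "https://example.org/" "curl/7.79"',
    '198.51.100.7 - - [01/Sep/2021:00:00:00 +0000] "GET /old HTTP/1.1" 404 196',
]
NOW = datetime(2021, 10, 15, tzinfo=timezone.utc)  # constructed "today"


def mask_ip(addr: str) -> str:
    """Zero the host part of an address: the last octet for IPv4 (/24), the
    last 80 bits for IPv6 (/48). Anything that is not an IP literal becomes '-'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "-"
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines we cannot parse."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], APACHE_TIME)
    return rec


def anonymise_line(line: str) -> Optional[str]:
    """Rewrite the line with the client address masked; the rest is untouched."""
    rec = parse_line(line)
    if rec is None:
        return None
    host = rec["host"]
    return mask_ip(host) + line.strip()[len(host):]


def split_by_retention(lines: List[str], now: datetime) -> Tuple[List[str], List[str]]:
    """Return (fresh_masked, expired_raw).

    fresh_masked: entries inside the window, already masked, usable for analytics;
    expired_raw: raw entries past the window that the retention policy says to delete.
    Unparseable lines are treated as expired so they never linger unnoticed."""
    fresh: List[str] = []
    expired: List[str] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or now - rec["time"] > RETENTION:
            expired.append(line)
            continue
        fresh.append(anonymise_line(line))
    return fresh, expired


def run_sample() -> Tuple[List[str], List[str]]:
    """Apply the policy to the constructed sample as of NOW."""
    return split_by_retention(SAMPLE_LOG, NOW)


if __name__ == "__main__":
    kept, gone = run_sample()
    for entry in kept:
        print("KEEP  ", entry)
    for entry in gone:
        print("DELETE", entry)
```

Masking to /24 removes the host identity but still leaves the network block identifiable, which is exactly the trade-off the comment about being hassled by IP block warns about.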
You're asking questions that, as other commenters have noted, are plausibly a valid case, but are quite specific to the precise details of what you're doing and how you do it.
It's not only your business model, but also the business model of all third-party services you are using on your site.
Also, part of the reason why it's not that hard is that the GDPR is pretty much one of a kind. Imagine the US and maybe some countries in Asia having similar but different implementations of privacy laws, and you having to work with them simultaneously. Or even different laws in each US state (CCPA?). Imagine every country requiring you to store user data only the user's country of origin, thus managing a separate database for each country.
> Note lack of those details in this present discussion, for example.
your comments so far have been apocalyptic GDPR fan-fiction, but are notably short on the actual details of what you're doing and how you do it.
That's why treaties like Convention 108+[0] exist, to provide a common framework for implementing data protection laws.
[0] https://search.coe.int/cm/Pages/result_details.aspx?ObjectId...
There is relatively little non-public information about users kept. The email address, date and time of a few first-time actions (like creating the account, verifying the email address, going to an edit page, etc.), some account settings like language. They do keep some data short term, like the IP address a given user signs in with. I'm not certain how long this data is kept for, but apparently up to 90 days. This is one of the tools used to check for certain types of abuse by logged-in users, like sockpuppetry.
The majority of information about a user that the site stores is publicly displayed information clearly voluntarily submitted, with implied consent for use, like what pages the user edited and when (public info), information they choose to add to their user page, etc.
But nevertheless, Wikipedia is potentially a pile of GDPR violations, despite pretty clearly not doing the sort of stuff the GDPR is trying to restrict.
Potential violations include:
#1. When an anonymous user edits the site, the edit is publicly attributed to an IP address, which is kept forever. IP addresses are considered personal data under the GDPR. It is not feasible to only keep these addresses for 30 days, as all edits need to be attributed to something. It is not at all clear that keeping the IP address indefinitely for this falls on the correct side of the legitimate interest line here. So this could well be a GDPR violation.
#2. What about users requesting deletion? While the project can delete the user-pages, and even rename the account to something non-specific (like renaming away from being the User's real name), it is likely to not be terribly difficult for someone to identify the renamed user, especially if they ever left a signed message on a talk page. Retroactively modifying such past edits, and editing other people's posts that referenced your old username would be too disruptive. But it is not 100% clear that what Wikipedia reasonably can do is enough under the GDPR.
Also, technically speaking as a rule Wikipedia never actually deletes revisions from the database unless technical reasons require it. Deleted articles are no longer visible but are still stored in the DB. Even copyright violations are normally only rev-deleted (can be restored by admins), or Suppressed (can be restored by oversight users). This sort of not-actual deletion might not actually be enough under the GDPR.
#3a. Let's say a user submits a data access request. Wikipedia could provide them with their own email address, profile settings, non-public temporarily logged information about the user, like the IP addresses used to log in. They could provide a copy of the user pages, and even the complete history of them, as well as all the edits the user has made, possibly even edits that are not currently public (like articles that have been deleted, edits that were suppressed, etc.). But is that all really enough?
What if other users on some talk page end up talking about this user, without specifying the username (so the Wikimedia Foundation cannot easily find the reference), but the prose is sufficiently specific to clearly identify this natural person? The posts could potentially even reference other interesting data about the person, like their religion. While the Wikimedia Foundation may not have the sort of AI needed to parse the conversation and extract the personal data and associate it with the user in question, by the strict letter of the GDPR it still counts as personal data, and there is no infeasibility exception to disclosing it, so if the user later finds this conversation, and then wants the relevant data protection agency to go after Wikipedia, the agency technically could justify issuing a fine here. Is it likely to actually happen? Of course not! But it could if for some reason the relevant people at the agency have a personal grudge against Wikipedia.
#3b. Once again a data access request: what if the user is actually also a public figure? Surely they would also need to be given a copy of their article, and possibly the complete history of the article. But there could well be other articles that reference this person and it is not necessarily feasible to automatically find all of them, especially if any don't explicitly link to the subject's main article. Once again, strictly speaking not providing any personal data contained in those other articles would be a violation of the letter of the GDPR, despite not violating the spirit.
------------------------------
These are only a handful of edge cases I can come up with. In all of these scenarios Wikipedia is being very reasonable, and is not trying to collect any more personal data than needed to run their site, and is being fairly reasonable in trying to balance users' rights with practical considerations. But they still have multiple places where it could be argued they violate the GDPR nevertheless. They are not an evil company trying to collect personal data and mine it for profit or sell it. But the extreme vagueness about details contained in the GDPR makes it so it is hard to really have any idea for sure if they are on the correct side of it or not.
This is true despite the fact that no data protection agency is likely to ever try to take action against the Wikimedia Foundation for such violations, simply because in practice their actions are good enough, and trying to attack something like Wikipedia will likely piss off the population that wants the agency instead going after Facebook, or companies who have massive data leaks they try to hide.
One might argue that Article 85 might be interpreted to protect Wikipedia under freedom of expression and information. Or perhaps one might say that the data qualifies for processing under the Article 6 1(e) because identifying users modifying a public resource is a necessary part of the task of developing Wikipedia itself, which is a task in the public interest (questionable, but not impossible to try to argue). But let's say it was not actually Wikipedia in question, but some other forum of user provided content with similar limitations, that might not qualify for extended protections for freedom of expression and information, or as a task in the public interest?
Some of these same sort of concerns technically apply to any sort of online public discussion forum, even ones that are very much not trying to collect personal information, beyond the bare minimum they need for accounts and anti-abuse. Even this very forum we are on right now can potentially suffer from the "other people talking about you in an identifiable way", but admins cannot find the conversation to provide it to you for an access request problem.
On point 1, I think legitimate interests covers this fairly well, but it would be arguable for sure.
On point 2, the right to erasure is not absolute, so the fact that data are not purged from the database is not relevant. Legitimate interests also come into play here.
On point 3a, the GDPR only mandates that data subjects are given access to personal data, so the WMF need not collate the information to send to them. Surfacing rev-deleted data might be more tricky, I suppose, Wikipedia has policies against posting personal data of other users and such edits will be oversighted where it's brought to admin attention (see WP:OUTING).
On point 3b, again the legal requirement is to give access to the data. Rectification and erasure are also straightforward (edit the page, ask for other edits to be revdeled/oversighted if they violate WP:BLP). Like you say, Article 85 offers wide protection here, too.
They wrote about it here: https://usefathom.com/features/eu-isolation
To quote directly:
> SCCs and "TOMs" not enough. While Google has made submissions claiming that it has implemented "Technical and Organizational Measures" ("TOMs"), which included ideas like having fences around data centers, reviewing requests or having baseline encryption, the DSB has rejected these measures as absolutely useless when it comes to US surveillance (page 38 and 39 of the decision):
> "With regard to the contractual and organizational measures outlined, it is not apparent, to what extent [the measure] are effective in the sense of the above considerations."
> "Insofar as the technical measures are concerned, it is also not recognizable (...) to what extent [the measure] would actually prevent or limit access by U.S. intelligence agencies considering U.S. law."
The reason I uninstalled the Hacker News app 'Materialistic' is because it regularly crashed and was probably involuntarily siphoning off PII data through the Crashlytics module.
They completely isolate EU analytics from their US databases, which you can read more about at https://usefathom.com/features/eu-isolation
Aside from this, unlike other startup analytics solutions, they've actually spoken to lawyers to read through the fine lines of the law and ensure their solution is legal. Go get it!
Any alternatives?
Detailed analysis:
https://gdprhub.eu/index.php?title=DSB_(Austria)_-_2021-0.58...
Now if that was really true, it shouldn't really matter for them to drop this service. Instead, I think we will see them investing millions to overrule this.
If it were a free service "for the hell of it", Analytics would have long been discontinued.
They will have to store EU data in Europe, and European authorities will forward relevant data to the relevant US authorities. At least that’s the way the EU courts seem to be leaning. Google will likely appeal and waste everyone’s time, and maybe win. But they will only make calls for antitrust action louder if they were to do so.
Sarcasm doesn't translate well in written comments on the internet.
Not for the first time, mind you.
My former company and current one decided to move from GA to Snowplow, as you have much more control over your data and do not depend so much on Google to be GDPR compliant.
https://snowplowanalytics.com/blog/2021/01/05/the-top-14-ope...
I am located in Germany, but if I were to start a SaaS site today, I wouldn't try to sell to the EU. Just isn't worth the trouble.
Over time, many people in the EU will start using VPNs to get access to the latest web sites without GDPR restrictions. Even today I have to use a VPN to access some websites (mostly news sites), but I suspect it will be much worse if noyb succeeds.
If you're located in Germany then the GDPR applies irrespective of where your users are. It applies because you - as a data controller or processor - are in the EU.
You would have to be established outside of the EU in addition to not targeting EU users in order to not be bound by the GDPR.
What trouble? It's really not rocket surgery to be compliant with the GDPR if your business model isn't to sell (or profit from) targeted advertisements.
There's tons of fearmongering about it, though - by companies whose business model it is to sell targeted advertisements, and by companies whose business model is to sell GDPR compliance consultancy services.
It's not rocket surgery but it's also not trivial. Every time GDPR comes up on HN there are always people saying something very similar to "GDPR compliance is easy if you don't do dodgy stuff" and implying that anyone who thinks it's not a trivial matter must be doing something bad. This is dismissive and often seems to be based on wishful thinking about what these contributors wish the regulatory requirements said instead of what they actually do say.
The GDPR is nearly 100 pages long, in the standard English language printed version, just for the main document without all the supporting material or any additional material published by the individual regulators.
It contains ambiguities that invite broadly applicable questions like what "legitimate interests" actually means in practice.
It contains requirements to document various information and processes and to share that documentation with various parties under various conditions.
It contains provisions that could potentially conflict with other good practices (for example, the use of tamper-proof data structures for auditing or the use of diverse backup strategies for resilience) again with ambiguous if any guidance on how to reconcile competing good intentions. You can argue that this point is a stretch because it's unlikely any regulator would actually go after a data controller or data processor that was obviously doing reasonable things and trying to comply, but we are talking about legal obligations and the penalties that can be imposed are an existential threat to any small business so I think caution is fair here.
Ask a lawyer -- a real one who is an expert dealing with these kinds of regulatory compliance all the time -- how easy it is for any organisation to be sure it is fully compliant in this kind of environment, even if it has no interest in doing anything that anyone is actually likely to object to, and even if the people responsible for running it have nothing but good intentions. I doubt you're going to see the kind of one-sentence "It'll all be fine, just don't do anything dodgy" reaction we often see posted in HN discussions about the GDPR.
There are a lot of popular services you apparently can't use, like Stripe, and a lot of rules to follow, especially if you store any kind of personal data.
If the European market with half a billion people isn't worth it for you, right, whatever I guess? I'm sure someone else will be happy to fill the gap that you so generously leave for them :)
I'm more likely to just stop using those sites with GDPR violations than try to work around it with VPNs.
If following the basic principles laid out in GDPR is too much of a hassle for you, you should probably not be in business anyway. It's not rocket science.
Even if it would scare me (it really doesn't), as an EU citizen I would care about surveillance by the EU, not by the US.
> Imagine someone following you everywhere in the real world, even getting into your apartment and noting down everything you do.
To do what? Collect a lot of useless information? It would bother me if someone I know did it. I don't care if some abstract entity in a different country thousands of miles away does it.
(People's privacy is protected by constitutions. That is orthogonal to the ability of people to choose how to use their data)
You'd still be liable under the GDPR to non-Europeans since you are located in Germany.
It's like the EU is pushing entrepreneurs to emigrate.
It's one of these:
1. blocking business with the EU
2. just ignoring the local regulations
3. big enough to actually implement GDPR
3.1. implement it partially
3.2. implement it erroneously
3.3. implement it fully
GDPR brought us the wide usage of HTTP code 451 Unavailable For Legal Reasons, the myriad of cookie stuff, endless legislation and litigation. It also split the internet into one more part. Unfortunately the part that was split off was never too successful or important to the rest of the planet.
But it also brought us a new way of thinking about data, and what personal data means. It's just that the implementation sucks big time.
Companies lying through their teeth, pretending that ePrivacy & GDPR force them to have a cookie banner.
Companies (and clueless HN posters) that lie to you, telling you that GDPR is impossible to implement, and that if you even get the slightest thing wrong, you'll get fined the maximum fine.
Fines have always been a last resort, or for egregious and willful violations of the GDPR. Your company doesn't implement it properly and it goes all the way to a court? For almost all cases, the court will simply tell you "you have X days to be GDPR compliant", said X being more than 90.
Yes, the way companies are "implementing" GDPR compliance sucks, even though GDPR compliance is not that complicated. That should tell you that those companies think it is more profitable to annoy you than to have a privacy-compatible business model.
GitHub, for example, gets it right. It only stores data it needs for fulfilling the services it provides to you, so there is no need for cookie banners and similar. That's exactly how the GDPR intends it to work. The problem is companies dragging their feet and trying to fool you into thinking it's the fault of the GDPR that they don't respect your privacy. Incredibly backwards, but sadly it seems to work.