As a French guy, these types of comments make me smile. The GDPR is basically just the implementation of the French law "Informatique et Liberté" at the European level. (You can read on HN many Germans saying that it's actually the implementation of the Datenschutzgesetz. The truth is: these two laws are extremely similar.)
This law has been in application since 1978 [1]. And in 2018, we have adtech companies like Criteo. [2] One of my best friends started his adtech startup in France. Everything is good.
There are a lot of implicit contracts (you filled out our sign-up form? Well, then you chose to give us your data. ...) The only things you have to do: know which data you collect and give people the ability to update/delete their data. That's all.
I don't understand the fear. I don't understand what is "vague" about it. It's so simple and low barrier that Microsoft decided to make it the rule for all of their users. But thanks to the hysteria, they made a PR stunt out of it.
The irony here is that American users are so used to being endlessly surveilled without consequence that they are genuinely shocked that the rest of the world refuses to put up with this bullshit. This is completely normal to them.
The GDPR is just another step in a global fight by people all over the world to regain their data sovereignty and protect themselves from endless surveillance. The momentum at the international level is very clearly for data sovereignty. Russia and many Asian countries are following closely behind. And while everybody was freaking out about the GDPR nobody seemed to notice that China passed even stricter online privacy laws [1] earlier this month. Singapore [3] and Malaysia [4] are up to speed and even Thailand [2] will likely soon require minimum standards. (Edited to add more links.)
The end result is like so many other things: American companies will end up blocking everybody but American users who they know they can exploit without consequence. American users will celebrate their exploitation as freedom from Big Government. Everybody else will move on and just shake their heads.
Read the thread again. Nobody has a problem with data protection, but with the fact that the regulation is not actually clear, hence creating more work while simultaneously being rather ineffective. How is that good for the user?
Also it's hilarious to claim China has better privacy when that government tracks everyone using facial recognition with real-time threat scoring and national social rankings called a "citizen score". A late payment on a single bill gets your face and contact info on a giant billboard, so go ahead and try complaining about your data over there and see how far that goes.
"Clear" regulation is a fantasy. Every established boundary of regulation people enjoy in Western civilization was once an unclear, untested boundary that laws and courts had to cope with.
If folks find ambiguity in the GDPR, do NOT get into American Fintech. Here's a great question: what are the technical requirements mandated by the US government to become a bank?
How can the regulation already be ineffective? It's literally been in effect for one day. You'll have to refine the standard anti-regulatory tropes in this case.
Get this: not everybody is consumed by paranoid fantasies concerning their government. And while your shallow understanding of China, based on a few western-oriented articles here and there, may validate your own biases, do understand they have no real relation to reality. In reality, there are no extraordinary consequences for missing a single bill. On the other hand, if you're sued in court over a debt, the judge -- not unlike American judges (!) -- can use public humiliation to try to modify your behavior.
The regulation is ineffective because billions of people have already given consent to Facebook and Google because they just want to get on with their lives and aren't about to stop using their services.
>>> People have already faced various punishments for violating social protocols. The system has been used to already block nine million people with "low scores" from purchasing domestic flights. While still in the preliminary stages, the system has been used to ban people and their children from certain schools, prevent low scorers from renting hotels, using credit cards, and blacklist individuals from being able to procure employment. The system has also been used to rate individuals for their internet habits (too much online gaming reduces one's score, for example), personal shopping habits, and a variety of other personal and wholly innocuous acts that have no impact on the wider community.
>>> Authorities vowed to collect the personal information of debtors and publish it in public places such as newspapers, train stations and other high-visibility platforms. The Supreme People’s Court reported in January that by the end of 2017 it had publicly listed the names of nearly 10 million people. They had been blacklisted from various activities, with 9.36 million of them prohibited from buying plane tickets and 3.67 million from buying high-speed rail tickets.
I'd say if you put it on an indoor table, a measly cubic centimetre of sand can make a (small) pile, and a random estimate on the internet states that there are 8000 grains of sand in a cubic centimetre.
So many left-wing people are convinced that if it weren't for those meddling Russians the status quo would remain. It's mind-boggling. Foreign powers have attempted to sway elections before and they will do so in the future.
In a way it very much reminds me of Germany's 'stabbed in the back' conspiracy theories at the end of WWI. Any rationalisation to avoid the cold, hard truth.
I'd bet money on two terms for Trump at this point. The left has learned nothing from this.
You mean Criteo, the company that has lost over 50% of their valuation since last year because of cookie and consent issues? Yeah, it's going really well for them. https://finance.yahoo.com/quote/CRTO/chart?p=CRTO
The difference is that France is insignificant in the adtech market. The real money is in the US and spread out across Europe, with Asia soon to overtake. The existing rules you point to weren't affecting global operations where Criteo and others made their money.
It's strange that you think the business models are going to fly in Asia. China and many Asian countries are laying out privacy regimes that are even more strict than the GDPR. Take a look at China [1] or Thailand [2]. Pretty soon it will be the case only in America that adtech companies can collect and sell endless personal information without consequence.
What are you talking about? China, with its national real-time citizen tracking using 'social credit' scores, facial recognition, and internet firewalls, really cares about your privacy?
Ok, spend all your time going after the ad company and ignore the government which is 1000x worse and will control your life or toss you in a cell. Good luck with that.
He's not ignoring that? He's pointing out the laws are stricter when dealing with private companies. You are talking about two completely orthogonal laws or standards.
In this more specific case, it's very difficult to judge China's policies with an even tilt because private Chinese companies are ad hoc lifted to "public status" when they're convenient for the government to leverage.
But China grants legal exemptions without especially good or consistent oversight over those companies. The net result is an awful lot of folks who get a legal exemption for a specific aspect of their business and then tend to run roughshod in other less scrutinized areas.
>very difficult to judge China's policies with an even tilt because private Chinese companies are ad hoc lifted to "public status" when they're convenient for the government to leverage.
How is this different from any other western government?
Having worked at a high-profile government contractor, my observation is that you don't get the same kind of leverage other folks report. Also, the bidding process is cutthroat and subject to public scrutiny here.
Now if you're talking about security contractors, that's different and the same the whole world over, I guess.
First of all "insignificant" is far fetched. Small? Yes. But not insignificant.
Second... I don't see how valuation matters. Did they lose money? Go out of business? No. VW lost valuation during the whole dieselgate scandal. Did that make VW less relevant? No.
And the last thing that I wanted to mention: I said "this is just an implementation of an old French law at the European level". And I was mentioning the French law itself, not the European law.
The cookie issue that you're mentioning is related to the ePrivacy directive, which is solely European law, that was passed one or two years before the whole loss of valuation. My point was just that the GDPR doesn't affect anybody.
> I don't see how valuation matters. Did they lose money?
Do you know that they are a publicly traded company? Losing money is exactly what happens when the stock price falls. When you lose more than half of your value, going out of business is a serious risk.
The stock price usually reflects the "feeling" of the investors. But it does not make a company lose/win money. It's just what the investors think the company will make in the future, but investors (as often) can be wrong.
It only affects the ability to make more money by issuing new shares.
But the "bank account" of the company doesn't get divided by two. Customers don't start paying only half the price for their service.
I looked up information on how to legally comply with GDPR and it's a lot more complicated than you're making it out to be. You have to show regulators the well-defined pipeline for any personal data, and justify to them why that data is being collected.
There are also extra procedures you have to follow that could be really complicated depending on the business. This is even worse for small businesses. I can definitely understand those people who want to just wash their hands of it, especially if they don't get much business from Europe.
As I said in other comments, I'm not sure if people on HN have a problem with the GDPR, or just with the concept of regulation itself.
Also, when I read about "complicated rules for small businesses", it reminds me of American Republican politicians explaining how taxes on the rich will affect the average Joe's taxes.
The reality is that many rules only apply to big businesses. And small businesses are exempt from many rules. My favorite one is the "Data Protection Officer"; everybody on the internet™ says that you need one. The reality? Most small businesses won't. Article 37 explains that the Data Protection Officer is required when a business is "collecting data on a large scale" [1]. Second of all, people interpret that as "hiring somebody"; you don't. It's just a role: take your CEO, and now he's your "Data Protection Officer", ...
> It's just a role, take your CEO, and now he's your "Data Protection Officer"
Congratulations, you're noncompliant. Thanks for playing "GDPR is easy".
> (5) The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.
Expert knowledge just means that he/she read the entire directive. The same way that most employers in Europe have read their country's labor law.
The reason why they say that is because the "Data Protection Officer" is the person liable for GDPR violations. The same way the CEO is liable for many wrongdoings a company could commit. They require no certification, no degree for a person to be a "Data Protection Officer."
The "GDPR is easy" brigade is very keen on telling people that it's easy to just read the actual text, so let's try that.
Just having read the GDPR doesn't count for "expert knowledge", it's just knowledge. "Expert" is something more. How much more? Funny you should ask, welcome to GDPR limbo.
Also, it doesn't say expert knowledge merely of GDPR, it says expert knowledge of "data protection law", vague and unbounded, certainly not limited to the GDPR. GDPR is probably the most restrictive you have to comply with, but the text literally requires you to have expert knowledge of the others, too. Finally, there's the little "and practices". It's not enough to read it, you have to be an expert in how data protection law is used in practice.
Before you have processed even a single byte of data, you're literally noncompliant simply by being blasé about how you name your DPO. It seems unlikely that anyone will get busted simply for this, but low likelihood of enforcement is not the same as compliance, and why would they include this paragraph if they didn't feel it was important? People who actually care about being compliant need to think about this.
I support GDPR, but to be fair about the Data Protection Officer, that position sounds like a liability; no one will want that title unless they are appropriately compensated for it, so most likely this will be a dedicated person who will be paid just to be responsible for things being compliant.
Perhaps in early stage of a startup a founder will take the title to save cost, but he/she will want to lose that responsibility as soon as possible.
>There are a lot of implicit contracts (you filled out our sign-up form? Well, then you chose to give us your data. ...) //
AIUI that's one of the main changes, that explicit consent is now needed to retain data and specific details of how it will be secured, who it might be passed to, must be given. Also that if the service being offered doesn't need the data, that the company offering the service can't insist on having it.
It is a big thing for micro-businesses and SMEs in the UK - despite having data protection laws already - it does change the complexion of how one handles PII and the embedded assumptions. We're talking about businesses many of whom have paper bookings diaries - the diary apparently needs to now be secured, whilst it's always sat on the counter before; that's a costly structural/workflow change (unlock the diary for every phone call!).
Giving people the option to delete their data is a bit like allowing someone to get their money back two years after eating a meal at a restaurant.
Given the EU assertion of global jurisdiction, the GDPR seems like a bit of a trade war and it's surprising more commentators aren't treating it as such.
The US should be inspired by this and give online retailers the opportunity to collect and remit sales taxes.
> Giving people the option to delete their data is a bit like allowing someone to get their money back two years after eating a meal at a restaurant.
I'm sorry the analogy is totally flawed. On one hand you have something consumable: food, on the other side that can be made eternal: data.
When making an application that collects data, you just have to make a form/button to give the ability to update/delete data. It's no different than when you make an adult website, where you have to make a page "Are you above 18?"
Sometimes, it sounds to me that people on HN don't have a problem with the law X or Y. They rather have a problem with the concept of regulation in general. (See the comments on all the posts about Germany requiring Uber drivers to have a car insurance with a higher liability.)
But if you want to give an analogy to normal business, a more suitable one would be: "Giving people the option to delete their data is a bit like allowing customers to get their money back on their gift card they purchased 2 years ago"
>I'm sorry the analogy is totally flawed. On one hand you have something consumable: food, on the other side that can be made eternal: data.
You're not understanding the analogy. What does a user get out of using Google's services? They get access to a suite of products (search, email, cloud storage, online productivity apps, videos, and so on) that are maintained by a rather expensive group of employees and run on a rather expensive collection of hardware. When you use those services you pay for them by letting Google collect information about your use of those services. The value you get from those services is often intangible (you watched a cat video or looked through a photo gallery of your sister's new kid), though sometimes monetary (you don't have to pay an ISP for an email address if you use Gmail.) When you choose to no longer use the services and demand that Google delete all the data they have gathered, are you going to return that intangible value and pay them for the money you saved by using their systems? How would you return the experience of watching a stupid cat video? It's exactly like eating a meal but insisting the restaurant give up the value, i.e. the money, that they got from you.
You're right. I didn't get the analogy. After your explanation, I now get it.
But still, the analogy is flawed then. If I give the restaurant money, the way they use the money afterwards doesn't affect me. They cannot take more money from my bank account or from my pocket. The only thing they can do is invest it and make more money, but it does not affect me.
When I give my data, the way they use my data – after I've "eaten there" – can affect my life. They can send me spam, they can put me into a database of "people with suspicious behavior", ...
The law is more about giving a second chance: I could have given information in the past, and you could have sent me commercial emails in the past. But now I've realized I've made a mistake and I don't want you to do that anymore.
If you want an analogy to real life: it's more about giving 5 years of jail to a burglar. They committed a mistake, so they have to pay for it, but they should have the right to get out after having paid, and live a normal honest life.
FWIW, this last analogy is probably not going to sound very convincing to an American audience, as convicted felons here have their lives permanently ruined, including after they've paid their debt to society in full. As an expat, people are surprised to hear I'm the only person who can request and provide my (empty) criminal record from my home country.
Google generates money not by collecting data but by showing targeted ads (they need personal information to do a good job at targeting).
They actually do provide an option to opt out and remove information about you, but they make it quite a hassle to opt out and block features that could otherwise work, to encourage you to opt back in. For example, you don't agree to Google keeping your location history? Fine, you don't have location history in Google Maps even for places you searched 5 seconds ago.
Anyway, to turn things around, yes they provide you services for free, and you're paying for using them by having targeted ads; if you decide to not use those services anymore you can't get an offline version of their tools that doesn't phone home, so why should they be allowed to keep your data in perpetuity?
Targeted advertisements is one way that Google uses data about its users to generate cash. Just like users use Google Docs to create invoices, use Google Search to find solutions to problems, and use Gmail to send resumes and receive job offers. The exchange here is the use of the service for the gathering of the data. How it's used post exchange is not relevant. Is a person who decides to cease using gmail going to quit the job that they used gmail to, in part, get?
The fair result of a person choosing to stop using a company's service is that they get to stop paying for that service, i.e. Google doesn't get to collect data about your current and future activities.
The difference is that your data is still valuable whether it is week later or 10 years later. While it is unlikely Google does it, the data also can be sold to multiple parties and that doesn't diminish its value.
People truly underestimate how much information about them is actually worth.
Yes it is. The customer paid for their past use of the service with their data. Wanting to take that data away after having used the service is exactly like wanting a refund for a product you consumed.
Regardless, GDPR requires that you do this. Data's value is massively inflated in the minds of "technologists" and it is time that price came down to reflect the realities that the rest of the world wants.
Sincerely hoping that this marks the end of the data gold rush.
The first part doesn't make sense. This is no different than exporting your data if you stop using a piece of software. Giving data back isn't really an issue of contention, nor is privacy in general.
--
[1] https://en.wikipedia.org/w/index.php?title=Data_ownership&ol...
[2] https://en.wikipedia.org/wiki/Criteo