If no one wants to pay for your product, the market has spoken. Too bad.
We must correct the insanity and digital economic imbalance that spyware businesses have created.
According to who, you?
> It’s spyware.
How is it spying when the people are freely giving away their data?
> If no one wants to pay for your product, the market has spoken. Too bad.
Very true, however it's not clear how a truism about something else relates to the topic? Was this supposed to be persuasive about collecting digital data?
> We must correct the insanity and digital economic imbalance that spyware businesses have created.
Fair enough, but that entails not creating or fostering an imbalance by constantly providing the internet with your personal information.
Spyware is illegal. So it’s just a matter of defining the data collection practices of internet companies as spyware.
>How is it spying when the people are freely giving away their data?
It’s not “freely given away” when you need a team of attorneys to understand what you’ve agreed to and you have no audit rights. Point me to the public FB page where they clearly and easily define all points of data they collect.
> Fair enough, but that entails not creating or fostering an imbalance by constantly providing the internet with your personal information.
Quite absurd to take this position after big tech companies ruined the internet economy with their spyware model. Is it your position that these companies were just responding to consumer demand to unknowingly give up their data in exchange for free services?
>Very true, however it's not clear how a truism about something else relates to the topic?
The only reason we have this spyware economy is because tech companies thought it easier to grow their enterprise off spyware than selling a legitimate product at a price.
The ruling has proved that no, people are not freely giving away their data. One of the infringing issues is that the system "Fails to properly request consent."
If a business model depends on spying on users, it's not sustainable, and moreover, it's illegal in the EU. People are not giving their data away freely if they have a) no way of understanding the consequences of clicking a single button, b) get tricked into consenting using dark patterns, and c) their refusal to consent isn't even obeyed (TCF loads tracking scripts before users can consent).
In general, one of the requirements of the GDPR is that all information on usage of provided data has to be written in simple, comprehensible terms. Please tell me how you knew the implications of giving consent on an IAB site, namely your data being shared and sold across thousands of companies. If even techies fail to understand that, how can anyone expect that of ordinary people, our parents, kids?
It should be clear that with a law like the GDPR in effect, the IAB is acting unlawfully.
Or, to put it more briefly: "How is it spying when the White House employees freely hung up our gift painting with the bug in it on their wall?"
And at this point the free market can’t resolve this. The spyware model has absolutely ruined the internet economy. There is no way to compete against a spyware company with a paid product.
Is it "spyware" if I get someone to install it so that I can track my own activities?
Is it "spyware" if it is someone else's idea to install it and get data related to me but I know about it and I am OK with it?
> Collecting and selling digital data is not a legitimate business enterprise.
a whole international industry, legislators across the planet, entrepreneurs, employees, voters, users and clients disagree.
> If no one wants to pay for your product
who doesn't want to pay for the product?
It's not like the GDPR was one guy's idea that got formalized into law overnight. It has its roots in existing data protection legislation that is decades old as well as previous, failed attempts (ePrivacy directive aka cookie law), so there's equally a significant number of people who disagree with nonconsensual data collection.
Just browsing a website shouldn't be grounds to start tracking users.
Plagued Europeans? Are they seeing additional consent pop ups beyond the ones all the rest of us are tortured with?
Anyway, I'd prefer if we had privacy laws like this in the US too.
We use a consent pop up for non-advertising related cookies. And I'm trying to figure out if we are no longer in compliance.
I expected the answer is site and consent management system dependent, so where I really couldn't avoid one of these sites, I'd manually object to all legitimate interest first before pressing it. Such a PITA and probably pointless ultimately, but hey..
Only half joking here.
> All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.
It's not just that they need to find new ways to screw users. It's that since they screwed users, they also must lose their ill-gained data. Which will probably be a nice deterrent against them pulling the same shit again.
Edit: loose -> lose
This is going to be fun.
Not if the consent form looks like this:
[Register] [Accept]
I really hope they also pass at least the part of DSA where they make terminal signals for opting out of tracking legally binding.
Yes, the logic is frustrating: the big advertising companies have been trying malicious compliance for political reasons. It’s not like they couldn’t build better systems if they were trying to honor the intention of the law.
However, if DNT/GPC (which can signal opt out but not much else) becomes legally binding (as they very well might, with DSA), that'd be a huge win for me personally, because I don't see myself ever consenting, and reading consent dialogs isn't worth my time.
As I understand it, GPC is already legally binding in California thanks to CCPA.
I guess the big corporations didn't like it and lobbied for the next-worst thing, the cookie popups, hoping that it would become a big failure.
I love that idea. Something like Apple's nutrition labels but with check boxes next to data uses. However this is only good if it's legally enforceable since there is no API that would prove/verify data is used the way it's been given permission to.
At best the companies will have to delete months of data, the rest being stale or already fed through some ML loop that extracted any useful value from it.
In effect this just encourages them to keep this practice going. This has to be treated like fraud.
Why isn’t anyone going to prison for this? Happens regularly with fraud.
This ruling should make it a lot harder for advertisers to hide behind the IAB though. One would hope that opens members up to more substantial fines in the future.
Unfortunately, there are reasons they want these cookies on there so badly that justify the cost to figure out how to comply with the policy and try again.
I mean, if you take a news website like The Independent, there's not a chance in hell that a competent design and engineering team would sign off on all the bullshit that is dumped on top of the page. It's always added on at runtime.
I wonder if this judgment opens them up to civil suits.
Attribution in advertising is something which can last months for some products, and it's doubtful that a large proportion of companies import from GA and will lose their ability to gauge current performance compared to the past.
The U.S. is never going to accede that its intelligence agencies cannot access data gathered by its Tech Giants. All claims and soothing words to the contrary are a false belief.
My town messed up on one of the billboards, though, and for a while commuters got to see "Booze it and Loose It!", which conveys a somewhat more carefree message.
there is no data collected via TCF:
https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...
CMPs are the popups that save the preferences and thus enable the collection of the data.
IAB only provides a spec.
The TCF is a spec, the industry agreed on this spec, built implementations and used it as justification of tracking. I think it's fair to call data collected by ads loaded under the idea that a valid implementation of the spec was proof of GDPR consent as "data collected through the TCF".
Anyway, this is the press release, not the ruling. See C.2 of the ruling if you want to nitpick the way this is actually being ordered.
https://www.gegevensbeschermingsautoriteit.be/publications/b...
If the true purpose of ads is just an innocent venture in creating beneficial user experiences with helpful suggestions, then we can improve that system by orders of magnitude by getting rid of distortions associated with paid placement.
Then we can reap all of the benefits without having to worry about the experience being compromised by the distorting effects of self-interest, associated with privileged placement in exchange for payment.
If only. Generally they just manage to show me ads to buy more of the stuff I just bought. Or something I looked at and decided not to buy.
So the screwing is not done by the advertisers but by the kind of ads and the third party access to data.
Also companies like Google seem to have a very clear stance wrt to both, while companies like FB in the past have been pivotal in political landslides, screwed-over level personalized political influencing...
Users are getting screwed by IAB, because IAB does their best to remove that freedom from users.
Consent must be given consciously in an informed way - therefore NOTHING can be pre-checked by any dialog to make it comply with GDPR.
They just need to somehow ban dark patterns, or standardize the dialog. To be honest, just one high profile case that interprets dark pattern as 'uninformed consent' (therefore not legal under GDPR) would be enough.
well, the difference is quite important.
It seems like we’ve still given cake to the glutton, though, just without a cherry on top.
Which, coincidentally, happens to be Lizardman’s Constant.
https://slatestarcodex.com/2013/04/12/noisy-poll-results-and...
So you have to first go to "legitimate interest", uncheck all the individual "purposes", because usually there is no "object all". Once you've done that (with "object all" if you're lucky), you then have to go to individual vendors, because objecting to all the purposes does not cover all the vendors. Yeah. Again, if you're lucky there's an "object all", but usually there isn't. So gotta uncheck all those. There's lots. And often there isn't even a good scrollbar indicator to show how far you've gotten. If there is it's just depressing.
Then you can hit "Reject All". And it's not entirely clear if "Reject All" doesn't turn the LIs back on, because, once again, that dismisses the dialog.
These are the kind of classic "Spell checking. It's impotent!" type of situations. For long bits of text, I can see how some things might slip through. When it's only 4 friggin words, and it's a campaign being slapped up on multiple billboards for everyone to see, one might think letting someone else review/approve would be a good idea. Thinking it might have actually done that and still nobody caught it is even more funny/sad.
Ads have been around for as long as there has been trade. So, thousands of years. Pervasive tracking has been around for less than thirty years. But yeah, "how in the world will we ever be able to show ads to people and pay for software?"
I’ve seen this phenomenon before but never so explicitly. When you can’t convince someone that something is bad, you re-define it as something they do consider bad.
Some examples I’ve seen:
- Some speech is so hateful and racist that its opponents wish to define it as “violence”.
- Facebook offers advertisers the ability to target the demographics their ads reach. Some have tried to term this as “selling your data”.
In this case, it’s clear the average person doesn’t hold data collection in such low esteem as yourself, so you must redefine it as “spyware” in order to convince them.
This subtle shift is interesting to me, but it leaves me unconvinced. Words are not violence. Facebook does not sell data. Data collection is not the same as spyware.
https://en.wikipedia.org/wiki/United_States_free_speech_exce...
I'll reconsider not defending free speech from getting a "hate speech" exception when so called "free speech" proponents start talking about getting rid of the copyright exception instead of just wanting to say racist stuff.
It makes complete sense to want to expand the scope of terms that are associated with laws if you don't believe the law is accurate enough. Language evolves through social changes, and so do laws.
My point is only that speech is not violence. One does not need to change the meaning of the word violence in order to place sensible restrictions on speech. It is a cheap rhetorical trick.
The only thing people are hiding behind here is that users agree to it in some novel length TOS that they don't read and don't understand.
At which point I'm free to decide I wasn't interested in their content anyway.
It has been proven countless times that it's possible to extract learning data from models. I can't see how you can prove the opposite, except, maybe, with federated learning (but even then, you need a good "ratio" of noise).
Is "innocent until proven guilty" not a maxim in European justice?
Most importantly, tens of billions have already been made using this ill-gotten data.
Another example: You get consent from me, count your distinct visitors for January and I revoke my consent tomorrow. You do not have to change your visitor count retroactively.
In case of a data breach, the controllers (i.e. the 1000+ companies) would be required to provide notification to the respective supervisory authorities of the affected users [33] -- although due to the one-stop-shop mechanism, that notification will be considered already done. But on top of that they would also be obligated to inform the affected users themselves [34].
Article 34 also includes this stipulation: The communication to the data subject [..] shall not be required if [..] it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.
Note that these requirements are on the controllers, not the processor. IAB in this case is the processor. So if the data authority were to consider this a data breach, the controllers would not get away scot-free.
> Other definitions are also used, such as the World Health Organization's definition of violence as "the intentional use of physical force or power, threatened[4] or actual, against oneself, another person, or against a group or community, which either results in or has a high likelihood of resulting in injury, death, psychological harm, maldevelopment, or deprivation."[5]
There's no doubt that hate speech _does_ commit psychological harm, for example, but the article contains way more nuance than I have time for in this post so I implore you to read the article -- "violence" is just not as simple and limited as physical harm.
That's what this conversation is devolving into, a fluidic interpretation of violence? Seems like a strawman argument; change the topic to violence, then argue a truism that violence is bad... all the while maintaining a pretend causal link between privacy and violence?
Sorry. Not. Persuasive.
That said, for the sake of civility and moving past this distractio... I will concede the point you seem so adamant to make, violence is not so simple. But again, not on-topic here, and it adds nothing to the conversation.
Objectively ads have added more money into the internet economy than ever before. Curious where you're getting your numbers. 20 years ago "YouTuber" wasn't even a profession. The idea some rando with a microphone and a camera could make millions was unheard of. It's only possible with ads.
That is why we have subject matter experts providing guidance for people in a world too complex to grasp or even care about everything they have to deal with. People _shouldn't have to care_, as long as they can trust those experts to do the right things. We're the experts. Advertising companies are ruining the internet for everyone, some people are just too unaware to realise it.
Sounds like projection. Though I'd agree that most internet users don't like ads, what's true is that most internet users don't like paying for things. Using YouTube as an example, the most popular site on the internet, the vast majority of people do not pay for YouTube premium even though it's available.
At the end of the day no one is stopping you from going back to circa-2000s internet, using IRC, going on plain text websites, using BBS, etc.
I think the idea that people would be able to even make this decision themselves is too optimistic.
> Objectively ads have added more money into the internet economy than ever before
Is that good though? Is there some actual value being created by this or is it simply that ad money has been flowing out of other places like print and TV, and into online advertising?
One, a children’s toy that sells for $9.99. The other a very similar children’s toy that uses lead paint, instead of a safer paint, but is otherwise very similar. It is not clearly labeled as having lead paint. The lead paint toy sells for $4.99.
If people buy the cheaper toy, does that mean people are “choosing” lead paint over the more expensive toy? No! It means people are unaware of the lead paint, or are unaware of the dangers of lead to children.
Lead paint has very obvious, bodily harm to children. Do ads harm children? Perhaps, but even if they did, there's no cost to visit a free-site without ads, or pay for a site without ads.
Because it spells out the nature of the non-paying option as spyware.
The group that is against ads including images on the sides of buses (basically the argument is usually something along the lines of that it encourages unnecessary consumption or similar) is so small as to be irrelevant. You should consider "ads" in the context of this discussion to be "bad ads", where the limit for what constitutes "bad" is of course different from person to person, but for the sake of discussion assume it is "bad enough".
Give me the models and a week, and I'll dox some people with them.
An analog example would be stealing paint and painting your car with it. Should the paint be stripped off the car and given back? I don't know, but the victims are entitled to compensation, which isn't happening in the Google/Amazon case.
No, nobody said it's the same thing. It is an example of misleading business practices.
No, I’m not. You can tell, because I never made a comparison between the two.
What I did was make a hypothetical that was more extreme, with an analogy of the underlying reasoning, to make my objections to that reasoning more apparent.
But, that’s absolutely not a comparison, so no.
So I can murder someone, and say "Innocent until proven guilty", and forbid anyone from discussing whether I'm a murderer, until I'm actually judged guilty?
But ok, sounds like you're nitpicking on my words, so let me rephrase the comment you're replying to.
"Considering that we have dozens of research papers showing that public models contain PII, how can we trust that FAANG's private models don't without auditing? It sounds safe to assume it does contain PII"
In many European countries it's in fact against the law to publish the name of a suspect until a court has found them guilty. And in some it's even illegal to publish the name at all.
So you want a regression, why exactly? If you don’t want to be tracked stop using sites that track you and install ad block.
> If you don’t want to be tracked stop using sites that track you
Can you even tell that before being tracked? The GDPR attempts to make tracking opt-in so that you have a way to consider the downsides before agreeing. There's technically no problem with targeted ads and data collection as long as users are given a clear description of what data they're sharing and how it will be processed.
> install ad block
The same people behind all this illicit data collection would rather not have you do that.
Yes, if you get market advantages from harming people, you will eventually be required to at a minimum give it up again.
I’m really not even sure what your point is. You just want others to do what you want?
By your reasoning, malware should also be legal and it's up to people to learn the ramifications of it and how to protect themselves. We should not force others to miss out on the "benefits" of malware, should we?
Source?
> people should learn to trust trusted entities
When advertising corrupts the market there is no such thing as trusted entities. Find me a modern, 4K HDR TV that doesn't have advertising or advertising-related data collection in a big-box store without going for niche options such as professional digital-signage displays.
> Government intervention is unnecessary.
Companies who had their computers ransomwared would disagree, and so will consumers who had their payment details compromised or sensitive pictures disclosed. I wonder, in your mind, where do you draw the line? Violence? You could argue violence also doesn't need to be outlawed and it's up to everyone to build their houses like bunkers, always wear armor, drive a tank and carry guns to defend themselves.
Those companies have transformed the internet, and its users, by offering services for free, in exchange for user data. We have raised an entire generation (two, maybe?) of people taking that model for granted, nicely illustrated by completely ad-dependent YouTube superstars.
Of course, we cannot simply ban all advertising and start charging for everything. But I'm of the firm opinion that, in order to go forward, we have to leave this business model behind, as humanity. The only way to achieve this is by making it unattractive via legislation.
What exactly are you proposing? Anyone who wants to pay for email can do so already.
It's very trivial to not use any of Google's services or be tracked. Install uBlock, and don't go to any Google or subsidiary service. Done.
What exactly is the issue?
I propose that we try to move humanity past this way of generating revenue, because it's wasting productivity and resources, encouraging shady behaviour, and leads to less freedom overall.
We have social networks manipulating users into staying on the platforms as long as possible, scrolling down infinite feeds, to expose them to as much advertising as possible, thus wasting productivity.
We have big players such as the IAB and its members tracking and spying on users to obtain more data to sell, as an alternative revenue stream to charging for their services.
We have quality journalism disappear in favour of whatever generates the most clicks, in order to expose more readers to advertisements. YouTube stars pushing hidden ads on children. Advertisers crossing ever more boundaries of privacy, by aggregating data from thousands of companies, with basically no oversight by anyone.
That is the issue. I think we should do something against that, and I think "something" may be to nudge the market into another direction, from ad-based to transaction-based revenue sources.
Your argument is "People have free choice, so anything that they do is legal."
The excuse of the perpetrators is "I'm not the one (directly) responsible for your poor economic situation, or your lack of education, so it's fair and moral for me to offer you a terrible proposition that you absolutely would not make if you were in a better economic situation." This is just where extreme capitalism gets you.
The list of examples is endless. Scrip. Children working in mines or cleaning chimneys. Click-through TOS. "Free" email. Indentured servitude.
At the end of the day it's no different than "You need to get on this boat to America, or this gentleman here is going to cut your wife's throat. Hey, it's not me doing the cutting. I'm the good guy. I'm trying to keep you safe. But it's your choice."
It really depends on what we mean by "choice".
Of course, the reality is that if they _did_ use "good" ads, then the free version wouldn't make enough money (at least not in today's ad market). So either the free version couldn't exist, OR it would need to be subsidized by the paid version being even more expensive.
But this problem could go away if "bad" ads weren't allowed or possible. Because then the price sites get per impression on those ads could go up, as advertisers can't simply pay more for precisely targeted ads.
Now, there are a few risks with this: 1) There is every risk that money on the regular web dries up, as targeting is more effective in apps and other siloed environments. We have already seen this to some extent 2) If online advertising is less efficient because of worse targeting, then traditional advertising will again be relatively more attractive, so some of the money would leave the internet economy that way, returning to traditional advertising.
1 and 2 taken together might mean that a lot of "free" content (and I use scare quotes) will simply disappear. And I think that's a risk we should be willing to take. And not only that: I'd go so far as saying that even if 90% of internet users answered in a survey that "I don't care about tracking ads, I just want free content", that's not something regulators should care about at all.
This is a bit circular. People would rather use a free service than a paid service. So long as free services exist it will be hard or impossible for paid services to exist or thrive.
>At the end of the day no one is stopping you from going back to circa-2000s internet, using IRC, going on plain text websites, using BBS, etc.
There's no reason that we should have to make this choice. We don't have to live in a spyware dystopia so that we can have cheaper internet services. This spyware economy is less than 20 years old, and we should throw it out.
Of course. If a paid product wants to thrive it needs to be better. People do use paid search engines, email, maps, etc. Most people don’t because most people don’t value it that much.
> There's no reason that we should have to make this choice. We don't have to live in a spyware dystopia so that we can have cheaper internet services. This spyware economy is less than 20 years old, and we should throw it out.
I don’t think there’s a dystopia. If you want to regress you can do so alone. We have IRC and BBS that won’t track you. I’m sure there are also some plain text sites you can peruse.
Not really understanding why you want to change things for others. Just change it for yourself and then you’re good.
Can you find me one? The only one I know about is Kagi which is in beta and invite-only.
The problem with the current status-quo is that as long as advertising powered by illicit data collection is possible in practice, it's not viable for a paid service to compete.
> Just change it for yourself and then you’re good.
It doesn't matter what you do if ad-tech scum will track you anyway and create a shadow profile by tricking your friends into giving out information about you such as how Facebook infers social graphs (including non-users) by sneaking into people's contacts lists.
Coal mines that used indebted servitude outcompeted mines that did not, and if people didn't want to go into indebted servitude they could always choose to not sign the contract. The market spoke and the customers chose of their own free will to go to the company store, paying more than they earned, and increased their debt year after year.
The problem with YT Premium specifically is that it still requires a Google account, agreeing to their "privacy" policy and provides no guarantee that Google isn't still going to stalk you.
> That being said, who are we to say what's valuable?
We can infer this based on whether enough people pay for the content. There's a reason you don't see a Patreon or other way of paying for the vast majority of clickbait content.
Good luck with that. Instead, you should treat all the sites that have ads as inaccessible and personally use the small percentage that fit your needs.
Everyone wins.
No. I'm completely fine with ads. This isn't about ads vs. no ads. This is about "bad" ads. The wholesale trading in people's information. It's a transaction where the price (Being their PII sold somewhere) isn't visible to the buyer.
The reason we ended up where we are now where a site MUST use horrible adtech, is this: Because there exist ways of displaying pinpoint targeted tracking ads through unscrupulous adtech companies then that's what sets the baseline revenue for ads. Show ads that are 1/10th as efficient? You'll get just 1/10th the revenue. It's what a website has to do.
So if I'm a site that wants to show "ethical" ads, I can't. Because the ad market is such that ethical ads don't make money. If, however, bad ads don't exist - then ethical advertising could be able to make more money again. The endgame of all this isn't forcing all sites to either die or become paid services. To me the important outcome is to level the playing field between those that display (or want to display) "better" ads.
At least according to what I have read, before "bad" ads existed, the overall advertising budget of the corporate sector was roughly the same as it is now. This means that ad-supported business models were just as viable without all this crap.
The problem is that the tracking and whatnot is perceived to increase value, so the ad spending shifted to prefer the more invasive and "targeted" types of ads. But if we outlawed invasive, targeted ads and the tracking required to generate them...yes, there would be a certain amount of redistribution of ad spend, but overall, it doesn't seem like it would actually dry up and blow away.
So there's no good reason to think that getting rid of the really bad stuff would reduce the overall amount of ad-supported content out there.
> It doesn't matter what you do if ad-tech scum will track you anyway
Stay away from sites that use trackers and you won’t be tracked. I recommend turning off JavaScript and sticking to plain text sites.
That's not enough. If your friends give Instagram and the likes access to their contacts to "find friends", then they unintentionally leak your social circle too, and data warehouses sell this info to the highest bidder, lowest bidder, and everyone in between, and government agencies also tap into this for mass surveillance. Even the goddamn Mastercard sells transaction histories to Google. Everything's scraped and sold, doesn't matter if you use the internet at all.
Any notion of user consent to this is ridiculous, because barely anyone understands how much is truly collected, shared and linked together from various sources, and then used and abused. That's why Google, Facebook et al fight so furiously against legislation like the GDPR that mandates informed (!) consent.
Exactly. There’s no issue.
> There's a reason you don't see a Patreon or other way of paying for the vast majority of clickbait content.
The vast majority of content, clickbait or not, doesn’t have a Patreon to begin with. Most Patreons have social media presence which includes ads. Sounds like the worst of both worlds.
The content is clearly not valuable enough for people to pay for it, and in fact it's called "clickbait" for a reason because people clearly feel cheated by what they got as opposed to what they were led to believe they were clicking on.
In a market where consumers of the content pay for it, this wouldn't fly. In a market corrupted by advertising, this flies and the by-product is wasted time, computing resources, pricing out good content from the market (as you can't compete with free) and the risks associated with advertising (the ads aren't properly reviewed, scams, spam and malware can and does fall through the cracks) and data collection.
This also subverts the entire market and is the reason you can't even buy a good TV or appliance anymore without going for niche, commercial-grade products. Do you want to live in a society where you literally can't buy a TV that doesn't spy on you or show ads?
Advertising in its current form is absolutely out of control and ends up being a tax that we all pay for both in time (whether watching the ads or playing cat & mouse with countermeasures such as AdBlock, Pi-Hole, etc) as well as money (as it's ultimately part of the price of the goods we all buy).
> Exactly. There’s no issue.
Except all the work and energy wasted on creating trash content only intended for ad impressions? The world would be better off without it.
Just because you don’t like it doesn’t mean it shouldn’t exist.
In fact, let's imagine a system where one side provides ads that you can watch to accumulate a monetary balance and the other provides content (including the aforementioned trash).
Do you think people will still watch and choose to pay for said trash content? Or will they choose to spend that money on better content, or even cash it out and buy a meal or drink?
They are also totally annoying and I suspect their primary purpose was to annoy users and not actually comply with the GDPR. It was a way for these companies to fight the GDPR with a war of attrition. I'm glad to see this round hasn't worked... Yet.
I suspect that based on this ruling, things will not get better, as in providing a less annoying user experience and more compliance with the GDPR. Instead I predict another round of pseudo compliance and a more annoying user experience. Eventually they'll start a policy campaign in earnest stating that the GDPR is unworkable.
Most ad-tech, and programmatic advertising, is not compatible with GDPR. I think that is intentional on the part of the EU - and something I am a fan of personally.
The industry needs to shift - contextual ads or other innovations - others have done this. They refused to self-regulate all these years and had opportunity to move away from their invasive practices.
My hope is that ever more aggressive enforcement will finally lead us to the point where the dams break and everyone scrambles to get compliant at once.
The sooner, the better. But I realize that the legal system needs to ramp up the pressure, they cannot start with company-destroying fines on day one.
These rulings and fines keep me in good spirits, because I think we're actually getting there. Slowly, but still.
I predict all of this to fail, at considerable expense for the IAB and its clients. The GDPR is popular amongst us EU residents.
My fear is that if legislation works in the EU anything like it does in the US, things that the people like but the corporations do not like... Well, corporate interests win out. I suspect that the whole reason the GDPR was allowed to pass was the corporations figured they could ignore it. Now, finding out they can't, they will fight in earnest.
I do hope I'm just being old and cynical and I'm ultimately wrong.
This ruling puts Google and FB in a much more powerful position - because they do not have to rely on standards like TCF to pass consent signals.
Instead of going after publishers and website owners who integrate these popups in the first place - they went after the inventor of the spec.
See also page 126 for a summary of the ruling. An editorial of my favourites:
> order the defendant to
> a. prohibit, via the terms of use of the TCF, the reliance on legitimate interests as a legal ground for the processing of personal data by organisations participating in the TCF
> d. take technical and organisational measures to prevent consent from being ticked by default in the consent interfaces
> e. force consent management platforms to adopt a uniform and GDPR-compliant approach to the information they submit to users
IMHO, if they were really serious about this, they would have to go after the actual controllers (not the inventor of the spec) - mainly the actual websites that implement these (misleading) banners in the first place. It's beyond me how they can qualify the IAB as a controller when they never collect, process or store any of TCF data.
If this wasn't so politically charged I'd say the IAB has a solid shot of getting this overturned in court.
https://iabeurope.eu/blog/want-to-join-the-iab-europe-team-n...
Even if you were to give IAB the greatest possible benefit of the doubt, the fact that they didn't appoint a data protection officer makes it clear just how little they care(d).
Unless you're fresh in the job market and still believe in the good of people, maybe.
I'm surprised that ICCL very assertively states that all data collected through TCF must be deleted. The Belgian DPA only mentions a €250.000 fine and gives IAB two months to present an action plan [2]. Interesting to see how this plays out. :)
[1] https://iabeurope.eu/all-news/apd-ruling-clears-way-for-work... [2] https://www.dataprotectionauthority.be/citizen/iab-europe-he...
2) In application of Article 100, §1, 10° DPA, order IAB Europe to permanently delete all TC Strings and other personal data already processed in the TCF from all its IT systems, files and data carriers, and from the IT systems, files and data carriers of processors contracted by IAB Europe;
Page 114.
[0] https://www.gegevensbeschermingsautoriteit.be/publications/b...
The maximum fine for such a breach is 4% of the company's global revenue.
Microsoft, in 2021, turned over $168Bn. Google turned over $181.69Bn. Amazon turned over a staggering $457.96.
Between them they had a combined turnover of $807.65Bn, making them liable for a fine of up to $32.3Bn per year (assuming revenue is flat and they all get hit for the maximum penalty and don't do any kind of damage limitation).
The EU general budget in 2019 was only €148.2Bn. So such a fine would actually cover nearly 20% of the running cost of a 27 member multilateral trading entity with a population larger than the United States.
> their fine is 250k euros
massive disconnect between reality and imaginary worlds.
When the EU sets a maximum fine level, that's there to give their courts discretion to drop the hammer on companies that have clearly been abusive. Expected practice there is more generally to lead with something that's more of a warning. Then, if they do it again, they can escalate toward the maximum.
The 32.3 billion figure there was the maximum possible fine for the combination of Microsoft, Google, and Amazon. Personally, I'm unclear on whether anyone besides IAB is currently being fined, but in either case, the point here appears to be to send the message "what you're doing isn't OK, clean it up now" rather than "all your revenue are belong to us".
For now.
I implemented GDPR consent management for some US publishers with EU exposure. As part of this I evaluated vendors and various systems like the IAB framework.
IMHO it was clear it was not compliant. It could never know the potential adtech it was going to load in advance (and therefore could not ask someone to consent), and it still allowed ads/adtech/trackers to load in page before asking for consent.
They ignored anyone who pointed this out.
The writing has been on the wall for a long time that GDPR informed consent is to be interpreted in a narrow sense (i.e. actually being informed, not just clicking). And we know EU legal measures often take a long time but can bite hard. So here we are now!
[Edit]: Note that the decision can be appealed - so it's going to be a long while before we get a final verdict.
Of course with underfunded government privacy enforcement bodies, that process takes a long time. And then there is Ireland.
The problem I think until now has basically been that sites that rely on tracking ads know they are in violation. They don't want to comply, because it would be too costly.
Basically, a meeting at one of these businesses (I'm imagining) has a conversation where people say "Ok what do we do about the cookies? Unless we at least write the X and Y and Z tracking cookies, we can't keep the lights on so we can't risk users just clicking 'Reject all' and getting dumb ads. What should we do? I think we should use that dark pattern dialog which leaves X Y and Z on for 75% of visitors who just click the biggest button. That at least buys us some time. If regulators complain we can always change it".
A regulation that was scary enough would see sites prefer shutting down over using a dark pattern. For that to happen, the fines not only need to be big enough to be fatal to the business, they have to actually go further and be personal fines to key employees.
In particular, the random number should be a point on an interval that is split into regions proportional to the size of the companies, so bigger companies are more likely to be selected.
Is there a name for such a weighted random system? It seems like it could be used in some non-deterministic electoral systems too (which isn't as bad an idea as it sounds).
Companies will think twice about their approach of "claim compliance until proven otherwise and then take the wrist slap".
Put CEOs in prison and you'll see lasting change. As long as they can harm billions of people and only pay a modest fine in return, they will not change.
What would happen is that most of these major tech companies would simply ban all EU users.
If the EU wants to be shut out of most of the tech world, fine. Because that would absolutely be the result if all "tracking" was effectively blocked or stopped.
From a technical point of view, the tracking scripts are often loaded to begin with (where your IP address & browser fingerprint is already leaked) and declining tracking merely "asks them nicely" with no guarantee they'll obey the signal or whether the already-collected data (from just loading the script) will be deleted.
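One way to check this claim, and the earlier report that adtech loaded in the page before consent was asked, against a recorded page load. This is an added example, not code from the thread: it reads a HAR export, and every host, cookie value and timestamp in the sample is constructed. Matching "same site" by domain suffix is a simplifying assumption; a real audit would use the Public Suffix List.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

CONSENT_COOKIE = "euconsent-v2"  # cookie name as quoted from the ruling


def _started(entry):
    # HAR timestamps are ISO 8601; normalise a trailing "Z" for older Pythons.
    return datetime.fromisoformat(entry["startedDateTime"].replace("Z", "+00:00"))


def _carries_decision(entry):
    # The cookie only shows that *a* decision was stored, not that it was a "yes".
    cookies = (entry["request"].get("cookies", [])
               + entry.get("response", {}).get("cookies", []))
    return any(c.get("name") == CONSENT_COOKIE for c in cookies)


def _within(host, site):
    return host == site or host.endswith("." + site)


def pre_decision_requests(har, site, allow=()):
    """Return (decision_time, findings) for third-party requests sent before any
    consent decision was recorded. `site` is the publisher's own domain; `allow`
    lists domains needed to display the prompt itself (the CMP)."""
    entries = sorted(har["log"]["entries"], key=_started)
    decided_at = next((_started(e) for e in entries if _carries_decision(e)), None)
    findings = []
    for entry in entries:
        when = _started(entry)
        if decided_at is not None and when >= decided_at:
            break  # later requests need the stored choice decoded, not this check
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if _within(host, site) or any(_within(host, a) for a in allow):
            continue
        findings.append({
            "host": host,
            # None when no decision was ever recorded during the capture
            "ms_before_decision": None if decided_at is None
            else (decided_at - when) // timedelta(milliseconds=1),
            # identifiers the browser already handed over with the request
            "cookies_sent": [c["name"] for c in entry["request"].get("cookies", [])],
        })
    return decided_at, findings


# Constructed capture: banner script at 150 ms, the user decides at 7.9 s.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2022-02-03T10:00:00.000+00:00",
     "request": {"url": "https://news.example/article", "cookies": []}},
    {"startedDateTime": "2022-02-03T10:00:00.150+00:00",
     "request": {"url": "https://cdn.cmp.example/banner.js", "cookies": []}},
    {"startedDateTime": "2022-02-03T10:00:00.320+00:00",
     "request": {"url": "https://sync.adtech.example/pixel?r=news.example",
                 "cookies": [{"name": "uid", "value": "constructed-id"}]}},
    {"startedDateTime": "2022-02-03T10:00:00.410+00:00",
     "request": {"url": "https://tags.tracker.example/t.js", "cookies": []}},
    {"startedDateTime": "2022-02-03T10:00:07.900+00:00",
     "request": {"url": "https://news.example/api/prefs",
                 "cookies": [{"name": "euconsent-v2", "value": "constructed"}]}},
    {"startedDateTime": "2022-02-03T10:00:08.050+00:00",
     "request": {"url": "https://tags.tracker.example/bid", "cookies": []}},
]}}

if __name__ == "__main__":
    decided, hits = pre_decision_requests(SAMPLE_HAR, "news.example",
                                          allow=("cmp.example",))
    print("decision recorded at", decided)
    for hit in hits:
        print(hit)
```

Each finding is a request that reached a third party, with the visitor's IP address and any cookies it carried, while no stored choice existed yet.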
Edit: Apparently it's been picked up since last time I looked: https://www.theverge.com/2022/2/1/22911965/yahoo-japan-europ...
Laughable really. How the hell do you reconcile all this data and make the bean counters happy that yes: this is the data we collected through the popups over the years.
[0] https://github.com/InteractiveAdvertisingBureau/GDPR-Transpa...
For example, HN probably collects my IP address under LI. Now it may be illegal for it to do that.
Nearly every website opens with an annoying cookie popup, often blocking the content (or reducing it to a fraction of my screen on mobile).
I've never once clicked "Yes, track everything", except by accident when tricked into it by deceptive UI (eg. a button designed to look more inviting than its less invasive counterpart).
I get that wasn't the intent, and there are less intrusive ways for companies to comply. But the result we ended up with is a mess.
On one hand our Data Protection Authority gets that done and on the other hand the European commission is about to start legal action against Belgium for GDPR infringements https://www.brusselstimes.com/news/belgium-all-news/173086/e...
And we just passed a law that permits our IRS to have our bank account's data.
And there is an ongoing project to store and register citizens' health data in one single database, available to insurers and government agencies.
Over the last year there's been drama and real concern around the DPA https://iapp.org/news/a/belgian-dpa-director-resigns/ with the director resigning and claiming pressure from the authorities post resignation (as PI rummaging through her trash bins).
We have a guy who single handedly decides if database projects are OK with GDPR and privacy laws and he's the one providing the software solutions.
Belgian surrealism at its finest.
I know there are people from the north on HN, I wonder what their views on these matters are?
How much data is being collected through these pop-ups?
So now they're being asked to delete their records of who opted in or out, because that data was illegitimately acquired.
[edit] This could also have implications regarding data collected through other systems based on the assumption that an opt-in was valid.
I'm also a local guide on Google Maps with a real photo, and my real name on the profile.
No different than getting spam snail mail that gets delivered to every house. Sure - you toss it in the recycling every week but someone will read it eventually and it’s basically nothing for the company to send out.
Personally I'd refuse to add a dark pattern cookie dialog, but I'm in the privileged position of being able to switch jobs.
But regardless, I'd probably send the ethics hotline an email saying that regulations are violated. Perhaps I'd send an email to the relevant regulator too, just in case.
This isn't something that's inflicted on us by web developers (on the whole); it's done by accountants. So fines are the most appropriate remedy.
No judge wants to impose a fine that bankrupts a company; but fines that start gently, but double after each offence, are much more likely to cause the accountants to smell the coffee.
Discussing how we can make achievable improvements now is also important.
Hey, let's have sex.
<Silence>
WARNING: DO NOT ATTEMPT
You seem to have gotten confused as to the fundamental nature of consent.
See the problem is it isn't put in writing. Putting things in writing gets people to pay attention.
If you're not familiar with Northern European culture, I'm quite sure the companies can expect literal inspectors in their offices expecting clear answers to where the data is and what was done with it. They will be pleasant but firm, focused and unswerving. Infractions and evasions will be carefully noted. These notes will then form the basis of further lawsuits. These people are not fucking around.
You do inspections. You demand proofs of compliance, and when said proofs are deemed inadequate you sanction them until something adequate is provided.
Like everything else with law, it's fuzzy and ongoing.
If you then get a letter from the regulator stating that you were in violation, and have to delete some data, and you answer that you did, and signed it -- then you're likely up to criminal charges if that was a lie.
This is not a line most executives are comfortable with crossing.
If any subsequent GDPR shenanigans come up, and they found you intentionally lied to the regulators, you're in some deep shit.
There might or might not be auditors visiting you after the first letter. If you lie and are found out, your career is over, and you might wind up in prison.
It's not perfect for enforcing privacy, but it's much better than not having such a ruling.
Enforcement isn't the real crux of the issue, it's that for some reason it's uncouth to come out and say: this regulation is targeting known liars that we should expect to ratfuck the system as hard as possible.
If that was the commonly accepted understanding of those conmen, enforcement methodology would get solved quickly. Which is why they work so hard to not be seen as ratfuckers.
Engineering leaders now have ammo to push back against illegal roadmaps foisted on them.
It was about the practical effects that came about after the legislation was introduced. I hardly believe webmasters around the world coordinated a premeditated, mass conspiracy to annoy their visitors. I rather think the mess results from a misunderstanding on the part of businesses about what is actually required by the various legislation, complacence by the poor chap who's just trying to publish a site, and, yes, dark patterns on the part of platforms providing elements of the stack.
e.g. Those annoying banners aren't needed if you construct your site to not use cookies at all, until they're actually required for functions a user explicitly requests. Platforms have no business asking for my consent in the first place to cookies they know darn well do not serve any bona fide interest for the user.
While the outcome isn't optimal (for the moment) we now at least see what's happening.
Actually it's the website operators that did that. The GDPR doesn't mandate all these cookie popups.
GDPR declared war on trackers. The popups are the trackers fighting back. We are civilians caught in a warzone. I for one hope that GDPR wins; but there's a way to go yet.
> there are less intrusive ways for companies to comply.
These intrusive ways are companies not complying. This is what is currently being litigated, an industry pulling out all the stops to not comply with the GDPR.
This ruling is a major victory along the way.
Then we could just set it in our browser settings.
No. Freely and unambiguously given informed consent means that the users need to actually be able to understand what they consent to. Encrypting the information in a 500 page novel, obfuscating it beyond human ability to understand or interpret it, is not informed consent.
ToS are not currently under the same requirement of freely and unambiguously given informed consent. They just require consent, which for now has been interpreted to mean basically anything that a lawyer wants it to mean. People have given away their spiritual souls and first born child in ToS, though the ability to enforce such contracts is open to debate.
- "First, the consent of the data subjects is currently not given in a sufficiently specific, informed and granular manner"
- "Second, the legitimate interest of the organisations participating in the TCF is outweighed by the interests of the data subjects, in view of the large-scale processing of the users’ preferences (collected under the TCF) in the context of the OpenRTB protocol and the impact this can have on them."
- "In the absence of systematic and automated monitoring systems of the participating CMPs and adtech vendors by the defendant, the integrity of the TC String is not sufficiently ensured, since it is possible for the CMPs to falsify the signal in order to generate an euconsent-v2 cookie and thus reproduce a "false consent" of the users for all purposes and for all types of partners. As indicated above, this hypothesis is also specifically foreseen in the terms and conditions of the TCF" - no way to verify consent
- "The Litigation Chamber also finds that the current version of the TCF does not facilitate the exercise of the data subject rights, especially taking into consideration the joint-controllership relation between the publisher, the implemented CMP and the defendant." - no way to revoke consent, or request your data
As to why the system ran for so long: yes, enforcement is (too) slow.
- Many complaints were made to several European DPAs in 2019.
- Litigation commenced 13 October 2020
- Interim Decision 8 January 2021, amended 23 February 2021
It looks like IAB made a lot of procedural complaints when it became clear their arguments were rejected
[0] https://www.gegevensbeschermingsautoriteit.be/publications/b...
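The integrity and legitimate-interest findings quoted above are easier to follow with the TC String's layout in view. The decoder below is an added example, not code from the thread or from IAB Europe; it reads the core segment using the field order and widths of the published TCF v2 specification, and the sample string, including its CMP ID, is constructed with only core fields.

```python
from datetime import datetime, timezone

B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

# Core-segment fields in wire order: (name, width in bits). Vendor sections follow
# these in a real string. Nothing here or there is a signature or MAC, so a
# receiver can check that a string is well formed, not that a user chose it.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12),
]
CORE_BITS = sum(width for _, width in CORE_FIELDS)  # 213


def set_positions(value, width):
    """1-based positions of set bits, counting from the most significant bit."""
    return [i + 1 for i in range(width) if value >> (width - 1 - i) & 1]


def mask(positions, width):
    """Inverse of set_positions: position 1 is the most significant bit."""
    return sum(1 << (width - p) for p in positions)


def letters(value):
    """Two letters packed as 6 bits each, with A encoded as 0."""
    return chr(65 + (value >> 6)) + chr(65 + (value & 63))


def decode_core(tc_string):
    """Decode the core segment (the text before the first '.') of a TC String."""
    segment = tc_string.split(".", 1)[0]
    try:
        bits = "".join(f"{B64URL.index(ch):06b}" for ch in segment)
    except ValueError:
        raise ValueError("TC String is not base64url") from None
    if len(bits) < CORE_BITS:
        raise ValueError("too short for a v2 core segment")
    raw, pos = {}, 0
    for name, width in CORE_FIELDS:
        raw[name] = int(bits[pos:pos + width], 2)
        pos += width
    if raw["version"] != 2:
        raise ValueError(f"unsupported TC String version {raw['version']}")
    return {
        "cmp_id": raw["cmp_id"],
        # timestamps are stored in deciseconds since the Unix epoch
        "created": datetime.fromtimestamp(raw["created"] / 10, tz=timezone.utc),
        "consent_language": letters(raw["consent_language"]),
        "publisher_cc": letters(raw["publisher_cc"]),
        "purposes_consent": set_positions(raw["purposes_consent"], 24),
        "purposes_li": set_positions(raw["purposes_li_transparency"], 24),
    }


def li_report(tc_string):
    """Purposes the string asserts under legitimate interest rather than consent."""
    decoded = decode_core(tc_string)
    consent, li = decoded["purposes_consent"], decoded["purposes_li"]
    return {"consent": consent, "legitimate_interest": li,
            "li_without_consent": [p for p in li if p not in consent]}


def encode_core(values):
    """Pack raw field values into a core segment; used only to build the sample."""
    bits = "".join(f"{values.get(name, 0):0{width}b}" for name, width in CORE_FIELDS)
    bits += "0" * (-len(bits) % 6)
    return "".join(B64URL[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


# Constructed sample: the user ticked purpose 1 only, yet four further purposes
# are flagged under legitimate interest. CMP ID 4095 is a placeholder.
SAMPLE_TC = encode_core({
    "version": 2, "created": 16438464000, "last_updated": 16438464000,
    "cmp_id": 4095, "cmp_version": 1, "tcf_policy_version": 2,
    "consent_language": (4 << 6) | 13,   # "EN"
    "publisher_cc": (1 << 6) | 4,        # "BE"
    "purposes_consent": mask([1], 24),
    "purposes_li_transparency": mask([2, 7, 9, 10], 24),
})

if __name__ == "__main__":
    print(SAMPLE_TC)
    print(li_report(SAMPLE_TC))
```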
I hope that they get fined billions for keeping it illegal for so long but I doubt it.
You can of course retain outside help to advise you but there's no guarantee that they are right and many of the consultancies and providers were incentivized to compete on maximum opt ins. Maybe the CMPs and the adtech companies can fight it out in court over whether the CMPs misled the adtech companies or they just gave the adtech companies options which the adtech companies misused.
The ruling is not just "fix your language", though that's what the industry will be incentivized to try, again. They all bandwagoned on hiding secondary opt out checkboxes under "legitimate interest" and this wrist slap tells them it's not ok:
> Fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking (Article 5(1)a, and Article 6 GDPR)
> Fails to respect the requirement for “data protection by design” (Article 25 GDPR)
The route to complying is clear. Don't track without opt in. Know where the user data is going, not just "whichever vendor happens to be in the winning ad". Don't use dark patterns to encourage the opt in. It's the industry's attempts to bury its head in the sand because it hurts their bottom line and their search for increasingly convoluted workarounds that is making this complicated.
I guess it is the opposite. GDPR requires clear and understandable text in privacy policies.
We call that a privacy agreement. But having a proper privacy agreement that lists what data is collected and what happens with it is far from the only part of the ruling
But put those civil servants in a committee in Brussels with not as much short term pressure, and they can work out regulations that achieve the right thing.
Just kidding.
There's your error. GDPR is not about online advertising.
Things regulated by GDPR:
* CCTV in public spaces.
* Medical records.
* Employment records that businesses keep about their employees.
* Credit reports.
* Government records like voter databases and housing information.
* Trawling public business filings to send direct-mail spam.
* The loyalty card issued by your grocery store which tracks your purchases.
* The CRM database used by the sales guys in your SaaS company to keep track of hot leads.
GDPR regulates a wide array of data collection, and outright banning is not the correct solution for most of them. So it's about what obligations are attached to data collection and processing. Online advertising is only a small part of what's being regulated.
Even online, there are modes of data collection which are permissible. E.g. collecting anonymous site statistics for your own internal use. The obligations get harder and harder to satisfy when your business practice is to spread data hither and yon to whomever will pay a nickel for it.
Actually, this is not left blank at all...
--------------------
Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
Keep your consent requests separate from other terms and conditions.
Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
Be clear and concise.
Make it easy for people to withdraw consent and tell them how.
Avoid making consent to processing a precondition of a service.
https://ico.org.uk/for-organisations/guide-to-data-protectio...
The idea was to let users decide for themselves, case by case, whether they wanted the tradeoff of being tracked for the rewards (including things like saving your preferences).
The tracking industry didn't want to be banned and wouldn't give up without a fight, so they looked for a loophole in this fake consent spam.
So how do you define, in law, when a person legitimately wants a company to process their personal information, and when it should count as illegal tracking? The GDPR actually makes an attempt at defining this (doesn't just leave it blank), but many adtech companies just ignore this and break that law. See the article for an example.
If they keep doing it, they can't say they intended to follow the law, and they'll be punished more severely.
If the EU would do that intentionally there would quickly be a complaint at the WTO.
In reality, as long as Google, Facebook, etc can make money in the EU, they are not going to leave.
But also, I would strongly encourage the United States to do this. Extradition is obviously far more complicated, and as you say, could just lead them to excluding the geographic region that holds them responsible.
This move is basically clarifying that you can't simply claim legitimate interest for most advertising purposes, which the TCF was encouraging/facilitating.
The ICO in the UK doesn't work like that, AFAIAA. You first get a polite letter; then a firmer letter containing helpful advice on how to come into compliance.
After that, you join a huge queue of companies awaiting legal enforcement action. The ICO is deliberately underfunded; it always has been. The government passed data protection laws, but they reserved the power of enforcement to an agency that was crippled from the start.
I welcome this court decision, obviously.
[Edit] Most of the penalties levied by the UK ICO used to be against local governments and government agencies. They were rarely against commercial operations. I see that there are some companies (that I've never heard of) now appearing in the list.
So now that we have confirmed that they do indeed process PII and use the consent string as the unique identifier that ties the whole profile together we can start doing what you want. Going after the companies that attach other datasets to the consent string.
Before this ruling, the companies/controllers would have said that we process no personal data, thus GDPR doesn't apply. Now we have a ruling, saying that this is not a valid excuse.
That is not correct. These companies use TCF because the GDPR applies. If it did not - they would not have to use it. The GDPR automatically applies as soon as cookies come into play - regardless of what is in the TCF string.
The main thing here is not that PII data comes into play but that the IAB is the controller. Until now the controller was/is the website that actually controls (and passes to 3rd parties) user data. That is why you have to agree to joint controller agreements if you want to integrate the TCF frameworks on larger web sites.
Some background on IPs: The ruling mentions the reason TCF is PII because it can be combined with IP addresses. No one challenges IP addresses as PII data anymore. There were many rulings that classify IPs as PII - specifically in Germany (even pre GDPR).
If someone says "Do not track me", it's a bit disingenuous to interrupt them with a dialog asking them all the ways they might want to be tracked. It's either an attempt at coercion (we'll keep wasting your time until you give in) or an attempt to gain fraudulent consent through trickery/mistakes.
I'm convinced pro-GDPR views are always ideological in nature. It's impossible to read GDPR or related case law from the perspective of trying to comply with it and not be disgusted. Every single requirement is vague and subjective - words like "appropriate", "necessary", "reasonable", "proportionate" etc aren't just a part of this law, they are the entire essence of it. And even the occasional term that looks precise often has totally unintuitive definitions, like the way they define large random numbers as "personally identifiable" even though there's no database that links these numbers to any actual personal identity.
Even this announcement about a new ruling is a fog of confusion. Why is asking users for consent, a key piece of GDPR compliance previously, suddenly not OK? Why is this being phrased as "freeing users from consent spam"?
This sort of thing wrecks the EU in the eyes of people actually building things. It makes it seem that this is a part of the world without rule of law of any kind. You can invest hundreds of millions into GDPR compliance and years later discover it was all in vain, without any warning whatsoever. You're being constantly trolled in courts by random academics and "civil liberties" organizations who don't seem to care about actual civil liberties issues like mandatory medical interventions but who define advertising cookies as a grave threat. Dealing with the EU gets ever more painful and if this keeps up, people there are gonna discover they're being denied services or simply charged more as a "GDPR litigation premium". And then they'll be stuck, because the home grown EU software industry is stillborn.
It would be amazing if there would be no ads outside google search. But that will not happen. That is a void that will be filled very quickly.
There will be no content then, so the inside of google will be equally empty
It isn't like laws prevent all crimes, the goal is to reduce illegit data usage, there is nobody who thinks it can ever get completely stamped out.
There have been highly public cases of that blowing up spectacularly for those companies; cases where it becomes public and nothing really happens; and - I'm sure - many many more where nobody outside the company ever found out.
Is there some aspect of this situation in particular where you're trying to ask something more specific than that?
When? In a century?
It took them years to reach a conclusion that even a layman skim-reading the GDPR would reach in an hour.
Google kept promising us their own framework and consent system. They kept pushing the date to unveil it and as we ran out of time I had to build my own, and many others jumped into the IAB framework because of so few options (and it came down to the wire there too despite knowing for years this was in the works).
>> they cannot start with company-destroying fines on day one
I think they can - and the GDPR fines are linked to revenue - and I think they have no choice. Companies need to take this seriously.
>> Slowly, but still
I'll take slowly over backwards.
Certainly not. The courts would take a very dim view of that. You need to show through a series of regulatory interventions and escalating fines that you afforded those companies due process and that the fines are reasonable.
The maximum allowed under a law is virtually never reasonable in a first-time enforcement.
This is how laws work and why the "law as code" people are not going to succeed. The US leaves this to the enforcement stage, e.g. many tests in US law for ascertaining enforcement include things like the reasonable person test (https://en.wikipedia.org/wiki/Reasonable_person). Proportionality is a well enshrined standard in EU law in particular, and cuts both ways - it's why this ruling is not the maximum fine out the gate.
Or let's take this clause from the DMCA (regarding what is considered obsolete and therefore the library may format shift): "For purposes of this subsection, a format shall be considered obsolete if the machine or device necessary to render perceptible a work stored in that format is no longer manufactured or is no longer reasonably available in the commercial marketplace."
Asking for consent is still OK. Just the way how IAB has been doing it is not OK as it was found to not constitute explicit consent.
And before you say that explicit consent is not defined there are easily accessible guidelines from the European Data Protection Board. https://edpb.europa.eu/our-work-tools/our-documents/guidelin...
zero chance of this ever happening.
And, no, it's not different because the tech companies are serving up bits and bytes. Same mechanism.
no comparison whatsoever with some websites. what you're writing about has to do with state overreach.
Also this is not criminal law where someone is innocent until proven otherwise. Companies have to prove themselves that they comply with the law. Like food companies have to log cleaning to show they follow the food regulations, as one example.
These people will be frighteningly competent
Maybe kidding? Seems the only way to get a single-issue topic on the agenda these days.
The signal in traditional voting is very diluted.
You vote on a person that you think supports some of the things you care about. You are not allowed to weigh in on individual issues in a way that matters.
The person works for several years, and the only feedback you have on that process, the only tether that holds that person accountable, is whether you vote for them the second time.
If you are in a first past the post system, and in a safe seat, vote for one of the no-chance-of-winning candidates who best represents your views. Although they won't win, the fact that they are getting votes will be noticed and the main 2 parties will respond by adopting some of their policies. E.g. in the UK as more people vote for the Green party, other parties will become more Green to get those votes back, even though the Green party has only ever got a single MP.
There are laws and then there is how laws are enacted. Hint: pay attention to how homegrown EU companies are treated.
EDIT: https://www.enforcementtracker.com/ Look here specifically. Sort by fine amount. Look at the companies that are being fined the hardest. It's not just the US that is being targeted. There's this island nation that recently decided they didn't want to be part of the EU...
I think the argument of like "well the law was passed to harm US companies specifically because US companies specifically do this" ignores that this is an undesirable behaviour with significant negative externalities, so this feels a bit like complaining that encouraging green energy at the expense of fossil fuels is discriminating against Russia and the Middle East.
Once we get past the tech companies the next biggest fine is for H&M, for surveillance of call center employees, not just at workstations (which is probably also not allowed), but in their private lives, disclosure of that detail with managers, and targeted harassment from that information. This seems pretty egregious, and not political retribution against the UK.
Next up are some Italian companies fined in Italy, UK companies getting fined _by the UK_, and Vodafone subsidiaries getting fined everywhere. You could argue Vodafone is a UK company being unfairly targeted, but from what I remember of coverage of the (Spanish, I think?) ruling, they're a repeat offender in this regard.
> a way for the EU to control US companies, extending their power beyond their jurisdiction
How are they extending their power beyond their jurisdiction, considering that this is something done in the EU to EU citizens?
US companies inject all sort of trackers and spyware into browsers of EU citizens and you talk about jurisdiction?
These were often not even listed in the framework. There was little-to-no compliance/auditing that I am aware of. It was business as usual for many ad networks.
Or maybe I could vote for the labour party, which are centre left economics, pro-EU, pro-housing expansion, pro-healthcare investment, pro-environment, somewhere down the list is internet privacy
The idea that there's a party that (a) both has the same views on all issues as you do, (b) has sufficient votes to get seats and (c) orders issues in the same importance you do, for everyone, is clearly not valid. More parties = more choices, and this is often better, but ultimately we'd end up with de facto direct democracy to have a party with the exact views for every person.
Similarly, even for myself, I consider internet privacy important. Maybe I should vote for the pirate party then? Except I consider the environment more important and our pirate party is so small that it hasn't even considered a position on non-privacy related issues, never mind have an adequate plan for how we're going to make a transition from a heavily fossil fuel based power supply. Even on that environmental issue, I think the green party's anti-nuclear stance has historically been a mistake, but if the others are just going to build more gas plants, I'll deal with it.
There's an analogue that has happened in the U.S. Let's say that my little white town passes a law that forbids jaywalking. Protects pedestrians... Makes it easier to drive... Sensible law right? But in practice, it's the 1940's and the cops ONLY ticket black people. In practice, it's not a law against jaywalking - it's a law to drive out all the black people and make the white town inhospitable to anybody with skin tone.
GDPR claims to protect the people but is used as an economic weapon.
They don't need to know what data was collected. GDPR requires you to track all data and mark where you got it from, so the companies are legally required to track this for you, they should already have a switch where they can delete this data at the notice of the user, so they should have no problems honouring such a request from the government.
The government don't know if the data was deleted, but a user will know if a company has data the user didn't agree to give to the company, in which case that company is violating GDPR regardless of how they got that data. That won't always come up, but if it does the government will go after those companies.
> how will the Council know if the end-tracking companies deleted their data?
That doesn't matter, all they need is to ask the companies and the companies to say that they deleted the data. That is how everything else works with GDPR. When you ask a company to delete your data you don't know the company deleted it, they could still store it but keep it hidden etc. The government asking this is exactly the same.
If it later comes up that companies have a lot of data about users that they can't explain how they got, or that traces back to this case where they said they deleted it, then those companies will get huge fines. Open violations of laws where there is no question that the company knew they were breaking it are a very different case from companies toeing the line; the fines would get much higher.
It's you that fails to understand the GDPR: that situation is not possible. In this case, the IAB is acting as the data controller for this data. As per GDPR requirements, when they share this data (for whatever purpose) with third-party processors, they must ensure through their contracts that the processor can comply with data deletion requests coming from users through the IAB.
If they cannot comply with that, both the controller and the processor are in violation of the GDPR, the controller doubly so because the GDPR requires them to audit their chosen data processors for GDPR compliance.
There could be a tipoff, for example, from an employee. And if that whistleblower is right, then the company will suffer huge fines.
Or any of the numerous other ways that someone might be caught for a crime... but let's go with whistleblower, as that is easy to understand.
Edit: maybe as an addition to the last point in parentheses: The EU parliament is purposely weak, as the EU is a union of states and the member state governments want the power in the council and don't want to give up power.
It points at a clear weakness of democracy.
And yes, I personally would like to have a stronger EU Parliament relative to the Commission and Council. However there is no reason to let the national government escape with "it's EU law" after they approved it. (And yes, Council doesn't require unanimous vote for most items anymore since the Lisbon treaty, thus it is possible your government voted "no", but that then is democracy and they have to convince other governments ...)
(Just a side note: I like GDPR, think it is in large part good, and push my government to support it.)
Normal people don't care about cookies or consent popups and merely find them annoying/frustrating. I've never, ever heard anyone praise these popups outside of Europeans posting on Hacker News. That's a small community and it's a bubble convinced of its own purity.
Here's why democracies don't do this kind of thing: democratically elected governments are expected to generate economic growth and jobs by voters. Constantly levying massive fines on companies who aren't actually upsetting most citizens, via ultra-vague laws that create "tails we win, heads we also win" outcomes for the bureaucracy, is something that most mature democracies realized doesn't work out well in the long run. So they don't do it.
The EU has no such concerns because it's not accountable to anyone, for anything, despite what sometimes people like to try and claim. Result: a stagnant economy with an ever shrinking proportion of global GDP that tries to cover up its damningly consistent failure to produce successful tech firms by pretending it's too morally righteous to do so.
Signed,
A European. But not an "EU citizen".
it's via QMV, not unanimity
so no need for "your" national government to approve it
https://web.archive.org/web/20171125221345/http://www.votewa...
In general you have somewhat of a point, but then it is democracy that the government would be responsible to argue for their point and convince others.
"EU did it" is a cheap excuse.
The EU represents 300M people, and has the economic and political weight to make a dent.
The same goes for other international issues, such as climate change, corporate tax evasion, cyber crime, etc.
Data protection laws existed before GDPR. GDPR itself is not that different from Swedish data protection laws, for example.
Everyone ignored them for years (in case of French laws, for decades, apparently). So, the next step is to pass and enforce the law through the EU.
The enforcement of GDPR is still up to national civil services/judiciaries, in this case it was a cooperation of multiple national protection authorities.
Even the legislation itself necessarily involved national governments and national civil servants in national ministries
GDPR being an EU level legislation has more to do with the absolute nightmare it would be for the internal market to have 27 different standards and the drastically lower leverage available for enforcement than disinterest in the subject
• Austria: Datenschutz-Grundverordnung (DSGVO)
• Belgium: algemene verordening gegevensbescherming / règlement général sur la protection des données (RGPD)
• Bulgaria: Общ регламент относно защитата на данните
• Croatia: Opća uredba o zaštiti podataka
• Cyprus: Γενικός Κανονισμός για την Προστασία Δεδομένων
• Czech Republic: obecné nařízení o ochraně osobních údajů
• Denmark: generel forordning om databeskyttelse
• Estonia: isikuandmete kaitse üldmäärus
• Finland: yleinen tietosuoja-asetus
• France: règlement général sur la protection des données (RGPD)
• Germany: Datenschutz-Grundverordnung (DSGVO)
• Greece: Γενικός Κανονισμός για την Προστασία Δεδομένων
• Hungary: általános adatvédelmi rendelet
• Ireland: An Rialachán Ginearálta maidir le Cosaint Sonraí / General Data Protection Regulation (GDPR)
• Italy: regolamento generale sulla protezione dei dati (RGPD)
• Latvia: Vispārīgā datu aizsardzības regula
• Lithuania: Bendrasis duomenų apsaugos reglamentas (BDAR)
• Luxembourg: règlement général sur la protection des données (RGPD) / Datenschutz-Grundverordnung (DSGVO)
• Malta: Regolament Ġenerali dwar il-Protezzjoni tad-Data
• The Netherlands: algemene verordening gegevensbescherming
• Poland: ogólne rozporządzenie o ochronie danych
• Portugal: Regulamento Geral sobre a Proteção de Dados (RGPD)
• Romania: Regulamentul general privind protecția datelor
• Slovakia: všeobecné nariadenie o ochrane údajov
• Slovenia: Splošna uredba o varstvu podatkov
• Spain: Reglamento general de protección de datos (RGPD)
• Sweden: Dataskyddsförordning
• The United Kingdom: General Data Protection Regulation (GDPR)
The EU is our saving grace far too often.
And with Brexit, the biggest obstacle to that has been removed - the UK never wanted to be part of a Federal EU (because we always considered ourselves part of the British Empire/Commonwealth). There are other EU countries who aren't wildly enthusiastic about a Federal EU too, but it was always the UK being the most loudly opposed to it.
Just look at what happens whenever some EU treaty needs ratifying by national referendum.
this is false. very few european countries want a federal, unified state.
so nothing of meaning will happen until a lot of things change.
"Ever closer union"
that never stopped it before, just look at the "Constitution for Europe"
rejected by the French and Dutch electorates
it was then rejigged slightly and then pushed through as the Treaty of Lisbon (without pesky referendums)
As a result, the EU agreed a set of guarantees [1] that the Lisbon treaty would not be used to do either of these things (to Ireland specifically), and only then did it pass in Ireland.
An EU army has more widespread opposition these days, so hasn't been raised since. Minimum corporate tax rates did not pass through the EU, though this year the US led an effort that is going to result in them globally via other avenues.
[1]: https://www.iiea.com/images/uploads/resources/230535195500_L...
Almost all law coming out of the EU is really beneficial for the people, in my experience. Making a law like the GDPR and implementing it is hard work that doesn't grab headlines and first gives us a few years of annoying popups, but in the end it will actually improve privacy for EU citizens.
And national politicians can't do this anymore, because they have to be in the news each day and be in constant campaign mode because the next election may come sooner than expected. They need big words and shiny results.
If we make the EU more democratic, will it become less effective too?
This is probably the first time I'm hearing somebody claiming EU was effective ;)
However you are right - the fact that there is less attention on EU legislation enables different dynamics.
However I think it is quite different between countries how well they do. Here in Germany I am quite optimistic that the new government will do quite a few good things ... but maybe I'm too optimistic, but lots of good signals from my pov
Where is that (pardon my inquisitiveness, and feel free not to answer)?
Instinctively it feels wrong not to be able to vote for a representative you can identify; but I can't formulate a coherent reason why it's wrong.
Of course, we no longer have MEPs! I often forget this - that's how much difference the MEPs made to my life.