Meta see the regulatory situation in the EU and UK as a potentially existential risk. They know what they are doing is bad and lobbying is their number one tactic. They are at the "cigarette company" level of trying to prevent regulation of a business model that is ultimately at risk of being legislated out of existence.
>Fine for Meta more than tenfold from € 28 million to € 390 million. Third case on WhatsApp pending.
Starting to get into a range for the fine that makes sense. Give it another tenfold increase and I'm content.
If Europe wants more ethical tech, they should make an honest effort to create an environment that supports that. I.e., invest in their own tech industry.
> Politicians don't hunt elephants, but they will share the elephants you catch with the people who voted for them.
Along these lines, we'd have something like
> Europeans don't invent new tech, but they will regulate the tech you invented.
As a fellow European, I struggle to feel any pride or happiness about this.
You see it play out with European companies too, where they exploit populations where either there's lack of regulation or where they can bribe the officials. Profit, see what you can get away with. That's just on the legal front (like this case), not the moral or ethical front.
I do not like these sensationalized titles on HN.
This story shows the DPC for what it is: a regulator that was captured from the beginning. The idea that the DPC might sue the EDPB is astonishing and shocking.
This comes as I read of Irish plans for a watered-down Northern Ireland Protocol. That would certainly please the UK government; but it risks subverting EU law. If the Irish government is bent on circumventing EU law, perhaps they should just get out of the EU.
Morals and ethics so easily get tossed out the window when nerds feel like their end of year bonus could be marginally threatened.
Facebook was threatening to leave EU earlier, I wonder if that will make them act on those threats.
Either way, it's great that you are comfortable with Facebook's tracking and even get value out of it - in which case you will be able to opt-in once the changes required by this ruling get implemented. Those who don't feel comfortable with it can opt-out. Everyone wins!
I am not a hat wearer but now I might become one because I saw some cool hats I like. This was by accident because I wasn't in the market for hats.
I don't believe privacy exists when using modern tech, which is why I make all my Facebook posts public. I don't ever want to kid myself that what I am saying stays private to only my friends and family. I have not encountered a downside to Facebook tracking, but maybe you can point one out.
> Or voluntarily opt into getting tracked?
Yes, this would be fine with me
> Meta is now prohibited to bypass the GDPR via a clause in the terms and conditions. Meta has to get "opt-in" consent for personalized advertisement and must provide users with a "yes/no" option
Yes, because Meta does not have explicit, informed consent from existing users.
How is that supposed to work? FB is required to provide a service at a loss? If I were FB I'd work to actually make a yes/no contract - yes, or get lost. You can use EU social networks - oh wait, there aren't any! I guess in line with other EU decisions, EU citizens can switch to VKontakte :D
For example, manufacturers are required to avoid use of harmful substances, and follow health and safety regulations, even though it'd be more profitable not to. Sweatshops and child labor would be more profitable, but these business models were rejected by the governments too.
Ofc if I/FB choose to shut down or alter my service for everyone under these conditions, the other angle is that EU govt has decided that it knows better than mere proles who want to explicitly consent to the exchange. It's less like manufacturers avoiding harmful substances, and more like e.g. govt of China requiring Apple to alter Maps to display "correct" information under threat of a ban.
Yes. Although how much of a loss it would be is debatable. Unless you upload lots of media, the costs of providing you the service top out at a few cents a month, so it can trivially be subsidised by even untargeted ads.
> You can use EU social networks - oh wait, there aren't any!
Maybe the long-term objective is that we actually get some social networks that are sustainable without misusing people's personal data?
I guess Facebook's solution could be a pop-up asking whether you want to continue using it as before or if you want to deny access to your personal data and pay $50 a month.
This has been ruled as being valid by courts.
I don't see a problem paying for Facebook, WhatsApp and Instagram. I used to pay for WhatsApp back in the day.
Heck, I even pay for WinRAR.
Probably they will go for "Please choose between 50 horrible autoplaying spammy ads or 4 personalized"
*without consent
It's perfectly acceptable under GDPR to do targeted advertising, as long as you have a user consent to it.
China: I'll bring the hardware!
US: I'll bring the software!
EU: I'll bring the lawyers!
So why don't you address the underlying issue instead of denigrating the meme? If you have something to say about it, that is.
But what you say is actually accurate: the globalized world (excepting Russia) has settled into these roles for these 3 players. EU is more of a legacy player without an army (or strong production base) that still "upholds ideals" and sells this image for worldwide PR. But you see where this ends up, countries bribing EU politicians to improve their world PR by association.
When calculating fines under the GDPR, the supervisory authorities have to take into account whether the violation was intentional, previous violations, and compliance with previous orders.
In other words, if they don't stop now the fines will get bigger.
That is the point.
Edited for you: you can't make use of the service conditional on accepting personalized ads
I'd guess that even now, just allowing a simple 'pay money or <smooth lawyery wording for happiness that incidentally eliminates privacy>' choice would just lead to the same issues again. But it's absolutely like a code smell that tells me there's a more nuanced option somewhere that could be better. However, I'm glad they didn't let perfect be the enemy of good in this case.
You can still have ads on your site. GDPR does not preclude you from using ads on your site. GDPR doesn't care if you have ads on your site. Nothing in GDPR prevents you from having ads on your site.
How more clear can I write this?
Stop spreading lies and bullshit.
It’s a BS feature and they might as well default to not letting apps track. Is anyone going to click yes?
If they give the choice, they can put out real-world proof out there that nobody wants them, as demonstrated by low single-digit acceptance rates.
They can use this proof in the future to default to "no" without possibility of opt-in.
There are companies (outside and inside of Europe) misusing personal data given to them and there were not enough regulations about this.
Now there is, so I'm happy.
If a random country made similar laws only for their companies I would also be happy, for the users located in this country.
It just happens to affect me and the people I know so I'm even more happy.
I'm quite happy our elected officials are putting an end to the abuse.
Maybe that's their strategy, but it's manipulative and a sneaky way to obtain what they want while avoiding [SOMETHING]. Where something is lawsuits? regulations? outrage? No idea.
- Given the incredible amount of data they have, I'm constantly amazed at how bad FB/Amazon/others are at suggesting what I'm likely to be interested in
It doesn’t because tech companies like META and it won’t be fixed so long as your narrative remains the norm. We can fix this but not by letting these companies get away with it
I'm happy for you that you are much more optimistic about these things, and I hope for all our sakes you are not disappointed. From my point of view, I can only be pleasantly surprised. To disappoint me at this point would be an ultimate new low.
If they offer the service for free, the tracking still needs to be opt-in.
“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
This basically means that if providing the service is made conditional on consent of personal data processing despite the processing not being necessary for the service, then the consent can’t really be considered to be freely given.
Ads without fraud detection are worth very little, and (my interpretation is) the GDPR requires consent (including the ability to say no without consequences) for that.
But you did work there, and you keep saying the same things over and over again.
> and (my interpretation is) the GDPR requires consent (including the ability to say no without consequences) for that.
You posit your incorrect interpretations as if they were fact. And you keep on conflating several things into one. Even though you've had plenty of time to, you know, read something about the things you're talking about.
1. Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
2. No, fraud detection doesn't mean your ads are personalised. No, fraud detection doesn't mean that your ads must be personalised.
3. No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
And yet, here we are, again, when you keep saying that these three disparate things are one and the same and that "GDPR is an overreach that prevents sites from showing ads". You keep repeating the same falsehoods over, and over, and over again. Please, stop.
My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising. If before a service can show any ads they need to offer the user a free choice on whether to see ads, where there are no consequences for clicking "no" other than that they don't see ads, users will overwhelmingly click "no" and the site will not be viable.
(I additionally think that it should be legal to offer services that are supported only by personalized ads, where users can choose between (1) using the service and having personalized ads vs (2) doing neither. I've argued that elsewhere in this discussion, but that's a bit of an aside to my main point.)
While I don't think the GDPR as-written prohibits such services, with the decisions coming out of the data protection agencies in the more privacy sensitive European countries I think the GDPR as-interpreted does make them economically non-viable for most sites because viability requires effective fraud detection.
If a service is going to show ads even if the user has clicked "no" and consented to nothing, it needs to be able to run the full ads stack without relying on anything that requires user consent. This includes:
* No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]
* No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2] and follow-up rulings on applications such as analytics [3], fonts [4], and CDNs [5].
Together these rule out all commercially available adtech options I know about.
But let's say you decide to build something fully in-house, or you use some future ad product from a startup run by very careful Germans. What do you still need to do?
The GDPR requires you to have one of several legal bases for any personal data you process. With "consent" out of the picture, almost all of them are irrelevant for ads, with the potential exception of "legitimate interest". [6] Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
The ad industry has historically thought that sites did. For example, the TCFv2 categorizes this under "Special Purpose 1", with users having "No right-to-object to processing under legitimate interests" [7]. On the other hand, points 52 and 53 of the recent Microsoft ruling [8] read to me as saying that since users do not visit sites to see ads that sites cannot claim that they have a legitimate interest in using personal data to attempt to determine whether their ads are being viewed by real people. This is not fully settled; among other things the Microsoft ruling was on the interaction of GDPR and ePrivacy, and ePrivacy is stricter on some points. But I think it's more likely than not that when we get clarity from the regulators it will turn out that the kind of detailed tracking of user behavior necessary for effective detection of ad fraud is not considered to be within a publisher's legitimate interests.
[1] https://news.ycombinator.com/item?id=34096210
[2] https://trustarc.com/blog/2022/11/30/schrems-ii-decision-cha...
[3] https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...
[4] https://www.theregister.com/2022/01/31/website_fine_google_f...
[5] https://www.theregister.com/2021/12/08/germany_cookie_servic...
[6] https://gdpr.eu/article-6-how-to-process-personal-data-legal...
[7] https://iabeurope.eu/iab-europe-transparency-consent-framewo...
[8] https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989
However if you look at what is happening today, with everyone having a google/instagram/etc account, and the power these companies have over the competition (because of unethical tactics) it is not feasible to actually compete with them.
Legislation is needed to make *everyone* in the tech industry that operates in europe at the same (ethical) level.
This may not be directly applicable to the linked article, but I'm mainly thinking of the DMA and DSA which will go into effect in a couple of months.
We also need to legislate against walled gardens to let other technologies flourish.
Breaking down companies would also be great. YouTube has been mostly crappy but operated at a loss, only alive due to backing by the Google colossus: how do you compete against that?
previously, not sure now
Which is difficult if tech has been monopolised by US companies that break the laws, so they're addressing that for a start, as to level the playing field (both with GDPR and other regulations such as the Digital Markets Act).
The only reason the US has its tech industry is:
- lax laws for everything: from data protection to labor laws
- unlimited investor money that can sustain unprofitable businesses for decades. Most of the top HN darlings have never been profitable, and have been losing billions of dollars for years. The rest haven't been profitable for most of their existence.
On top of that it helps to have a huge largely homogenous market
> The less severe infringements could result in a fine of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
* Governments can reach Apple and Google, and thus force them to remove the apps from their app stores.
* Diplomacy. EU and USA will have a lot of negotiation to do pretty soon. USA doesn't like how EU handles big tech and privacy. EU doesn't like the USA's preferential treatment of domestic electric cars in the "inflation reduction" act that went into effect a few days ago. If Meta pulls out of EU to dodge enforcement, the EU diplomats will surely bring that up, and work a solution into whatever treaty comes out of this.
1. Lowest effort DNS blocker to exclude the 90% who don't care enough to circumvent.
2. Let the lack of network effects and time do the rest.
Sure, a few will hold on, and there will probably be a temporary "buy a phone with fb installed for 10000$" market, but given time, Facebook/Whatsapp/etc. will be dead in Europe.
Correct, however most countries have various related criminal offences (e.g. https://www.legislation.gov.uk/ukpga/2018/12/section/170/ena...). It's extremely unlikely any of these would be relevant in this context though.
> I do have a coherent view, though
It's strange that you agree... and yet your coherent view keeps on repeating the same lies, falsehoods, and keeps conflating things.
> My main view is that it should be legal to offer advertising-supported services where users can't just opt out of the advertising.
Let me re-iterate: You can still have ads on your site. GDPR does not preclude you from using ads on your site. GDPR doesn't care if you have ads on your site. Nothing in GDPR prevents you from having ads on your site.
I mean, come on. Go to spotify.com, download Spotify, and you will discover (undoubtedly to your surprise) that it offers exactly two tiers: ad-supported, and paid.
It's GDPR-compliant.
> it needs to be able to run the full ads stack without relying on anything that requires user consent
You can do that. Again. To re-iterate:
Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
> No cookies or other client-side storage, not even for detecting ad fraud. See the recent CNIL decision against Microsoft. [1]
This is, of course, a blatant misinterpretation of that decision bordering on a lie. And a false generalisation.
> No network requests to any server operated by a US company or any subsidiary of one. See Schrems II [2]
Exactly. Because the US literally said: we don't care about user privacy and we assert the right to view and peruse any data of any citizen of any country in the world if they use American companies.
It is just amazing to me that for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.
> The GDPR requires you to have one of several legal bases for any personal data you process.
Yes. Of course. Why do you want it any other way?
> With "consent" out of the picture, almost all of them are irrelevant for ads
Not all ads need to be personalised ads. No, personalised ads are not a requirement. No, it doesn't mean that you can't have ads at all.
> Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
> The ad industry has historically thought that sites did.
No, the ad industry has historically thought that users' data is a free-for-all buffet with no consequences. They are now facing those consequences, and you go out of your way to protect the status quo.
Why do you think Spotify is GDPR compliant? For example, if you look at https://support.spotify.com/us/article/gdpr-article-15-infor... they say "we use your personal data to tailor advertising to your interests" and their declared legal basis is "Our legitimate interests here include using advertising to fund the Spotify Service, so that we can offer much of it for free."
I agree there are tons of ad-supported services where if you decline their consent banners they still show you ads. But I think somewhere between "extremely few" and "none" of them are actually GDPR-compliant.
> for a person who keeps saying "I care about privacy" you complain about everything that improves privacy.
Where am I saying "I care about privacy"? My recent privacy writing is https://www.jefftk.com/p/privacy-tradeoffs and https://www.jefftk.com/p/preparing-for-less-privacy
I think there are commonly significant tradeoffs involved around privacy, and "maximize privacy over everything else" is not my view.
> > Is detecting ad fraud or other invalid traffic something a site has a legitimate interest in?
> No, fraud detection doesn't mean you need to collect personalised data beyond what's necessary for fraud detection. No, fraud detection doesn't mean you can willy-nilly use that data in anything other than fraud detection. No, fraud detection doesn't mean you can use that data for personalised ads, sell that data to third parties, or keep that data indefinitely long.
You're not engaging with my point. I agree that if you say you're doing something for "fraud detection" but it isn't actually needed for fraud detection, then the GDPR prohibits that. But what I wrote in my previous message is that even "actually trying to do fraud detection and nothing else" is very likely not something courts will consider to be within the legitimate interest of companies.
I've said all I had to say here: https://news.ycombinator.com/item?id=34268322
For a person who writes things like "I rarely see enough concern over is that you can't trust the future to keep things private", you do sure go out of your way to defend arbitrary bulk data collection for the most mundane of things, ads. Oh, and the defeatist "we can't expect to keep things private, so to hell with it, no consent for any private data is necessary".
I have nothing to say to you further.
Adieu.
Final food for thought, not that it will convince you: https://jacquesmattheij.com/if-you-have-nothing-to-hide/
It seems like the free-for-all with regards to personal data and decriminalisation of spyware has led the online ads market into a near-optimal situation with regards to targeting & fraud detection, but 1) is it a trade-off people are willing to accept (the GDPR being enacted suggests not) and 2) can there be alternatives that give both sides what they want?
The problem is, this requires the ratings agency to build up a representative panel of people, and track their behavior. This is pretty coarse, but it works in a relatively centralized world like traditional TV where there are only a few dozen channels. On the web, however, people visit so many different sites that the panel would either have to be extremely large or you would only be able to generate reasonable ratings for the largest sites, probably both. This would be yet another force pushing hard toward internet consolidation.
Another option is that you could somehow build a new technology into browsers with some sort of privacy-preserving API. I used to work in this area [1] but I am pessimistic about it: it's very hard (and may not be possible) to build something that gets all three of (a) minimal load on the user's browser, (b) actually useful fraud detection, and (c) sufficiently private (with a separate question of whether usage would require consent under GDPR).