Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet


  • Banned

    @Polygeekery said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    you have full consent since it was user's own initiative.

    It is always the user's own initiative to use any website or service.

    But usually the website will tell you what you can do, and even help you with that.


  • Banned

    @JazzyJosh said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Companies still have a right not to serve EU citizens. What's your issue with this?

    News flash to someone who should know better because they presumably work in software: this is an impossible ask for a site on the internet.

    News flash to someone who apparently never heard of the term "reasonable effort" before: it's already a solved problem in both American and European legal systems.


  • kills Dumbledore

    The only thing more boring than having to implement GDPR compliance is watching nerds on the internet argue about GDPR compliance.


  • Resident Tankie ☭

    @JazzyJosh said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Companies still have a right not to serve EU citizens. What's your issue with this?

    News flash to someone who should know better because they presumably work in software: this is an impossible ask for a site on the internet.

    So websites not serving EU citizens are doing so pointlessly, as they are both still at risk of being hit by EU regulations and making it harder for Europeans to access such websites (thus renouncing the income brought by most European visitors, only a fraction of which will take the trouble of circumventing the block)?

    You think you see big bolded words in your post, but I see manure. blows raspberry


  • ♿ (Parody)

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @JazzyJosh said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU could be doing instead of what they are doing to improve the internet:

    If the GDPR only applied within EU borders, it wouldn't achieve jack shit.

    It would if Facebook, Google, Microsoft and Apple were headquartered in EU borders but, oh boo hoo, none of them are. But that cheese sure was delicious.

    What if we applied it to businesses that had EU Operations, e.g. servers, located in the EU 🤔 I wonder if that would achieve the same result that the EU seems to want 🤔 You'd even have a clearly defined boundary as to when you need to comply with an external law 🤔 Plus there shouldn't be an argument as to why the law shouldn't apply to you 🤔

    Everyone would just move their servers to Russia/Ukraine/Belarus/Switzerland/Norway/Morocco/Egypt/Turkey/any other country in the world not in EU. I know because this is exactly what happens with every other law that only applies within EU boundaries.

    If they're still based in the EU then it wouldn't matter. I doubt they're going to move their entire company to one of those places.


  • ♿ (Parody)

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @boomzilla said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    deciding not to serve EU citizens reeks of evilness.

    You're going to use the word "evil" for this? Seriously?

    Pretty ironic given his previous allergy to the word.

    If you read my response, it'll be clearer to you. When in Rome... and this forum is populated by Siths.

    Right. You always mean something different when called out than what you said originally. I get it.


  • Banned

    @Jaloopa said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    The only thing more boring than having to implement GDPR compliance is watching nerds on the internet argue about GDPR compliance.

    There's something even more boring - reading complaints about nerds arguing on the internet.


  • Resident Tankie ☭

    @boomzilla said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @boomzilla said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    deciding not to serve EU citizens reeks of evilness.

    You're going to use the word "evil" for this? Seriously?

    Pretty ironic given his previous allergy to the word.

    If you read my response, it'll be clearer to you. When in Rome... and this forum is populated by Siths.

    Right. You always mean something different when called out than what you said originally. I get it.

    Because, as per the meme, you have a normal brain, while I'm master of the universe.


  • kills Dumbledore

    @Gąska what about reading complaints about complaints about nerds arguing on the internet?


  • ♿ (Parody)

    @Jaloopa said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska what about reading complaints about complaints about nerds arguing on the internet?

    To whom do I direct my complaint about this?


  • Banned

    @Jaloopa said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska what about reading complaints about complaints about nerds arguing on the internet?

    I don't know, you tell me.



  • @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    a judge who's trained to be wary of common sense.

    Yes, the legal system avoids that wherever possible.


  • Banned

    @HardwareGeek the worst thing about this topic is that I'm not exactly sure which posts are serious and which are just cheap trolling. Because I would dismiss half of what was said here as obvious bullshit no one could possibly believe, except I do know some people here seriously believe it. Your post is a perfect example.


  • 🚽 Regular

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    The problem with the law is it is way too easy to have the best intentions and still manage to "violate" them. For instance, what if I had a technical question on a forum and mentioned my IP because I thought it was germane to the question at hand?

    I don't think this scenario falls under GDPR. You don't have a database here, and no processing, and you have full consent since it was user's own initiative.

    Forums do use a database.

    But do they use a database of IPs contained in posts? Because a database of raw posts is completely different from that. And you know that and you're just pushing all the definitions to ridiculous extremes because you're a programmer who's trained to be wary of the most ridiculous edge cases, and not a judge who's trained to be wary of common sense.

    The same judges who ban pools from backyards because "they might drown a burglar" or fine CountDankula? Plus, judges have a really bad track record of making decisions based on technical details.

    there is no explicit consent from me to store any of that info.

    You agreed for everything you post to be stored on servers and visible to other users, didn't you?

    Sure. But if I post my SSN or credit card number on the forum, which is now considered as private and sensitive as an IP address, then posting my IP address is now as legally "dangerous" as posting those. So, now forum admins have to treat IP addresses as if they posted a credit card number, and I would gather most forum admins, to limit liability, would promptly delete any forum post that contains said data.

    Beyond that, though, we have many forums, some of them abandoned yet archived, which have IP addresses and full names exposed from decades past. GDPR has no concept of a grandfather clause, so those sites are by default in violation. And, again, because they categorize an IP address as private as a credit card number or SSN, the violation is going to be far more severe than it should be.

    You might argue that there is implicit consent

    The consent is very explicit. You checked the fucking checkbox!

    Not to store my sensitive PII, such as IP address, though.

    but everything I've observed about GDPR

    Most of what you've observed was panic and extreme overreaction. Unless you mean actual law, actual court cases and/or actual industry practices for managing personal information you've never asked for? If so, I'd love if you could provide some links because I'm at least as interested in this subject as you are.

    My observations are based on how companies have prepared for GDPR. I've gotten so many cookie notices and emails about the handling of data from innocuous sites that I know it would scare a non-savvy customer into thinking they are "stealing their data" when in fact they are simply keeping email addresses internally for newsletters which they have been delivering to users for years prior.

    These warnings are what is spreading panic and overreaction, and it's to the point every single website has to have a cookie warning popup. And because of the broad scope of the regulation, you've effectively made these warnings as useless as Prop 65 in California where everything containing traces of blue dye or pretty much anything besides dihydrogen monoxide may cause cancer. Which means you can't tell the difference between the cancer dangers of your porcelain toilet seat and a pack of cigarettes, because it all contains the same warning. If Joe's Auto Parts uses cookies on their site, they are required to have the same warning of danger as Amagoogbook, even though the latter would clearly have a greater scope of privacy violations than the former.

    That is the big problem I have with GDPR: While its intentions are noble, it fails to actually do anything. Every single site is considered as privacy-violating as Facebook, Amazon, and Google, and to the non-savvy user, that's either going to frighten them or just train them to ignore all the warnings and habitually opt into anything anyway.



  • @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    If Joe's Auto Parts uses cookies on their site, they are required to have the same warning of danger

    Which isn't even compliant in the first place, because 99% of those warnings have no opt-out mechanism at all. (Yes, except not using the site at all. But even just seeing the warning and going away never to return, the site itself is still non-compliant because that momentary visit left cookies on your computer and your IP address in their logs.)



  • @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    The purpose of the law is to protect EU citizens. Companies still have a right not to serve EU citizens. What's your issue with this? You want to have your shit cake and let us eat it too.

    But that's impossible. Because there's no way to identify a customer is an EU citizen. You might not even be aware you served one until after they start a GDPR action against your company.

    I mean you're correct in theory, but if I'm on the Internet selling frobinators, how do I ensure I never sell one to an EU citizen? Filtering IP addresses can't do it. Limiting sales to US dollars can't do it. Asking for an address can't do it. Asking for a credit card can't do it. How?



  • @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    When in Rome... and this forum is populated by Siths.

    But there's only ever two Siths, a master and an apprentice.


  • 🚽 Regular

    @HardwareGeek said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    If Joe's Auto Parts uses cookies on their site, they are required to have the same warning of danger

    Which isn't even compliant in the first place, because 99% of those warnings have no opt-out mechanism at all. (Yes, except not using the site at all. But even just seeing the warning and going away never to return, the site itself is still non-compliant because that momentary visit left cookies on your computer and your IP address in their logs.)

    And yet by GDPR regulations, from the eyes of EU law, they might as well have skywritten their users' personal information every day for 6 months, while Facebook and Google continue to be within regulations because they had the team of lawyers they need to be just within the lines to continue their unethical data sharing business.


  • Banned

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    The problem with the law is it is way too easy to have the best intentions and still manage to "violate" them. For instance, what if I had a technical question on a forum and mentioned my IP because I thought it was germane to the question at hand?

    I don't think this scenario falls under GDPR. You don't have a database here, and no processing, and you have full consent since it was user's own initiative.

    Forums do use a database.

    But do they use a database of IPs contained in posts? Because a database of raw posts is completely different from that. And you know that and you're just pushing all the definitions to ridiculous extremes because you're a programmer who's trained to be wary of the most ridiculous edge cases, and not a judge who's trained to be wary of common sense.

    The same judges who ban pools from backyards because "they might drown a burglar" or fine CountDankula?

    I need citation on the first one. And the second isn't poor judgement, it's poor law. He actually broke the law. A horrible law that should never exist, but still a law.

    Plus, judges have a really bad track record of making decisions based on technical details.

    Thank goodness this situation doesn't hinge on technical details!

    there is no explicit consent from me to store any of that info.

    You agreed for everything you post to be stored on servers and visible to other users, didn't you?

    Sure. But if I post my SSN or credit card number on the forum, which is now considered as private and sensitive as an IP address, then posting my IP address is now as legally "dangerous" as posting those.

    And the website owner has just as big a problem then. Which is no problem.

    So, now forum admins have to treat IP addresses as if they posted a credit card number

    Do they? It's still just content of your post that they don't do anything with except show other people as you wanted to.

    Beyond that, though, we have many forums, some of them abandoned yet archived, which have IP addresses and full names exposed from decades past. GDPR has no concept of a grandfather clause

    For a reason.

    so those sites are by default in violation.

    Yes, and the owners should do something about it.

    And, again, because they categorize an IP address as private as a credit card number or SSN,

    No they don't. It is private information, but not the same kind as CC or SSN.

    the violation is going to be far more severe than it should be.

    And what should it be in your opinion?

    You might argue that there is implicit consent

    The consent is very explicit. You checked the fucking checkbox!

    Not to store my sensitive PII, such as IP address, though.

    You consented to storing all contents of your post. And then decided to post your PII. They didn't even ask for your PII. You just decided to put it in a post that you knew will be and agreed to be stored and published.

    but everything I've observed about GDPR

    Most of what you've observed was panic and extreme overreaction. Unless you mean actual law, actual court cases and/or actual industry practices for managing personal information you've never asked for? If so, I'd love if you could provide some links because I'm at least as interested in this subject as you are.

    My observations are based on how companies have prepared for GDPR.

    And how companies have prepared was in large part panic and overreaction. Example: I've got a GDPR consent request from my building administration. They asked for consent to process PII that they already had full rights to process because it's required by law for them to possess and process that data.

    I've gotten so many cookie notices and emails about the handling of data from innocuous sites that I know it would scare a non-savvy customer into thinking they are "stealing their data" when in fact they are simply keeping email addresses internally for newsletters which they have been delivering to users for years prior.

    You're just reinforcing my point now.

    These warnings are what is spreading panic and overreaction

    Yes, panic tends to spread panic. That's why it's so bad.

    and it's to the point every single website has to have a cookie warning popup. And because of the broad scope of the regulation, you've effectively made these warnings as useless as Prop 65 in California where everything containing traces of blue dye or pretty much anything besides dihydrogen monoxide may cause cancer. Which means you can't tell the difference between the cancer dangers of your porcelain toilet seat and a pack of cigarettes, because it all contains the same warning. If Joe's Auto Parts uses cookies on their site, they are required to have the same warning of danger as Amagoogbook, even though the latter would clearly have a greater scope of privacy violations than the former.

    The cookie warning thing was stupid, I agree. Though it did have a positive effect of making people aware that cookies are a thing.

    That is the big problem I have with GDPR: While its intentions are noble, it fails to actually do anything.

    At the very least, it made companies inspect themselves regarding what kinds of personal data they store and where. That alone is a huge win for data privacy.

    Every single site is considered as privacy-violating as Facebook, Amazon, and Google, and to the non-savvy user, that's either going to frighten them or just train them to ignore all the warnings and habitually opt into anything anyway.

    Do you have any better idea? No, doing nothing isn't a better idea.



  • @Benjamin-Hall said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @dfdub said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    How much? $2? $35?

    Add two digits and you're in the right range. I don't know how you think web developers make their living if you think they'd write a bill for less than 400€. For a more complex website, they'd certainly charge four figures for any change.

    And you need to consult lawyers to understand what compliance means. So you don't just need web developers, you need lawyers (starting at hundreds/hour) to understand if you're even compliant to begin with. And then to check off on any changes against all the other regulations. And that's expensive.

    So instead, what you get is cargo-cult compliance--a bunch of pop-ups with no fundamental changes (or ones that don't do what they're supposed to).

    No, you don't need lawyers. Oh, wait, you're in the US.

    Of course you need lawyers...


  • 🚽 Regular

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    The problem with the law is it is way too easy to have the best intentions and still manage to "violate" them. For instance, what if I had a technical question on a forum and mentioned my IP because I thought it was germane to the question at hand?

    I don't think this scenario falls under GDPR. You don't have a database here, and no processing, and you have full consent since it was user's own initiative.

    Forums do use a database.

    But do they use a database of IPs contained in posts? Because a database of raw posts is completely different from that. And you know that and you're just pushing all the definitions to ridiculous extremes because you're a programmer who's trained to be wary of the most ridiculous edge cases, and not a judge who's trained to be wary of common sense.

    The same judges who ban pools from backyards because "they might drown a burglar" or fine CountDankula?

    I need citation on the first one. And the second isn't poor judgement, it's poor law. He actually broke the law. A horrible law that should never exist, but still a law.

    Plus, judges have a really bad track record of making decisions based on technical details.

    Thank goodness this situation doesn't hinge on technical details!

    "Your honor, this website owner had IP addresses stored on the server and it was in plain sight for anyone to see."
    "Defendant, is this true?"
    "Well, yes, but--"
    "GUILTY! I will have none of your technical mumbo-jumbo!"

    there is no explicit consent from me to store any of that info.

    You agreed for everything you post to be stored on servers and visible to other users, didn't you?

    Sure. But if I post my SSN or credit card number on the forum, which is now considered as private and sensitive as an IP address, then posting my IP address is now as legally "dangerous" as posting those.

    And the website owner has just as big a problem then. Which is no problem.

    You completely whooshed over the point. My point is if someone volunteers IP or their first name on a public forum, it shouldn't be considered the same as if they volunteer their credit card number on said forum. The former is acceptable if the person doesn't have a problem with their name being on the internet. The latter is unacceptable because there is never a good reason to do that.

    So, now forum admins have to treat IP addresses as if they posted a credit card number

    Do they? It's still just content of your post that they don't do anything with except show other people as you wanted to.

    It's PII now! Yes, they do!

    Beyond that, though, we have many forums, some of them abandoned yet archived, which have IP addresses and full names exposed from decades past. GDPR has no concept of a grandfather clause

    For a reason.

    So, if I had a forum from 2000 that had someone's name on it, I should be fined to bankruptcy?

    so those sites are by default in violation.

    Yes, and the owners should do something about it.

    Even if it's on archive.org?

    And, again, because they categorize an IP address as private as a credit card number or SSN,

    No they don't. It is private information, but not the same kind as CC or SSN.

    Show me where they make that distinction.

    the violation is going to be far more severe than it should be.

    And what should it be in your opinion?

    First off, start with a cease and desist. Make the owner aware of the violation. They were following the spirit of the law and shouldn't be considered as guilty as the likes of Facebook whose entire company motto and business plan is about fucking over people's data.

    You might argue that there is implicit consent

    The consent is very explicit. You checked the fucking checkbox!

    Not to store my sensitive PII, such as IP address, though.

    You consented to storing all contents of your post. And then decided to post your PII. They didn't even ask for your PII. You just decided to put it in a post that you knew will be and agreed to be stored and published.

    Let's see what the judges start saying when these cases come to court. Maybe you're right, and there's nothing to worry about, I'm just saying the way GDPR was written out and enacted sets a worrying precedent about this kind of stuff.

    but everything I've observed about GDPR

    Most of what you've observed was panic and extreme overreaction. Unless you mean actual law, actual court cases and/or actual industry practices for managing personal information you've never asked for? If so, I'd love if you could provide some links because I'm at least as interested in this subject as you are.

    My observations are based on how companies have prepared for GDPR.

    And how companies have prepared was in large part panic and overreaction. Example: I've got a GDPR consent request from my building administration. They asked for consent to process PII that they already had full rights to process because it's required by law for them to possess and process that data.

    Exactly! Whose fault is that? They were told to do that by the lawyers who actually studied GDPR and saw a lot of scary language about what could happen if they didn't do that. The regulation was written so broadly, every website besides zombo.com had to put scary notices about how, according to the EU, they are as bad as Facebook for having a contact form.

    and it's to the point every single website has to have a cookie warning popup. And because of the broad scope of the regulation, you've effectively made these warnings as useless as Prop 65 in California where everything containing traces of blue dye or pretty much anything besides dihydrogen monoxide may cause cancer. Which means you can't tell the difference between the cancer dangers of your porcelain toilet seat and a pack of cigarettes, because it all contains the same warning. If Joe's Auto Parts uses cookies on their site, they are required to have the same warning of danger as Amagoogbook, even though the latter would clearly have a greater scope of privacy violations than the former.

    The cookie warning thing was stupid, I agree. Though it did have a positive effect of making people aware that cookies are a thing.

    No, it made people paranoid about cookies. They're now aware of cookies and think that they are always scary data stealing monsters.

    Every single site is considered as privacy-violating as Facebook, Amazon, and Google, and to the non-savvy user, that's either going to frighten them or just train them to ignore all the warnings and habitually opt into anything anyway.

    Do you have any better idea? No, doing nothing isn't a better idea.

    This is about as good as nothing. People are going about their business, still using Facebook, still using Google, complacently opting into everything because that's what they were doing even before GDPR. You know, Facebook did have a privacy policy before GDPR. They also were well-known to be a bank of big data that was used for marketing. You'd have to have lived under a rock to think otherwise. The only thing that came as a "shock" was the Cambridge Analytica thing, but that is already being investigated by the FTC for privacy regulations in the US, independent of GDPR.

    My better idea is to have GDPR better target websites that are intentionally being coy and opaque about their practices. If you have a contact form with a submit button, even with a disclaimer that you don't share with third-parties, that should be clear enough that you're consenting to send a message to someone that will be stored somewhere for someone to read. If, on the other hand, you're doing something shady, like forwarding that contact info to some data collective for big-data analysis without your knowledge, that's the kind of shit GDPR is supposed to suppress. But, instead, it's all smoke and mirrors, and because it's broadly targeting everyone, we still can't distinguish the good guys from the bad guys because now everyone has to put a big warning up, regardless.



  • @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    My better idea is to have GDPR better target websites that are intentionally being coy and opaque about their practices.

    Except that websites that are "intentionally coy and opaque" would argue that "being intentionally coy and opaque" is ill-defined, and claim they're being discriminated against.

    I don't know where that whole "I could be sued to bankruptcy!" scarecrow comes from. There are already lots of laws that have the same effect on paper. With that kind of reasoning, nobody would operate any fast-food joint, because what happens if they accidentally serve peanuts to someone who's deadly allergic to them?

    In the real world, any law can be abused, and anyone can attempt to sue for anything, but most judges aren't insane and understand proportional response. Nobody will fine you 1 million dollars just because someone posted his own name in your forum; at most they'll only ask you to remove it.


  • Impossible Mission - B

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    The GDPR came into effect because businesses were being extremely nonchalant and cavalier about personal data. It was necessary.

    No one is arguing otherwise. In fact, I believe I specifically said that the goals of the GDPR are laudable, but the implementation of how they tried to solve this problem is awful. (You'd think that anyone hanging out on a forum like this would be quite well aware of the concept of "good idea, bad implementation.")


  • Impossible Mission - B

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    If the GDPR only applied within EU borders, it wouldn't achieve jack shit. Right now, it applies to all EU residents and only to EU residents, which is entirely reasonable and fair in my book.

    So Facebook is an "EU resident" now? Funny; I'd always thought they were an American company...


  • BINNED

    @masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Unfortunately we don't have anything similar to shield US startups against the GDPR

    You still got it wrong, the GDPR is to shield citizens from abusive ~~startups~~ mega-corps.


  • BINNED

    @masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Jaloopa said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    actively looking for an excuse to harm American businesses

    I know this might come as a shock, but not everything is about America

    True, but this is. It's about harming the competitiveness of American Internet businesses because the EU has never managed to produce their own Facebook or Google.

    If it's about harming the competitiveness of a business whose entire business model has been to break existing consumer protections laws left, right, and center, then yeah, fuck them. Breaking the law shouldn't give you an edge.
    That's just like Uber tried to get away with running illegal taxi services everywhere because not operating inside the law would give them a competitive advantage.


  • Impossible Mission - B

    @topspin said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Unfortunately we don't have anything similar to shield US startups against the GDPR

    You still got it wrong, the GDPR is to shield citizens from abusive ~~startups~~ mega-corps.

    ...by beginning from the premise that anyone with a website is to be treated as a (probably) abusive mega-corp by default. And therein lies the problem.


  • Resident Tankie ☭

    @masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    The GDPR came into effect because businesses were being extremely nonchalant and cavalier about personal data. It was necessary.

    No one is arguing otherwise. In fact, I believe I specifically said that the goals of the GDPR are laudable, but the implementation of how they tried to solve this problem is awful. (You'd think that anyone hanging out on a forum like this would be quite well aware of the concept of "good idea, bad implementation.")

    Of course, I fully expect anyone hanging out in this forum to be completely blinded by hubris and arrogantly think they can do better. I'd like to ask you: you have companies gathering shitloads of data carelessly, whether you like it or not, just by clicking inadvertently on a link pointing to one of their web pages. You wish to stop this. How do you do this? If it's "reasonable" (where reasonable means carefully assessing what is being taken, why, how, by whom, etc.), it's impossible to enforce due to the sheer scale of the internet. The internet is also not territorial (unless we want it to be. We don't). Mild penalties do not discourage large companies. Therefore, the internet only allows harsher approaches and that's what we get. Which in this case is still reasonable, because if you infringe on the GDPR, you get a strongly worded letter first and then maybe a hefty fine. No company will be brought to bankruptcy ever with the GDPR. And in practice, most people do not care about their data so they allow collection of cookies, but if you do care, you have the option to deny them it.


  • Resident Tankie ☭

    Oh, and companies had two years to comply.


  • Banned

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    The problem with the law is it is way too easy to have the best intentions and still manage to "violate" them. For instance, what if I had a technical question on a forum and mentioned my IP because I thought it was germane to the question at hand?

    I don't think this scenario falls under GDPR. You don't have a database here, and no processing, and you have full consent since it was user's own initiative.

    Forums do use a database.

    But do they use a database of IPs contained in posts? Because a database of raw posts is completely different from that. And you know that and you're just pushing all the definitions to ridiculous extremes because you're a programmer who's trained to be wary of the most ridiculous edge cases, and not a judge who's trained to be wary of common sense.

    The same judges who ban pools from backyards because "they might drown a burglar" or fine CountDankula?

    I need citation on the first one. And the second isn't poor judgement, it's poor law. He actually broke the law. A horrible law that should never exist, but still a law.

    Note how there's no mention of "judge", "government", "police" or anything of that sort here. It's just a private landlord being paranoid about hypothetical potential liability. Also note how the word "burglar" only appears in the headline and nowhere else. None of the actual people involved ever used it.

    Plus, judges have a really bad track record of making decisions based on technical details.

    Thank goodness this situation doesn't hinge on technical details!

    "Your honor, this website owner had IP addresses stored on the server and it was in plain sight for anyone to see."
    "Defendant, is this true."
    "Well, yes, but--"
    "GUILTY! I will have none of your technical mumbo-jumbo!"

    That's not a case of a bad judge, that's a case of a bad lawyer.

    there is no explicit consent from me to store any of that info.

    You agreed for everything you post to be stored on servers and visible to other users, didn't you?

    Sure. But if I post my SSN or credit card number on the forum, which is now considered as private and sensitive as an IP address, then posting my IP address is now as legally "dangerous" as posting those.

    And the website owner has just as big problem then. Which is no problem.

    You completely whooshed over the point. My point is if someone volunteers IP or their first name on a public forum, it shouldn't be considered the same as if they volunteer their credit card number on said forum.

    Why?

    The former is acceptable if the person doesn't have a problem with their name being on the internet.

    And the latter is too. I mean, if they did this, they clearly wanted to do this, didn't they?

    The latter is unacceptable because there is never a good reason to do that.

    There's never a good reason to eat California Reaper either, and yet I don't hear people saying it's unacceptable.

    So, now forum admins have to treat IP addresses as if they posted a credit card number

    Do they? It's still just content of your post that they don't do anything with except show other people as you wanted to.

    It's PII now! Yes, they do!

    So what if it is? It's still a post that you're not extracting data from, and usually not even aware there's any data in it, especially personal data.

    The question isn't whether it's PII. It's whether it falls under GDPR rules for storing and processing PII. And if it does, what the rules say to do in this situation.

    Beyond that, though, we have many forums, some of them abandoned yet archived, which have IP addresses and full names exposed from decades past. GDPR has no concept of a grandfather clause

    For a reason.

    So, if I had a forum from 2000 that had someone's name on it, I should be fined to bankruptcy?

    Have, or had?

    so those sites are by default in violation.

    Yes, and the owners should do something about it.

    Even if it's on archive.org?

    There are two ways to interpret your question. Are you asking what to do with data stored on someone else's website out of your control, or are you asking what to do with data stored on your own website when you're owner of archive.org?

    And, again, because they categorize an IP address as private as a credit card number or SSN,

    No they don't. It is private information, but not the same kind as CC or SSN.

    Show me where they make that distinction.

    In several places, though not directly, and it's fairly contextual. IP usually falls under "processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security" from recital 49, though not in the specific case of posting your IP on a forum.

    the violation is going to be far more severe than it should be.

    And what should it be in your opinion?

    First off, start with a cease and desist. Make the owner aware of the violation. They were following the spirit of the law and shouldn't be considered as guilty as the likes of Facebook whose entire company motto and business plan is about fucking over people's data.

    And this is most likely what will happen in practice. I mean, it happens with aggravated assaults; why not privacy laws? The problem is, if it was codified that the first action against a given company must always be a notice, it would create a huge backdoor for all the shady companies to exploit - they'd just close down and open up again whenever they get an angry letter.

    You might argue that there is implicit consent

    The consent is very explicit. You checked the fucking checkbox!

    Not to store my sensitive PII, such as IP address, though.

    You consented to storing all contents of your post. And then decided to post your PII. They didn't even ask for your PII. You just decided to put it in a post that you knew will be and agreed to be stored and published.

    Let's see what the judges start saying when these cases come to court.

    Exactly. As we say over here, stop pouring fire out of your ass.

    but everything I've observed about GDPR

    Most of what you've observed was panic and extreme overreaction. Unless you mean actual law, actual court cases and/or actual industry practices for managing personal information you've never asked for? If so, I'd love if you could provide some links because I'm at least as interested in this subject as you are.

    My observations are based on how companies have prepared for GDPR.

    And how companies have prepared was in large part panic and overreaction. Example: I've got a GDPR consent request from my building administration. They asked for consent to process PII that they already had full rights to process because it's required by law for them to possess and process that data.

    Exactly! Whose fault is that?

    I'd say it's the administration's, for not actually figuring out what they have to do to comply.

    They were told to do that by the lawyers who actually studied GDPR and saw a lot of scary language about what could happen if they didn't do that.

    Nah, doubt it. They probably just heard that everyone is doing it and thought they should too. Or maybe they really have shitty lawyers, in which case, it's the fault of shitty lawyers. What kind of lawyer makes such a fundamental mistake?

    The regulation was written so broadly, every website besides zombo.com had to put scary notices

    Well, almost every website besides zombo.com has stored personal data without consent.

    about how, according to the EU, they are as bad as Facebook for having a contact form.

    Nothing like that ever happened. First and foremost, EU never said Facebook is bad.

    and it's to the point every single website has to have a cookie warning popup. And because of the broad scope of the regulation, you've effectively made these warnings as useless as Prop 65 in California where everything containing traces of blue dye or pretty much anything besides dihydrogen monoxide may cause cancer. Which means you can't tell the difference between the cancer dangers of your porcelain toilet seat and a pack of cigarettes, because it all contains the same warning. If Joe's Auto Parts uses cookies on their site, they are required to have the same warning of danger as Amagoogbook, even though the latter would clearly have a greater scope of privacy violations than the former.

    The cookie warning thing was stupid, I agree. Though it did have a positive effect of making people aware that cookies are a thing.

    No, it made people paranoid about cookies. They're now aware of cookies and think that they are always scary data stealing monsters.

    FWIW, half the time it really is scary monsters ~~stealing~~ collecting data. But honestly, I didn't really notice this panic. People's behavior didn't change at all. But it became much easier to explain that whenever they access a website, the website also accesses them (in a limited form).

    Every single site is considered as privacy-violating as Facebook, Amazon, and Google, and to the non-savvy user, that's either going to frighten them or just train them to ignore all the warnings and habitually opt into anything anyway.

    Do you have any better idea? No, doing nothing isn't a better idea.

    This is about as good as nothing.

    But still better than nothing.

    People are going about their business, still using Facebook, still using Google, complacently opting into everything because that's what they were doing even before GDPR.

    So? I don't care about other people's data; they can do whatever they want with it, just like with their money. I care about the possibility I have to not have my internet history shared with 567 "partners", and also to review (and often delete) all the data different companies have on me.

    My better idea is to have GDPR better target websites that are intentionally being coy and opaque about their practices.

    That's a goal, not a method. Describing goals is of little value, especially if they're the same for everyone involved, including GDPR commission.

    If you have a contact form with a submit button, even with a disclaimer that you don't share with third-parties, that should be clear enough that you're consenting to send a message to someone that will be stored somewhere for someone to read. If, on the other hand, you're doing something shady, like forwarding that contact info to some data collective for big-data analysis without your knowledge, that's the kind of shit GDPR is supposed to suppress.

    The problem is defining exactly what's the boundary between these two scenarios. Also, access to your own information - and thus forcing everyone to catalogue information they've collected - is just as important as not having it shared around in my opinion.


  • BINNED

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @HardwareGeek the worst thing about this topic is that I'm not exactly sure which posts are serious and which are just cheap trolling. Because I would dismiss half of what was said here as obvious bullshit no one could possibly believe, except I do know some people here seriously believe it. Your post is a perfect example.

    The whole "US" side of these arguments could be jeffed into the Poe or Noe thread in its entirety.

    Oh mah gawd, you make consumer protections laws because you were so lazy that you didn't create companies that shit on consumer protection, you cheese-eating-surrender-monkeys. You just want to fine US companies because the law obviously only applies to those and not to EU companies.

    I'm not sure if there's anything left to do other than just trolling back.


  • BINNED

    @The_Quiet_One said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    then posting my IP address is now as legally "dangerous" as posting those.

    If you post that yourself, you've already given permission though. How much more explicit do you want to get?



  • @Zerosquare said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    I don't know where that whole "I could be sued to bankruptcy!" scarecrow comes from.

    Trolling ADA lawyers? A nearby restaurant was sued because the sidewalk in front was something like 5 degrees out of compliance. (it had too much of a slope)


  • Impossible Mission - B

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Of course, I fully expect anyone hanging out in this forum to be completely blinded by hubris and arrogantly think they can do better.

    Where did I say that?

    I'd like to ask you: you have companies gathering shitloads of data carelessly, whether you like it or not, just by clicking inadvertently on a link pointing to one of their web pages. You wish to stop this. How do you do this?

    Not sure, but I'll tell you how you don't do this. You don't go well beyond the bounds of reason and invent a previously nonexistent notion of extraterritorial jurisdiction. You don't apply one-size-fits-all rules scaled to be able to hurt megacorporations which will then inevitably be used against tiny startups at some point. And you don't steal money from other countries by legally requiring them to purchase services from inside the EU.

    None of those things are actually related to solving the real problem, and none of them are in any way justifiable.

    If it's "reasonable" (where reasonable means carefully assessing what is being taken, why, how, by whom, etc.), it's impossible to enforce due to the sheer scale of the internet.

    Why?

    The internet is also not territorial (unless we want it to be. We don't). Mild penalties do not discourage large companies. Therefore, the internet only allows harsher approaches and that's what we get.

    Because there's no such thing as proportionality?

    Which in this case is still reasonable, because if you infringe on the GDPR, you get a strongly worded letter first and then maybe a hefty fine. No company will be brought to bankruptcy ever with the GDPR.

    That's adorable.


  • BINNED

    @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    I mean you're correct in theory, but if I'm on the Internet selling frobinators, how do I ensure I never sell one to an EU citizen?

    What if frobinators are illegal in the US because they come from Cuba? Can you prevent sales to the US?


  • BINNED

    @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    When in Rome... and this forum is populated by Siths.

    But there's only ever two Siths, a master and an apprentice.

    Boomzilla and the alt?


  • Impossible Mission - B

    @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Oh, and companies had two years to comply.

    Even setting aside the many, many obvious problems with that statement as it relates to existing companies, do you seriously not see how your glib dismissal completely ignores the reality of increased barriers to entry? This makes it that much more difficult to get a new website up and running, no matter which way you chose to go with it.



  • @admiral_p said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Oh, and companies had two years to comply.

    American companies, by and large, didn't even start hearing about it until we started discussing it on this forum, maybe 2 months before the enforcement started. The EU did a great job getting the word out.

    And I'm sure some Eurofreak will call me paranoid, but maybe the EU never told US companies so they could maximize the fines. Because everything they do has the end goal of fining US companies as much $$$$ as possible.



  • @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Because everything they do has the end goal of fining US companies as much $$$$ as possible.

    Yet strangely, pretty much every US company that isn't some local news site for a town of 25 people has bent over backwards to accommodate the evil EU consumers. Are they all so gullible?



  • @Zerosquare said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    With that kind of reasoning, nobody would operate any fast-food joint, because what happens if they accidentally serve ~~peanuts~~ hot coffee to someone who's ~~deadly allergic to them~~ stupid enough to put the coffee cup in her lap while driving?


  • BINNED

    @masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    If the GDPR only applied within EU borders, it wouldn't achieve jack shit. Right now, it applies to all EU residents and only to EU residents, which is entirely reasonable and fair in my book.

    So Facebook is an "EU resident" now? Funny; I'd always thought they were an American company...

    And if Facebook didn't deal with US users it didn't.
    Also, I thought they're an Irish company. At least that's what their taxes say.

    EDIT: Nice, I've managed to work through all 60,000 posts in this topic since yesterday, and added my own bullshit, too.



  • @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    And this is most likely what will happen in practice. I mean, it happens with aggravated assaults; why not privacy laws? The problem is, if it was codified that the first action against a given company must always be a notice, it would create a huge backdoor for all the shady companies to exploit - they'd just close down and open up again whenever they get an angry letter.

    Another Euro-defense that consists of ignoring the language of the actual law and saying "just trust us" in a reassuring tone.


  • Considered Harmful

    @blakeyrat European people think 'rule of law' is a far-right concept.



  • @coldandtired said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Yet strangely, pretty much every US company that isn't some local news site for a town of 25 people has bent over backwards to accommodate the evil EU consumers. Are they all so gullible?

    If paying the extortion is cheaper than serving the market, they pay the extortion. If it's not, they don't.

    US companies are nothing if not practical.



  • @pie_flavor said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    @blakeyrat European people think 'rule of law' is a far-right concept.

    Yeah and British people are ok with having a constitution that isn't actually written down on paper anywhere.

    Americans aren't. And shouldn't be. We have no culture of that, we never will, and if the EU expected the US to adopt this law in good-faith they should maybe have taken that into account.

    But of course that's assuming the goal is something other than simply fining US companies as much as possible as often as possible.



  • @Gąska said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    That's not a case of a bad judge, that's a case of a bad lawyer.

    You think there are any other kind?


  • BINNED

    @masonwheeler said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    And you don't steal money from other countries by legally requiring them to purchase services from inside the EU.

    LOL WTF?
    Are you high?



  • @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    American companies, by and large, didn't even start ~~hearing~~ caring about it until we started discussing it on this forum, maybe 2 months before the enforcement started.

    Fixed. And it's nothing GDPR-specific, or American-specific. Even when they're warned years in advance, companies always claim they "didn't know" and "didn't have enough time". For examples, see what happens every time the support for an OS (or major piece of software) ends.



  • @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    If paying the extortion is cheaper than serving the market, they pay the extortion. If it's not, they don't.

    So what's the problem? It's just another business cost. I'm pretty sure there are just as many hurdles going the other way as well, like having to translate everything into ancient measurements.


  • BINNED

    @blakeyrat said in Good article on what the EU *could* be doing instead of what they *are* doing to improve the internet:

    Because everything they do has the end goal of fining US companies as much $$$$ as possible.

    No, everything they do has the end goal of fining you as much $$$$ as possible. You personally, blakeyrat.
    Fuck you, give us money.

