Policies like this make it glaringly obvious how little our government representatives around the world understand technology.
It almost seems malicious, or at the very least anticompetitive. Who has access to such filtering systems already, or the resources to create one?
GRPR regulations, while I absolutely realize their necessity, have made it difficult for me to expand my side business into the EU. This would just be another road block for innovation.
The greatest irony is EU regulators whining about the dominance of Google, Facebook, etc, while passing regulations like this which make it impossible for anyone to compete with their ilk. Google and Facebook will have no trouble building the automated filters that are mandated by this legislation. The impact of this will be felt entirely by smaller companies with either will shut down, or, more likely, will never be founded.
And companies will neglect the EU market altogether. The great legal firewall of the EU. We can pass laws to make things better without any technical competence! Lets go after cryptography next!
Despite best efforts, there's just no way around the general notion that affecting the tide affects all boats. You take the bad with the good of an internet with fewer restrictions, or you add both bad and good for everyone with restrictions. Even attempts to target legislation tend to have an unquantifiable ripple effect beyond the foresight of naive legislators.
> You take the bad with the good of an internet with fewer restrictions, or you add both bad and good for everyone with restrictions.
One could try enacting clear restrictions that do not require a team of lawyers to divine a meaning, and one of lobbyists to make sure the meaning is correct. You can write regulations that take intention and unlawful gains into account. And, finally, you can get somebody that understands the subject to tell you what can actually be done and what is sci-fi.
But it seems that lawmakers worldwide consider themselves above that kind of concern.
Despite best efforts, there's just no way around the general notion that affecting the tide affects all boats.
Of course there is. You just add a minimum scale requirement before these obligations kick in, so they only affect sites that are big enough both to cause significant problems with illegitimate uploads and to have the resources to do something reasonable about it. Laws are written like this all the time in places with more sensible legal cultures, but the EU is infamous for not understanding why that is useful, and that brings us back to quanticle's point.
> Of course there is. You just add a minimum scale requirement before these obligations kick in, so they only affect sites that are big enough
This is what I'm referencing in my last sentence, "Even attempts to target legislation tend to have an unquantifiable ripple effect beyond the foresight of naive legislators." This naive view doesn't respect the intertwining nature of businesses of all sizes that work in the industry nor does it take into account the chilling effects on growth (the latter being less of an issue). Small businesses lean on larger ones that might be targeted in a myriad of ways including infrastructure, standards, software, employment, acquisition potential, marketing, etc. Targeting them is like targeting me and to say "only affect sites that are big enough" is part of the classist dialog that too often exists in a utopian vacuum that assumes all results are the exact representation of their intentions.
The principle that some things are too small to be concerned about is a long-standing legal tradition, hence de minimis and so on.
In my own country, the UK, many rules do not fully apply to very small businesses and various extra allowances are made financially, precisely because imposing the same rules on a five-person start-up as a 2,500-person international corporation may be disproportionate.
There is nothing at all unusual or naive about this. It's done all the time. It's just not something the EU in particular has ever been very good at understanding or dealing with. For example, by their own admission, several of the key officials involved in the VAT changes a few years ago literally did not realise that many thousands of microbusinesses that would also be covered by the new rules even existed, nor that the new rules would essential cause them to not exist any more. The new copyright regime we're talking about here is a different context but still has the same underlying problem.
It isnt. Being GDPR ready is not that hard. It just takes time and resources, but following the law always takes that. And leave it to businesses to complain about anything and everything.
>It just takes time and resources, but following the law always takes that.
Right, and that's why laws should be worded to minimize the time and resources required to comply with them. Laws like GDPR and Article 13 are like a nominal tax on every business. It's easy for Google and Facebook to throw a few million dollars and a few thousand engineer-hours to take care of compliance with this stuff. It's much more difficult for a 10-person startup with a fixed runway.
Saying "It just takes time and resources to deal with that," is a vacuous statement. It takes time and resources to deal with anything, no matter how large or small. The key factor is how much time? How many resources? And finally, how do the time and resource requirements compare to the time and resources you have on hand?
If you actually looked at how these laws are worded (ie given specific provisions for the capability of a company), you would see that this kind of right-wing capitalist propaganda-like rhetoric holds no water.
> Genetics regulations, while I absolutely realize their necessity, have made it difficult for me to expand my side business into the EU. This would just be another road block for innovation.
When I look at GDPR I see a safeguard against mass surveillance and dystopian add ruled societies.
GDRP is a reflection of a mass surveiled and dystopian ad ruled society. GDRP makes it HARDER for consumers once the’ve consented. All that will happen is that this will be gamed instead.
No it doesn't. Consumers can withdraw consent at any time, they have to give informed consent (i.e. the consent is void and null if the consumer can't reasonably be expected to understand what they consented to) and companies have to keep track of what data they acquired and what they have done with it.
The "consent" popups you see on loads of websites these days actually run counter to the GDPR because they usually opt-in by default or tie consent to uses for which that consent is not necessary. They also rarely provide detailed information about what data is used and what they do with it.
No, it doesn't. In fact, the rules about what must or must not be deleted are more complicated than that and in some respects ambiguous, and as yet there is little useful guidance from regulators to clarify those ambiguities. This is a significant problem with the GDPR.
I can't edit my comment above any longer, but for the benefit of those who are downvoting:
The point is that there may be multiple lawful bases for collecting the same personal data and it may be used for multiple purposes. The fact that consent was one of those bases does not necessarily convey a right to erasure if others still apply after consent is withdrawn.
Moreover, given that one of the other lawful bases for processing is the infamous "legitimate interest" umbrella, which could cover almost anything or almost nothing depending on subjective interpretation, the whole situation is quite ambiguous.
I think they do understand exactly what is going on but they know that upload filters are faulty almost always in favor of people with money. Upload filters like ones on youtube are super biased towards taking down anything that looks like copyrighted content but they also take out a load of legitimate content. Its now up to the content owner to prove that their content was fair use or that its not even the same thing as the copyrighted content.
In the end the big companies win and the individuals lose.
"In the end the big companies win and the individuals lose."
That's how other industries are run nowadays. I'm not saying it's a good thing, but that rather this does not come from cluelesness about tech, but more about bringing tech into the legislatory mainstream.
> Upload filters like ones on youtube are super biased towards taking down anything that looks like copyrighted content
Youtube's filter removed the audio track from a video of mine that was essentially silent to start with. There was certainly no music, TV, movie, etc... in the background.
You were obviously playing four minutes thirty-three seconds of silence by John Cage[1] on repeat in the background! Crystal clear copyright violation!
That actually came up in a now-deleted comment. Incidentally, the audio is back now, though I made no request for review. I wonder if they periodically rescan content when they make changes to the algorithm.
Letting black box "AI" that is often incorrect run wild is way less expensive than having a human intervene to review flagged videos. Hence the rise of machine learning algorithms that can do all kinds of neat things, but fail hard on the plethora of edge cases that exist.
Hence the need for penalties on false positives. Alas, here this won't happen on its own, because streaming platforms need people with money (and their content) more than the reverse.
This is partly because justice systems in the western countries require you to have a lot of money if you want to see your rights preserved.
That aside, the bill is designed to target "the big ones" because publishers want to gain access to profits from advertising. You just need to look at the people who initiated this tragedy.
I hate it that people don't talk about what problems the law intends to solve. You will be able to quickly reduce the answer to special interests. At that point, a legislative process should stop immediately. Will be interesting if the european institutions are able to do so.
Centralization loses. Publicly available content loses. A global community loses. Individuals are too many, faster and more clever than any one company can ever imagine to outmaneuver, it just means our shared internet culture becomes more localized and hidden.
And that's the problem. Piracy decentralizes easily -- it has been that way since before the internet was even common.
What these rules do is destroy user generated content. Because your external HD can hold every Hollywood blockbuster in the last five years but it's nowhere near big enough for all the user generated content on YouTube.
What part of the GDPR makes things difficult for your side business? Every discussion I run into has people claiming this sorta thing, but my reading of the text make it fairly clear that for 90% of non-despicable use cases there's really not that much of a problem...
My "despicable" side business is (was) making Android apps with Admob ads. I needed to update my app to allow EU users to opt out of targeted ads. Why Admob doesn't just add this functionality to their widget they place in my app is beyond me. In order to update my apps, I need to target a newer version of Android. It's not that it's very outdated, they were targeting Android 5.0, and get updated every 6 months or so. But a change in the Android API has made this very difficult for me. Being a side business, I had to make the choice - let go of the $600/mo I was making from ad revenue, or continue with the constant barrage of code updates required from Google for my apps to work. I decided to let it go. My app would still be on Google Play, even though I couldn't update it, if it weren't for GDPR. They pulled it due to non-GDPR compliance. So, yeah, GDPR has costed me $600/mo. I'm sure there are a lot of others with complex stories about how these regulations affect them. BTW I support GDPR and privacy as a whole, and wish my native USA would take privacy more seriously. It is the details of the implementation that are lacking. I also suspect that Google uses policies (such as putting the burden of Admob GDPR compliance on the publishers) to try to push out small developers.
I mean, I empathise with your problems, but this very much doesn't sound like "GDPR makes by side business impossible". It sounds like "exploitative user-data abusing ad vendor abuse s their lock-in to exploit people's personal data" kind of problem, so I'd say things are working.
FYI, "allowing EU users to opt-out" is still wrong, they would have to explicitly opt-in to targeted ads. At least, in so far as ads are targeted based on personal data.
A client, a large pharmaceutical company, asked me to remove everything that could potentially violate the GDPR from their Android / IOS app. Apple rejected the update despite me stating the reason for the update, because the app could have been a website instead. Some of the functionality I had to remove was mobile specific, like reading measurements from a medical device etc.
I mean, that's just shoddy reasoning or laziness of the client. If you make a medical app like that, you clearly have a lawful basis for processing based on the "contract" lawful basis. So the only issue would be taking care how it's used, and having a policy in place for handling that data.
My specific issue was the EU representative; as the sole "employee" of my company, I will not pay a lawyer based in the EU to represent European users with privacy / data concerns. They could just contact me directly.
Ok, that's one I'm willing to concede is annoying for single person companies and there should probably be some fix for dealing with that. On the other hand, I understand why a legal representative within EU jurisdiction is desired.
For the record, your EU representative isn't required to be a lawyer or even legal expert, though.
Isn't the unspoken rule to just ignore GDPR until you're big enough and EU starts bitching at you, at which point you just pay them off and spend some resources on compliance?
How is GDPR a problem at all? Is it so hard to avoid personalized tracking of unregistered users, ask users for their consent at sign-up time and implement a button for them to export and delete their data?
The irony is most sites use cookies to click on the "this site uses cookies" and as I block them I get the same message ad-infinitum on every fucking site... and I'm in NZ NOT the EU
> But how does one avoid asking every time when cookies are blocked? What other implementation option is possible? This is what cookies are for.
Local storage? Detect if cookies are blocked? Or, simply don't use cookies for purposes other than providing the service - which exempts you from the need to show the message?
Cookies don't matter. Personally identifiable information matters. Storing a "seen_cookie_notice=true" flag is fine (assuming the banner itself indicates that interacting with it will set the flag) as long as you don't use it for anything else.
I wish browsers had a "do track" option which told every website: yes I consent, do what you want, just don't show me a popup. These cookies banners and GDPR popups have ruined the web.
So ads that follow you everywhere and inescapable email signup forms haven't done it, but "cookies banners and GDPR popups have ruined the web". Got it.
I know you are being sarcastic, but honestly yes. I'm not too bothered about being tracked and having targeted ads. It doesn't negatively affect my experience. My ad-blocker takes care of most of the ads anyway.
These intrusive popups and banners, on the other hand — especially the new post-GDPR in-your-face ones which I have to dismiss before I can even read a simple article — have ruined the user experience of the web. And my ad blocker doesn't seem to be able to block them.
There are lists that can block these popups, if that's really your main concern. Still, I think saying that they're the bigger problem than the pervasive tracking they try to protect their users against, including only casual users, is a bit much.
How do you propose the website remembers your preference except through the use of a cookie? Cookies are the only way to keep client side state in a cross browser way. Keep in mind, cookies for non tracking purpose are allowed under the cookie law.
Kia ora! The "issue" here is that most sites which want to cater to worldwide audiences pretty much try to comply with influential legislation to stay on the good side. And GDPR/EU regs wield a big enough stick and come from a large enough region that you can't ignore them unless you want to block your site out completely to traffic coming from the EU. So they try and just do a worldwide rollout, irrespective of where you live. Of course, you can always implement this selectively but maybe more tricky to small and medium businesses, so they play and safe. Probably. I am speculating here.
The "EU" as a market is only important to the largest players or as an after thought once you have a solid footing in e.g. the US for one simple reason. The EU has too many languages so you can't just target the entire population in one shot like you can in single language even larger economy in America. Even if you wanted to target the entire EU, in my personal experience I can tell you that some web services work well in a place like Germany yet fail hard in France so most small to mid-level players are only going to go in places where they make the most money and it may be years before they ever end up in say Italy or the Netherlands. All that adds up to the EU regulations having a much smaller impact on most startups than you seem to believe. And that impact will be zero on the ones who look at the regulatory landscape as it exists now and just decide to stay out.
Edit: I see somebody chose to express disagreement via mouse rather than keyboard. Interesting.
As a European who has never been to an English-speaking country yet has always preferred English versions of everything (and all my friends are bi- or tri- (or more) lingual, reading something in English or in our mother tongues is a near-zero difference for us) I wonder what is the actual proportion of Europeans who can not be targeted by a service in English... I've heard learning English is not particularly popular among e.g. Italians but in Scandinavia and in France almost every "millennial" is more or less fluent in English and comfortable with it.
PS: I didn't downvote, I never do - I'm a downvote-hater :-)
Don't worry, it happens even when you allow cookies. Because a good part of the news sites will ask you again (in a couple of days/visits) if you have disallowed them. In case you accidentally clicked the wrong thing, I guess is their excuse. Accept button is a single up-front button, where as Rejects are hidden behind Manage...
Needs to be cracked down on.
Is it so hard to ... implement a button for them to export and delete their data?
Yes, it is. Although we're constantly updating the code, my team's responsible for a web site for which the data model is nearly a decade old. And the overall business process that it feeds is about 25 years old. We don't know everywhere that the user's data goes in order to export it. Building the support to do so is pretty big. And being able to expunge their data on request is huge, given that data models were constructed without thought to a requirement that the user data be purgeable. It turns out that the requirement isn't quite that broad, but then the legal advice to help determine where it does need to be done isn't cheap.
Avoiding personalized tracking of unregistered users means you can't use Google Analytics or something equivalent. Not that it's impossible per se, but these tools have a strong added value, so...
I admit this is a very amateurish view but I don't really understand why do people need Google Analytics or anything like that at all. As a webmaster you can log every request a depersonalized way recording the fact of a request to a particular HTTP resource from a particular country originating from a particular website as a referrer at particular time. You don't need any 3-rd party service for this and this doesn't mean tracking any particular user.
I'm not a fan of GDPR, but no, it doesn't mean that. It only means that GA can't be used in a way that allows you to correlate the data back to a particular individual. You can still use it in aggregate, and you can even follow individual threads through the system; you just can't know who the user was.
The problem with GDPR is that the actual scope of it applies to is rather unclear, and the regulatory guidance hasn't been reassuring as to what the actual extent will be in practice.
For example, do email addresses on the comments on a blog site fall under that protection? If so, there are some agencies in charge of enforcing GDPR that are violating GDPR on their sites...
EMail Addresses are protected by the GDPR. Passwords are too.
THat doesn't mean you can't use email addresses without asking; ie if the comment system uses emails to notify people of replies or moderative actions, then it's totally legit to collect it for exactly this purpose.
You only need consent if the personal data collected isn't strictly necessary for the operation of your site, ie if you use tracking cookies and sell emails to advertisers.
> For example, do email addresses on the comments on a blog site fall under that protection?
That is not unclear at all. They absolutely do.
That doesn't mean you can't have them, but it means you need consent, you need to be clear about how you will use them and you need to let people withdraw consent.
You can't win an argument about whether something is unclear by proving (let alone merely asserting) it is so. This is something a lot of people seem unclear on.
The only people unclear on this point are people who have failed to do even the most basic research into what GDPR says. It is blindingly obvious that an email is information that can be used to identify a person.
I'm not arguing with you. If it is clear, then it suggests people saying it is not clear are basically trolls. Surely you can see that telling an apparent troll to admit being a troll is unproductive. You might be right, or you might be wrong, but you can't win that debate because it's about inner motivations and perceptions and not verifiable facts.
I'm not debating what's clear or not to me. My point is that it's subjective and if someone says a thing is unclear, you can not necessarily make it clear to them or force them to admit they are lying about their perception. Arguing with confusion is like debating whether someone is in pain when they act like they are. It could be they are lying. It could be they are not. It could be they are particularly stupid.
I want to emphasize - you can be right or wrong about the GDPR, but that's not the same thing as being right or wrong about whether people are confused by it.
I think it should be obvious that debating feelings or perceptions or emotions of other people tends to lead to unproductive interpersonal interactions, but perhaps others have not noticed this phenomenon. I can't imagine winning a debate with someone over whether they are trolling or not. Even if it's really obvious, nobody can see inner motivations for sure.
You seem to be making the same mistake a lot of people (especially those from countries with no regard for consumer protection or privacy) do with regard to the GDPR:
It's not about e-mail addresses. It's about personal information. It's not about what data you can have. It's about how you can use data.
You don't own my personal information, I do. If I give my information to you, you can only use it in whichever ways I consented to when I gave it to you. If you want to use it for something else, you need to ask me again. And you can't just give me a blanket CYA contract to sign just so you can decide later.
This is precisely how it would work in normal everyday social interactions. If I go to a Mom & Pop shop and give them my number so they can call me when my favorite brand of soup is back in stock that doesn't mean they can call me to tell me about random new stuff they carry or give my number away to someone else.
Personal information is owned by the person it is about. It gets murky with aggregates (but the GDPR helps you figure out which ones are still considered personally identifiable) but it's blindingly obvious for things like "enter your e-mail address".
Do you have an e-mail input in a contact form? I'm going to assume that'll be used so you can respond to me although it'd nice of you if you say that explicitly right there on the form. If it's a comment form, why do you need my address? Who will it be shown to? What are you going to do with it? Where will it be stored and how can I tell you to delete it later? That's why you now need to think up a Privacy Policy: these are questions you always had to answer for yourself but now you're legally required to make conscious decisions about this.
Is this too much of a hassle? That likely means you didn't have any good reason to collect that information in the first place. Great! Personal information is a liability and it's better to collect less of it than more. Although that may disappoint future Zuckerbergs, collecting people's private information (even if they give it away voluntarily) imbues a lot of responsibility on you if you don't want to be completely careless. And the GDPR is an example for a policy that gives that responsibility teeth and punishes companies who are careless.
You don't want to store passwords in plaintext. You don't want to hoard credit card details or medical data. Personally identifiable information is no different. The GDPR just provides ways for you to store and use that information legally, in addition to reiterating that privacy and control of your personal information is a human right.
they write the official website in understandable language, in plain and simple English, not in weird lawyer talk. They have examples for companies as well. What to do, how to act etc..
Forming your opinion about these laws based on what the big American data companies tell you about it is about the same as asking tobacco companies what they think about health laws.
It really isn't that hard to just take 30 minutes and read the website from the EU. Literally every comment here talking about 'stupid old lawmakers that don't understand the internet' has not even read the bloody document. I've seen Youtube comment sectioned that were better informed than HN about this.
I think people compare it to the GDPR based on amount of internet big-brother it imposes and other prior-restraint requirements on internet businesses. Telling someone to compare the wording is unrelated to the general concerns of oversight. The unfortunate part is that these contrarian opinions are assumed to have been formed from big American companies and people who haven't read the documents. You shouldn't so quickly assume ignorance.
I tend to put GDPR and this Copyright bill in different camps. The copyright bill is insane. GDPR is... also a bit insane, but the hard parts shine light on what we probably should have been doing which are now hard to do because we've spent so long ignoring the ethical elephant in the room. GDPR is very far from perfect, but I think it's still directionally good. The copyright bill is just bad.
GDPR is very good in fact. If you read through it as a person, it is basically the way we should have operated from the start. Reading it while wearing the hat of my role in my company, I can see all the points where we are collecting data without a well defined process and clear understanding from the end users. It is hard to fix this, but it is for my own good as a person.
GPDR is essentially some guidelines published by OCDE in 1980 turned into law. So yes we should already be operating like that from the start.
I get the feeling that to some countries GPDR is not a big deal and to others is a nightmare, depending on the business culture.
Can you explain to me how the deletion policies work?
If you ask for your data to be deleted does that include your address in my contacts? Does it include your messages to me? Does it include your posts that appeared on my feed?
In the physical world all of those would be mine. Addresses: It would be my paper address book with your address written in it. Email: would paper letters you sent to me that I keep in my files. Your posts in my feed would be postcards I received from you keep in a scrapbook or shoebox.
It's not clear to me how those are handled by the GDPR and at what point things sent digitally from you to me end being my property and no longer your property.
I think that the best way to view the deletion policy is to imagine what would happen if someone stole the data. If it is anything that could get you sued over then that is data that needed to be deleted.
This will likely cover a bit more than if it was physical objects. To be fair, most physical paper address books would not include millions/billions of addresses, and would unlikely be stolen by accident. The only one that has billions of paper letters are the post office which is regulated. The physical world is not very different to GDPR if one includes the context of how many book shelves of information is being stored on companies databases.
I don't think that's correct. A business has the right to retain records that are necessary for them to do business. From the lawyer that advised us in this, his call was that Order History data doesn't need to be expurgated even though it contains the person's name and address, etc. There are any number of business reasons dictating that we need a record of this stuff (e.g., auditing for sales tax compliance; being able to handle customer returns in the future, or fraud claims from the credit card processor).
This is a common misconception, but the GDPR applies to the physical world as well. The regulation only talks about "personal data in a filing system", which is a generic term.
> It's not clear to me how those are handled by the GDPR and at what point things sent digitally from you to me end being my property and no longer your property.
>If you ask for your data to be deleted does that include your address in my contacts?
I'm assuming that "my" in this sentence means a business, since individuals are not subject to GDPR, and that the thrust of your question revolves around, say, a customer support portal.
Yes, addresses have to go unless you have a legitimate business reason to keep them. For tax purposes or to prove something in an active court case are both examples of a reason you could keep the address at least temporarily.
>Does it include your messages to me?
No, they could be anonymised instead. If the messages contain PII you might need to sanitize them.
>Does it include your posts that appeared on my feed?
Same as the previous question.
>It's not clear to me how those are handled by the GDPR and at what point things sent digitally from you to me end being my property and no longer your property.
This is defined on, like, the second page of the GDPR document. Article 2 "material scope" point 1.
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
GDPR kicks in when you start processing this stuff automatically. If you want to handle your entire businesses paperwork via a set of paper ledgers with humans in front of them, that'll make you GDPR immune.
Listen man, I read the GDPR document /once/ almost a year ago now, and I remember the answers to your questions off the top of my head. I'm not a lawyer either, I'm a software engineer.
If someone told you GDPR was complex, they lied to you. The legislation is dead simple and most of the document is actually not about what businesses need to do but about what the EU bureaucrats need to do. You only need to read about half of it, the rest is irrelevant to you.
If this matters to you, just go read the damn thing. Trust me, it's a fricking revelation to do so, you'll be staggered by the amount of bullshit people spout about it and the amount of needless fretting and hand-wringing they do once you know how simple it is. Don't get me wrong, the implementation may be hard for some businesses, but I'll also tell you straight up, there are lots of businesses voluntarily making their GDPR implementations harder and more expensive than necessary because they didn't bother actually reading the law and are instead going off third-hand chinese-whisper information, which is a crazy way to run a business.
> I'm assuming that "my" in this sentence means a business, since individuals are not subject to GDPR
No; tokyodude is asking what happens if you request that (for example) Google erases your data, and he has your email address in his Gmail contacts. Does Google, as the data controller who ultimately stores tokyodude's contact list for him, then have to purge your email address from tokyodude's address book?
> Listen man, I read the GDPR document /once/ almost a year ago now, and I remember the answers to your questions off the top of my head. I'm not a lawyer either, I'm a software engineer.
This condescension is obnoxious and unwarranted. Just take a look at the complexity of the conditions at https://gdpr-info.eu/art-17-gdpr/ dictating when the right to erasure applies. Point (b) seems to suggest that it applies by default if the basis for originally processing the data was the subject's consent... but that the controller can override that if they have another legal ground for processing. So can they just argue they have a "legitimate interest", under article 6(1) point (a), in preserving tokyodude's address book? I have no idea.
Meanwhile, point (f), linking to article 8 about children, is saying - I think - that a data controller must honour an erasure request if it's about data they collected from a child, even if they have another legal ground for processing that data. So even if the legitimate interests argument above would hold, if you're a 12-year-old, I think you absolutely can demand that your email address be purged from tokyodude's address book and he can't do anything about it?
How about your actual emails to him? Can you demand that Google deletes them from his inbox? As far as I can see, the answer logically ought to be "yes"; Art 17 (1) (f) applies and I don't see any exception that would let Google wriggle out of the obligation.
But I'm not sure if any of the above, because this stuff is vague and complicated. If you truly think it's simple, I invite you to walk us through the answers to the scenarios I've explored above, supporting your assertions with relevant references to the text of the law. I do not expect you to be able to do so.
> Point (b) seems to suggest that it applies by default if the basis for originally processing the data was the subject's consent... but that the controller can override that if they have another legal ground for processing.
Yes.
>So even if the legitimate interests argument above would hold, if you're a 12-year-old, I think you absolutely can demand that your email address be purged from tokyodude's address book and he can't do anything about it?
Yes.
>How about your actual emails to him? Can you demand that Google deletes them from his inbox?
Covered in recital 18.
I totally agree with all your interpretations, well done. See what I mean about it not being that complex?
Not that you shouldn't run all this past your company lawyer to make sure they agree mind you. After all, companies keep lawyers around for input on exactly these kinds of issues, might as well get your moneys worth.
It's ok for you as a software developer to be unsure about some of these things, you're not a trained lawyer. What I'm being condescending about is software developers wailing "oh it's impossibly byzantine, oh it's impenetrable, oh woe, oh drat, oh heavy is the burden of being me in a GDPR-compliant era". Software developers regularly read documentation more complex than the GDPR legislation. Jesus, you'd think it was written in latin the way some people on hacker news cry about it.
I think part of the issue here is that a plain English reading of the GDPR implies such appalling totalitarian overreach that most people find it hard to believe that it can really be what's meant.
I mean, you've just agreed with my reading that the GDPR gives me the power to reach into your personal inbox and censor your records of communications with me. That sort of power for bad actors to carry out historical revisionism on what until now we'd've thought of as someone else's data is unprecedented and - at least to me - a pretty frightening threat to freedom of information and a culture of truth. And meanwhile we've got people running around Hacker News saying "GDPR is all wonderful, it's just common-sense privacy protections, and if your business isn't spying on users without their consent and selling their data you'll be fine".
You're clearly confident that the (to me, somewhat dystopian) interpretations we discussed just above will hold up in court. I'm not, even though they worry me and seem to me to be the most straightforward plain English reading of the bill. That doubt - and associated anger at the failure of the EU to bring greater clarity to these sorts of points before now - seem to me to be reasonable, and not a worthy target for condescension.
>I mean, you've just agreed with my reading that the GDPR gives me the power to reach into your personal inbox and censor your records of communications with me.
That's quite literally the opposite of what recital 18 explicitly says?
recital 18 clearified absolutly nothing for me. My plain reading of recital 18 is that it has to do with personal records stored on paper or my own computers. it in no way covered emails I received from you via Gmail and whether or not you can demand Google delete emails you sent to me from my Gmail account.
> I think part of the issue here is that a plain English reading of the GDPR implies such appalling totalitarian overreach that most people find it hard to believe that it can really be what's meant.
Do you think this level of hyperbole is necessary?
In what sense do you think I'm being hyperbolic? I'm pretty sure I mean every word of what I wrote literally.
(Though perhaps "authoritarian" would be a better choice of word than "totalitarian"; I mean it only in the broader sense of "infringing unjustly on individual freedom" and not in the stricter sense of "mandating total subservience to the state" that a Google 'define:' search yields as the first result. I thought it was correct to use "totalitarian" in the former sense, but don't have time to confirm; if I'm wrong, and that word choice is what you take issue with, then I'll concede that it was an erroneous word choice and I should've written "authoritarian" instead.)
I disagree. One's GMail contacts is a clear (ha) example of a fuzzy scenario that I think is ... questionably handled by the language at the link you reference. It's difficult especially because it's a weird hybrid of a very personal or household activity that runs inside a commercial activity.
From the text:
> 1 This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity
Ok!
> and thus with no connection to a professional or commercial activity.
...wait, GMail is clearly a professional or commercial product. An online addressbook in GMail... does that count as having a "connection" or not? My purpose of the addresses is personal. But it's clearly connected (at least by tcp, haha) to a commercial activity.
> 2 Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.
Ok ... wait, social networking clearly involves commercial entities (e.g. twitter). So my personal actions for personal non-business uses of twitter are not regulated. Fine. But twitter itself is?
> 3 However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Ok so the regulation applies to the controllers/processors (e.g. GMail, twitter).
So: the regulation does not "apply" to me for my personal use, but my (personally defined for personal use) GMail contacts could get deleted by the other person?
I am definitely not a lawyer, but this does seem at least somewhat contradictory, or at least would benefit greatly from a few more clarifying sentences.
Comparison to complex documentation is not apt to your pro-condescension argument. Complex and vague can be very different.
Documentation can be complex, but if it's rigorous and not vague, I am totally fine with that. Software can be very complex. When it is complex, I would hope the documentation has sufficient detail to cover their intricacies. I'm glad that the postgres documentation is huge and complex -- it has to be.
I do however complain pretty often about vague documentation haha. I feel like it's pretty common for people to complain about an under-documented quirk shooting them in the foot (e.g. mongodb and durability back in the day).
One last thing: If your interpretation is right (and it seems plausible, maybe even likely), then I really need to locally archive my emails and contacts more often haha.
I think your interpretation is correct. In particular, I think that your first two quotes from the text are saying that the "personal or household" user themselves has no obligations under the GDPR. It's coherent to include social networking in here; without that clause, a child writing on Facebook about how another child smells bad would presumably themselves be a data controller and subject to an erasure request, whereas with the clause, Facebook can be compelled by a regulator to remove the post but the child who posted it cannot.
Or at least that's my interpretation. Like you, I remain uncertain and troubled.
>One last thing: If your interpretation is right (and it seems plausible, maybe even likely), then I really need to locally archive my emails and contacts more often haha.
I mean, yeah, you probably should if you care about it. Most office exchange servers are configured to allow some users to "unsend" emails. Outlook dutifully deletes the email from my co-workers inboxes, but my thunderbird client simply tells me that someone sent a recall request and lets me choose what to do with it.
The things sent digitally from me to you end being my property and end up being your property immediately as long as the sending is not part of some business arrangement, but if it is some business arrangement that business is regulated, and when it becomes your property if ever can be dependent on many different factors of your business.
> If you ask for your data to be deleted does that include your address in my contacts?
If that address is visible to you because I gave you access to my data, then yes.
If that address is visible to you because I gave it to you and you put it there by yourself, then no.
> Does it include your messages to me?
No. Messages I wrote to you are yours. I gave them to you. You can keep them. They get deleted when/if you ask for your account to be deleted.
> Does it include your posts that appeared on my feed?
Yes. My posts are mine. If I make them public or share them with you, you can look at them, copy them, do what you want with them (depending on the license). If I remove my account they get deleted from my account. If you made a copy for yourself, you can keep the copy.
> It's not clear to me how those are handled by the GDPR and at what point things sent digitally from you to me end being my property and no longer your property.
> Can you explain to me how the deletion policies work?
Disclaimer: The GDPR hasn't been the law of the land for a year, so there is little precedent.
It is fairly simple, the GDPR requires that companies that control identifying information about you (or somehow delegate this), have acceptable reasons for doing so (user consent/other law/etc). When some entity controls your information the GDPR gives you certain rights. The key point here is that the company is controlling your information not you, whereas the scrapbook is under your control. The loss of control of the information creates in my mind a moral obligation to treat it a certain way. One of the rights that the GDPR confers on the data-subject is the having data deleted, this right is not absolute and if you have any other grounds (e.g. AML regulation) for keeping the data then you don't have to delete it. Additionally, deletion doesn't have to be immediately consistent, so you won't have to go into old backups and delete the data there.
TL;DR: If someone asks you to remove something, just delete it from your SQL database, and that's it.
There are two key costs for startups implementing the GDPR:
1. Privacy by Design - Make some efforts to design the information systems in your company in a way that promotes privacy.
2. Demonstrating compliance - This tasks scales with company size, you might start out with a boilerplate privacy policy, but as you grow want to be more diligent.
The real issue with GDPR is that it's extremely under specified and we're left to educate guesses to find out what and what's not illegal until the matter is settled in courts.
For example a service provider can collect emails under the Article 6(b) clause to provide its services. But what happens when a user exits the contract? There's a conflict there because the provider need to keep hold of the email (to avoid user cancelling, asking for deletion then registering for another free trial) while the provider might not be holding consent anymore (Article 6(b) no longer applicable and consent subject to withdrawal at any time)
> The real issue with GDPR is that it's extremely under specified and we're left to educate guesses to find out what and what's not illegal until the matter is settled in courts.
Best practice now may not be best practice in future. Sure, there could be guidance produced. In fact there is, it's just usually by the enforcing bodies.
> what happens when a user exits the contract
> to avoid user cancelling, asking for deletion then registering for another free trial
You can be sued for six years in the UK. Other jurisdictions I'm not so sure about. If you're providing a service and have agreed a jurisdiction and can be sued in that jurisdiction, there's your lawful basis.
The right to be forgotten only applies where the basis is purely consent. If you withdraw consent, and consent is the only basis, your data should be deleted. But if you're providing a service, then another basis applies: contract and legitimate business interest.
I think you'll find you have a legitimate business interest and a lawful purpose there for maintaining the email addresses -- as long as you don't later change the purpose and include them on a mailing list.
> So what's the best practice there? We're all taking guesses. And that's not the hallmark of a good law.
It's largely down to the enforcing body. The ICO (UK enforcing body) generally only fine after a major incident or you've failed to stop doing something really bad. Or you've set up a business that is egregiously scummy. You can read the list of fines online. [0]
It helps to see it more like fire legislation -- there are many ways to prevent and contain fire. You can seriously reduce the risk of fire and the consequences if one happens.
Breaches are similar. If you have a data breach, something's gone wrong. If you're not taking serious mitigation to prevent that from happening, then maybe you shouldn't be taking user data in the first place.
You can keep hold of data for a good business reason such as the one you stated. A hash of the e-mail address is probably reasonable, but you might also want some logic to detect users who use g-mail style addresses, i.e. "exampleuser+label@gmailcom", which allows one gmail account to have many forms of the e-mail address, in which case hashes don't work.
This is another class of an example I have seen cited around from time to time - a user signs up, performs fraudulent behaviour and then demands the records of this behaviour are removed and continues to perform fraudulent behaviour. You have a good business reason to store this data so therefore the user cannot demand you remove the data.
You shouldn't keep it longer than is necessary however. How long would work to deter this behaviour you describe? I'd say 30-90 days should be sufficient.
But why? People are affected by the practical application. Even if you argue that intent matters once it reaches a court or regulator, that is long past the effect.
Because when a law is pushed by corporations, aimed at individuals, you're not likely to have much recourse, as an individual targeted by such a law. The hammer is going to drop on you and that's that.
A law such as the GDPR, which is targeted at corporations primarily, is worded in such a way that no company is going to get massive fines if they seriously tried to comply, but for whatever reason failed to do so. They're going to get a dozen written warnings, guidance on complying etc. before they have to pay anything. Small businesses don't even need a data protection officer.
Why this discrepancy between laws targeting individuals vs corporations? Because corporations control the flow of capital, control a large part of our politicians, can blackmail with outsourcing etc. None of this power is usually available to an individual.
Ah, you're saying it matters during design. Sure. I am talking about after passed, the intent matters very little. Too often on the GDPR and other legislation in effect, the intent is used to judge effectiveness which is invalid. When a law on the books is not working right, what it was trying to do is not an argument in favor of it working right.
But since its enforcement can be completely contrary to the intent, intent only matters to the enforcers if they want it to matter. The actual enforcement, whether intended or not, is what really matters.
> But since its enforcement can be completely contrary to the intent, intent only matters to the enforcers if they want it to matter.
Right, and my argument is that with legislation intended to serve the people, (GDPR), enforcement is likely to be much closer in line with the intent than say Article 13, which is the other way around, (serving corporations, not people).
Enforcers are newer as aggressive when protecting individuals as they are when protecting corporate interests. Apart from corruption, this is simply because of the leverage corporations have that individuals lack, (control of the flow of capital).
> I tend to put GDPR and this Copyright bill in different camps [...] GDPR is very far from perfect, but I think it's still directionally good
Depends on the context. I tend to see how one begets the other. GDPR is good by intent, but is bad by implementation. The copyright bill is bad by both intent and presumably implementation. And since it turns out that only implementation matters, many would agree that we'd be better off without both and recognize that solutions to the problems the GDPR attempts to (heavy-handedly yet ambiguously) fix can have more measured steps towards remedies.
> GDPR is good by intent, but is bad by implementation.
What is so bad about the implementation? Genuinely asking, I went through making a few companies compliant - and companies that were treating their data and security responsibly, had only little or even no issues at all to get their things in order.
One of the great things about the GDPR is that it clearly defines WHO is responsible if something goes wrong. The generic mindset seems to be that accidents and incidents happen, but as long as you did reasonable effort to prevent this from happening, there's little to fear.
Several things, but I'll be brief. Basically the same problems its predecessor had: lack of enforcement, inconsistent enforcers across countries, subjective enforcement, attempts at global internet governance, and not providing substantial benefit compared to the costs. They took those implementation failures and instead of scaling back and doing a measured approach to understand what went wrong, they exacerbated it by adding more burdens on businesses and increasing scope chilling many businesses into spending money out of fear of compliance or regionalizing their online presences. All of that with hardly any practical effects makes it a clear net negative, and couple that with the fuck-with-the-global-internet mandate they were given and we've ushered in a scary internet big brother, cheering the whole way. All to prevent tracking and data sharing. Compare the harms, compare the results, compare the costs, and it becomes clear that while we all want the implementation to achieve its goals, in practice it is more bad than good.
You should be wary of using your personal business anecdotes to justify impositions on the rest of businesses. The "I can't see any problem means there aren't any problems" is not an inclusive mindset.
How can you possibly have complaints about how GDPR is enforced? No regulators have enforced it yet, the first GDPR case ever is expected to be heard in late February.
This reads like a generic batch of "law bad" mumbo jumbo with "gdpr" dropped in like a mad lib.
It would be prudent for Wikipedia at this time to shut down service in the EU, and simply put up a banner indicating that they can't comply with XYZ regulation.
Regular folks in all walks of life, and also the bureaucracy would immediately be effected. It would be a 'shock' to Europe and a powerful signal of how vital these resources are, and the real extent they are messing with them.
Basically, everyone would become aware of the issue, in a very material way, and get a taste for he chaos this law might imply.
Kind of like internet 'gilet jaune' as a crude metaphor.
I'm kind of surprised there hasn't been action like this done already, now its probably too late anyhow, EU is fucked. SOPA and PIPA had massive protests like that. Maybe Google for example isn't protesting because they know it helps them a lot actually, since they can expect to see no competition from the EU ever again.
Afaik wikipedia has no copyright or something. So somebody would create a read-only copy (less than 100GB, I guess), call it wikipedia2.com and everyone would use the copy..
For this purpose clever people invented search engines. These would detect missing content in the original wikipedia and funnel all traffic to wikipedia clones. Nobody would notice the difference. And no point would be proven.
Regular folks would
learn to use a proxy, like any good Chinese or Vietnamese citizen. We’ve proven average people can get pretty technical when the interests are aligned (think P2P).
a) 'Regular folk' have never heard of the term 'proxy' and would struggle quite a lot with it. Though I agree, after some time, they'd figure it out.
b) The point is not to 'block Wikipedia' - it's to inform Europeans of the consequences of their legislation. If they even had to think to use a proxy to use a common service, the point would be made.
If they're serious about that, then why are they reinforcing the monopolies of the two greatest offenders, YouTube and Facebook? YouTube and Facebook already have the market dominance and engineering talent necessary to build whatever content blocking filters that are mandated by the EU's boneheaded regulations. This regulation will hurt them, sure, but the worst outcome for YouTube will be a bunch more videos that are "unavailable in your country". Same thing with Facebook -- it already shows different posts to different users based on geography; this will be merely one more criterion to filter posts on. What this will kill is all the companies that could compete with Google and Facebook. No one is going to found a media-sharing startup when even a single slip up can leave them liable for an eight or nine-figure sum.
My theory is that, despite their rhetoric, the EU is actually okay with monopolies. Monopolies are easier to extract rents from, in the forms of fines and taxes. It seems like the EU would rather have a single Facebook, a single YouTube, a single Google, etc. than many competing smaller firms.
What's you definition of a content farm? This bill essentially targets online online medium you can upload and share content on. This should be reworded to the EU is serious and wants to go back to Web 1.0
Maybe that's not a bad thing. Most of the policies that have emerged from the EU and US recently would mostly affect the users of large platforms like YouTube and Facebook. If content creators were to host content on a website they own, they would have complete control (well mostly, the web host would be responsible too, but that worked pretty well before) over their content and what they can and can't share.
I agree, kind of. My projection for a future with stricter copyright laws is a rise of or at least stronger development of subcultures that produce their own content which slips under the filter radar because of non-mainstream memes and references.
Also more poeople will be attracted by subcultures because the mainstream becomes more regulated and boring as nobody will be able to freely mix and advertise it.
Though what would really happen is that the media industry will be able to exert more control over influencers and we get sth. like a TV 2.0.
This does a very good job of explaining how small content creators are practically powerless now on the web in terms of protecting their content being stolen.
There are obviously some serious problems with ad-driven businesses on the net. But they have also done a lot to put technology in the hands of poor people. Any plans to replace them with paid-only services need to figure out some way to make them available to people on very limited incomes.
You would have to be at the extreme bottom end of the scale to not be able to afford the cost of hosting some content on the internet (maybe 3 euros per month?). It is something you could find space for in your budget unless you are literally starving and have absolutely 0 space in your budget for anything. If that were the case, I doubt this hypothetical person would be spending a lot of time on the internet in the first place.
And let's not forget these ads are all clamoring to make people spend money on things they "didn't know they needed", so it's not like they're materially doing someone who is very badly off any favours.
That's literally the only redeeming aspect of ad-driven model I'm aware of. It's good you point this out, personally I don't have good alternatives if one were to just burn advertising industry to the ground (something I fantasize about).
Still, advertising is a Red Queen's race; once a party achieves some advancement (like animated ads, video ads, tracking, etc.), everyone else has to follow suit. The relative situation of player is ultimately unchanged, but the baseline is more user-hostile. So there's plenty of possibility for regulators to simply roll adtech back to 1990s, and advertisers would still make their money.
As with most interesting problems, this legislation hasn't been written with a focus on what sort of end-results are easiest to arrive at a technical solution for.
This article characterises that as 'magic wand regulating' -- I'd hate to see an alternative where EU directives contain explicit technical implementation guidance!
> As with most interesting problems, this legislation hasn't been written with a focus on what sort of end-results are easiest to arrive at a technical solution for. This article characterises that as 'magic wand regulating' -- I'd hate to see an alternative where EU directives contain explicit technical implementation guidance!
There are multiple ways to create bad legislation. One is to require a specific solution, but another is to require a result that no known solution can produce.
This is not really about technical solutions. It's about an understanding of how computers work. The underlying assumption is that companies _will_ build technology that is as good as the law requires it to be. Large companies very well might, but this is a killer for small businesses.
That's 70% of the entire energy contents of the gasoline. You don't get anywhere near that kind of efficiency even on large electrical generators. 16.2 kWh is way more realistic.
Let's just use the standard HN response here: your business model is not my problem. If you can't make that car, maybe cars shouldn't be permitted to exist.
That'll however require that all data uploaded with your service will have to go via such black box, so you'll essentially perform mass surveillance for them.
Well, ok, the definition of a "black box" pretty much dictates what it does internally is not known to you, so you can never be sure what data it does/doesn't send out.
"rather than taking in the criticism and warning from knowledgeable experts, they're just adding in duct-taped "but this won't do x" for every complaint where people warn what the actual impact of the rules"
This is pretty typical of committee-planned anything, corporate or bureaucratic. They take concerns and "address" them. As long as everything has been addressed...
People underestimate what a big pain in the ass internet has been for the EU bureaucrats in the last 5 years.
They can't just remove users freedom in one hit, they need to do it slowly: cookie laws, gdpr, copyright. And of course they always put a little bit of "sense" in every rule. This is a classic tactic that has been used by State organizations for maybe thousands of years. You can find examples in ancient Rome, medieval cities, nazi germany, post-1917 Russia.
The problem is that while modern democracies had a way to get rid of laws made using this tactic, the nations under EU's rule don't.
The reason is that while you only need one good cycle of elections in one nation to get rid of a malicious national law, when it comes to getting rid of EU's rules you need multiple good cycles of elections in numerous nations, then you also need to convince a good amount of bureaucrats, and then you also have to remove the local interpretation of the EU directive.
When people say that the EU is bad, it's not just because they want the vote from the stupid poors or they don't understand democracy. There are good reasons derived from political science and in favor of democracy to not accept the current way the EU impose its will on european nations. I hope this post was easy to understand.
>But leave it to Americans to proclaim something that is good for people bad because it inconveniences corporations.
I just read the GP post again and I don't see anywhere he indicated his nationality. I understand this legislation is stressful and it may cause you to need something to lash out on but bashing someone's imagined country of origin isn't going to change anything and misdirected anger will probably only make you feel worse.
Furthermore, many of the posters I've seen criticizing the GDPR law have in fact claimed to be citizens of EU countries.
Addendum: I find it disheartening that I wrote this to help the parent poster recognize his misplaced anger and to state facts yet some other people also in an apparent act of misplaced anger/sadness/frustration take the time to down vote me. Hacker News you are better than this.
> had a way to get rid of laws made using this tactic, the nations under EU's rule don't
"Under EU rule" the EU is made by its member countries, as opposed to what some people say.
Of course they do. It's an EU directive. Some countries already said they don't intent to move forward with it (Italy and Poland come to mind)
> when it comes to getting rid of EU's rules you need multiple good cycles of elections in numerous nations, then you also need to convince a good amount of bureaucrats, and then you also have to remove the local interpretation of the EU directive
And guess what, this amount of discussion, coming and going is actually helping (people see the BS) in this case.
> Of course they do. It's an EU directive. Some countries already said they don't intent to move forward with it (Italy and Poland come to mind)
You make it sound as if Directives are optional. They aren't. They must be implemented by a deadline set by the Commission, or the member state is open to legal action either domestically or in EU court.
It forbids letting users exchange their information for access to a service. (Because you can't disallow access if they don't agree to data collection). You can say any such deal is inherently bad and users shouldn't have that option, and you might even be correct, but it's still a restriction of freedom.
> Because you can't disallow access if they don't agree to data collection
Yes you can, if the data is necessary to provide the service. If the data is just generic spying for profit, completely unrelated to the service provided, then you shouldn't be asking for it in the first place.
Please remind us on democratic freedoms of Russia slowly eroded. Or on slow progress of Nazism in face of majority pro-democratic populace. Neither happened.
> Remember when the EU was just supposed to be a trade union rather than an organization that can pass laws that effect every person in Europe?
The EU was never supposed to be just a trade union, that's a key distinguishing difference between the EU and the EEC. (Though even the EEC was in large part motivated by a long-term vision of a United States of Europe.)
<rant> To be sure, we do some pretty stupid shit in the US, for example a senior Senator having no fucking clue how FB makes money.
But of late the EU is looking like it's taking the lead in peak dumpster-fire status. I can't imagine anyone with an IQ above freezing temperature and a heart beat buying into the Article 13 stuff, it's simply mind-blowing.
Of course the porn filter stuff in the UK is a close second in stupidity.
And let's not forget our Five-Eyes friends in Australia with the fantasy land crypto backdoor legislation.
All of this leads one to the conclusion that what's needed in representative government is not term-limits, but age limits. The Septa and Octogenarians running things are not mentally capable of comprehending the world as it actually exists. People need to know when it's "time to go fishing"....</rant>
You will find that the Swiss comply with most EU laws, including GDPR in most instances. And so is/has/will the UK. You really can't sit next to one of the largest trading blocs in the world and ignore it, unless you don't intend to do deal with them/ conduct business with them in any shape or form. Good luck in your quest to find, freedom or whatever else you're trying to find.
You guys might be interested in my startup. We are going to provide a copyright content registration service as well as a vetting service for 3rd parties to upload user posts which are then scanned against the registered content.
Are you going to assume all of the liability when you get it wrong as well?
What I don't understand yet is why any of the content holds would help you by providing lots of useful metadata. It seems much more lucrative for them to find your violations and sue for more than they could have gotten from subscriptions and/or ads. Plus, if the site goes out of business fighting/paying, that's one less competitor for their own streaming service.
I suspect an entity like Google could offer such a service, based on its enormous reach, compute resources, and a similar system already implemented for YouTube.
Played right, this could offset some lost ad revenue.
Is anyone doing this already? Content FIlter as a service? Presumably, everyone's going to need it now, and it makes no sense for every social network permitting video/audio uploads to build their own.
I wonder if the ardent pro-EU supporters on HN believe that the incompetence and deadening hand of the EU bureaucrats only extends to GRPR regulations.
With the Great Firewall in China and Regressive laws in the EU, the US feels like the only place where users have the freedom to choose what their internet should be. Unfortunately, they have to deal with clicking on cookie notices, GDPR and now this.
By freedom, I assume you are a big supporter of the "Restoring Internet Freedom Order" and can't wait until you can choose to add the YouTube or Netflix packages to your internet connection for $20/mo each.
I paid for my car. I still have to pay for gas on a regular basis. I still have to pay tolls on many roads and highways.
I paid for a CD once, a long time ago. I still had to pay for electricity for the stereo. And that damn greedy electric company chose to charge me more for listening to it when I wanted to. Sure, I could have played my music from midnight to 6am, to take advantage of my evil utility's lower rates at night, but I chose to listen during the day.
That utility was really evil, too. I wanted to install an electrically powered utility in my old house. It was a dryer. But they made me go out and find some third party to "prepare my electrical network" for the product I had already purchased. I had to find an electrician to come and install a 240V circuit in my house. I already pay for electricity, but they couldn't even be arsed to come fix my wiring for me.
Don't get me wrong. I love net neutrality. But I don't think my preferences should be enforced upon the entire population. I also hate fishing. I don't care for tripe. But I also don't try to enforce that preference on others.
My mother barely uses the internet at her home, but she pays the same price I do. I am a very high bandwidth user. I definitely free-ride on the average user who consumes less bandwidth. It's not fair. I should pay more. But I don't.
I paid for a CD once, a long time ago. I still had to pay for electricity for the stereo. (...)
Irrelevant, you already pay Netflix and your ISP.
A better analogy would be: I paid for a stereo, but now I have to pay for listening to it because it's a Sony, whereas I wouldn't if it was a Philips.
My mother barely uses the internet at her home, but she pays the same price I do. I am a very high bandwidth user. I definitely free-ride on the average user who consumes less bandwidth. It's not fair. I should pay more. But I don't.
Also irrelevant, Net Neutrality doesn't in any way prevent ISPs from charging for the bandwidth you consume. If they don't, it's their decision. It only prevents them from charging more depending on where the bits go.
> Irrelevant, you already pay Netflix and your ISP.
What did I pay my ISP for?
I can pay for cable television. I can pay extra for HBO, or not. I can only get NFL Sunday Ticket on DirecTV. Where is the outrage?
Why is the coax that comes into my house and hooked up to my cable box less deserving of outrage than the coax that comes into my house and connects to my modem?
I can pay Comcast $30 for "basic cable". This brings every piece of equipment and signal into my home necessary to watch any programming that Comcast has to offer. There are no technical limitations, but there is some flag in Comcast's system that indicates I am only allowed to watch the channels included in basic cable. If I want, I can call them up and add the HBO package. With no technical improvement, simply an update to my customer record, I can near-instantly see this content.
I cannot purchase cable HBO without paying for basic cable. I have to pay my cable provider a premium for the privilege of paying them for HBO. I could, of course make a contract directly with HBO and stream, though that is theNetflix scenario.
I have a dumb wire coming into my house. Depending on the deal I make with my cable provider, I can have different content available by using that wire.
My internet is a dumb wire coming into my house. I can make a deal with my ISP to have certain things possible on that wire. I have a customer record. They block certain ports. E.g. I cannot run an email server using my connection. If I purchase a business package, they will update my customer record to indicate such and I get a static IP and can now send email. They are allowed to do this.
Both of the above are about dealing with a single entity. So all of these prices are bundled into one payment to one entity.
I can purchase or lease content. One way to do this is Netflix. Another would be to purchase media, e.g. a Blu-ray disc. They are mere providers of content. If I want to consume the content I need to purchase a compatible platform. If I lease content from Netflix I need basically any computer and an internet connection. If I purchase a Blu-ray, I need to buy a player of some sort.
When I purchase my Blu-ray player, there are license fees baked in there to various patent-holders for the privilege of decoding that disc. It's all bundled up into one price, though, for fees and hardware. The purchase of a Blu-ray player is a completely different transaction with a completely different entity than the creator of the disc. The hardware manufacturer is under no obligation to sell me a player, but they do. They are also under no obligation to make their hardware support multiple formats. Despite this it was very easy to find a VHS-DVD player for a while there. I don't think anyone offers Blu-ray and laserdisc.
When I lease my internet connection, that is a different transaction with my ISP, a different entity than the content provider (Netflix). The ISP is under no obligation to offer me a contract to serve all content equally to me, though that has been a common contract for a long time.
Among the actors A, B, and C, there is no obligation on C when A and B make an agreement. There is no obligation and should be none on my ISP when I make a deal with Netflix. Similarly there is no obligation between Netflix and me when I make a deal with the ISP. And similarly with the purchased content and the hardware manufacturer.
If my ISP (who, as a matter of fact IS my cable provider) charges me like my cable provider, that does not seem terribly unreasonable from a business relationship perspective.
All that said, another element of argumentation is that different content providers may subsidize their content. This is, of course, already the case. Netflix gives ISPs streaming boxes for free to optimize delivery of content. A subsidy doesn't have to give cash. I'm sure Google has similar boxes for Youtube content.
Now, what of the nightmare scenario? This is where one content provider pays an ISP to not host anyone else's content. Netflix pays Comcast to not support Youtube. This is different than Netflix paying Comcast on behalf of its customers (it already does in the form of its streaming boxes, which reduce load on Comcast's network - that is very much a direct subsidy). Netflix shouldering a cost on behalf of its customers is just a transfer, we would pay for that in the Netflix subscription (and we do! We pay Netflix. Netflix sends boxes to ISP for "free"? No we pay for those streaming boxes which by definition are a subsidy to Comcast). That's fine. Netflix paying Comcast to block a competitor's content? That's different. And if we need to deal with it, we can. Anticompetitive behavior is already something that we have legislation in place to prevent. And we can use that infrastructure in the case that one actor in the market is distorting it. As we did when Intel made exclusive deals with OEMs to block AMD out of deals. As we did when Microsoft bundled IE for free. As has happened in many other cases.
Now, all that said, I like net neutrality. Actually, I freaking love it. I want it very badly. It is a good thing for me. I benefit from it. But me wanting something is an insufficient threshold for me to support it as a policy. I would love to pay no taxes for instance. I would be better off if most people were not allowed to drive (so long as I get to be one of the lucky few). I would be better off if a lot of things happened, and vanishingly few of those things are good policy. Now, before the strawman cometh, my argument is this:
"I want" or "I receive a specific benefit" is a poor justification on its own for a policy. Similarly "Two of us want" or "two of us receive a specific benefit" is a bad justification. This holds for very large N (certainly more than half of the population - see the case of 51% enslaving 49%).
I am not saying that net neutrality is the same as me paying no taxes, or the other items I mentioned.
My argument is this:
Agreements between party A and party B should not be expected to impose arbitrary obligations on party C. Net neutrality says exactly that: "Because I paid Netflix for a service, Comcast is required to enter into a contract with me to deliver that network traffic to my home"
I would be mighty miffed if Comcast forbade me from watching Netflix. Still doesn't mean that I have the right to impose that obligation upon them.
Of course, that "nightmare scenario" is exactly what happens; since Comcast, like every major ISP, is also a huge content producer and distributor - including with their cable service, and with Xfinity On Demand, which is a direct competitor to Netflix - they are distorting the market by charging for access to other services, just like MS did by bundling IE.
So you can make an hypothetical argument using a spherical ISP that doesn't follow net neutrality and also doesn't own a content distribution service, but in practice the two can't be separated.
Where is the nightmare? Before formal net neutrality laws were enacted and since repeal, the vast majority of ISP contracts are unlimited and unmetered. There are instances of violations, and these have pretty much uniformly been handled by the FTC anyway.
Again, noncompetitive behavior is covered under existing legislation. But "no extra for Netflix because I like Netflix" is not an argument that carries weight. Charging extra for something that incurs cost is not anticompetitive. Comcast can distribute its own content for much cheaper if everything stays on its backbones and doesn't require peering with other networks. Why the hell shouldn't they be allowed to offer their product for cheaper?
Why are existing laws and regulations protecting competition insufficient? Especially in light of FCC rulings that punish anticompetitive behavior even in the absence of formal net neutrality laws.
The sort of freedom referred to has nothing to do with a zero-price. It has to do with the ability of two consenting adults (or we can say "willing parties" if you want) to enter into a transaction to exchange goods or services, or proxies (like dollars).
The opposite of such a freedom is not that one party chooses to charge for some of its services, but that one party is prevented from offering such a service.
You mean like... Netflix being prevented from streaming through your ISP (the only one available in your area mind) because Google paid it more to prefer YouTube traffic? The things Americans will frame as freedom of choice will continue to baffle me I guess.
>You mean like... Netflix being prevented from streaming through your ISP (the only one available in your area mind) because Google paid it more to prefer YouTube traffic?
You mean a thing that has literally never happened anywhere in the US?
> The things Americans will frame as freedom of choice will continue to baffle me I guess.
I understand that you are frustrated with what is happening with this new legislation but it doesn't help you to make up smug fantasies about America just to make yourself feel better. Your energy would be better spent on your own knitting and maybe this kind of thing wouldn't happen.
Is Netflix "prevented" or "not preferred". Let's pick our battle before we fight it.
But there is some useful grounding here. I use the term consenting adults, but perhaps we should refer to "legal entities". I think it is fair to start from a place where legal entities are allowed to enter into agreements with one another.
You are a legal entity. I am a legal entity. Netflix is a legal entity. Google is a legal entity. EI is a legal entity. (I have given the hypothetical ISP in your post a name, Evil ISP.)
There's my starting point. Would you like to continue a discussion about this? Please feel free to let me know if you disagree with anything above, and we can start there.
Apologies if that came out as snarky like the other commenter suggested. It's really a genuine question about that point of view there.
>Is Netflix "prevented" or "not preferred". Let's pick our battle before we fight it.
See, in my mind these two are, legalese aside, absolutely identical for the consumer. Legalese included I absolutely realize they are the same, why wouldn't they? It's just contracts between legal entities.
From the view of a society with states that govern and can, where it benefits or would otherwise hurt society, restrict what entities can put in their contracts I'd say that there are plenty of cases to be made for such restrictions (e.g. worker protections, access to elementary resources, ...).
I'm kind of hoping here that we have some common ground there. I feel like our point of disagreement is whether or not governments should be involved in the case of ISPs, right? My point there would be that if one legal entity (consumer) does not have a wide range of choice (ISP), there hardly is any choice to be had and one party can pretty much dictate the terms of their agreement (and a bunch of other arguments for net neutrality others formulated way better).
This might really boil down to the question if we personally attribute some societal value to ISPs being a neutral player or pure infrastructure provider I'm afraid.
No worries. It's the internet. I was hardly snark free, either.
So, I have a couple priors.
One of these priors is that it is, in general, a good thing to place as few restrictions on actors in society as possible. Not anarchy. Not mindlessly. Just as a general rule of thumb. Something that doesn't need justification on its own, but rather needs a case to be made to go against.
Another of these is that, in general, laws and regulations have costs. Enforcement carries cost. Also, we forego the things that are regulated against - rarely are these things pure evil. Sure, there are exceptions. Genocide is pure evil (though there is much room for compassion for those coerced into participating). This gets us down a rabbit hole quickly.
So, in general entities should be able to make deals. And adding to legislation that exists is costly (as in "bears cost").
The situation you describe sounds a lot like a monopoly. The nightmare scenario presented in net neutrality is typically "Netflix is blocked because Google paid more to let Youtube through". I think this is categorically different than "Netflix is now more expensive than Youtube is". Especially because the latter sentence is already true. We can disagree here.
The case is one of actual blocking. E.g. Google makes some exclusive deal with Comcast, where Comcast does not allow traffic from other streaming video suppliers. This is clearly anticompetitive, and we already have regulation to address it. Comcast and Google would both be blatantly in violation of anti-trust regulations and could be prosecuted. We don't need net neutrality to prevent this. Indeed, there are cases of wholesale blocking of this sort in the past that were dealt with by the FCC without formal net neutrality legislation in place. E.g. Vonage got blocked by an ISP that offered landlines; ISP got smacked.
So as I see it, we're left with the case of differential pricing.
So it seems to me that net neutrality addresses two primary concerns: true anticompetitive behavior and differential pricing.
In the case where services are priced differentially, but all are available, I honestly see very little difference to cable TV. And there seems no inherent reason that all traffic should carry the same price, as it is not the case that all traffic costs the same to an ISP.
So what might cause differential pricing? Sure, Google could pay Comcast to discount its services, but that's just a transfer. If Google pays Comcast to make it easier to get to us, well we're making that up to Google somehow. They're not doing it out of the goodness of their hearts. Either we're paying with data and ad impressions, or it's baked into the subscription price.
If Google enters a contract with Comcast which has Comcast charge extra for Netflix traffic for no other reason than Netflix competes with Youtube, then we're back in an anticompetitive scenario and don't need net neutrality.
But it is reasonable that different traffic costs differently. If Comcast is offering its own streaming service, they can serve that entirely on their own network - no need to use any peering agreements or pay for bandwidth beyond their own infrastructure. If Youtube or Netflix comes from outside of Comcast's network (not always the case - Netflix subsidizes its traffic by offering streaming appliances to ISPs), then that traffic IS more expensive than Comcast's own content. This seems entirely reasonable to price differentially.
Ultimately, I would like net neutrality, and would personally benefit from it. Or rather, I would personally have my current state prevented from being negatively impacted, since net neutrality is largely the status quo. I do not fail to see this. But it is an argument that doesn't hold water with me (I am not saying this is your argument, simply that it is a common one).
So, I think we may be at a bit of an ideological impasse. If I interpret your response correctly, one of your priors is roughly "if we see an area where we think we can improve things through legislation/regulation, we should". My priors lead me to look askance at new regulation/legislation. I don't see why we need net neutrality, only why we might want it. For me, "need" is the threshold for legislation, not "want".
Let me know if I'm off on what I suggested as the two primary issues addressed, or if you have questions on where I'm coming from, or if I seem to be off on interpreting your stance.
I almost had to laugh after the US just recently abolished Net Neutrality. And what is the grind with cookie notices and GDPR? I very much like to know what companies can do with my data, what data they have and demand deletion of it.
This is not against companies, it's for people. Companies should have had these information in the first place, now they just need to display it to the user but I guess thats too much to ask.
Im all against filters but cookie notices and GDPR are consumer friendly laws which I like a lot.
>I almost had to laugh after the US just recently abolished Net Neutrality
Your laughter is misplaced. America didn't have net neutrality up until fairly recently and before it was enacted, the internet worked just fine. It'll work just fine now. And if it really matters that much to you that you feel some kind of emotional release from your own worries, just know that many states are already putting laws on the books to reinstate it.
Edit: I can't seem to respond to Superleroy so I'll put it here.
Laughter is good but laughing at the imagined misfortune of others indicates moral failing.
Regarding the state of internet in the US, that is easy to test out. I have Comcast. Name any website or any service and I'll see if I have any trouble accessing it. As it stands, I haven't noticed anything amiss. I run ssh, a web server, I have several Python script that run all day consuming web socket feeds. I naturally stream video etc. No problems and it is all very fast. I have access to 2 Gigabit service. I believe your assertion that my Internet isn't good is in error. You did mention that it makes you happy to laugh at other's misfortune though so if it makes you happy, imagine my internet being terrible. I won't be mad.
Well last I heard ISPs were not providing top service to say the least. So unless "working just fine" means "it's really shitty but hey we have internet", I would say that no, the internet is not "working just fine" at least from that perspective. I don't know why you think removing net neutrality laws was a good idea but maybe you can elaborate.
Laughing truly makes me feel better and distracts me from my worries, I don't know why you have to be condescending about it. I did not say that I think filtering is a good idea, the contrary is true.
I just think saying that the EU pass regressive internet laws, while the US is the beacon of freedom and choice is laughable.
I did not laugh at others misfortune or moral failing but at the following sentence "the US feels like the only place where users have the freedom to choose what their internet should be". I do not laugh at people having only a single choice of ISP or the abolishment of NN, but at the blindness with which that statement was made. If by "users" ISPs are meant then I agree, but let's be real, users often don't even have a real choice of ISPs, let alone what "internet should be", whatever that means.
With the rest of what you wrote, I don't even know what argument you are referencing. Was it that I said the internet is shitty? Nowhere did I say that you can't access a website so Im not exactly sure why you want to test access to websites or state that you can stream video. Is that all it takes for you to say that your internet is "working just fine"? Maybe I understand that statemend a little wider than you do, so let me elaborate: When I say "it's really shitty" I mean more than just accessing websites, I mean bad industry practices, non competing ISPs and no or limited choice of ISP, total surveillance, rampant data collection by big companies, etc.
For me this is not a sign of a "fine" working internet. But if you limit it to "I can access websites" then I agree with you.
To your last point, I never asserted that your Internet is slow or that you can't access sites, so I don't know why you keep misstating my comments.
>America didn't have net neutrality up until fairly recently and before it was enacted, the internet worked just fine.
Yes, America did have Net Neutrality. Net neutrality was the norm for the entire history of the internet, and it was formalized in law in 2009 after Comcast started blocking torrent traffic in the late 00s and people asked the FCC to do something about it.
The net neutrality kerfuffle in 2014 was due to a court decision overturning the earlier law (based on the logic that "net neutrality" and "common carrier" are similar enough that it's unfair for them to be different categories".
I would say neither the Great Wall nor the European laws will threaten the freedom of internet as much as the large US internet monopolies enforcing their behavior on the whole network.
>I would say neither the Great Wall nor the European laws will threaten the freedom of internet as much as the large US internet monopolies enforcing their behavior on the whole network.
And thanks to this copyright law, these companies that affect both of us equally today will be much worse for your tomorrow. The upstarts to challenge these so-called monopolies won't be hamstrung by weird EU laws in the US but they won't be able to even try to challenge the incumbents on European soil lest they run afoul. So a problem that everybody had is now much worse for you. And you take time out of your day to be smug.
Edit: @krageon, Facebook is having much difficulty with the younger demographics and other services not owned by them are siphoning off their users. And Google is mortally afraid of voice search and assistants eating their lunch. They are not unassailable. But we really don't need their positions further cemented with misguided laws.
Where were these "upstarts" when Google and Facebook were busy destroying the ecosystem before these laws? I'll tell you where they were: They were being assimilated using the huge piles of money these companies made selling anything and everything they could find on you to everyone who was willing to pay.
A small, idiotic part of me wishes this actually passed. Let's just get this over with as quickly as possible. Let the EU purge their bottomless need to "save" the world and write as many regulations as they have in them, or can be influenced into, and maybe eventually the deluge will touch enough citizens so it becomes clear that this much concentrated power was a mistake.
It's not like this not passing will matter anyways because there'd be another attempt, and then another, and another, ad infinitum. The EU would clearly have passed this thing thousand times over already if it wasn't for the pushback from its subjects, but you only get the pushback on the first couple of attempts. Eventually, people's interest fade. They've got shit to do, can't police their representatives each waking moment, and foolishly assume that a representative body will honor the will of their far away constituents, should the same matter ever again be decided on. So really, as long as there's the EU and special interests that want this, it's pretty much a sure thing this will eventually be passed.
With the GDPR, it seemed like the EU turned into a PR firm that mounted a massive union wide marketing campaign but there's no such effort this time. Is this the difference between EU's own pet projects and directives where they're just a clueless underwriter?
Policies like this make it glaringly obvious how little our government representatives around the world understand technology.
It almost seems malicious, or at the very least anticompetitive. Who has access to such filtering systems already, or the resources to create one?
GRPR regulations, while I absolutely realize their necessity, have made it difficult for me to expand my side business into the EU. This would just be another road block for innovation.
The greatest irony is EU regulators whining about the dominance of Google, Facebook, etc, while passing regulations like this which make it impossible for anyone to compete with their ilk. Google and Facebook will have no trouble building the automated filters that are mandated by this legislation. The impact of this will be felt entirely by smaller companies with either will shut down, or, more likely, will never be founded.
And companies will neglect the EU market altogether. The great legal firewall of the EU. We can pass laws to make things better without any technical competence! Lets go after cryptography next!
Australia is already on the case, re: cryptography: https://protonmail.com/blog/australia-anti-encryption-law/
> And companies will neglect the EU market altogether
As an EU citizen (until April, anyway), can I live in that future please?
Despite best efforts, there's just no way around the general notion that affecting the tide affects all boats. You take the bad with the good of an internet with fewer restrictions, or you add both bad and good for everyone with restrictions. Even attempts to target legislation tend to have an unquantifiable ripple effect beyond the foresight of naive legislators.
> You take the bad with the good of an internet with fewer restrictions, or you add both bad and good for everyone with restrictions.
One could try enacting clear restrictions that do not require a team of lawyers to divine a meaning, and one of lobbyists to make sure the meaning is correct. You can write regulations that take intention and unlawful gains into account. And, finally, you can get somebody that understands the subject to tell you what can actually be done and what is sci-fi.
But it seems that lawmakers worldwide consider themselves above that kind of concern.
Despite best efforts, there's just no way around the general notion that affecting the tide affects all boats.
Of course there is. You just add a minimum scale requirement before these obligations kick in, so they only affect sites that are big enough both to cause significant problems with illegitimate uploads and to have the resources to do something reasonable about it. Laws are written like this all the time in places with more sensible legal cultures, but the EU is infamous for not understanding why that is useful, and that brings us back to quanticle's point.
> Of course there is. You just add a minimum scale requirement before these obligations kick in, so they only affect sites that are big enough
This is what I'm referencing in my last sentence, "Even attempts to target legislation tend to have an unquantifiable ripple effect beyond the foresight of naive legislators." This naive view doesn't respect the intertwining nature of businesses of all sizes that work in the industry nor does it take into account the chilling effects on growth (the latter being less of an issue). Small businesses lean on larger ones that might be targeted in a myriad of ways including infrastructure, standards, software, employment, acquisition potential, marketing, etc. Targeting them is like targeting me and to say "only affect sites that are big enough" is part of the classist dialog that too often exists in a utopian vacuum that assumes all results are the exact representation of their intentions.
You are trying to make this into more than it is.
The principle that some things are too small to be concerned about is a long-standing legal tradition, hence de minimis and so on.
In my own country, the UK, many rules do not fully apply to very small businesses and various extra allowances are made financially, precisely because imposing the same rules on a five-person start-up as a 2,500-person international corporation may be disproportionate.
There is nothing at all unusual or naive about this. It's done all the time. It's just not something the EU in particular has ever been very good at understanding or dealing with. For example, by their own admission, several of the key officials involved in the VAT changes a few years ago literally did not realise that many thousands of microbusinesses that would also be covered by the new rules even existed, nor that the new rules would essential cause them to not exist any more. The new copyright regime we're talking about here is a different context but still has the same underlying problem.
It was also believed that Facebook and Google were GDPR ready and only them could be. That's not what happened.
Just because they only went after a subset of companies, doesn't mean that everyone isn't still non-compliant with that mess.
That's the case though.
It isnt. Being GDPR ready is not that hard. It just takes time and resources, but following the law always takes that. And leave it to businesses to complain about anything and everything.
>It just takes time and resources, but following the law always takes that.
Right, and that's why laws should be worded to minimize the time and resources required to comply with them. Laws like GDPR and Article 13 are like a nominal tax on every business. It's easy for Google and Facebook to throw a few million dollars and a few thousand engineer-hours to take care of compliance with this stuff. It's much more difficult for a 10-person startup with a fixed runway.
Saying "It just takes time and resources to deal with that," is a vacuous statement. It takes time and resources to deal with anything, no matter how large or small. The key factor is how much time? How many resources? And finally, how do the time and resource requirements compare to the time and resources you have on hand?
If you actually looked at how these laws are worded (ie given specific provisions for the capability of a company), you would see that this kind of right-wing capitalist propaganda-like rhetoric holds no water.
What if:
> Genetics regulations, while I absolutely realize their necessity, have made it difficult for me to expand my side business into the EU. This would just be another road block for innovation.
When I look at GDPR I see a safeguard against mass surveillance and dystopian add ruled societies.
GDRP is a reflection of a mass surveiled and dystopian ad ruled society. GDRP makes it HARDER for consumers once the’ve consented. All that will happen is that this will be gamed instead.
No it doesn't. Consumers can withdraw consent at any time, they have to give informed consent (i.e. the consent is void and null if the consumer can't reasonably be expected to understand what they consented to) and companies have to keep track of what data they acquired and what they have done with it.
The "consent" popups you see on loads of websites these days actually run counter to the GDPR because they usually opt-in by default or tie consent to uses for which that consent is not necessary. They also rarely provide detailed information about what data is used and what they do with it.
That is not even remotely true. GDPR expressly affords revoking consent—and deleting any information gathered—at any time.
No, it doesn't. In fact, the rules about what must or must not be deleted are more complicated than that and in some respects ambiguous, and as yet there is little useful guidance from regulators to clarify those ambiguities. This is a significant problem with the GDPR.
I can't edit my comment above any longer, but for the benefit of those who are downvoting:
The point is that there may be multiple lawful bases for collecting the same personal data and it may be used for multiple purposes. The fact that consent was one of those bases does not necessarily convey a right to erasure if others still apply after consent is withdrawn.
Moreover, given that one of the other lawful bases for processing is the infamous "legitimate interest" umbrella, which could cover almost anything or almost nothing depending on subjective interpretation, the whole situation is quite ambiguous.
I think they do understand exactly what is going on but they know that upload filters are faulty almost always in favor of people with money. Upload filters like ones on youtube are super biased towards taking down anything that looks like copyrighted content but they also take out a load of legitimate content. Its now up to the content owner to prove that their content was fair use or that its not even the same thing as the copyrighted content.
In the end the big companies win and the individuals lose.
"In the end the big companies win and the individuals lose."
That's how other industries are run nowadays. I'm not saying it's a good thing, but that rather this does not come from cluelesness about tech, but more about bringing tech into the legislatory mainstream.
> Upload filters like ones on youtube are super biased towards taking down anything that looks like copyrighted content
Youtube's filter removed the audio track from a video of mine that was essentially silent to start with. There was certainly no music, TV, movie, etc... in the background.
You were obviously playing four minutes thirty-three seconds of silence by John Cage[1] on repeat in the background! Crystal clear copyright violation!
[1] https://en.wikipedia.org/wiki/4%E2%80%B233%E2%80%B3
That actually came up in a now-deleted comment. Incidentally, the audio is back now, though I made no request for review. I wonder if they periodically rescan content when they make changes to the algorithm.
Here's the video for the curious:
https://www.youtube.com/watch?v=wCEjJhm8qYM
There is someone with a financial interest in not having people watch it, but removing the audio won't help them.
And how many $ did that cause Disney to lose? The system fails almost entirely siding with the orgs with money and power.
That is outright ridiculous. There should be a level of human intervention to determine okay this cant be a damn copyright issue this AI is coocoo.
Letting black box "AI" that is often incorrect run wild is way less expensive than having a human intervene to review flagged videos. Hence the rise of machine learning algorithms that can do all kinds of neat things, but fail hard on the plethora of edge cases that exist.
Hence the need for penalties on false positives. Alas, here this won't happen on its own, because streaming platforms need people with money (and their content) more than the reverse.
This is partly because justice systems in the western countries require you to have a lot of money if you want to see your rights preserved.
That aside, the bill is designed to target "the big ones" because publishers want to gain access to profits from advertising. You just need to look at the people who initiated this tragedy.
I hate it that people don't talk about what problems the law intends to solve. You will be able to quickly reduce the answer to special interests. At that point, a legislative process should stop immediately. Will be interesting if the european institutions are able to do so.
Centralization loses. Publicly available content loses. A global community loses. Individuals are too many, faster and more clever than any one company can ever imagine to outmaneuver, it just means our shared internet culture becomes more localized and hidden.
I'm fairly sure this will mean more centralization as youtube will be the only one able to comply with the laws and everyone else will be locked out.
I'm fairly certain YouTube wasn't around when I traded external HDs full of movies/tv shows with my high school friends.
And that's the problem. Piracy decentralizes easily -- it has been that way since before the internet was even common.
What these rules do is destroy user generated content. Because your external HD can hold every Hollywood blockbuster in the last five years but it's nowhere near big enough for all the user generated content on YouTube.
> youtube will be the only one able to comply with the laws
A properly decentralized system can comply with the laws as well: you know what you put up, so there is a filter - it's just in meat space.
Worth pointing out that anyone could run their own instance of PeerTube[1], for their own content, if they wished.
I think the bigger issue is that many YT creators rely on its ads for revenue.
1 - https://joinpeertube.org/en
> super biased towards taking down anything that looks like copyrighted content
YouTube's uploads filters don't work very well with Peppa Pig episodes that have been chopped up into 45 second pieces and reordered randomly.
What part of the GDPR makes things difficult for your side business? Every discussion I run into has people claiming this sorta thing, but my reading of the text make it fairly clear that for 90% of non-despicable use cases there's really not that much of a problem...
My "despicable" side business is (was) making Android apps with Admob ads. I needed to update my app to allow EU users to opt out of targeted ads. Why Admob doesn't just add this functionality to their widget they place in my app is beyond me. In order to update my apps, I need to target a newer version of Android. It's not that it's very outdated, they were targeting Android 5.0, and get updated every 6 months or so. But a change in the Android API has made this very difficult for me. Being a side business, I had to make the choice - let go of the $600/mo I was making from ad revenue, or continue with the constant barrage of code updates required from Google for my apps to work. I decided to let it go. My app would still be on Google Play, even though I couldn't update it, if it weren't for GDPR. They pulled it due to non-GDPR compliance. So, yeah, GDPR has costed me $600/mo. I'm sure there are a lot of others with complex stories about how these regulations affect them. BTW I support GDPR and privacy as a whole, and wish my native USA would take privacy more seriously. It is the details of the implementation that are lacking. I also suspect that Google uses policies (such as putting the burden of Admob GDPR compliance on the publishers) to try to push out small developers.
So, this has nothing to do with your business, and everything to do with admob illegally spying on your users.
I mean, I empathise with your problems, but this very much doesn't sound like "GDPR makes by side business impossible". It sounds like "exploitative user-data abusing ad vendor abuse s their lock-in to exploit people's personal data" kind of problem, so I'd say things are working.
FYI, "allowing EU users to opt-out" is still wrong, they would have to explicitly opt-in to targeted ads. At least, in so far as ads are targeted based on personal data.
A client, a large pharmaceutical company, asked me to remove everything that could potentially violate the GDPR from their Android / IOS app. Apple rejected the update despite me stating the reason for the update, because the app could have been a website instead. Some of the functionality I had to remove was mobile specific, like reading measurements from a medical device etc.
I mean, that's just shoddy reasoning or laziness of the client. If you make a medical app like that, you clearly have a lawful basis for processing based on the "contract" lawful basis. So the only issue would be taking care how it's used, and having a policy in place for handling that data.
My specific issue was the EU representative; as the sole "employee" of my company, I will not pay a lawyer based in the EU to represent European users with privacy / data concerns. They could just contact me directly.
Ok, that's one I'm willing to concede is annoying for single person companies and there should probably be some fix for dealing with that. On the other hand, I understand why a legal representative within EU jurisdiction is desired.
For the record, your EU representative isn't required to be a lawyer or even legal expert, though.
Shut up with your stupid “innovation”. Your innovation is just another dumb idea.
“Laws against stripmining are just another road block for innovation.”
Just shut up already. Shut. Up.
Posting like this on Hacker News will get your account banned. Please don't.
https://news.ycombinator.com/newsguidelines.html
Isn't the unspoken rule to just ignore GDPR until you're big enough and EU starts bitching at you, at which point you just pay them off and spend some resources on compliance?
How is GDPR a problem at all? Is it so hard to avoid personalized tracking of unregistered users, ask users for their consent at sign-up time and implement a button for them to export and delete their data?
The irony is most sites use cookies to click on the "this site uses cookies" and as I block them I get the same message ad-infinitum on every fucking site... and I'm in NZ NOT the EU
Blame the web devs and their bad implementation of it. It’s really not that hard to get right (unless of course you don’t really want to comply).
Agree that getting the region wrong is sloppy.
But how does one avoid asking every time when cookies are blocked? What other implementation option is possible? This is what cookies are for.
> But how does one avoid asking every time when cookies are blocked? What other implementation option is possible? This is what cookies are for.
Local storage? Detect if cookies are blocked? Or, simply don't use cookies for purposes other than providing the service - which exempts you from the need to show the message?
> Or, simply don't use cookies for purposes other than providing the service
This, or as a minimum: Don't track people who has the DNT header set.
You mean the DNT header which is set by default in browsers? Then we can simplify your proposal to: "Don't track people"
You say this as if you're thinking that tracking is a normal thing to do to your users. I'm happy GDPR is fixing such misconceptions.
The only browser that set it by default was IE, and Microsoft ended that with Windows 10.
I've seen different Linux distros have it as default both for Firefox and Chromium as well.
But yes, the userbase for those is so small that we can assume that people with the header on simply don't want to be tracked.
Cookies don't matter. Personally identifiable information matters. Storing a "seen_cookie_notice=true" flag is fine (assuming the banner itself indicates that interacting with it will set the flag) as long as you don't use it for anything else.
The GP does not store cookies. How will the site store the seen_cookie_notice?
I wish browsers had a "do track" option which told every website: yes I consent, do what you want, just don't show me a popup. These cookies banners and GDPR popups have ruined the web.
So ads that follow you everywhere and inescapable email signup forms haven't done it, but "cookies banners and GDPR popups have ruined the web". Got it.
I know you are being sarcastic, but honestly yes. I'm not too bothered about being tracked and having targeted ads. It doesn't negatively affect my experience. My ad-blocker takes care of most of the ads anyway.
These intrusive popups and banners, on the other hand — especially the new post-GDPR in-your-face ones which I have to dismiss before I can even read a simple article — have ruined the user experience of the web. And my ad blocker doesn't seem to be able to block them.
There are lists that can block these popups, if that's really your main concern. Still, I think saying that they're the bigger problem than the pervasive tracking they try to protect their users against, including only casual users, is a bit much.
I can only speak for myself. The popuips are the bigger problem.
There's a lot of hand wringing about tracking but what harm does it actually do?
How is it easy to limit this? It's about how you treat EU citizens, not where people currently are.
How do you propose the website remembers your preference except through the use of a cookie? Cookies are the only way to keep client side state in a cross browser way. Keep in mind, cookies for non tracking purpose are allowed under the cookie law.
They should use localStorage. Unlike cookies, localStorage doesn't get transmitted to the server.
Certain security policies block localStorage, though. There doesn't seem to be a perfect place to store it.
Using a cookie that fits within the constraints imposed by the GDPR? It does have a list of criteria to which data it applies.
Only remember my preferences when I explicitly ask the site and opt-in to cookies?
That's the reason you see cookie-banners. They are your chance to opt-in.
Surely not, I see cookie banners at the very first chance they can throw them at me, way before I would need them for anything.
Kia ora! The "issue" here is that most sites which want to cater to worldwide audiences pretty much try to comply with influential legislation to stay on the good side. And GDPR/EU regs wield a big enough stick and come from a large enough region that you can't ignore them unless you want to block your site out completely to traffic coming from the EU. So they try and just do a worldwide rollout, irrespective of where you live. Of course, you can always implement this selectively but maybe more tricky to small and medium businesses, so they play and safe. Probably. I am speculating here.
The "EU" as a market is only important to the largest players or as an after thought once you have a solid footing in e.g. the US for one simple reason. The EU has too many languages so you can't just target the entire population in one shot like you can in single language even larger economy in America. Even if you wanted to target the entire EU, in my personal experience I can tell you that some web services work well in a place like Germany yet fail hard in France so most small to mid-level players are only going to go in places where they make the most money and it may be years before they ever end up in say Italy or the Netherlands. All that adds up to the EU regulations having a much smaller impact on most startups than you seem to believe. And that impact will be zero on the ones who look at the regulatory landscape as it exists now and just decide to stay out.
Edit: I see somebody chose to express disagreement via mouse rather than keyboard. Interesting.
As a European who has never been to an English-speaking country yet has always preferred English versions of everything (and all my friends are bi- or tri- (or more) lingual, reading something in English or in our mother tongues is a near-zero difference for us) I wonder what is the actual proportion of Europeans who can not be targeted by a service in English... I've heard learning English is not particularly popular among e.g. Italians but in Scandinavia and in France almost every "millennial" is more or less fluent in English and comfortable with it.
PS: I didn't downvote, I never do - I'm a downvote-hater :-)
Don't worry, it happens even when you allow cookies. Because a good part of the news sites will ask you again (in a couple of days/visits) if you have disallowed them. In case you accidentally clicked the wrong thing, I guess is their excuse. Accept button is a single up-front button, where as Rejects are hidden behind Manage... Needs to be cracked down on.
Is it so hard to ... implement a button for them to export and delete their data?
Yes, it is. Although we're constantly updating the code, my team's responsible for a web site for which the data model is nearly a decade old. And the overall business process that it feeds is about 25 years old. We don't know everywhere that the user's data goes in order to export it. Building the support to do so is pretty big. And being able to expunge their data on request is huge, given that data models were constructed without thought to a requirement that the user data be purgeable. It turns out that the requirement isn't quite that broad, but then the legal advice to help determine where it does need to be done isn't cheap.
I don't disagree. My comment was mostly tongue in cheek, but I guess a /s was needed. I'm glad it spurred some discussion, though.
Avoiding personalized tracking of unregistered users means you can't use Google Analytics or something equivalent. Not that it's impossible per se, but these tools have a strong added value, so...
> but these tools have a strong added value, so...
Strong added value to who? If Google Analytics disappeared tomorrow do you think the average internet user would be at all impacted?
Remember, GDPR is about protecting the user.
I admit this is a very amateurish view but I don't really understand why do people need Google Analytics or anything like that at all. As a webmaster you can log every request a depersonalized way recording the fact of a request to a particular HTTP resource from a particular country originating from a particular website as a referrer at particular time. You don't need any 3-rd party service for this and this doesn't mean tracking any particular user.
I'm not a fan of GDPR, but no, it doesn't mean that. It only means that GA can't be used in a way that allows you to correlate the data back to a particular individual. You can still use it in aggregate, and you can even follow individual threads through the system; you just can't know who the user was.
The problem with GDPR is that the actual scope of it applies to is rather unclear, and the regulatory guidance hasn't been reassuring as to what the actual extent will be in practice.
For example, do email addresses on the comments on a blog site fall under that protection? If so, there are some agencies in charge of enforcing GDPR that are violating GDPR on their sites...
EMail Addresses are protected by the GDPR. Passwords are too.
THat doesn't mean you can't use email addresses without asking; ie if the comment system uses emails to notify people of replies or moderative actions, then it's totally legit to collect it for exactly this purpose.
You only need consent if the personal data collected isn't strictly necessary for the operation of your site, ie if you use tracking cookies and sell emails to advertisers.
> For example, do email addresses on the comments on a blog site fall under that protection?
That is not unclear at all. They absolutely do.
That doesn't mean you can't have them, but it means you need consent, you need to be clear about how you will use them and you need to let people withdraw consent.
You can't win an argument about whether something is unclear by proving (let alone merely asserting) it is so. This is something a lot of people seem unclear on.
The only people unclear on this point are people who have failed to do even the most basic research into what GDPR says. It is blindingly obvious that an email is information that can be used to identify a person.
I'm not arguing with you. If it is clear, then it suggests people saying it is not clear are basically trolls. Surely you can see that telling an apparent troll to admit being a troll is unproductive. You might be right, or you might be wrong, but you can't win that debate because it's about inner motivations and perceptions and not verifiable facts.
Whether something is clear or not is not dependent on whether a specific person knows it.
A reasonable person who is even minimally informed about GDPR will know that an email address is covered by GDPR, hence it is "clear".
Why though? Email addresses are quite obviously "something that identifies a person".
I'm not debating what's clear or not to me. My point is that it's subjective and if someone says a thing is unclear, you can not necessarily make it clear to them or force them to admit they are lying about their perception. Arguing with confusion is like debating whether someone is in pain when they act like they are. It could be they are lying. It could be they are not. It could be they are particularly stupid.
I want to emphasize - you can be right or wrong about the GDPR, but that's not the same thing as being right or wrong about whether people are confused by it.
I think it should be obvious that debating feelings or perceptions or emotions of other people tends to lead to unproductive interpersonal interactions, but perhaps others have not noticed this phenomenon. I can't imagine winning a debate with someone over whether they are trolling or not. Even if it's really obvious, nobody can see inner motivations for sure.
> It could be they are lying. It could be they are not. It could be they are particularly stupid.
At the point where one can prove that one part is too (trollish || stupid) I think it is reasonable to limit how much we care about their opinions.
You seem to be making the same mistake a lot of people (especially those from countries with no regard for consumer protection or privacy) do with regard to the GDPR:
It's not about e-mail addresses. It's about personal information. It's not about what data you can have. It's about how you can use data.
You don't own my personal information, I do. If I give my information to you, you can only use it in whichever ways I consented to when I gave it to you. If you want to use it for something else, you need to ask me again. And you can't just give me a blanket CYA contract to sign just so you can decide later.
This is precisely how it would work in normal everyday social interactions. If I go to a Mom & Pop shop and give them my number so they can call me when my favorite brand of soup is back in stock that doesn't mean they can call me to tell me about random new stuff they carry or give my number away to someone else.
Personal information is owned by the person it is about. It gets murky with aggregates (but the GDPR helps you figure out which ones are still considered personally identifiable) but it's blindingly obvious for things like "enter your e-mail address".
Do you have an e-mail input in a contact form? I'm going to assume that'll be used so you can respond to me although it'd nice of you if you say that explicitly right there on the form. If it's a comment form, why do you need my address? Who will it be shown to? What are you going to do with it? Where will it be stored and how can I tell you to delete it later? That's why you now need to think up a Privacy Policy: these are questions you always had to answer for yourself but now you're legally required to make conscious decisions about this.
Is this too much of a hassle? That likely means you didn't have any good reason to collect that information in the first place. Great! Personal information is a liability and it's better to collect less of it than more. Although that may disappoint future Zuckerbergs, collecting people's private information (even if they give it away voluntarily) imbues a lot of responsibility on you if you don't want to be completely careless. And the GDPR is an example for a policy that gives that responsibility teeth and punishes companies who are careless.
You don't want to store passwords in plaintext. You don't want to hoard credit card details or medical data. Personally identifiable information is no different. The GDPR just provides ways for you to store and use that information legally, in addition to reiterating that privacy and control of your personal information is a human right.
> How is GDPR a problem at all?
I'm sure there will be a significant price tag just for training people to be compliant with it.
Here's your one line compliance GDPR course: don't treat customer data like it's something to be sold to anyone that asks for it. PII is not yours.
If you escalate things to the point where you need to "pay them off" you're entering serious monetary fines territory.
So many people here compare this to GDPR...
I can recommend everyone to just read the EU website on GDPR: https://ec.europa.eu/info/law/law-topic/data-protection/refo...
they write the official website in understandable language, in plain and simple English, not in weird lawyer talk. They have examples for companies as well. What to do, how to act etc..
Forming your opinion about these laws based on what the big American data companies tell you about it is about the same as asking tobacco companies what they think about health laws.
It really isn't that hard to just take 30 minutes and read the website from the EU. Literally every comment here talking about 'stupid old lawmakers that don't understand the internet' has not even read the bloody document. I've seen Youtube comment sectioned that were better informed than HN about this.
I think people compare it to the GDPR based on amount of internet big-brother it imposes and other prior-restraint requirements on internet businesses. Telling someone to compare the wording is unrelated to the general concerns of oversight. The unfortunate part is that these contrarian opinions are assumed to have been formed from big American companies and people who haven't read the documents. You shouldn't so quickly assume ignorance.
“General concern” isn’t necessarily a valid complaint, or understanding of the situation.
The GDPR gives _individuals_ power over their data. It’s not “big government oversight” (whether you think that’s good or bad).
Is the text on that website the legally binding or not? If not then it has no real value.
"Legally binding" is the wrong phrasing but this can be used to prove what they call Legislative Intent: https://en.wikipedia.org/wiki/Legislative_intent
I doubt that if HN website text isn't legally binding it doesn't have real value.
I tend to put GDPR and this Copyright bill in different camps. The copyright bill is insane. GDPR is... also a bit insane, but the hard parts shine light on what we probably should have been doing which are now hard to do because we've spent so long ignoring the ethical elephant in the room. GDPR is very far from perfect, but I think it's still directionally good. The copyright bill is just bad.
GDPR is very good in fact. If you read through it as a person, it is basically the way we should have operated from the start. Reading it while wearing the hat of my role in my company, I can see all the points where we are collecting data without a well defined process and clear understanding from the end users. It is hard to fix this, but it is for my own good as a person.
GPDR is essentially some guidelines published by OCDE in 1980 turned into law. So yes we should already be operating like that from the start. I get the feeling that to some countries GPDR is not a big deal and to others is a nightmare, depending on the business culture.
Can you explain to me how the deletion policies work?
If you ask for your data to be deleted does that include your address in my contacts? Does it include your messages to me? Does it include your posts that appeared on my feed?
In the physical world all of those would be mine. Addresses: It would be my paper address book with your address written in it. Email: would paper letters you sent to me that I keep in my files. Your posts in my feed would be postcards I received from you keep in a scrapbook or shoebox.
It's not clear to me how those are handled by the GDPR and at what point things sent digitally from you to me end being my property and no longer your property.
I think that the best way to view the deletion policy is to imagine what would happen if someone stole the data. If it is anything that could get you sued over then that is data that needed to be deleted.
This will likely cover a bit more than if it was physical objects. To be fair, most physical paper address books would not include millions/billions of addresses, and would unlikely be stolen by accident. The only one that has billions of paper letters are the post office which is regulated. The physical world is not very different to GDPR if one includes the context of how many book shelves of information is being stored on companies databases.
I don't think that's correct. A business has the right to retain records that are necessary for them to do business. From the lawyer that advised us in this, his call was that Order History data doesn't need to be expurgated even though it contains the person's name and address, etc. There are any number of business reasons dictating that we need a record of this stuff (e.g., auditing for sales tax compliance; being able to handle customer returns in the future, or fraud claims from the credit card processor).
In the physical world all of those would be mine.
This is a common misconception, but the GDPR applies to the physical world as well. The regulation only talks about "personal data in a filing system", which is a generic term.
> It's not clear to me how those are handled by the GDPR and at what point things sent digitally from you to me end being my property and no longer your property.
The ICO gives really good advice on this.
https://ico.org.uk/for-organisations/guide-to-the-general-da...
>If you ask for your data to be deleted does that include your address in my contacts?
I'm assuming that "my" in this sentence means a business, since individuals are not subject to GDPR, and that the thrust of your question revolves around, say, a customer support portal.
Yes, addresses have to go unless you have a legitimate business reason to keep them. For tax purposes or to prove something in an active court case are both examples of a reason you could keep the address at least temporarily.
>Does it include your messages to me?
No, they could be anonymised instead. If the messages contain PII you might need to sanitize them.
>Does it include your posts that appeared on my feed?
Same as the previous question.
>It's not clear to me how those are handled by the GDPR and at what point things sent digitally from you to me end being my property and no longer your property.
This is defined on, like, the second page of the GDPR document. Article 2 "material scope" point 1.
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
GDPR kicks in when you start processing this stuff automatically. If you want to handle your entire businesses paperwork via a set of paper ledgers with humans in front of them, that'll make you GDPR immune.
Listen man, I read the GDPR document /once/ almost a year ago now, and I remember the answers to your questions off the top of my head. I'm not a lawyer either, I'm a software engineer.
If someone told you GDPR was complex, they lied to you. The legislation is dead simple and most of the document is actually not about what businesses need to do but about what the EU bureaucrats need to do. You only need to read about half of it, the rest is irrelevant to you.
If this matters to you, just go read the damn thing. Trust me, it's a fricking revelation to do so, you'll be staggered by the amount of bullshit people spout about it and the amount of needless fretting and hand-wringing they do once you know how simple it is. Don't get me wrong, the implementation may be hard for some businesses, but I'll also tell you straight up, there are lots of businesses voluntarily making their GDPR implementations harder and more expensive than necessary because they didn't bother actually reading the law and are instead going off third-hand chinese-whisper information, which is a crazy way to run a business.
> I'm assuming that "my" in this sentence means a business, since individuals are not subject to GDPR
No; tokyodude is asking what happens if you request that (for example) Google erases your data, and he has your email address in his Gmail contacts. Does Google, as the data controller who ultimately stores tokyodude's contact list for him, then have to purge your email address from tokyodude's address book?
> Listen man, I read the GDPR document /once/ almost a year ago now, and I remember the answers to your questions off the top of my head. I'm not a lawyer either, I'm a software engineer.
This condescension is obnoxious and unwarranted. Just take a look at the complexity of the conditions at https://gdpr-info.eu/art-17-gdpr/ dictating when the right to erasure applies. Point (b) seems to suggest that it applies by default if the basis for originally processing the data was the subject's consent... but that the controller can override that if they have another legal ground for processing. So can they just argue they have a "legitimate interest", under article 6(1) point (a), in preserving tokyodude's address book? I have no idea.
Meanwhile, point (f), linking to article 8 about children, is saying - I think - that a data controller must honour an erasure request if it's about data they collected from a child, even if they have another legal ground for processing that data. So even if the legitimate interests argument above would hold, if you're a 12-year-old, I think you absolutely can demand that your email address be purged from tokyodude's address book and he can't do anything about it?
How about your actual emails to him? Can you demand that Google deletes them from his inbox? As far as I can see, the answer logically ought to be "yes"; Art 17 (1) (f) applies and I don't see any exception that would let Google wriggle out of the obligation.
But I'm not sure if any of the above, because this stuff is vague and complicated. If you truly think it's simple, I invite you to walk us through the answers to the scenarios I've explored above, supporting your assertions with relevant references to the text of the law. I do not expect you to be able to do so.
>No; tokyodude is asking what happens if you request that (for example) Google erases your data, and he has your email address in his Gmail contacts.
Oh, well in that case this is explicitly handled in recital 18. https://gdpr-info.eu/recitals/no-18/
> Point (b) seems to suggest that it applies by default if the basis for originally processing the data was the subject's consent... but that the controller can override that if they have another legal ground for processing.
Yes.
>So even if the legitimate interests argument above would hold, if you're a 12-year-old, I think you absolutely can demand that your email address be purged from tokyodude's address book and he can't do anything about it?
Yes.
>How about your actual emails to him? Can you demand that Google deletes them from his inbox?
Covered in recital 18.
I totally agree with all your interpretations, well done. See what I mean about it not being that complex?
Not that you shouldn't run all this past your company lawyer to make sure they agree mind you. After all, companies keep lawyers around for input on exactly these kinds of issues, might as well get your moneys worth.
It's ok for you as a software developer to be unsure about some of these things, you're not a trained lawyer. What I'm being condescending about is software developers wailing "oh it's impossibly byzantine, oh it's impenetrable, oh woe, oh drat, oh heavy is the burden of being me in a GDPR-compliant era". Software developers regularly read documentation more complex than the GDPR legislation. Jesus, you'd think it was written in latin the way some people on hacker news cry about it.
I think part of the issue here is that a plain English reading of the GDPR implies such appalling totalitarian overreach that most people find it hard to believe that it can really be what's meant.
I mean, you've just agreed with my reading that the GDPR gives me the power to reach into your personal inbox and censor your records of communications with me. That sort of power for bad actors to carry out historical revisionism on what until now we'd've thought of as someone else's data is unprecedented and - at least to me - a pretty frightening threat to freedom of information and a culture of truth. And meanwhile we've got people running around Hacker News saying "GDPR is all wonderful, it's just common-sense privacy protections, and if your business isn't spying on users without their consent and selling their data you'll be fine".
You're clearly confident that the (to me, somewhat dystopian) interpretations we discussed just above will hold up in court. I'm not, even though they worry me and seem to me to be the most straightforward plain English reading of the bill. That doubt - and associated anger at the failure of the EU to bring greater clarity to these sorts of points before now - seem to me to be reasonable, and not a worthy target for condescension.
>I mean, you've just agreed with my reading that the GDPR gives me the power to reach into your personal inbox and censor your records of communications with me.
That's quite literally the opposite of what recital 18 explicitly says?
recital 18 clearified absolutly nothing for me. My plain reading of recital 18 is that it has to do with personal records stored on paper or my own computers. it in no way covered emails I received from you via Gmail and whether or not you can demand Google delete emails you sent to me from my Gmail account.
That's the opposite of totalitarian, btw, if we're interested in words.
In what way is government-mandated censorship and falsification of history "the opposite of totalitarian"?
In that the government isn’t using people as tools. People are using the government as a tool.
(Edit: without addressing your questionable definition of what it means to control one’s data.)
> I think part of the issue here is that a plain English reading of the GDPR implies such appalling totalitarian overreach that most people find it hard to believe that it can really be what's meant.
Do you think this level of hyperbole is necessary?
In what sense do you think I'm being hyperbolic? I'm pretty sure I mean every word of what I wrote literally.
(Though perhaps "authoritarian" would be a better choice of word than "totalitarian"; I mean it only in the broader sense of "infringing unjustly on individual freedom" and not in the stricter sense of "mandating total subservience to the state" that a Google 'define:' search yields as the first result. I thought it was correct to use "totalitarian" in the former sense, but don't have time to confirm; if I'm wrong, and that word choice is what you take issue with, then I'll concede that it was an erroneous word choice and I should've written "authoritarian" instead.)
> Oh, well in that case this is explicitly handled in recital 18. https://gdpr-info.eu/recitals/no-18/
I disagree. One's GMail contacts is a clear (ha) example of a fuzzy scenario that I think is ... questionably handled by the language at the link you reference. It's difficult especially because it's a weird hybrid of a very personal or household activity that runs inside a commercial activity.
From the text:
> 1 This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity
Ok!
> and thus with no connection to a professional or commercial activity.
...wait, GMail is clearly a professional or commercial product. An online addressbook in GMail... does that count as having a "connection" or not? My purpose of the addresses is personal. But it's clearly connected (at least by tcp, haha) to a commercial activity.
> 2 Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.
Ok ... wait, social networking clearly involves commercial entities (e.g. twitter). So my personal actions for personal non-business uses of twitter are not regulated. Fine. But twitter itself is?
> 3 However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
Ok so the regulation applies to the controllers/processors (e.g. GMail, twitter).
So: the regulation does not "apply" to me for my personal use, but my (personally defined for personal use) GMail contacts could get deleted by the other person?
I am definitely not a lawyer, but this does seem at least somewhat contradictory, or at least would benefit greatly from a few more clarifying sentences.
Comparison to complex documentation is not apt to your pro-condescension argument. Complex and vague can be very different.
Documentation can be complex, but if it's rigorous and not vague, I am totally fine with that. Software can be very complex. When it is complex, I would hope the documentation has sufficient detail to cover their intricacies. I'm glad that the postgres documentation is huge and complex -- it has to be.
I do however complain pretty often about vague documentation haha. I feel like it's pretty common for people to complain about an under-documented quirk shooting them in the foot (e.g. mongodb and durability back in the day).
One last thing: If your interpretation is right (and it seems plausible, maybe even likely), then I really need to locally archive my emails and contacts more often haha.
I think your interpretation is correct. In particular, I think that your first two quotes from the text are saying that the "personal or household" user themselves has no obligations under the GDPR. It's coherent to include social networking in here; without that clause, a child writing on Facebook about how another child smells bad would presumably themselves be a data controller and subject to an erasure request, whereas with the clause, Facebook can be compelled by a regulator to remove the post but the child who posted it cannot.
Or at least that's my interpretation. Like you, I remain uncertain and troubled.
>One last thing: If your interpretation is right (and it seems plausible, maybe even likely), then I really need to locally archive my emails and contacts more often haha.
I mean, yeah, you probably should if you care about it. Most office exchange servers are configured to allow some users to "unsend" emails. Outlook dutifully deletes the email from my co-workers inboxes, but my thunderbird client simply tells me that someone sent a recall request and lets me choose what to do with it.
The things sent digitally from me to you end being my property and end up being your property immediately as long as the sending is not part of some business arrangement, but if it is some business arrangement that business is regulated, and when it becomes your property if ever can be dependent on many different factors of your business.
> If you ask for your data to be deleted does that include your address in my contacts?
If that address is visible to you because I gave you access to my data, then yes.
If that address is visible to you because I gave it to you and you put it there by yourself, then no.
> Does it include your messages to me?
No. Messages I wrote to you are yours. I gave them to you. You can keep them. They get deleted when/if you ask for your account to be deleted.
> Does it include your posts that appeared on my feed?
Yes. My posts are mine. If I make them public or share them with you, you can look at them, copy them, do what you want with them (depending on the license). If I remove my account they get deleted from my account. If you made a copy for yourself, you can keep the copy.
> It's not clear to me how those are handled by the GDPR and at what point things sent digitally from you to me end being my property and no longer your property.
As always, ask a lawyer.
> If I remove my account they get deleted from my account.
Maybe.
There's an argument for the public good that can be appropriate (e.g. a public figure on twitter).
> Can you explain to me how the deletion policies work?
Disclaimer: The GDPR hasn't been the law of the land for a year, so there is little precedent.
It is fairly simple, the GDPR requires that companies that control identifying information about you (or somehow delegate this), have acceptable reasons for doing so (user consent/other law/etc). When some entity controls your information the GDPR gives you certain rights. The key point here is that the company is controlling your information not you, whereas the scrapbook is under your control. The loss of control of the information creates in my mind a moral obligation to treat it a certain way. One of the rights that the GDPR confers on the data-subject is the having data deleted, this right is not absolute and if you have any other grounds (e.g. AML regulation) for keeping the data then you don't have to delete it. Additionally, deletion doesn't have to be immediately consistent, so you won't have to go into old backups and delete the data there.
TL;DR: If someone asks you to remove something, just delete it from your SQL database, and that's it.
There are two key costs for startups implementing the GDPR:
1. Privacy by Design - Make some efforts to design the information systems in your company in a way that promotes privacy. 2. Demonstrating compliance - This tasks scales with company size, you might start out with a boilerplate privacy policy, but as you grow want to be more diligent.
this doesn't help clarify things at all.
you send me an email. I use Gmail. you request Google delete all your data. does google have to delete the email from you that's in my inbox?
The real issue with GDPR is that it's extremely under specified and we're left to educate guesses to find out what and what's not illegal until the matter is settled in courts.
For example a service provider can collect emails under the Article 6(b) clause to provide its services. But what happens when a user exits the contract? There's a conflict there because the provider need to keep hold of the email (to avoid user cancelling, asking for deletion then registering for another free trial) while the provider might not be holding consent anymore (Article 6(b) no longer applicable and consent subject to withdrawal at any time)
Would it be safe to store an hash of the subject for that purpose? Apparently, not: https://www.sciencedirect.com/science/article/pii/S026736491...
So what's the best practice there? We're all taking guesses. And that's not the hallmark of a good law.
> The real issue with GDPR is that it's extremely under specified and we're left to educate guesses to find out what and what's not illegal until the matter is settled in courts.
Best practice now may not be best practice in future. Sure, there could be guidance produced. In fact there is, it's just usually by the enforcing bodies.
> what happens when a user exits the contract > to avoid user cancelling, asking for deletion then registering for another free trial
You can be sued for six years in the UK. Other jurisdictions I'm not so sure about. If you're providing a service and have agreed a jurisdiction and can be sued in that jurisdiction, there's your lawful basis.
The right to be forgotten only applies where the basis is purely consent. If you withdraw consent, and consent is the only basis, your data should be deleted. But if you're providing a service, then another basis applies: contract and legitimate business interest.
I think you'll find you have a legitimate business interest and a lawful purpose there for maintaining the email addresses -- as long as you don't later change the purpose and include them on a mailing list.
> So what's the best practice there? We're all taking guesses. And that's not the hallmark of a good law.
It's largely down to the enforcing body. The ICO (UK enforcing body) generally only fine after a major incident or you've failed to stop doing something really bad. Or you've set up a business that is egregiously scummy. You can read the list of fines online. [0]
It helps to see it more like fire legislation -- there are many ways to prevent and contain fire. You can seriously reduce the risk of fire and the consequences if one happens.
Breaches are similar. If you have a data breach, something's gone wrong. If you're not taking serious mitigation to prevent that from happening, then maybe you shouldn't be taking user data in the first place.
[0] https://ico.org.uk/action-weve-taken/enforcement/
You can keep hold of data for a good business reason such as the one you stated. A hash of the e-mail address is probably reasonable, but you might also want some logic to detect users who use g-mail style addresses, i.e. "exampleuser+label@gmailcom", which allows one gmail account to have many forms of the e-mail address, in which case hashes don't work.
This is another class of an example I have seen cited around from time to time - a user signs up, performs fraudulent behaviour and then demands the records of this behaviour are removed and continues to perform fraudulent behaviour. You have a good business reason to store this data so therefore the user cannot demand you remove the data.
You shouldn't keep it longer than is necessary however. How long would work to deter this behaviour you describe? I'd say 30-90 days should be sufficient.
> A hash of the e-mail address is probably reasonable
I even sourced why it isn't but eh, who read post they're replying to, right?
The “Right to be Forgotten” is clearly in contradiction with the first though.
At least GDPR is intended to help actual people, instead of increasing media-holders' stranglehold over their content.
This
In a way, GDPR goes in the way of common sense, despite the legalese and FUD
Copyright filter is censorship.
Why does it matter what it is intended to do?
Because intent matters?
But why? People are affected by the practical application. Even if you argue that intent matters once it reaches a court or regulator, that is long past the effect.
Because when a law is pushed by corporations, aimed at individuals, you're not likely to have much recourse, as an individual targeted by such a law. The hammer is going to drop on you and that's that.
A law such as the GDPR, which is targeted at corporations primarily, is worded in such a way that no company is going to get massive fines if they seriously tried to comply, but for whatever reason failed to do so. They're going to get a dozen written warnings, guidance on complying etc. before they have to pay anything. Small businesses don't even need a data protection officer.
Why this discrepancy between laws targeting individuals vs corporations? Because corporations control the flow of capital, control a large part of our politicians, can blackmail with outsourcing etc. None of this power is usually available to an individual.
Ah, you're saying it matters during design. Sure. I am talking about after passed, the intent matters very little. Too often on the GDPR and other legislation in effect, the intent is used to judge effectiveness which is invalid. When a law on the books is not working right, what it was trying to do is not an argument in favor of it working right.
> I am talking about after passed, the intent matters very little.
The intent matters precisely because of how the law is going to be enforced when passed.
But since its enforcement can be completely contrary to the intent, intent only matters to the enforcers if they want it to matter. The actual enforcement, whether intended or not, is what really matters.
> But since its enforcement can be completely contrary to the intent, intent only matters to the enforcers if they want it to matter.
Right, and my argument is that with legislation intended to serve the people, (GDPR), enforcement is likely to be much closer in line with the intent than say Article 13, which is the other way around, (serving corporations, not people).
Enforcers are newer as aggressive when protecting individuals as they are when protecting corporate interests. Apart from corruption, this is simply because of the leverage corporations have that individuals lack, (control of the flow of capital).
> I tend to put GDPR and this Copyright bill in different camps [...] GDPR is very far from perfect, but I think it's still directionally good
Depends on the context. I tend to see how one begets the other. GDPR is good by intent, but is bad by implementation. The copyright bill is bad by both intent and presumably implementation. And since it turns out that only implementation matters, many would agree that we'd be better off without both and recognize that solutions to the problems the GDPR attempts to (heavy-handedly yet ambiguously) fix can have more measured steps towards remedies.
> GDPR is good by intent, but is bad by implementation.
What is so bad about the implementation? Genuinely asking, I went through making a few companies compliant - and companies that were treating their data and security responsibly, had only little or even no issues at all to get their things in order.
One of the great things about the GDPR is that it clearly defines WHO is responsible if something goes wrong. The generic mindset seems to be that accidents and incidents happen, but as long as you did reasonable effort to prevent this from happening, there's little to fear.
> What is so bad about the implementation?
Several things, but I'll be brief. Basically the same problems its predecessor had: lack of enforcement, inconsistent enforcers across countries, subjective enforcement, attempts at global internet governance, and not providing substantial benefit compared to the costs. They took those implementation failures and instead of scaling back and doing a measured approach to understand what went wrong, they exacerbated it by adding more burdens on businesses and increasing scope chilling many businesses into spending money out of fear of compliance or regionalizing their online presences. All of that with hardly any practical effects makes it a clear net negative, and couple that with the fuck-with-the-global-internet mandate they were given and we've ushered in a scary internet big brother, cheering the whole way. All to prevent tracking and data sharing. Compare the harms, compare the results, compare the costs, and it becomes clear that while we all want the implementation to achieve its goals, in practice it is more bad than good.
You should be wary of using your personal business anecdotes to justify impositions on the rest of businesses. The "I can't see any problem means there aren't any problems" is not an inclusive mindset.
How can you possibly have complaints about how GDPR is enforced? No regulators have enforced it yet, the first GDPR case ever is expected to be heard in late February.
This reads like a generic batch of "law bad" mumbo jumbo with "gdpr" dropped in like a mad lib.
Feels like a this would be appropriate analogy that they might be able to understand how rediculous it is:
* Police may or may not put cameras everywhere
* Police MUST catch criminals as soon as they break the law, otherwise the police would be as accountable as the criminal.
* Policy CANNOT ever talk to, interact with or accuse non-law breaking citizens
It would be prudent for Wikipedia at this time to shut down service in the EU, and simply put up a banner indicating that they can't comply with XYZ regulation.
Regular folks in all walks of life, and also the bureaucracy would immediately be effected. It would be a 'shock' to Europe and a powerful signal of how vital these resources are, and the real extent they are messing with them.
Basically, everyone would become aware of the issue, in a very material way, and get a taste for he chaos this law might imply.
Kind of like internet 'gilet jaune' as a crude metaphor.
I'm kind of surprised there hasn't been action like this done already, now its probably too late anyhow, EU is fucked. SOPA and PIPA had massive protests like that. Maybe Google for example isn't protesting because they know it helps them a lot actually, since they can expect to see no competition from the EU ever again.
https://www.blog.google/around-the-globe/google-europe/propo...
Afaik wikipedia has no copyright or something. So somebody would create a read-only copy (less than 100GB, I guess), call it wikipedia2.com and everyone would use the copy..
And Google would swiftly and automatically rank it high in all of EU. /s
Very few would figure out the clone's location, and it wouldn't be able to be updated really.
VPN's would be another solution.
But for the 99% it would be very disruptive and prove the point.
>Very few would figure out the clone's location
For this purpose clever people invented search engines. These would detect missing content in the original wikipedia and funnel all traffic to wikipedia clones. Nobody would notice the difference. And no point would be proven.
If someone adds a wordpress plug-in for this I will install it tomorrow for a laugh :-)
There were blackout plugins around since SOPA/ACTA times. I had one on my old Wordpress blog for SOPA.
Regular folks would learn to use a proxy, like any good Chinese or Vietnamese citizen. We’ve proven average people can get pretty technical when the interests are aligned (think P2P).
Not quite.
a) 'Regular folk' have never heard of the term 'proxy' and would struggle quite a lot with it. Though I agree, after some time, they'd figure it out.
b) The point is not to 'block Wikipedia' - it's to inform Europeans of the consequences of their legislation. If they even had to think to use a proxy to use a common service, the point would be made.
Regular folks don't read Wikipedia.
Another possibility: the EU is serious and wants the content farm to show ads business model to die.
If they're serious about that, then why are they reinforcing the monopolies of the two greatest offenders, YouTube and Facebook? YouTube and Facebook already have the market dominance and engineering talent necessary to build whatever content blocking filters that are mandated by the EU's boneheaded regulations. This regulation will hurt them, sure, but the worst outcome for YouTube will be a bunch more videos that are "unavailable in your country". Same thing with Facebook -- it already shows different posts to different users based on geography; this will be merely one more criterion to filter posts on. What this will kill is all the companies that could compete with Google and Facebook. No one is going to found a media-sharing startup when even a single slip up can leave them liable for an eight or nine-figure sum.
My theory is that, despite their rhetoric, the EU is actually okay with monopolies. Monopolies are easier to extract rents from, in the forms of fines and taxes. It seems like the EU would rather have a single Facebook, a single YouTube, a single Google, etc. than many competing smaller firms.
What's you definition of a content farm? This bill essentially targets online online medium you can upload and share content on. This should be reworded to the EU is serious and wants to go back to Web 1.0
Maybe that's not a bad thing. Most of the policies that have emerged from the EU and US recently would mostly affect the users of large platforms like YouTube and Facebook. If content creators were to host content on a website they own, they would have complete control (well mostly, the web host would be responsible too, but that worked pretty well before) over their content and what they can and can't share.
I agree, kind of. My projection for a future with stricter copyright laws is a rise of or at least stronger development of subcultures that produce their own content which slips under the filter radar because of non-mainstream memes and references. Also more poeople will be attracted by subcultures because the mainstream becomes more regulated and boring as nobody will be able to freely mix and advertise it. Though what would really happen is that the media industry will be able to exert more control over influencers and we get sth. like a TV 2.0.
https://www.youtube.com/watch?v=t7tA3NNKF0Q&t=1s
This does a very good job of explaining how small content creators are practically powerless now on the web in terms of protecting their content being stolen.
Ads have nothing to do with this. It's not aimed at business models that show ads, it's aimed at business models that host user content.
The whole point is to put content exclusivity back in the hands of traditional publishers.
And how do "business models that host user content" generally generate revenue?
Well, traditional publishers that have a complete hosting infrastructure.
How does it apply to ISPs by the way?
There are obviously some serious problems with ad-driven businesses on the net. But they have also done a lot to put technology in the hands of poor people. Any plans to replace them with paid-only services need to figure out some way to make them available to people on very limited incomes.
You would have to be at the extreme bottom end of the scale to not be able to afford the cost of hosting some content on the internet (maybe 3 euros per month?). It is something you could find space for in your budget unless you are literally starving and have absolutely 0 space in your budget for anything. If that were the case, I doubt this hypothetical person would be spending a lot of time on the internet in the first place.
And let's not forget these ads are all clamoring to make people spend money on things they "didn't know they needed", so it's not like they're materially doing someone who is very badly off any favours.
That's literally the only redeeming aspect of ad-driven model I'm aware of. It's good you point this out, personally I don't have good alternatives if one were to just burn advertising industry to the ground (something I fantasize about).
Still, advertising is a Red Queen's race; once a party achieves some advancement (like animated ads, video ads, tracking, etc.), everyone else has to follow suit. The relative situation of player is ultimately unchanged, but the baseline is more user-hostile. So there's plenty of possibility for regulators to simply roll adtech back to 1990s, and advertisers would still make their money.
A few examples of what you are describing would be very welcome.
IIRC, Facebook, Twitter and Gmail don't make you pay to sign up, meaning people who can't afford to pay end up enjoying those services for "free".
(At least, I think that's what parent was getting at, not saying I super agree with it).
That would be a really bad thing, too.
As with most interesting problems, this legislation hasn't been written with a focus on what sort of end-results are easiest to arrive at a technical solution for. This article characterises that as 'magic wand regulating' -- I'd hate to see an alternative where EU directives contain explicit technical implementation guidance!
> As with most interesting problems, this legislation hasn't been written with a focus on what sort of end-results are easiest to arrive at a technical solution for. This article characterises that as 'magic wand regulating' -- I'd hate to see an alternative where EU directives contain explicit technical implementation guidance!
There are multiple ways to create bad legislation. One is to require a specific solution, but another is to require a result that no known solution can produce.
This is not really about technical solutions. It's about an understanding of how computers work. The underlying assumption is that companies _will_ build technology that is as good as the law requires it to be. Large companies very well might, but this is a killer for small businesses.
Let's legislate that all cars must attain 150 mpg and cost less than $10,000. The EU proposals are approaching that kind of absurdity.
The Renault Twizy falls into that category. You need to find a better absurd example in the future ;).
It's an electric car, so no oil consumption (parent talks bout mpg)
There is an mpg equivalent for electric cars based on the idea that 1 US gallon of petrol is 33.7 kWh.
That's 70% of the entire energy contents of the gasoline. You don't get anywhere near that kind of efficiency even on large electrical generators. 16.2 kWh is way more realistic.
Cool, didn't know that, thanks
Ah good to know :)
Let's just use the standard HN response here: your business model is not my problem. If you can't make that car, maybe cars shouldn't be permitted to exist.
Also: That all the cars are expensive and do X to limit MPG are because of lazy manufacturers, nothing in the law says they have to do it that way.
I'm okay with this if the government provides me with a black box that will tell me if content is legal or not.
That'll however require that all data uploaded with your service will have to go via such black box, so you'll essentially perform mass surveillance for them.
That's why I said box, and not service ;)
Well, ok, the definition of a "black box" pretty much dictates what it does internally is not known to you, so you can never be sure what data it does/doesn't send out.
"rather than taking in the criticism and warning from knowledgeable experts, they're just adding in duct-taped "but this won't do x" for every complaint where people warn what the actual impact of the rules"
This is pretty typical of committee-planned anything, corporate or bureaucratic. They take concerns and "address" them. As long as everything has been addressed...
just like every TOS and privacy terms agreements users are made to sign
People underestimate what a big pain in the ass internet has been for the EU bureaucrats in the last 5 years. They can't just remove users freedom in one hit, they need to do it slowly: cookie laws, gdpr, copyright. And of course they always put a little bit of "sense" in every rule. This is a classic tactic that has been used by State organizations for maybe thousands of years. You can find examples in ancient Rome, medieval cities, nazi germany, post-1917 Russia. The problem is that while modern democracies had a way to get rid of laws made using this tactic, the nations under EU's rule don't. The reason is that while you only need one good cycle of elections in one nation to get rid of a malicious national law, when it comes to getting rid of EU's rules you need multiple good cycles of elections in numerous nations, then you also need to convince a good amount of bureaucrats, and then you also have to remove the local interpretation of the EU directive. When people say that the EU is bad, it's not just because they want the vote from the stupid poors or they don't understand democracy. There are good reasons derived from political science and in favor of democracy to not accept the current way the EU impose its will on european nations. I hope this post was easy to understand.
GDPR is a good thing for citizens. But leave it to Americans to proclaim something that is good for people bad because it inconveniences corporations.
>But leave it to Americans to proclaim something that is good for people bad because it inconveniences corporations.
I just read the GP post again and I don't see anywhere he indicated his nationality. I understand this legislation is stressful and it may cause you to need something to lash out on but bashing someone's imagined country of origin isn't going to change anything and misdirected anger will probably only make you feel worse.
Furthermore, many of the posters I've seen criticizing the GDPR law have in fact claimed to be citizens of EU countries.
Addendum: I find it disheartening that I wrote this to help the parent poster recognize his misplaced anger and to state facts yet some other people also in an apparent act of misplaced anger/sadness/frustration take the time to down vote me. Hacker News you are better than this.
Disagree on whether it's a good thing, but regardless we citizens work at, own, and buy from corporations too.
One of the first fines went to an online forum critizing GDPR.
when corporations are people and money is speech, humans are merely an inconvenience
Eh, cookie laws don't take away your freedom, and GDPR is overall a good thing.
You're piling on irrelevant things for your anti-EU frame. Enjoy your hard Brexit.
> had a way to get rid of laws made using this tactic, the nations under EU's rule don't
"Under EU rule" the EU is made by its member countries, as opposed to what some people say.
Of course they do. It's an EU directive. Some countries already said they don't intent to move forward with it (Italy and Poland come to mind)
> when it comes to getting rid of EU's rules you need multiple good cycles of elections in numerous nations, then you also need to convince a good amount of bureaucrats, and then you also have to remove the local interpretation of the EU directive
And guess what, this amount of discussion, coming and going is actually helping (people see the BS) in this case.
> Of course they do. It's an EU directive. Some countries already said they don't intent to move forward with it (Italy and Poland come to mind)
You make it sound as if Directives are optional. They aren't. They must be implemented by a deadline set by the Commission, or the member state is open to legal action either domestically or in EU court.
You are correct (once the directive is approved), but there are also degrees and (limited) changes that can be put by member states.
Confused about how that would work in practice.
I took a cursory look out of interest :
https://assets.publishing.service.gov.uk/government/uploads/...
I can see how Directive wording is either taken verbatim ('copy-out'), or brought into harmony with existing laws to avoid duplication.
Not sure how something could be implemented 50% (like a degree), or parts ignored completely.
Also, wouldn't any limited changes have to be approved at EU parliament level before being ratified as a Directive in the first place?
Nice, that's a very informative document. Minimum requirements and avoiding golden-plating seem to be base principles.
It's probably not a copy-paste nor a 'pick and choose' but something that has a bit of flexibility (and it also has to be harmonized with local law).
How do cookie laws remove user freedom?
> cookie laws, gdpr, copyright
One of your examples is not like the others.
How does GDPR remove user freedom?
It forbids letting users exchange their information for access to a service. (Because you can't disallow access if they don't agree to data collection). You can say any such deal is inherently bad and users shouldn't have that option, and you might even be correct, but it's still a restriction of freedom.
> Because you can't disallow access if they don't agree to data collection
Yes you can, if the data is necessary to provide the service. If the data is just generic spying for profit, completely unrelated to the service provided, then you shouldn't be asking for it in the first place.
Please remind us on democratic freedoms of Russia slowly eroded. Or on slow progress of Nazism in face of majority pro-democratic populace. Neither happened.
Germany just requested that France give up their UN security council seat so that the EU could have it
Remember when the EU was just supposed to be a trade union rather than an organization that can pass laws that effect every person in Europe?
https://www.japantimes.co.jp/news/2018/11/28/world/germany-u...
> Germany just
"just": "In the past, [Merkel] and Foreign Minister Heiko Maas have both called for individual EU countries’ seats on the UNSC to be “europeanized.”"
> requested
"proposed"
> that France give up their UN security council seat so that the EU could have it
"To lessen the pain of losing the powerful seat, France could become “the permanent EU ambassador to the United Nations,”"
> Remember when the EU was just supposed to be a trade union rather than an organization that can pass laws that effect every person in Europe?
The EU was never supposed to be just a trade union, that's a key distinguishing difference between the EU and the EEC. (Though even the EEC was in large part motivated by a long-term vision of a United States of Europe.)
Remember when the USA was just a colony and not a superpower? Things change.
"It was so much better when the 13 colonies would just pay our taxes and not complain"
The EU was never a trade union, the EEC was [1].
[1] https://europa.eu/european-union/about-eu/eu-in-brief_en#fro...
<rant> To be sure, we do some pretty stupid shit in the US, for example a senior Senator having no fucking clue how FB makes money.
But of late the EU is looking like it's taking the lead in peak dumpster-fire status. I can't imagine anyone with an IQ above freezing temperature and a heart beat buying into the Article 13 stuff, it's simply mind-blowing.
Of course the porn filter stuff in the UK is a close second in stupidity.
And let's not forget our Five-Eyes friends in Australia with the fantasy land crypto backdoor legislation.
All of this leads one to the conclusion that what's needed in representative government is not term-limits, but age limits. The Septa and Octogenarians running things are not mentally capable of comprehending the world as it actually exists. People need to know when it's "time to go fishing"....</rant>
Thankfully you can fly to Zurich without stepping foot in the EU. And soon - London.
You will find that the Swiss comply with most EU laws, including GDPR in most instances. And so is/has/will the UK. You really can't sit next to one of the largest trading blocs in the world and ignore it, unless you don't intend to do deal with them/ conduct business with them in any shape or form. Good luck in your quest to find, freedom or whatever else you're trying to find.
You guys might be interested in my startup. We are going to provide a copyright content registration service as well as a vetting service for 3rd parties to upload user posts which are then scanned against the registered content.
Are you going to assume all of the liability when you get it wrong as well?
What I don't understand yet is why any of the content holds would help you by providing lots of useful metadata. It seems much more lucrative for them to find your violations and sue for more than they could have gotten from subscriptions and/or ads. Plus, if the site goes out of business fighting/paying, that's one less competitor for their own streaming service.
I suspect an entity like Google could offer such a service, based on its enormous reach, compute resources, and a similar system already implemented for YouTube.
Played right, this could offset some lost ad revenue.
And then suddenly, Google gets the right of life and death on almost any content on the internet. This is dystopian enough to be believable.
Is anyone doing this already? Content FIlter as a service? Presumably, everyone's going to need it now, and it makes no sense for every social network permitting video/audio uploads to build their own.
What's the pricing scheme?
I wonder if the ardent pro-EU supporters on HN believe that the incompetence and deadening hand of the EU bureaucrats only extends to GRPR regulations.
With the Great Firewall in China and Regressive laws in the EU, the US feels like the only place where users have the freedom to choose what their internet should be. Unfortunately, they have to deal with clicking on cookie notices, GDPR and now this.
By freedom, I assume you are a big supporter of the "Restoring Internet Freedom Order" and can't wait until you can choose to add the YouTube or Netflix packages to your internet connection for $20/mo each.
Absolutely. No one is entitled to free content, what's wrong with paying for Netflix/YouTube?
Netflix is already paid.. fyfy18 is talking about paying your ISP for the privilege of accessing Netflix.
I paid for my car. I still have to pay for gas on a regular basis. I still have to pay tolls on many roads and highways.
I paid for a CD once, a long time ago. I still had to pay for electricity for the stereo. And that damn greedy electric company chose to charge me more for listening to it when I wanted to. Sure, I could have played my music from midnight to 6am, to take advantage of my evil utility's lower rates at night, but I chose to listen during the day.
That utility was really evil, too. I wanted to install an electrically powered utility in my old house. It was a dryer. But they made me go out and find some third party to "prepare my electrical network" for the product I had already purchased. I had to find an electrician to come and install a 240V circuit in my house. I already pay for electricity, but they couldn't even be arsed to come fix my wiring for me.
Don't get me wrong. I love net neutrality. But I don't think my preferences should be enforced upon the entire population. I also hate fishing. I don't care for tripe. But I also don't try to enforce that preference on others.
My mother barely uses the internet at her home, but she pays the same price I do. I am a very high bandwidth user. I definitely free-ride on the average user who consumes less bandwidth. It's not fair. I should pay more. But I don't.
I paid for a CD once, a long time ago. I still had to pay for electricity for the stereo. (...)
Irrelevant, you already pay Netflix and your ISP.
A better analogy would be: I paid for a stereo, but now I have to pay for listening to it because it's a Sony, whereas I wouldn't if it was a Philips.
My mother barely uses the internet at her home, but she pays the same price I do. I am a very high bandwidth user. I definitely free-ride on the average user who consumes less bandwidth. It's not fair. I should pay more. But I don't.
Also irrelevant, Net Neutrality doesn't in any way prevent ISPs from charging for the bandwidth you consume. If they don't, it's their decision. It only prevents them from charging more depending on where the bits go.
> Irrelevant, you already pay Netflix and your ISP.
What did I pay my ISP for?
I can pay for cable television. I can pay extra for HBO, or not. I can only get NFL Sunday Ticket on DirecTV. Where is the outrage?
Why is the coax that comes into my house and hooked up to my cable box less deserving of outrage than the coax that comes into my house and connects to my modem?
I can pay extra for HBO
Exactly! You pay for HBO, like you already pay for Netflix. You don't pay a surcharge to be allowed to pay for HBO.
I can pay Comcast $30 for "basic cable". This brings every piece of equipment and signal into my home necessary to watch any programming that Comcast has to offer. There are no technical limitations, but there is some flag in Comcast's system that indicates I am only allowed to watch the channels included in basic cable. If I want, I can call them up and add the HBO package. With no technical improvement, simply an update to my customer record, I can near-instantly see this content.
I cannot purchase cable HBO without paying for basic cable. I have to pay my cable provider a premium for the privilege of paying them for HBO. I could, of course make a contract directly with HBO and stream, though that is theNetflix scenario.
I have a dumb wire coming into my house. Depending on the deal I make with my cable provider, I can have different content available by using that wire.
My internet is a dumb wire coming into my house. I can make a deal with my ISP to have certain things possible on that wire. I have a customer record. They block certain ports. E.g. I cannot run an email server using my connection. If I purchase a business package, they will update my customer record to indicate such and I get a static IP and can now send email. They are allowed to do this.
Both of the above are about dealing with a single entity. So all of these prices are bundled into one payment to one entity.
I can purchase or lease content. One way to do this is Netflix. Another would be to purchase media, e.g. a Blu-ray disc. They are mere providers of content. If I want to consume the content I need to purchase a compatible platform. If I lease content from Netflix I need basically any computer and an internet connection. If I purchase a Blu-ray, I need to buy a player of some sort.
When I purchase my Blu-ray player, there are license fees baked in there to various patent-holders for the privilege of decoding that disc. It's all bundled up into one price, though, for fees and hardware. The purchase of a Blu-ray player is a completely different transaction with a completely different entity than the creator of the disc. The hardware manufacturer is under no obligation to sell me a player, but they do. They are also under no obligation to make their hardware support multiple formats. Despite this it was very easy to find a VHS-DVD player for a while there. I don't think anyone offers Blu-ray and laserdisc.
When I lease my internet connection, that is a different transaction with my ISP, a different entity than the content provider (Netflix). The ISP is under no obligation to offer me a contract to serve all content equally to me, though that has been a common contract for a long time.
Among the actors A, B, and C, there is no obligation on C when A and B make an agreement. There is no obligation and should be none on my ISP when I make a deal with Netflix. Similarly there is no obligation between Netflix and me when I make a deal with the ISP. And similarly with the purchased content and the hardware manufacturer.
If my ISP (who, as a matter of fact IS my cable provider) charges me like my cable provider, that does not seem terribly unreasonable from a business relationship perspective.
All that said, another element of argumentation is that different content providers may subsidize their content. This is, of course, already the case. Netflix gives ISPs streaming boxes for free to optimize delivery of content. A subsidy doesn't have to give cash. I'm sure Google has similar boxes for Youtube content.
Now, what of the nightmare scenario? This is where one content provider pays an ISP to not host anyone else's content. Netflix pays Comcast to not support Youtube. This is different than Netflix paying Comcast on behalf of its customers (it already does in the form of its streaming boxes, which reduce load on Comcast's network - that is very much a direct subsidy). Netflix shouldering a cost on behalf of its customers is just a transfer, we would pay for that in the Netflix subscription (and we do! We pay Netflix. Netflix sends boxes to ISP for "free"? No we pay for those streaming boxes which by definition are a subsidy to Comcast). That's fine. Netflix paying Comcast to block a competitor's content? That's different. And if we need to deal with it, we can. Anticompetitive behavior is already something that we have legislation in place to prevent. And we can use that infrastructure in the case that one actor in the market is distorting it. As we did when Intel made exclusive deals with OEMs to block AMD out of deals. As we did when Microsoft bundled IE for free. As has happened in many other cases.
Now, all that said, I like net neutrality. Actually, I freaking love it. I want it very badly. It is a good thing for me. I benefit from it. But me wanting something is an insufficient threshold for me to support it as a policy. I would love to pay no taxes for instance. I would be better off if most people were not allowed to drive (so long as I get to be one of the lucky few). I would be better off if a lot of things happened, and vanishingly few of those things are good policy. Now, before the strawman cometh, my argument is this:
"I want" or "I receive a specific benefit" is a poor justification on its own for a policy. Similarly "Two of us want" or "two of us receive a specific benefit" is a bad justification. This holds for very large N (certainly more than half of the population - see the case of 51% enslaving 49%).
I am not saying that net neutrality is the same as me paying no taxes, or the other items I mentioned.
My argument is this:
Agreements between party A and party B should not be expected to impose arbitrary obligations on party C. Net neutrality says exactly that: "Because I paid Netflix for a service, Comcast is required to enter into a contract with me to deliver that network traffic to my home"
I would be mighty miffed if Comcast forbade me from watching Netflix. Still doesn't mean that I have the right to impose that obligation upon them.
Of course, that "nightmare scenario" is exactly what happens; since Comcast, like every major ISP, is also a huge content producer and distributor - including with their cable service, and with Xfinity On Demand, which is a direct competitor to Netflix - they are distorting the market by charging for access to other services, just like MS did by bundling IE.
So you can make an hypothetical argument using a spherical ISP that doesn't follow net neutrality and also doesn't own a content distribution service, but in practice the two can't be separated.
Where is the nightmare? Before formal net neutrality laws were enacted and since repeal, the vast majority of ISP contracts are unlimited and unmetered. There are instances of violations, and these have pretty much uniformly been handled by the FTC anyway.
Again, noncompetitive behavior is covered under existing legislation. But "no extra for Netflix because I like Netflix" is not an argument that carries weight. Charging extra for something that incurs cost is not anticompetitive. Comcast can distribute its own content for much cheaper if everything stays on its backbones and doesn't require peering with other networks. Why the hell shouldn't they be allowed to offer their product for cheaper?
Why are existing laws and regulations protecting competition insufficient? Especially in light of FCC rulings that punish anticompetitive behavior even in the absence of formal net neutrality laws.
The sort of freedom referred to has nothing to do with a zero-price. It has to do with the ability of two consenting adults (or we can say "willing parties" if you want) to enter into a transaction to exchange goods or services, or proxies (like dollars).
The opposite of such a freedom is not that one party chooses to charge for some of its services, but that one party is prevented from offering such a service.
You mean like... Netflix being prevented from streaming through your ISP (the only one available in your area mind) because Google paid it more to prefer YouTube traffic? The things Americans will frame as freedom of choice will continue to baffle me I guess.
>You mean like... Netflix being prevented from streaming through your ISP (the only one available in your area mind) because Google paid it more to prefer YouTube traffic?
You mean a thing that has literally never happened anywhere in the US?
> The things Americans will frame as freedom of choice will continue to baffle me I guess.
I understand that you are frustrated with what is happening with this new legislation but it doesn't help you to make up smug fantasies about America just to make yourself feel better. Your energy would be better spent on your own knitting and maybe this kind of thing wouldn't happen.
You mean a thing that has literally never happened anywhere in the US?
This specifically may not have happened, but these things certainly did:
https://news.ycombinator.com/item?id=17284597
Sure, I'll bite.
Is Netflix "prevented" or "not preferred". Let's pick our battle before we fight it.
But there is some useful grounding here. I use the term consenting adults, but perhaps we should refer to "legal entities". I think it is fair to start from a place where legal entities are allowed to enter into agreements with one another.
You are a legal entity. I am a legal entity. Netflix is a legal entity. Google is a legal entity. EI is a legal entity. (I have given the hypothetical ISP in your post a name, Evil ISP.)
There's my starting point. Would you like to continue a discussion about this? Please feel free to let me know if you disagree with anything above, and we can start there.
Apologies if that came out as snarky like the other commenter suggested. It's really a genuine question about that point of view there.
>Is Netflix "prevented" or "not preferred". Let's pick our battle before we fight it.
See, in my mind these two are, legalese aside, absolutely identical for the consumer. Legalese included I absolutely realize they are the same, why wouldn't they? It's just contracts between legal entities.
From the view of a society with states that govern and can, where it benefits or would otherwise hurt society, restrict what entities can put in their contracts I'd say that there are plenty of cases to be made for such restrictions (e.g. worker protections, access to elementary resources, ...).
I'm kind of hoping here that we have some common ground there. I feel like our point of disagreement is whether or not governments should be involved in the case of ISPs, right? My point there would be that if one legal entity (consumer) does not have a wide range of choice (ISP), there hardly is any choice to be had and one party can pretty much dictate the terms of their agreement (and a bunch of other arguments for net neutrality others formulated way better). This might really boil down to the question if we personally attribute some societal value to ISPs being a neutral player or pure infrastructure provider I'm afraid.
edit: formatting
No worries. It's the internet. I was hardly snark free, either.
So, I have a couple priors.
One of these priors is that it is, in general, a good thing to place as few restrictions on actors in society as possible. Not anarchy. Not mindlessly. Just as a general rule of thumb. Something that doesn't need justification on its own, but rather needs a case to be made to go against.
Another of these is that, in general, laws and regulations have costs. Enforcement carries cost. Also, we forego the things that are regulated against - rarely are these things pure evil. Sure, there are exceptions. Genocide is pure evil (though there is much room for compassion for those coerced into participating). This gets us down a rabbit hole quickly.
So, in general entities should be able to make deals. And adding to legislation that exists is costly (as in "bears cost").
The situation you describe sounds a lot like a monopoly. The nightmare scenario presented in net neutrality is typically "Netflix is blocked because Google paid more to let Youtube through". I think this is categorically different than "Netflix is now more expensive than Youtube is". Especially because the latter sentence is already true. We can disagree here.
The case is one of actual blocking. E.g. Google makes some exclusive deal with Comcast, where Comcast does not allow traffic from other streaming video suppliers. This is clearly anticompetitive, and we already have regulation to address it. Comcast and Google would both be blatantly in violation of anti-trust regulations and could be prosecuted. We don't need net neutrality to prevent this. Indeed, there are cases of wholesale blocking of this sort in the past that were dealt with by the FCC without formal net neutrality legislation in place. E.g. Vonage got blocked by an ISP that offered landlines; ISP got smacked.
So as I see it, we're left with the case of differential pricing.
So it seems to me that net neutrality addresses two primary concerns: true anticompetitive behavior and differential pricing.
In the case where services are priced differentially, but all are available, I honestly see very little difference to cable TV. And there seems no inherent reason that all traffic should carry the same price, as it is not the case that all traffic costs the same to an ISP.
So what might cause differential pricing? Sure, Google could pay Comcast to discount its services, but that's just a transfer. If Google pays Comcast to make it easier to get to us, well we're making that up to Google somehow. They're not doing it out of the goodness of their hearts. Either we're paying with data and ad impressions, or it's baked into the subscription price.
If Google enters a contract with Comcast which has Comcast charge extra for Netflix traffic for no other reason than Netflix competes with Youtube, then we're back in an anticompetitive scenario and don't need net neutrality.
But it is reasonable that different traffic costs differently. If Comcast is offering its own streaming service, they can serve that entirely on their own network - no need to use any peering agreements or pay for bandwidth beyond their own infrastructure. If Youtube or Netflix comes from outside of Comcast's network (not always the case - Netflix subsidizes its traffic by offering streaming appliances to ISPs), then that traffic IS more expensive than Comcast's own content. This seems entirely reasonable to price differentially.
Ultimately, I would like net neutrality, and would personally benefit from it. Or rather, I would personally have my current state prevented from being negatively impacted, since net neutrality is largely the status quo. I do not fail to see this. But it is an argument that doesn't hold water with me (I am not saying this is your argument, simply that it is a common one).
So, I think we may be at a bit of an ideological impasse. If I interpret your response correctly, one of your priors is roughly "if we see an area where we think we can improve things through legislation/regulation, we should". My priors lead me to look askance at new regulation/legislation. I don't see why we need net neutrality, only why we might want it. For me, "need" is the threshold for legislation, not "want".
Let me know if I'm off on what I suggested as the two primary issues addressed, or if you have questions on where I'm coming from, or if I seem to be off on interpreting your stance.
I almost had to laugh after the US just recently abolished Net Neutrality. And what is the grind with cookie notices and GDPR? I very much like to know what companies can do with my data, what data they have and demand deletion of it.
This is not against companies, it's for people. Companies should have had these information in the first place, now they just need to display it to the user but I guess thats too much to ask.
Im all against filters but cookie notices and GDPR are consumer friendly laws which I like a lot.
GDPR has a lot of positive elements (and some drawbacks). I can't imagine what you like about cookie notices though.
>I almost had to laugh after the US just recently abolished Net Neutrality
Your laughter is misplaced. America didn't have net neutrality up until fairly recently and before it was enacted, the internet worked just fine. It'll work just fine now. And if it really matters that much to you that you feel some kind of emotional release from your own worries, just know that many states are already putting laws on the books to reinstate it.
Edit: I can't seem to respond to Superleroy so I'll put it here. Laughter is good but laughing at the imagined misfortune of others indicates moral failing. Regarding the state of internet in the US, that is easy to test out. I have Comcast. Name any website or any service and I'll see if I have any trouble accessing it. As it stands, I haven't noticed anything amiss. I run ssh, a web server, I have several Python script that run all day consuming web socket feeds. I naturally stream video etc. No problems and it is all very fast. I have access to 2 Gigabit service. I believe your assertion that my Internet isn't good is in error. You did mention that it makes you happy to laugh at other's misfortune though so if it makes you happy, imagine my internet being terrible. I won't be mad.
Well last I heard ISPs were not providing top service to say the least. So unless "working just fine" means "it's really shitty but hey we have internet", I would say that no, the internet is not "working just fine" at least from that perspective. I don't know why you think removing net neutrality laws was a good idea but maybe you can elaborate.
Laughing truly makes me feel better and distracts me from my worries, I don't know why you have to be condescending about it. I did not say that I think filtering is a good idea, the contrary is true. I just think saying that the EU pass regressive internet laws, while the US is the beacon of freedom and choice is laughable.
I did not laugh at others misfortune or moral failing but at the following sentence "the US feels like the only place where users have the freedom to choose what their internet should be". I do not laugh at people having only a single choice of ISP or the abolishment of NN, but at the blindness with which that statement was made. If by "users" ISPs are meant then I agree, but let's be real, users often don't even have a real choice of ISPs, let alone what "internet should be", whatever that means.
With the rest of what you wrote, I don't even know what argument you are referencing. Was it that I said the internet is shitty? Nowhere did I say that you can't access a website so Im not exactly sure why you want to test access to websites or state that you can stream video. Is that all it takes for you to say that your internet is "working just fine"? Maybe I understand that statemend a little wider than you do, so let me elaborate: When I say "it's really shitty" I mean more than just accessing websites, I mean bad industry practices, non competing ISPs and no or limited choice of ISP, total surveillance, rampant data collection by big companies, etc. For me this is not a sign of a "fine" working internet. But if you limit it to "I can access websites" then I agree with you.
To your last point, I never asserted that your Internet is slow or that you can't access sites, so I don't know why you keep misstating my comments.
>America didn't have net neutrality up until fairly recently and before it was enacted, the internet worked just fine.
Yes, America did have Net Neutrality. Net neutrality was the norm for the entire history of the internet, and it was formalized in law in 2009 after Comcast started blocking torrent traffic in the late 00s and people asked the FCC to do something about it.
The net neutrality kerfuffle in 2014 was due to a court decision overturning the earlier law (based on the logic that "net neutrality" and "common carrier" are similar enough that it's unfair for them to be different categories".
I would say neither the Great Wall nor the European laws will threaten the freedom of internet as much as the large US internet monopolies enforcing their behavior on the whole network.
>I would say neither the Great Wall nor the European laws will threaten the freedom of internet as much as the large US internet monopolies enforcing their behavior on the whole network.
And thanks to this copyright law, these companies that affect both of us equally today will be much worse for your tomorrow. The upstarts to challenge these so-called monopolies won't be hamstrung by weird EU laws in the US but they won't be able to even try to challenge the incumbents on European soil lest they run afoul. So a problem that everybody had is now much worse for you. And you take time out of your day to be smug.
Edit: @krageon, Facebook is having much difficulty with the younger demographics and other services not owned by them are siphoning off their users. And Google is mortally afraid of voice search and assistants eating their lunch. They are not unassailable. But we really don't need their positions further cemented with misguided laws.
Where were these "upstarts" when Google and Facebook were busy destroying the ecosystem before these laws? I'll tell you where they were: They were being assimilated using the huge piles of money these companies made selling anything and everything they could find on you to everyone who was willing to pay.
So how are the click troughs on the amp stories doing in the land of the free?
The difference is choice. You can choose not to click. No one's deciding whether something should be clickable for you, which is the point.
Did you forget about net neutrality in US? All of us as Fucked, Australia too, with their encryption thing.
A small, idiotic part of me wishes this actually passed. Let's just get this over with as quickly as possible. Let the EU purge their bottomless need to "save" the world and write as many regulations as they have in them, or can be influenced into, and maybe eventually the deluge will touch enough citizens so it becomes clear that this much concentrated power was a mistake.
It's not like this not passing will matter anyways because there'd be another attempt, and then another, and another, ad infinitum. The EU would clearly have passed this thing thousand times over already if it wasn't for the pushback from its subjects, but you only get the pushback on the first couple of attempts. Eventually, people's interest fade. They've got shit to do, can't police their representatives each waking moment, and foolishly assume that a representative body will honor the will of their far away constituents, should the same matter ever again be decided on. So really, as long as there's the EU and special interests that want this, it's pretty much a sure thing this will eventually be passed.
With the GDPR, it seemed like the EU turned into a PR firm that mounted a massive union wide marketing campaign but there's no such effort this time. Is this the difference between EU's own pet projects and directives where they're just a clueless underwriter?