Hacker News | lajhsdfkl's comments

This is at least the 5th instance I've seen of a website announcing their closure due to GDPR on Hacker News. Most websites probably wouldn't announce it and given that a post about simply blocking all EU users got upvoted to the front page less than a week ago I doubt the idea of blocking all EU users isn't more prevalent.

https://www.polygon.com/2018/4/28/17295498/super-monday-nigh...

https://digiday.com/media/gdpr-mayhem-programmatic-ad-buying...

http://money.cnn.com/2018/05/25/media/gdpr-news-websites-la-...

https://www.theguardian.com/technology/2018/may/24/sites-blo...

Try doing some basic research before asking leading questions that you don't expect responses to.


> Yes, this is really little different from shutting down a whole forum because you received a single DMCA request.

Completely unrelated. Not only are DMCA requests easier to handle than data access requests, the fines for not complying with GDPR are disproportionately larger than for violating DMCA.

Work required for complying with a DMCA request: delete the offending material, a basic feature implemented on every single piece of forum software

Work required for complying with a data access request: Search every single service you potentially could have stored user data in and provide it to the user. A non-basic feature that requires custom development.

Additionally any malevolent user (as is shown in this case) is incentivized to send a GDPR data access request while this is not true for DMCA.

I agree however that they are both horrible laws. So if your argument was to show that GDPR is just as bad as the DMCA I agree. GDPR is a horrible law and it is not obvious to me that the law wasn't created specifically to target non-European business.


Except this forum software does provide a tool that lets the user export their own data, as well as a tool that lets an admin strip all identifying data.

The only way this targets non-European businesses is because the litigious nature of US culture seems to lead to this sort of overreaction.

I'm also not sure how a malevolent user is any more incentivised to abuse this than DMCA. The DMCA lets them issue actual legal threats and action. This just allows requests.

The DMCA helps big business at the expense of the general public. This does the reverse. It's no wonder there's been so much noise and scaremongering.


A lot of the US overreaction to the GDPR probably stems from the fact that they assume that Europe has a system where parties sue each other, the jury system, as opposed to the state suing parties, the inquisitorial system.

Getting sued in Europe is a huge deal, getting sued in the US is part of doing business.


Yeah from what I have heard the main reason for this law is to stop obvious abuses to people's privacy. It seems that most overreactions are due to ignorance of the system behind the law or to make some kind of political statement.


As a proponent of North American small businesses to just stop doing business with the EU my motivation doesn't stem from the ignorance of the system rather the knowledge of it: the fines will be issued by the relevant authorities of each and every EU state according to their own interpretation. Certain countries might see this as a neat little cash grab opportunity.


I just don't see the EU giving fines to American small businesses. What kind of money could they expect to get out of them? I'm curious though, what EU countries do you think are so desperate for money that they would basically extort American small businesses?


Hungary for sure! (I'm a dual Canadian-Hungarian citizen.)


This is exactly what I mean. Europe has functioning government that can't be fathomed on the other side of the Atlantic.


Seriously? Spain, Italy, and Greece don't have malfunctioning governments?


They still provide better service for their citizens than say New York or California.


Not even remotely close to true.


Incorporating in the UK is a great way to stop this.

The ICO is extremely reasonable and personable in my experience.


Ever heard of Brexit?


If Brexit has any impact (which is unlikely, but admittedly still unclear[1], [2]), incorporating again in Ireland or France is very easy and has similarly-minded regulators.

[1]: http://researchbriefings.files.parliament.uk/documents/CBP-7...

[2]: https://www.ft.com/content/afff45a0-1597-3f1c-a6da-79c3f61e6...


I'm in favor of GDPR, but this is how it can be trivially used to target non-EU companies. EU regulators can be pressured to more aggressively pursue dominant foreign companies (or lay off important domestic companies) which many people already believe they do in various industries (banking/finance especially, as well as tech, automotive, aerospace, pharma...).


>Except this forum software does provide a tool that lets the user export their own data, as well as a tool that lets an admin strip all identifying data.

Completely beside the point, there are hundreds of different pieces of forum software that may not have that feature implemented.

>The only way this targets non-European businesses is because the litigious nature of US culture seems to lead to this sort of overreaction.

Did I ever bring up litigation? What is your point here?


You brought up it targeting non-European business. That was the main way it seems to have disproportionately affected them.


How about you try answering this question I posed to you

What is your point here? What is your point when you say that the EU is not litigious? Are you saying that I shouldn't expect to receive a fine for violating GDPR? Are you saying that I should just ignore GDPR data access requests if I am operating in a supposedly ethical manner and I am not selling user information?


I didn't see any question in there. My answer though is: respond to the request (which shouldn't be as hard as some are making out), but don't worry about fines unless you've been misusing the data or repeatedly ignoring warnings.


That's not how laws work. Someone has to prove they are innocent if another person claims they aren't to regulators. There is a cost to that. There is no way the law can know perfectly who is 'misusing data' beforehand.


Then wtf is the point of GDPR if nobody will be sued for violating it?


You've posted dozens of comments in GDPR flamewars. This sort of high-quantity, low-quality controversy quickly gets extremely repetitive and thus is off topic in addition to breaking the site guidelines (https://news.ycombinator.com/newsguidelines.html).

Since that's all this account has done and we don't allow single-purpose accounts here, I've banned it. Please don't create accounts to do this with.


The point is to make companies stop misusing data. The fines are the teeth for if they don't stop.


So I should be afraid of litigation?


No. The only reason anybody will be fined is if:

a) They are doing the thing we have collectively decided is bad for society (misusing personal data)

b) Do nothing about this when somebody invokes one of their new legal rights, whether that be to retrieve the data you have on them or remove the data you no longer have grounds under any of the six legal bases to store (which includes 'consent', which can be revoked, as well as five other bases which cannot be revoked but have more limited scope with what you can do with the data)

c) Be reported for this

d) Refuse to work with the compliance group

At this point, judging by how the EU has historically used fines as an enforcement mechanism, you're looking at a small fine designed as a wakeup call. The 20 million EUR figure (or % of revenue) is a _cap_, not a floor, and the EU has never gone for maximum fines except when it is obviously required to enforce compliance.


> there are hundreds of different pieces of forum software that may not have that feature implemented.

"Can I have all my data?" is not new to GDPR. It has existed in previous data protection law. How did people cope before?


> Additionally any malevolent user (as is shown in this case) is incentivized to send a GDPR data access request while this is not true for DMCA.

People send fake DMCA takedowns all the time.

If someone sends you a GDPR data request, you can ask for administrative costs. You can even ask it to be mailed to you via post. If someone sends you a bogus and unreasonable GDPR data request, you can ask them to pay you a further reasonable fee.

This can almost be an auto-response. Trolls will get bored.

> Work required for complying with a data access request: Search every single service you potentially could have stored user data in and provide it to the user. A non basic feature that requires custom development.

This is not true. Recital 62[1] says you don't have to give them any data they already have, and Recital 57[2] says you aren't obliged to determine which of your data identifies them if you aren't going to do it anyway.

[1]: http://www.privacy-regulation.eu/en/recital-62-GDPR.htm

[2]: http://www.privacy-regulation.eu/en/recital-57-GDPR.htm

> I agree however that they are both horrible laws.

I like the GDPR a great deal, and I think it'll be good for companies big and small in the long run. Disclaimer though: I'm doing some GDPR consulting, so you might prefer to think I'm getting paid to like the GDPR.

The scary bit seems to be for companies that approach compliance from the point-of-view of centralising understanding, and minimising the impact and costs of that compliance. They're looking for someone to tell them "this is enough effort", but the point is that Europeans don't want people playing chicken with their data[3].

As soon as companies realise that embracing the spirit of the GDPR is cheaper, it starts becoming a real opportunity for them.

[3]: https://www.sec.gov/Archives/edgar/data/33185/00011931251815...


I felt the regulation text itself was clear that the first request is free.

"1 - The controller shall provide a copy of the personal data undergoing processing. 2- For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs."

https://gdpr-info.eu/art-15-gdpr/


The ICO says that the fee must be based on the administrative cost of providing the information which seems consistent.

Since you're allowed to respond to the first request with a list of the types of information you control, you should be able to do this without a search (and without undue costs).


> if Lockheed martin were to start a Gmail, GDocs equivalent tomorrow, would you use their services knowing how closely they work with the military?

Them working closely with the military would not be the reason I would choose not to use their service considering that almost all emails already go through NSA servers.


>We put our faith into them, in the hopes that they would honor their creed, that they would do no evil.

Working for the US military is not doing evil.


It is if they are doing evil things, which they have done, a lot.


> then it implies that there is nothing special about markets

How so? It implies simply that markets are not efficient. It does not imply that state control would be more efficient and it does not imply that markets are not the most efficient way of determining the value of a resource.

What it definitely says however, is that a government committee could not, in any way, successfully determine the value of all goods and fix prices based on that determination.


> It implies simply that markets are not efficient.

No, it implies that efficient market states are an NP complete problem. And that we are likely approximating the optimization of efficiency (of the allocation of resources) using markets. Different approximation algorithms have different properties. Might markets be the best in every possible way, sure, but it's very unlikely given what we know about approximation algorithms. It's like one of the best variants in one way, perhaps that's the best way, but we should figure that sort of thing out. And that's what this paper is laying the groundwork for.

> What it definitely says however, is that a government committee could not, in any way, successfully determine the value of all goods and fix prices based on that determination.

In its editorializing about markets. Which isn't incorrect. But the larger consequences of efficiency being an NP complete problem means that there are many possible algorithms we could use to solve them if they are given equivalent resources. If those equivalent resources are thousands (or millions) of government panels then we should be able to mathematically prove equivalency. That's my point.


> If those equivalent resources are thousands (or millions) of government panels then we should be able to mathematically prove equivalency.

There is a method of solving an NP complete problem with thousands (or millions) of government panels?


There is a method of solving an NP complete problem with millions of companies participating in stock markets?

Your question is not related to my point. And you'd have to at least answer it for markets first before I would bother to try. My point is that it is an interesting area of research, we should answer both questions and their interrelationships.


Is the law only effective at protecting privacy in your mind if it kills Facebook's and Google's business model?

Because I suspect that is what GDPR advocates truly want.


I became an advocate for GDPR after I started implementing it for the company I work for. I am an advocate for it because it requires companies to think hard about what they need the data for and whether or not it is going to adversely affect their customers.

Before GDPR there was virtually no downside for gathering private information. There was no downside for using that information to profile customers for any purpose you want. Now there is a downside: you have to tell the customer what you are doing with the data and you have to get permission to do so if the use is not related to the service that you are providing to the customer.

IMHO this strikes a good balance. You can still use the data, but there is a cost. Even within the organisation where I work, it has completely changed the way they look at this data. Previously the attitude was, "Let's collect the data and use it, because why not?" Now we're being told, "These are the only things we want to collect data on because we don't want to piss off our customers".

This is exactly what I want. I have in the past used Facebook's services. I currently use Google's services. I don't mind if their business model is destroyed because IMHO, on balance this way is better. I don't mind if people will have to pay for services like theirs. I'm old enough to remember a time where it was already like that -- it's really not so bad. Having thought about it (by way of being required to implement GDPR), I'm going to move away from the Googles et al. Having seen the transition in the company I work for, it's clear to me how much better it is.


If their business model is violating privacy, then sure.


I don't believe the 2 party system is the problem. Look at political polarization in a country like France and it's just as bad.


GDPR benefits the US and US tech dominance. With GDPR the EU just legislated away one of the most profitable monetization schemes ever devised. I think the administration will sit back and do nothing and watch the fire from across the pond.


> legislated away one of the most profitable monetization schemes ever devised, when it is used against and without the consent of European customers

Fixed that for you.


It turned it from a monetization-scheme to a donation-based scheme. Let's not lie, we know these don't work, we all know the ruse.


You mean the consent like not going on the website in the first place? And if all GDPR was just a bunch of consent forms it wouldn't even be a problem.

GDPR is bad/onerous for the following reasons

- right to have access to the information that is being stored on you

- right to be forgotten

- right to view a web page without being shown ads

If GDPR was only asking for consent + banning the sale of information to 3rd parties it would hardly have had the chilling effect it is currently having.


You mean

- right to have access to _your_ information

- right to interrupt the service and get back _your_ information

- right to view a web page _with_ ads but without obligation to give to anyone _your_ information


I don't care how you reword it, those "rights" are stupid.


Good. Not everything needs to be "monetized".


>Good

I've been seeing GDPR supporters saying that a lot recently. Time will show if it's true. I admit it's possible that removing ads as a revenue model could somehow allow Europeans to innovate and discover a superior model but I'm not betting on it.

Thank you Europe for being the guinea pigs, you will either lead the way or hopefully prevent others from making the same mistakes.


Hopefully prevent others... You just admitted you are on a crusade whatever the truth or outcome?


My reading is: if it's a mistake, hopefully other people learn from it. Because usually people only learn from their own mistakes.


This is correct.


Thank you for giving my comment the least charitable reading possible. If that were the case why would I even bother leading with

"you will either lead the way" If a better monetization scheme than ads arises from the ashes of GDPR then I really will have no reason to be frustrated.


Correct. EU businesses have been put into one-way contracts to service their customers.


>If anything, GDPR should be seen as an opportunity to disrupt the quasi-monopolistic online ad market.

It's amazing to me how people manage to fool themselves into thinking there is hope when the world is crumbling around them.

If Google can't make ads profitable in the EU what makes you think some tiny European company will be able to disrupt the ad market?

How would they even do it without tracking? I can see the conversation with major brands now

EU Ad Startup - "Trust us, the ads you are paying for are performing great. We are very confident that they are driving conversions on your website."

Brand- "Ok, do you have any numbers to prove we are receiving conversions due to your ads?"

EU Ad Startup - "No as that would be illegal under GDPR, but please trust our business."


Which is how the paper and TV ads industry worked for more than half a century, forcing brands to push creative limits in creating campaigns that we regard sometimes as a pinnacle of arts and media culture. Just because the Internet lets you laser focus a campaign by profiling the shit out of people, it doesn’t mean that is how things should work.


> Which is how the paper and TV ads industry worked for more than half a century, forcing brands to push creative limits in creating campaigns that we regard sometimes as a pinnacle of arts and media culture. Just because the Internet lets you laser focus a campaign by profiling the shit out of people, it doesn’t mean that is how things should work.

How did the paper and tv industry work? Oh yeah, advertisers would crowd around and bid up the largest players. Small niche products would receive little to no revenue and die quick deaths.

That is what I suspect will happen in the EU. Without tracking, advertisers will be unable to know how their ads are performing. Without metrics such as conversions which require end to end tracking advertisers will need to rely on the reputation of the platform.

Products such as Google and Facebook will receive significant attention from advertisers. The tiny blog you enjoy reading that is barely scraping by will receive very little.


> Without metrics such as conversions which require end to end tracking advertisers will need to rely on the reputation of the platform. Products such as Google and Facebook will receive significant attention from advertisers.

Yes that's a valid concern. But blogging hasn't been profitable or even sustainable for a very long time now in the way it used to be ten or fifteen years ago, with YouTube, Fb, microblogging platforms, and news aggregators having taken this space instead. Those who keep on running blogs do so for promoting their own services, products, or other agendas, or as a hobby, and will continue to do so. So it's not a terrible loss really; the great starving of blogs has already happened in the past.

But sites such as product review blogs could get a boost by ad money being in need to be allocated in innovative ways. Post-GDPR advertising requires thinking a little bit out of the box, and leaving the "ad" model as we know it behind which isn't very effective to begin with. If you consider attention a scarce resource to compete for, I could imagine ad money going into more and new native advertising sites, temporary sites for local events with direct sponsoring, focused sites for special interests, etc.


Small niche products thrived on their inherently high precision in content-based targeting. When their niche had ad buyers. (edit: actually I meant "if", niche content providers without much on-topic ad budget are a winner of tracking-based targeting)

The more recent capability of targeting those niche ads also on random click-bait sites didn't exactly help those small niche products.

(Edit, for clarification: with unrestricted tracking, if you publish to a niche with good ad money, the few ads that you do show, for a tiny fraction of the ad budget of your niche, become the information source used for drawing much of your niche's ad money to ads displayed to your audience on unrelated sites. Your ad-network should practically "steal" your content-targeting information to divert on-topic ad money to entirely unrelated sites)


> Your ad-network should practically "steal" your content-targeting information to divert on-topic ad money to entirely unrelated sites

Do you have a link to support that? I believe it, but I'm looking for an article that explains it well. I read one that had a good example of an advertiser basically telling the operator of a high-quality, premium site that he's only going to use them to gather audience targeting information so they can be targeted at cheaper sites.


The tiny "share on facebook" button, a google analytics script and so on, you don't even need to show an ad to associate my browser identity with the topics on the site I am visiting. But ads can certainly serve the same purpose.

Maybe you misunderstood what I meant (my wording wasn't exactly perfect), I'm not talking about some dramatic ad-fraud scheme: without tracking-based targeting, all ad-money about scuba-beekeeping (just making up some really small niche) would go to the few sites dedicated to pleasures scuba-beekeeping. This is how Google started their dominance, they were the best at automatically matching scuba-beekeeping advertisers to scuba-beekeeping websites. Content-based targeting.

With tracking, ad-networks show a small, cheap ad (or even just some tracker the site includes without monetary compensation) on the scuba-beekeeping site and take a note that the browser identity is a target for scuba-beekeeping. Ads about scuba-beekeeping will now appear to that browser-identity on random news sites and the like while the niche site won't see a cent for the targeting information.

All in all, if the "native" ad market (the one addressable by content-based targeting) of a site has above-average value per eyeball, a site will tend to lose more from cross-site targeting than they will gain from showing ads unrelated to their content (but related to whatever their visitors have visited before), if the "native" ad market is lower then they may win. Visit frequency also plays a role, if the content-targetable sites take only a small percentage of their users' browsing activity, a no-tracking scenario would cause a bidding war amongst on-topic advertisers, if they take a large chunk of their users' browsing, inbound tracking targeted ads (about other topics) could easily more than make up for the losses in on-topic ads.


An excellent argument that isn't receiving the attention it deserves IMHO.


It should be possible to track ad campaigns and therefore see exactly the turnover ratios as long as the campaigns are broad enough that they don't target individual users.

In the analog world they do this for example via coupon codes which are unique to the ad.


>It should be possible to track ad campaigns and therefore see exactly the turnover ratios as long as the campaigns are broad enough that they don't target individual users. In the analog world they do this for example via coupon codes which are unique to the ad.

This will severely undercount the number of conversions. It's not atypical for someone to view/click an ad and then purchase at a later date through a different channel.

It was possible to track that before GDPR. It is not possible now.


By following a different business model? Employ a small team, sell ads based on relevance to the content you're reading, going after niches... It's not like there's only one formula for success. GDPR is going to force a different formula on the market.


This relies on the fact that your business can be served anywhere. What if you're in a niche that can only be limited to your area or to people who speak a specific language in that geographical area?


>The US holds one dominating advantage in one subset of technology. Consumer-facing internet tech. While a lot of people employed in this field commentate on this website, it's a marginal part of the tech industry, and it's not worth sacrificing privacy for, Europe does not need Silicon Valley to produce high-value products.

> it's a marginal part of the tech industry

Hilarious

