Except this isn’t really true. Streetlend made its money by selling your privacy data to advertisers through Amazon. So when you put up a power drill for lend, people would see power drills for sale at local shops, based on their online presence harvested through stuff like their Facebook account.

The really ironic thing about that this is that streetlab imagined itself “ethical” when it’s entire business model was selling your data...

The GDPR isn’t really that hostile to small business and it doesn’t require an understanding of law. You can hire a data protection officer at a legal firm for almost nothing, and as long as you follow their advice on how to pass audits, you’re really not in trouble.

That being said, the GDPR is really hostile toward startups trying to make money the same way Facebook and Google does. You need to have a massive legal department to do that, and Streetlend obviously did not. But is that really so terrible?

It may call for a new business model for the internet, and that may seem impossible right now. But do you remember when the EU outlawed environmentally shitty lightbuilbs and everyone said we were going dark because it was impossible to do anything else? Today 95% of lightbuilbs are LEDs because of that.

Startups will find a way to make money that isn’t selling your data.

If you mean he just slapped some Amazon ads on his site to support his side project, then accusing that guy of "selling your privacy data" requires quite a bit of mental gymnastics and is a pretty dishonest description of the facts.

The blame here is wholly with the users for putting their data online in the first place (really, you can go a very long way with my.fake.name@gmail.com!) and especially Facebook for providing the framework that enables this all.

*edited for grammar

Blaming users for providing their personal data is strange -- if the implication is that nobody should provide their personal data because it can be abused then is it not obvious that the use of personal data should be regulated?

If the majority of banks lost your money regularly, would you blame customers of the bank for using banks -- or would you say that banks should have stricter regulations to stop people from being screwed?

As for the Amazon bit, I think you're underselling it. Amazon tracks users in arguably unethical ways (due to the lack of consent, and the scope, and the inability to opt-out) and display their ads is inflicting that on your users. If you care about your users privacy (which is what GDPR is trying to enforce) then you would know that "just slapp[ing] some Amazon adds on [your] site" is not the correct approach to handling users' personal data. I do agree it's not trivial to handle GDPR if you don't have a lawyer (though you can get a data officer from a legal firm), but complying with laws is part of doing business.

See, I disagree with this very premise. Why is it true? It's _not_ my data; it's data about me. Even things like pictures, once shared, are no longer under my control. I actually feel it's fundamentally dangerous to make users think they actually control data they don't.

> If you care about your users privacy (which is what GDPR is trying to enforce)

I also disagree with this. The GDPR doesn't do anything to make companies handle my data more carefully or responsibly.

If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely. The rest of my data is no different. I own my data and the data about me, not them.

GDPR gives users the controls and governance over their data that should have always existed, but that tech companies gaslighted users into believing doesn’t exist.

This is where it becomes murky for me.

If you send me that photo via email, should you subsequently be able to revoke my access to that photo. If so, by what means?

If you used a closed messaging system (say Facebook's messaging system, or Apple's Messages), should you be able to revoke access?

If you follow the argument a hop, skip and a jump away, what happens if I submit a photo to a publication and they run it on their website? Can I revoke access? What if that publication has published that photo in a physical form?

ie, where is the line where a reasonable person should expect that the data they have willingly shared/published has slipped beyond their control?

All other rights are reserved. Would it change the dynamic to be able to revoke access to assets in a private messaging system? For sure. But copyright law (at least in the US) supports this right of the copyright owner. The inability to revoke access is a failing of the tool or the product, not the law.

> The inability to revoke access is a failing of the tool or the product, not the law.

Does the law need to change? Or (in the case of email) is it fine as is because the reasonable person realizes that once you hit 'send', the content is out of your control?

I'm sorry, but it's not. Full stop.

> If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely.

I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.

> The rest of my data is no different.

Exactly, you have no control over it.

> I own my data and the data about me, not them.

No, you don't _own_ your data.

> GDPR gives users the controls and governance over their data that should have always existed

No, on all accounts. There is no reason at all that you need to delete accounts or force anyone to delete any information about you. That's all just silly.

> but that tech companies gaslighted users into believing doesn’t exist

That's also silly. If you don't control something, you don't control it. Full stop. I don't understand why you don't understand that.

On the one hand, the other guy is legally correct - gdpr's purpose is to legally give individuals control over data about them (pictures they upload, addresses they input, whatever). That control is responsible on a site to site basis - if a person's naked picture is leaked online, every single IP address that hosts it must take it down if requested, or violate gdpr.

You're making a functional argument - if a person's nudies are leaked online, they don't functionally have control over that data. Morals and laws be damned, that picture is staying on the internet.

You can both disagree about the morality of this but simply restating both of your points with more "full stops" is pointless. If you're both really having trouble understanding each other's positions, step back and try to defend the opponent's decision.

Which is my point. You no longer retain any control over it. A law saying you have control over it is silly, because it's worse than worthless: it makes me think I have control over something I don't have control over.

Laws cannot magically manufacture things which cannot ever be created.

Moreover, the gdpr doesn't prevent any of the problems that have caused data breaches in the past. The way that Target and Equifax (both of which could easily claim the data they had was essential to their business: Target with credit cards and Equifax being used by banks to coordinate information) are both equally likely under the gdpr and both equally unpublishable.

As for Facebook and Cambridge Analytica, how would this have been prevented? Facebook can just ask you to opt in to their usage of your info to use their service. Facebook can share information with other entities that claim to be gdpr compliant. Other entity then shares information with other people outside of Facebook's control.

I just don't see how the gdpr changes a fundamental fact: you no longer control something someone else has. Laws cannot change that. Laws can give you recourse, but they cannot change it. I actually believe that it's dangerous to believe that I have control over things I don't: it's a false sense of security.

Also there's the fact that companies can end up sharing data to other parties, or a company can be acquired and change their mind about what the data will be used for (which is allowed because of the originally nebulous scope of their T&C which was specifically designed to allow for expansion without asking for user consent explicitly when usage changes). GDPR provides methods for users to be protected in both of those cases -- while just enforcing education does not.

Not to mention that if education was mandatory, then the same companies complaining about GDPR today would be complaining about educating users how their services abuse their dignity. Cutting Google/Amazon/Facebook/etc slack for making hundreds of billions from users' personal data and creating "Big Brother"-esque profiling systems for their billions of users doesn't really seem rational to me.

If I owned a site I would not have a problem to delete someone's personal data.

Also your sugguestion is that if you want to keep your data protected then you should not be using anything on the Internet or make any deals because once you have ordered something on Amazon it can sell your data to everyone else? Or when you rent an apartment, realty agency should be allowed to share your name, SSN, bank card number and address with everyone? No, I don't think it should be this way.

If I find the person that owns the server hosting my data, and I put a gun to his head, and I say, "remove my data," do I now control that data?

What if I instead pay someone else to go around putting guns to the heads of server owners? If I build an army?

What if instead of that I communitize my resources into a legal system that doesn't put guns to people's heads, but will take their money away and put them in jail if they don't follow the laws?

Don't get me wrong, I'm with you in the hacker-culture sense: fuck the system, man, if Google wanted to it could probably blackmail individual US government officials to the point that it took the country over. I get that. I guess we can get deep into a political science debate about governments and social contracts.

Put it this way: Is your sense that you can walk to work without getting mugged a false sense of security? If not, the only alternative is homesteads with militias (not walking to work anymore), or, arming entire populations (putting the burden of self-defense on the people). In the past, this has been tried, and led to gang rule.

If we "give up" on legal systems, we have ample evidence for what happens. When you apply those lessons to the digital space, maybe it's not 1:1, I guess some countries will be learning that for us, while others will try things like GDPR.

It's all a journey for human civilization. People like you that promote self-defense are great because we get amazing government-agnostic tools out of the deal. People that support GDPR are also great because we can test out "social contract" methods.

What's wrong with dancing around both sides of the aisle?

The gdpr makes people think that they don't need to think about what they share and with whom. Do you really think companies are going to significantly change just because of this? I highly doubt it. Sure there will be some things, but in the end many of the same patterns and uses will emerge.

You keep writing as if everyone has a meaningful choice about who gets data about them, but clearly that is not always the case. Someone may obtain data about someone else from a third party, and you can't avoid sharing a certain amount of data and still function as a normal member of society.

The idea of absolute, black-and-white privacy, where either you share personal information or you keep something completely to yourself, isn't very useful in the modern world. Our conventions must be more nuanced than that, and in practice that means what really matters is who gets access to data about you and what they're using it for.

That means basically don't share them with anyone, don't sign any contracts, don't work and live in the street. Because even your employer or real estate agent can sell them to anyone else in your model.

Aside from the "nuh uh; uh huh" nature of this exchange, I really don't understand what your position.

> I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.

I'm not sure what youre definition of "control" is, but based upon the arguments you've made about "control" above, I assume you mean it in some absolute sense.

Ownership definitely implies control. He can use DMCA to compel a third party to stop publishing his photo, for example. How is that not "control"?

Your definition of control seems to be somehow about capability or power, rather than normative ethics or legal right. Which is a rather absurd way of talking about this issue.

In that sense of control, I don't even control my own body. Someone who is stronger than me can hurt me; can rape me; can even kill me. I have no control.

Of course, for normative reasons, we make laws against other people controlling me in certain ways even though they have the power to do so.

Data privacy is no different. The discussion is not about what degree of control a party is physically capable of exerting. The discussion is about what degree of control the government should grant to each party.

The fact that someone somewhere is capable of hoarding my data, does not imply that this outcome is just or optimal. Your position is a textbook example of the naturalistic fallacy.

I actually cannot think of a single instance where someone has "control" over something and the law exists purely as a way of exercising that control, and I can think of hundreds of examples where laws exist to stop people from doing things they may be physically capable of doing but would produce a negative effect on society if permitted. Maybe there is such an example, but it'd be an outlier.

If anything, the anomaly here is that inappropriately using or sharing personal data about someone is in most cases still only a regulatory or at most civil matter and not a criminal offence. Obviously such an act can potentially cause far more harm to that individual than many physical acts of violence that do carry jail time.

Actually, this isn't true, for the purposes of this analogy.

You can only lock up people who are in your country and under the control of your legal system. If your ex flees to Russia and sends out these photos from there, good luck prosecuting them and putting them in jail.

This is the internet we're talking about. An EU law doesn't apply outside the EU, in places like Russia, the US, China, and many other locales. What's the EU going to do when sites in those other countries refuse to take down pictures based on this EU law?

What are you actually trying to say here?

This is similar to some other laws, you can be as slanderous as you want to someone in private but if that slander makes publication then you open yourself up to a lawsuit. You may own copyrights to the image you take of someone in public, but you cannot use their image in your merchandise despite owning the copyright to that image. If someone is doxed in an email, and the email hosting provider used is compromised and has their emails linked to the public, the person who was doxed has just as much right to request that the publicly available emails be removed from search engines, etc.

https://en.wikipedia.org/wiki/Personally_identifiable_inform...

It requires the entity to give you the ability to delete your personal data, which means a contract where you grant a service a permanent and irrevocable right to data about you in exchange for a service is illegal.

It also requires the entity to provide an equivalent service to any site visitor that chooses to not grant their data to the entity, thus making the business model of trading even revocable access to one's data for a service unviable in the long run.

It makes it illegal to offer a service in exchange for data that is stored without end-user retrievability. Therefore, it makes a contract where you grant a service irretrievable data about you in exchange for a service is illegal.

All of these reduce the range of possible voluntary interactions. It's anti consent.

And it is bonkers to imply that something that requires you to actually get affirmative consent from the user is "anti consent". You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.

>>You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.

I agree that it is anti-consent. I don't have a problem with laws requiring more legible consent forms.

My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored.

No, you didn't. You gave a list of one-sided transactions where the user has no freedom or really consent at all in the matter.

"My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored."

No, you didn't. All you did was post a list of "transactions" where the company has all the say, and the user really has no input whatsoever. No one is going to miss those transactions.

If you truly, honestly are concerned with "consent", then you should be applauding this law, as it does require actual, informed, affirmative consent. Not the "Here's a great wall of text, agree to give us every little bit of data with no recourse whatsoever for you or don't get any access to the service at all" form of "consent".

I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".

I have difficulty responding to such an immature mischaracterization of what I listed.

I listed a set of contractual arrangements that are now illegal. All of them could be entered into completely consensually, and cannot be reduced to being categorically one sided, given we don't know what the value of the service the user gets in exchange for their personal data will be in every instance that said contract is used.

You're infantilizing people when you claim they're not capable of consenting to the sale of their personal data. In fact, no court of law would ever agree with you that these contracts are non-consensual ipso facto what the user offers, which is why the only way these kinds of contracts could be categorically disqualified is to circumvent the courts' purview of establishing consent, by resorting to statutory interventions like GDPR.

And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.

What you're doing is absolutely reckless.

>>I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".

Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.

Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.

And in that set, you predicated that the user could not revoke consent. That means that it is not a free contract.

>And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.

A contract in which one can not revoke consent is a contract in which one can never truly give consent. If I am unable to revoke my consent, then it can never be in the interest of the user, because my interest may change in the future.

>What you're doing is absolutely reckless.

No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.

>Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.

Which is what you're pushing for. You don't want me to be able to withdraw consent later, thus my selling of data WILL affect my future self.

>Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.

It still affects your future self.

Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent! You should be ecstatic that you will now be able to exercise greater freedom than you could before. You will have that most basic of freedom to evaluate whether or not something is still in your interest, and if it's not, withdraw, without the other party still benefiting off of your information.

No I didn't. I said that these contracts enable the user to sell their personal data. If a personal data sales contract includes a clause allowing you to 'revoke consent' AFTER 'selling' your data, then you are renting your data, not selling it.

By making contracts without such clauses illegal, you are reducing the space of contractual interaction, in making it impossible to sell one's personal data.

>>That means that it is not a free contract.

Again, I have difficulty responding to such immature mischaracterizations of reality.

Selling your personal data is a 100% "free contract".

>>No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.

You obviously don't care to debate this issue based on rational arguments and facts. You're debating in bad faith. You've already made up your mind and are more than willing to mischaracterize the situation, and people's position, to push your views.

>>It still affects your future self.

Everything you do affects your future self, but this particular type of sale does not cover data genereted by your future self. It only covers what you have already generated.

It's absurd and totally dishonest to compare it to selling oneself into slavery. It's nothing more than hysterical fearmongering about the free market, in support of government limiting people's contractual rights.

>>Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent!

You're once again mischaracterizing the ability to re-voke a sale, after the fact, as "withdraw consent".

When you sell something to someone, you no longer have a claim to that something, and thus the other party no longer needs your consent to maintain ownership of it.

That I really need to explain the semantics of ownership to you, and explain how allowing retroactive and unilateral reversals of sales makes it impossible to sell something, shows just how completely delusional and dishonest you're being.

All the changes are to "consent", which is the naive consent of clicking "I accept".

You can still do anything with a proper, considered, contract.

I don't see why the new rules couldn't have been limited to those of this sort, which ensure that users are providing considered agreement.

At the very least, my original statement was overly broad.

So if I investigate you, take your picture, etc. have I stolen from you?

I actually hadn't considered it before, but I imagine that being a PI in e.g. Germany must be a veritable legal minefield.

Why do we protect any rights by law? Usually it's because some harm is likely if the right is not protected and the potential victim cannot effectively protect themselves due to some imbalance of power.

Reasonable people can debate how far privacy rights should be protected and where the balance lies between protecting the data subject and allowing data processors to do useful things. Maybe the GDPR doesn't strike the ideal balance here and favours one side too much at the expense of the other.

However, it makes no more sense to argue that someone can't have any legal control over how personal data concerning them is processed than to argue that, for example, someone can't have any legal control over whether their physical property remains in their possession. Many social conventions have proven to be useful, and we codify them in laws so that everyone can see what is considered acceptable behaviour and so that people who try to undermine those norms for their own benefit at the expense of others can be dealt with.

No, it's more like making it a crime to break or lose something lent to you. At most it's a civil matter handling damages, not an extension of control over the item lent (baring any contractual agreement).

Put another way, how is protection of privacy by restricting what someone may lawfully do with personal data any different to protection of physical property by restricting when someone may lawfully use or remove it? Typically you can't physically stop someone from sending your email address to someone else once they have that information, but then typically you also can't physically stop someone from stealing your TV while you're out once they have a big sledgehammer and access to your front window.

I think most of us would still say that we have legal control over our possessions, and most of us would still say that theft is unacceptable behaviour and should be punished. In Europe, where perhaps we tend to have stronger feelings about privacy than in some parts of the world, a lot of people similarly feel that they should have the ability to restrict how data about them is being used and shared, and that some things that some organisations have been doing until now are unacceptable behaviour and should be punished if they continue to do them.

"To have legal control over your PII" and "To have legal control over your possessions" are similar in nature. The fact that such purposes are implemented in different ways, for mostly technical reasons, does not diminish the argument.

The main technical reason is that, right now, loss of control over PII is widespread, and individually processing each claim would likely overload the judicial system of EU countries which usually don't have class action lawsuits. GDPR simulates a class action lawsuit using regulatory bodies, to be triggered by refusal to comply with a significant number GDPR requests.

GDPR attempts to fix that.

(not perfect control, but that is the same in every area where law is broken, e.g., there are burglars, but still I think you would consider being in control of your personal belongings, and nobody would argue that we should stop prosecuting burglary because many burglars will always get away with it)

Intentions and effects do not always align. The effect of GDPR is to make any business model where a user trades their personal data for a service illegal.

Business models involving voluntary exchange should not be prohibited.

The fact is, the free market already gives users control over their data. They are not obligated to use any service that requires private information from them.

And by mandating an option to remove your data, it makes a contract where a user gives a permanent grant of their data to a service provider, in exchange for a service, illegal.

they could have alredy fined current privacy abusers under the existing law framework. this will be used to stromgarm independent news sources.

I honestly thought this kind of reasoning was a right-wing caricature. No, it is not obvious that choices with risks attached should always be regulated away.

Disclosing information in proportion to trust is a basic life skill. I understand that many in the tech community are frustrated to see the general public failing to exercise this discipline, and maybe regulation is the best way to protect them from themselves, but that's not obvious.

>If the majority banks lost your money regularly, would you blame customers of the bank for using banks -- or would you say that banks should have stricter regulations to stop people from being screwed?

False dichotomy. You want a spectrum of financial products that depositors can choose from according to their risk tolerance. It's essential that we have stable, regulated, insured checking accounts. It's also essential that we have self-directed brokerage accounts.

>"just slapp[ing] some Amazon adds on [your] site" is not the correct approach to handling users' personal data.

A site sending your browser Amazon ads does not oblige it to execute or display them. And this isn't some secret backend upload. If someone is willing to use a site with this revenue model, why is that your business?

The assumption is that all users are actively making a choice. Many are not aware of the choices they are making, and I think it's wrong to punish them for it -- when companies profit off this lack of literacy and people rush to their defense whenever people start talking about regulation.

I don't want companies like Google and Amazon to be able to hoard massive amounts of personal information about a large portion of the world's population, and not have to respect the rights of the people whose information they have acquired.

> You want a spectrum of financial products that depositors can choose from according to their risk tolerance.

If effectively everyone of importance just uses Amazon (or Google) ads then you don't get a "spectrum" and there's no choice involved. You have an option to either use or not use a majority of the internet. Yes, you can use ad-blockers but that's not a long-term solution.

> A site sending your browser Amazon ads does not oblige it to execute or display them. And this isn't some secret backend upload. If someone is willing to use a site with this revenue model, why is that your business?

Most users are not aware of how these things work. I agree that if everyone knew how to block those ads and what the actual problems are with them, then things like GDPR might be less necessary (though the right to retract consent is something that should be enforced).

But even then, ad-blockers are a defense against an industry that is over-stepping ethical boundaries every day. At which point do you say that companies which inflict systemic violations of ethics on billions of people should be held accountable? Or is it always the fault of the people because they didn't care enough about their personal information?

What ethical boundaries do you think are being overstepped through advertising?

I could imagine a major ad campaing where this question is posted all over the city:

"What ethical boundaries do you think are being overstepped through advertising?

Think for yourselves, don't let the government tell you what to think!

Sincerly, your friends the advertising business"

That's a hard fucking question for me to answer concisely, so I wont do that. Sry.

The current state of data privacy doesn't even include the spike.

As you point out, education is a fine idea, but it isn't going to work if there is a major industry based on it not working.

Are you going to stop using all these services that track you some way or another?

Most digital companies wouldn't exist if they weren't allowed to use the data.

So instead of just blanket calling it something it isn't and something that certainly isn't unique to FB or Google why not actually discuss the fundamentals rather than scapegoting someone just because they are some of the most successful.

This is a statement you're not possibly able to prove, and you've even left "the data" open, so you can quibble about the definition in future replies (despite the GDPR clearly giving one).

Terminating replies here due to the gross intellectual dishonesty; have a great night.

> Most digital companies wouldn't exist if they weren't allowed to use the data.

GDPR does not deny you the right to use user data, it regulates usage. This is such a ridiculous strawman that it doesn't even classify as a fallacy, it's just simply a lie.

> Are you going to stop using all these services that track you some way or another?

(I have stopped using many of the services you mentioned, but you're actually touching on the reason why regulation is necessary.) It is unreasonable to tell the general public they should stop using the internet if they want to maintain their privacy and dignity. And that's why there need to be regulations to provide protections for the general public when using a technology that is so central to the modern world.

You are still using them one of the biggest users of personal data your ISP and that's a service you pay for.

Don't pretend you are stating facts when you are just stating you personal opinion.

I had the impression that this is rather clearly regulated by the GDPR. A user has to consent to each use of her data. And you have to explain the use in an understandable way, no legalese. Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked). I don’t see how this could hurt any ethical business model.

If I refuse tracking for ads, then a newspaper can’t refuse me access to their articles.

This arbitrarily limits the range of businesses that can exist. For the sake of people who value their privacy having nothing denied to them, it reduces the services available to everyone.

they can. a business does not even need to do business with you. it's not a right that a business needs to service you. and btw. this is german law.

heck they can even rely on other laws to cancel your service any time they want.

in the next years GDPR will change nearly nothing. except that it will kill some smaller businesses.

GDPR is not strongly enforceable, if people think they have a right to something they still need to go to court.

the only thing which might change is that it will be easier to delete accounts and data (which is a good thing).

Even better, it requires the use to say “yes”.

I'm actually pro-GDPR but this needs to be kept in mind.

This is a misunderstanding. Consent is only one acceptable legal basis for processing personal data under the GDPR. Almost everyone is going to use it as little as possible in future because of all the extra red tape involved. Ironically, that probably means a lot of organisations will now be straining to justify processing on some other basis and to minimise use of data subjects' explicit consent and exposure to the associated subject rights.

Just make a list where you explain in simple words how you want to use the data and add a checkbox to each item (default not checked).

It's not that simple, because for example organisations may have legal obligations or legitimate interests in processing data about someone even though it may not be in that person's interest. Consider these:

[ ] I agree that my bank may keep records of the money I owe them.

[ ] I agree that the car rental firm may keep a record of me borrowing their vehicle.

[ ] I agree that the school where I'm applying for a job may do a background check before trusting me to look after kids.

Obviously there are many issues like this where consent for the data processing can't be voluntary and independent of everything else that is going on.

Speaking of false dichotomies...

I think you'll find that self-directed brokerage accounts have more regulations than checking accounts because they provide more opportunity to commit fraud.

That might be the theory, but there may be unintended consequences in practice.

As others have said, introducing regulation always has a cost. In this case, the cost appears to be that a small side business that has been providing a useful service to the local community for several years will no longer be available.

It doesn't matter whether the business was actually violating the GDPR. It doesn't matter if the person running it misunderstood the new regulations and formed an exaggerated view about the potential risks. The end result is still that his service isn't there any more.

The level of risk and profit is going to adjust to the correct balance over time.

It apparently wasn't running at a profit even before these new overheads. It was essentially being provided as a gift to the community by the person running it, and that person is not prepared to accept what he perceives to be a lot of extra risk just for doing people a favour. Why then is it reasonable to assume that someone else will step in and be willing to provide the same benefit to others despite the additional overheads?

The level of risk and profit is going to adjust to the correct balance over time.

Again, why should we make such a strong assumption in general? Previous ill-judged regulation of tech industries by the EU hasn't gotten any better with time. They still haven't fixed the "cookie law", which must be on the short list for most useless and widely ridiculed law in history! More seriously, they still haven't fixed the VAT mess, which finished too many microbusinesses and caused significant damage to many more slightly larger ones.

"But it's such a small site/ the person's side project" all the more reason to stay away from this. Having a code of ethics where you end up using the most profitable option anyways is not a real code of ethics

The point of ethical judgement is that it's _not_ the best choice by other factors

He's not making a profit. Meaning he's actually paying out of pocket to allow neighbours to lend stuff to each other. Yet he's abandoned his code of ethics?

But many ads are those that track you across pages and use many of the same stuff as Facebook to show you products. So if you're uncomfortable with that, it's important to put pressure on that.

If he were just throwing up Google AdWords /FB ads or whatever he would be participating in an ecosystem that is unethical for many. It's helping to support a good cause, but wouldn't it be nice to get good things without contributing to an unethical system in the process?

But likely in complete compliance with GDPR... As Adwords and FB Ads would be in compliance.

That is the entire point of laws like GDPR, it has nothing to do with User privacy and everything to do with Ensure their can be no competition to Adwords or FB in the future.

So many contradictions in one paragraph.

You most likely already had one and are now paying them to do this as well

In the UK the ICO is the governing body, and they say I don't need one. From their guidance linked below

>The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority, or if you carry out certain types of processing activities.

I am neither a public authority or carry out those certain types of activity.

https://ico.org.uk/for-organisations/guide-to-the-general-da...

That is COMPLETELY IRRELEVANT to what people are saying. If someone complains about me, am I obliged to defend myself? If I don't, am I subject to ruinous penalties? If I do and am victorious is the complainer required to compensate me for all of my costs?

Again, part of the problem is that it's not clear what does and doesn't constitute a violation.

I can tell you as someone who is working in an old school retailer/wholesaler we are not, and neither is anyone we are talking to through various trade bodies, employing lawyers to do GDPR.

Lawyers can't help you with ambiguous laws very much as it takes precedents to make sure what the words mean.

The reality is that almost all businesses are small businesses, and most businesses are microbusinesses. These sorts of organisations don't have full time resources watching out for potential legal hurdles coming down the line in a few years. Many of them don't have full time resources at all.

It's ironic that a law where one of the main effects is to dramatically increase notification requirements has resulted in barely any media coverage and no notification from any official sources to any of my businesses yet. What media coverage there has been mostly seems to have been prompted by people being surprised by the sudden wave of privacy-related emails. So, how is this not going to be a surprise move for millions of small businesses if no-one did anything to tell them about it?

If you run a business and were not aware of GDPR then you incompetent or employ people who are feeding you bad information.

Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.

Why? Most businesses are very small and don't have any sort of in-house legal team, and won't go actively looking for expensive external legal advice if they aren't aware that they have a need to.

Seems like these businesses who are not "aware" of it are exactly the type that would have other bad practices that will leak personal data of their customers.

That is an entirely unfounded assumption. There is literally no relationship between being technically competent in protecting personal data, having a positive attitude towards respecting privacy, and being aware of new laws coming out of the EU.

GDPR punishes the vast majority of businesses that do not have business models reliant on selling user data in favor of trying to catch the ones that do.

Unfortunately, I fear this regulation will do absolutely nothing to stop the bad actors from selling data as they do now.

But I'm completely in favour of it anyway.

Failed reality check.

A Data Protection Officer, especially from a law firm, is not in any way imaginable "almost nothing" regards the cost.

I can't imagine it's a cost less than five figures.

Google and Facebooks manoeuvring to adapt to the GDPR give a clear road map of the legal requirements. Bluntly, they're not that bad, and they're better for a new startup who can adapt to them from the ground up than an established venture who has to find new ways to make money.

The reporting requirements of the GDPR can be large, but for most companies most of the time you're dealing with a relatively unchallenging piece of legislation. Most of the requirements are just to be able to explain what happens with user data and handle sporadic deletion requests. Loosely connected, separately stored, IDs are the solution to this (pseudonymization). It's a different style of development, but far from tricky. That's systems development, not legal.

This is a legitimate threat to startups reselling user data and overly friendly web-tracking solutions, yeah. To them I say "boo-hoo". For the rest of us? IT regulation with legal teeth is a promising indicator for IT companies. There are more of "them" than there are of "us", and if our legal issues are getting play that means our salesmen will also get play.

I know you didn't intend to, but you've nailed the problem: the ambiguity and doubt. Most (<100%) * most (<100%) is a fraction times a fraction, never a good equation if the upside is low.

I doubt the StreetLend dude made much cash out of this project, so why bother? It was likely just a convenient excuse to kill a side project that had little value that sucked a lot of time, but still, the ambiguity no doubt helped push him towards this outcome.

This doesn’t feel particularly onerous, especially as any good business plan will include getting public liability insurance for inevitable occasional serious mistakes.

Even though we never resell, mine nor monetize data, the increased risk of legal action was not acceptable to us.

Have you ever filed a claim on an insurance policy? Your premium will certainly go up next time that policy is up for renewal.

It’s unfortunate for our users. They’re quite upset that we’ve decided to drop all EU customers. But, we’re not willing to take on any additional risk for such a small revenue source.

https://cybercounsel.co.uk/data-subjects/

1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers an Data Processors.

2. If the Data Subject, moves out of the EU border and say becomes an expat, or goes on holiday then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.

Luckily, my organization is not “established” in the EU.

Its only the end-user-is-product companies that have to have armies of lawyers, and that is no bad thing surely?

Note that you're on a site pretty much dedicated to the ongoing viability of end-user-is-product companies, hence the backlash here. My experience, same as yours, is that anyone who provides a service for money isn't having any difficulty at all complying with the GDPR.

I don’t think you’re going to disrupt Google or Facebook without trying something new, and the GDPR certainly forces startups to think different.

The law is needed, otherwise everyone would continue to abuse users' data more and more. So that's clearly not the solution. The ideal solution is fining both Google and Facebook for all the money they've made from that abuse from at least the past 5 years, to level the playing field.

People say that capitalism is the "worst economic system, except for all the others", and that's true. But one of the main issues with capitalism and why it gets to be so broken in the end, is that when companies abuse their powers, the punishment almost never fits the crime. If it did, I think capitalism would be a much more optimal economic system. I think this is by far the biggest issue.

As an example, Intel made tens of billions from anti-competitive moves against AMD, and it was only fined $1.4 billion, a fine that's still under dispute even a decade later (Intel has yet to pay it).

Samsung, and other memory makers have been caught at least once in the past, and now again, doing price fixing. But the fine was and likely will be again much smaller than the profits they made.

Then we have the big banks, which also made a ton of money from screwing people over, and again they were fined at "record levels" but still much less than they made in profits.

This is how the incumbents keep getting ahead of the others, even when stronger regulations pass - they never have to truly pay for the crime they did in the past, and they get to keep 95% of their profits from that crime. That isn't how things should work - the governments should take all of the profits they made from the crime and the fine should be added on top of that. If a company grows 10x in size in a decade from abusing some law and consumers, then the governments should absolutely take back 90% of its size when it's punished later. That's the deterrent.

Now in regards to privacy, the laws weren't that strong before, and I don't really believe in punishing people or companies for laws that didn't exist, which is why governments need to be much more vigilant from the birth of new industries, and not wait until they are mature and most damage has already been done.

Maybe my solutions are a little too extreme, but I do believe more needs to be done compared to what governments are doing now. We can't just let companies get away with almost all the profits they made from abusing consumers.

Also, there need to be stronger anti-merger laws. That's for sure. We almost never need to let companies merge, and if they do merge, that almost always ends-up not being in the consumers' favor. If some companies can't compete on their own anymore, then so be it - let them go bankrupt. The rest will either become stronger, or new entrants will appear. I think that's still preferable over allowing them to "survive" under a bigger company. Let the creative destruction flourish in the market, as it's supposed to.

Probably not far enough. You need to outright shut them down, put them in a prison of sorts, fine them, and then let them continue operating after their term is up. Do not let them sell, do not let them split. But people will lose jobs, ads will be taken out to fight it, and it will be held up in court for far too long. Google and such have ingrained themselves in a way that to properly punish them for their actions is not politically tenable, because the only fitting punishment would destroy these companies and cause significant economic harm.

Alas, many people make money off of loose regulation and they are thus biased.

I am afraid we won't see any improvement anytime soon.

Calling that stolen is mixing your personal opinions with facts.

At it's core it is the most ethical a free service can make money (aside from donations). He isn't selling the data or showing personally targeted ads. (Of course it could be using some amazon plugin that does it anyway for convenience or from ignorance, but he can do it without it through amazon apis)

Founder here. Streetlend never passed personal data to Amazon. It used the search term eg “ladder” and showed ladders on sale from Amazon. No personal data was passed.

Unless you're doing something shady with user data (and you _know_ if you are) the GDPR essentially comprises having _some way_ of giving a user all the data you store on them, and _some way_ of deleting that data.

In this case both of those appear trivial to automate, and even more trivial to just do if somebody actually wants those things. Shit, dropping email login and only accepting federated auth would get you there in one step, unless you're doing things you're not saying.

I've been running websites and doing IT for a long time. I've spent least 10 hours on my employer's dime reading about GDPR and trying to figure it out. There's a lot of ambiguity. We're in the US, we don't do a lot in Europe, so we're at less risk, and my conclusion was that we're small enough (while MUCH bigger than streelend) that we're not going to be a target while some of the ambiguities get worked out in courts. This poor guy has no protections.

I'm not faulting the person, I'm just saying the response doesn't seem founded in firm reasoning, but in (self-admitted, by the link!) "I need to look into this but I haven't, so we're shutting down". This isn't a newsworthy event or "proof the GDPR ruins businesses".

> This isn't a newsworthy event or "proof the GDPR ruins businesses".

It is anecdote that complying to a far reaching and ambiguous law has real consequence.

This is, again, because the legal text is ambiguous.

I posited this to our counsel when discussing what to do about GDPR. He cautioned that he’s seen investigations start due to a nosey bureaucrat.

I don’t know if your product is public facing, but if it is, all it takes is a single sufficiently powerful government employee to get curious about your business and start asking questions.

Even if you’re not doing anything wrong, having to engage counsel to respond to the government could get pricey.

Because the GDPR is extraordinarily ambiguous.

Except with GDPR all you could do is report them to the member states governing body. So no trolling.

> Very Specific and not open to interpenetration

Except this makes them inflexible and leads to them having to be constantly redrafted. So no use to the world of the HN.

> Have options for "settlement" as this rewards the guilty, and harms the innocent

GDPR is between you and the regulator, they already do this work and the whole aim of the process is to stop you doing bad things. A fine is a late step in the process for organisations who wont listen.

> Have more public resources for people with limited resources. Law firms and Large corporations use Legal Expenses has a weapon in Civil Courts over smaller companies due to the high costs and generally no public resources for Civil access

Is off topic when it comes to GDPR, see my previous answers

> All Civil Cases must have to show Actual Damages not Theoretical Damages

Again off topic with GDPR, but in the UK that is how damages works already, isn't it?

What? Define almost nothing. For small businesses it is a wishful thinking they can hire anybody from a legal firm. They probably don't even have a lawyer or a legal department as they can't afford such luxury.

And now we are finding out LED lights are bad for our eyes and our sleep, so we may go blind sooner and die sooner.

Ok that might be a bit extreme, and besides there is an efficient incandescent tech that will probably come back and save us (and you can argue the EU helped that too)... but my point is the EU has good intents but their creations seem polarised into either extremely preemptive or extremely reflexive and are often premature and poorly thought out, fighting for something for the people but often without thought for how they will directly hurt the people.

For tech the EU isn't exactly unique in this respect though, the UK for instance recently tried to inact some pretty rediculous laws that undermine basic technologies that make the internet work.

Yeah, I'll just get a small loan from my father.

"From the description Streetlend didn’t violate the GDPR in concept though. Addresses are public record, available in public databases, and there is nothing stopping you from doing lending eBay. All it needed to do was clear it’s records every 6 months and let people delete their accounts."

> But the comment you commented on said:

"The problem is what happens if a legal firm or an agency targets you. Even if you adhered to the spirit of the law, they can dig up evidence that you didn't obey the letter of the law (since GDPR is quite loose and ambiguous)."

The issue seems to be that the resources required to resolve a delta - from Streetlend's pov - are perceived as excessive. Too much risk; not enough reward.

Look at what happened with Thiel and Gawker. Right or wrong is irrelevant if the opposition has deeper pockets and can bleed you to death (in legal fees).

> Startups will find a way to make money that isn’t selling your data.

Perhaps, that could be true. But plenty will not want to be caught in the crossfire in the meantime. And that too is a biz decision.

Out of touch with reality much?

Just like all regulation its very doable but its way more cost effective for the big players.

They can take some credit for the dim and dimmer mercury containing CFLs, and the ludicrously expensive and somewhat unreliable early LEDs, if they like.

This is not true. The US has parallel regulation that encourages the phase out of incandescent bulbs [1]. True to form it's a lot weaker than the EU regulation but it sends the same message.

> This regulation makes life for startups disproportionately harder than for Google and FB that already have an army of EU lawyers on payroll.

This is not true. In fact the GDPR makes it clear that for small businesses (<250 employees) most of the control burden is relieved.

[1] https://www.epa.gov/cfl/how-energy-independence-and-security...

I also found some LED bulbs that have simulated filaments inside clear bulbs for an old-fashioned look, and again the incandescent color temperature.

I've even found cheap LED replacement bulbs for the various interior lights in my car that look just like incandescents.

So I think it's kind of passé to be debating LEDs at this point.

1. This regulation is specifically (deliberately?) anti small business. If your revenue is less than €20m their fine is up to €20m, i.e. can be 100% of your revenue, meaning bankruptcy. If your revenue is greater than €500m, your fine is capped at only 4% of your revenue, i.e. an acceptable fluctuation. It's worse than a regressive tax.

2. China also has many regulations. Instead if trying to extend their jurisdiction to foreign sites, they simply block them. I thought about this and I actually prefer the Chinese non-expansionist model: I would rather outsource due diligence to the Chinese government than hire expensive EU lawyers and then implement EU specific blocks.

FYI we do not collect any data other than for spam and DDoS attack mitigation, but apparently if you have any third party code in your site like ads you have to subject all of that to this expensive audit.

Well meaning regulation like this written by people who have never created anything pratical in their lives other than regulations illustrates why entrepreneurship in modern Europe is nearly impossible.

Rubbish, this is just spreading FUD.

From the UK ICO: "It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.

But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm."

Look at the track record of the UK ICO - how many small businesses and side gigs have been fined £500k? How many businesses of any type have been fined the current maximum of £500k?

So where does this ludicrous assumption that everyone is always going to be hit with the maximum fine from here on in come from?

Even TalkTalk were only fined £400k for the most ridiculous incompetence leading to 4 breaches in 18 months and failing SQL injection 101. They make profit in the tens of millions yet still didn't hit the maximum (They should have in my opinion). I think at the time that was the largest penalty yet issued.

Same goes for other data protection bodies across the EU - there will be few instances of maximum penalty under current data protection. I'm sure some countries have never imposed the current maximum.

nb It's not a ridiculous law - I'm fully in favour of it, as are many others over here.

That's the most interesting thing about the GDPR. While some developers are picking up their ball and huffing off home, others are actually 100% behind the regulation.

It says something when tech-savvy people agree to sacrifice time and effort and probably profits to protect their users from their own software.

Or the competitors' software.

Consider some business that was doing what GDPR requires already: users could delete their data, they could request a complete copy of it as well as an explanation what it is used for, and it was only used for defined purposes that the user signed off prior anyway.

Sadly, that reduces flexibility somewhat, but they're doing it because they consider it the right thing.

For them, GDPR levels the playing field and makes sure that they never have to stray from this conduct just to remain competitive with companies that aren't so nice to their users.

Nothing about the gdpr solves the problems of companies having insecure systems that _leak_ user data. I also don't believe that data about me is data I own. To me, the gdpr feels ineffective at the real issues causing me harm (leaked info) and also a giant burden on companies that fundamentally changes how the industry has worked, but in a way that quite frankly, doesn't make any sense to me. The data about my order isn't my data to control.

It doesn't directly prevent insecure systems, but discouraging companies from storing information they don't need and transferring it on to third parties for whatever reason they feel like massively reduces most people's exposure to this risk.

>The data about my order isn't my data to control.

If you believe people have a right to privacy, then you believe they have a right to decide who gets to know what information about them.

That's not even remotely true. A right to privacy does not mean I get to control the actions of others.

Nothing restricts what others can do with them, they just have to state it so I can decide whether that's ok for me or not.

The lack of this clearly defies the right to privacy, just consider the extreme case of "I'll dump your data on GitHub next week"

Requiring disclosure of a breach within 3 days of it happening, as opposed to the several months that is commonplace now, is a big help.

"I also don't believe that data about me is data I own."

Everyone disagrees on this point. Right now, Europe says the opposite.

"also a giant burden on companies that fundamentally changes how the industry has worked"

Good. Currently the industry is geared to suck up every last bit of user data like a vacuum, regardless of whether it's actually needed, so they can sell it. This has gone on for far too long, and I'm glad to see the industry hopefully move away from it.

If I place a camera in my house so that it's recording what's going on in your bathroom- is that data you would like to be kept private, or not?

I'm fully behind the GDPR. It might not be perfect, but I've read the law and it's surprisingly straightforward and sane.

Why is it sane to assume data I've sent to a service is my data to control?

GDPR increases maximum penalty to be high enough that it could be a penalty to a Google or Facebook for a serious, wilful, breach of regs, in an environment where the tiniest fraction of reported cases get any fine at all (16 of 17,300 reports for 2017 in the UK) let alone the maximum. Internet now certain that one man software companies and hobbyists with non-commercial regex sites will receive £17m fines, every time and it will be used as a stick to beat one's political enemies with or, most comically of all, pay for local infrastructure improvements.

I don't understand why - the regs seem reasonable and not especially difficult to meet unless your business is built on wilful abuse of personal data. Just a reasonable effort to enhance DPA taking into account new techniques and misuses of data. Deletion for everyone, not just a minority - thanks to FB et al feeling it's fine to never delete, and run shadow profiles on all. The highest penalty will be saved for the most offensive cases involving multi-nationals. It will be interesting in a few years to see how many maximum fines have been levied. My bet is none at all, once or twice if there's an especially egregious breach from an Amazon or Google.

I've little doubt that just as I feel more should have attracted fines under DPA I'll feel more should have got GDPR fines.

My intuition is that the people who complain are that fraction of developers who actually care about their profits more than their users' privacy.

For us in Europe 20 years of DPA must help - I doubt there's many here would want to go back to pre-data protection.

No, in fact, most people get served with nothing more than a formal caution or a £90 fine. This is normal - this is how the law works in this country. Anyone who doesn't understand this hasn't even been paying attention to the lowest-common-denominator newspapers, which are constantly screeching about how people usually don't get anything close to maximum sentencing.

When a corporation is compliant and only has minor infractions, they will (most likely) write a sternly worded letter.

But if you're constantly and repeatedly or willfully ignoring or breaking the regulation they definitely won't leave it at a simply tap on the fingers.

Plus, I don't think any regulatory body is looking for bankrupting a corporation. They will obviously size the fine according to how much the corporation has in turnover or profit.

If you have minor infractions caused accidentally and you cooperate I have doubts that any regulatory body for the GDPR will go beyond sending a simple letter asking you to fix a problem.

I am not one to say "trust the EU government, it is good". But the intent of the legislator is obviously not to kill businesses willy nilly, it is to punish certain behaviours, they have no reason to willingly cause a business to shut down, which is why the GDPR explicitly accounts for collaboration.

In the end, it is up to you to decide not to abide to the law. There have been local regulations forever, this won't change much.

Note that, in parallel to the EU regulation, the statutory maximums can be enacted(ever since Booker judges can use their discretion again), but in reality most judges rule within the sentencing guidelines.

Yet. Wait until the company is another political organization that is identified as an enemy or competition. Then these laws become tools for shutting down dissenters with selectively applied fines, even to companies outside of the EU.

And unlike you say the law does say the regulatory body for the GDPR has to consider the business needs of smaller businesses and adjust their fines accordingly if they even hand them out.

There is a good flowchart in this thread too, I recommend to study it.

We both contributed to a conversation where you made the same point, a few days ago:

https://news.ycombinator.com/item?id=16888026

Back then, I was not convinced that you had a clear idea of how such a money-grabbing scheme could be implemented. I would kindly ask whether you have a clearer understanding of the relevant procedures now.

The people saying how easy it is don’t know what they are talking about.

By "28 different interpretations I assume you mean those of different member states. It would actually be 27 now that the UK is leaving, but even so, the GDPR is a regulation (General Data Protection Regulation) and not a directive, partly in order to eliminate inconsistencies in national laws. To clarify, as a regulation, the GDPR does not need to be passed into national law.

Additionally, this reduces the burden on companies that would previously have to deal with multiple local authorities, in the context of the Data Protection Directive.

Further, there are provisions for the consistent application of the GDPR across all member states, particularly a European Data Protection Board.

This is from an article I quoted earlier:

Coordination and Consistency

Under the Directive, there has been a certain level of coordination in interpretation and enforcement. Apart from informal contacts among authorities, there has been a succession of non-binding opinions issued by the “Article 29 Data Protection Working Party,” an advisory committee comprised of representatives of the national supervisory authorities (commonly termed “data protection authorities” or DPAs), along with the European Data Protection Supervisor appointed by the European Commission. Under the Regulation, that group will become a more independent and powerful regulatory body called the European Data Protection Board, tasked with ensuring “the consistent application” of the GDPR. An entire chapter of the Regulation (Articles 55-63) is devoted to cooperation and consistency, with procedures for multiple DPAs to coordinate investigations and promulgate consistent decisions and policies reviewed by the Board and reported to the European Commission.

One feature of coordination that should be helpful for multinationals is a provision for companies to work with a “lead supervisory authority” in the country where the company has its “central administration.” That authority will then coordinate with the authorities in other countries where the company operates, attempting to achieve consensus on issues that affect all of them.

https://www.infolawgroup.com/2016/05/articles/gdpr/gdpr-gett...

Generally, I have no idea why you say that the GDPR will be nearly impossible or actually impossible to comply with. Different member states have different regulations for drug use, for instance, but that is never used as an excuse to violate drug laws "becuase they are impossible to comply with" due to different national interpretations.

If the US court doesn't decide that, the EU will have to resort to indirect measures (Google AdSense will probably stop working since Google doesn't want the EU courts on their butts for making business with someone who violates the EU law and other measures)

https://www.privacyshield.gov/article?id=How-to-Join-Privacy...

So how does that affect companies that don't elect to join Privacy Shield?

Agreed that AdSense will probably start indirectly enforcing the GDPR at some point. Someone will probably make a lot of money picking up the traffic they lose, in exchange for never changing planes in Frankfurt again...

I guess we'll have to wait and see what happens in that case, if the US court system is willing to enforce GDPR fines on their side, that would be a win for the EU (the US has been doing this for ages)

https://community.spiceworks.com/topic/2007530-how-the-eu-ca...

> "While we don’t yet have U.S.-EU negotiated civil enforcement mechanisms for the GDPR (and it is unknown whether we ever will), there is still the application of international law and potential cooperation agreements between U.S. and EU law enforcement agencies, which have been increasing in recent years."

That sounds pretty murky to me, more a statement that she expects regulators to cooperate than one that current law provides a clear path. Not that I can find a more confident article in the other direction, of course...

He wasn't 'almost jailed' - he was fined £800. And the video involved him saying 'Gas the Jews' over and over again to his dog, to which the dog reacted.