This is the original article (linked from The Verge one) and is much clearer:
> Bluesky, the rapidly growing social media platform, is violating EU regulations by failing to disclose important details, a European Commission spokesperson told reporters during a daily briefing on Monday.
> “All platforms in the EU even the smallest ones which are below the threshold, which is the case for Bluesky, have to have a dedicated page on their website where it says how many user numbers they have in the EU and where they are legally established. This is not the case for Bluesky as of today,” the spokesperson said.
EU/EC officials make no secret of the fact that they make as much as possible illegal in order to get companies to come in and talk with them before launching products. I have heard this at least twice from the source, and more than a couple of times from other people I know.
I'm not saying this doesn't happen, but I also think it's genuinely difficult to write policies that apply to technical systems that don't exist at the time of writing and which are also clear enough that regulators, courts, and the relevant parties within tech companies all understand what they mean, what they imply about technical systems, etc.
With respect to much older law, e.g. copyright, I think we still haven't fully interpreted what constitutes "copying" or "distributing" in a digital context.
With respect to data privacy: though I was part of a team that was responsible for ensuring my company met GDPR obligations, it's still not clear to me what really constitutes deletion or erasure for these purposes.

What if my DB doesn't delete stuff on disk immediately but marks some records with an in-memory tombstone, so normal DB queries will no longer return the record but files containing the record do still exist? Am I obliged to delete all DB backups when any individual exercises their deletion rights?

If my datalake uses columnar files that record events (e.g. clickstream data) from many users, every time any user exercises their deletion rights, do I have to re-write all the files that included any event from them? To find all files containing a user efficiently, I'd probably need to start indexing by user, which if anything puts my team on the path to using user-specific data more intensively going forward. Or is it sufficient to mark their ID in a "forgotten" file and ensure that datalake results do not include information from their records, though the records are in principle still readable?

If you didn't have a good systems/data engineer participating in the drafting of the policy, it's easy for a regulator to just write "delete" without thinking through what the actual definition should be, and what the implications are.
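To make the "forgotten file" option concrete, here's a minimal sketch (all names and the row schema are made up): the columnar files still physically contain the erased user's rows, but a query-time filter guarantees those rows never surface in any result.

```python
# Hypothetical sketch: suppress erased users at query time.
# In practice FORGOTTEN_IDS would be loaded from the "forgotten" file.
FORGOTTEN_IDS = {"user-123"}

def query_events(raw_rows):
    """Yield only rows for users who have not exercised erasure rights."""
    for row in raw_rows:
        if row["user_id"] not in FORGOTTEN_IDS:
            yield row

rows = [
    {"user_id": "user-123", "event": "click"},  # erased: must never surface
    {"user_id": "user-789", "event": "view"},
]
surviving = list(query_events(rows))
```

Whether this counts as "erasure" under the GDPR is exactly the interpretive question above; the sketch only shows the mechanism.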
> Am I obliged to delete all DB backups when any individual exercises their deletion rights?
No, just don't use that individual's data in any processing going forward, unless you have a lawful basis for doing so. If you restore from those backups, don't lose the fact that this individual exercised their right to be forgotten.
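One way to keep that fact durable (a rough sketch; the file name and schema are invented) is an append-only erasure log stored separately from the backed-up data, re-applied after any restore so erased individuals never resurface:

```python
import json

ERASURE_LOG = "erasure_requests.jsonl"  # hypothetical append-only log

def record_erasure(user_id):
    # Durable record of the request, kept outside the backed-up dataset.
    with open(ERASURE_LOG, "a") as f:
        f.write(json.dumps({"user_id": user_id}) + "\n")

def erased_ids():
    try:
        with open(ERASURE_LOG) as f:
            return {json.loads(line)["user_id"] for line in f}
    except FileNotFoundError:
        return set()

def restore_from_backup(rows):
    # Re-apply erasures so those individuals never resurface post-restore.
    gone = erased_ids()
    return [r for r in rows if r["user_id"] not in gone]
```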
> What if my DB doesn't delete stuff on disk immediately but marks some records with an in-memory tombstone, so normal DB queries will no longer return the record but files containing the record do still exist?
If you don't process those records any more, that's fine. Ideally purge your database tables from time to time, because you should also have retention limits, set to the minimum possible. "Forever" is not an acceptable limit for PII.
> do I have to re-write all the files that included any event from them?
No. Write a list of users whose events you mustn't process any more, and preferably stop collecting events for those users... assuming that specific data you're collecting is data which you don't have a legal basis to process without their continuing consent. If they withdraw consent, you have to stop. It's that simple. Design with that in mind.
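The deny-list design described here might look something like this (a sketch; all names are invented): check withdrawn consent both at collection time, so the event is stopped at the edge, and at processing time, so already-stored events are never used.

```python
# Hypothetical deny-list of users who have withdrawn consent.
withdrawn = set()

def withdraw_consent(user_id):
    withdrawn.add(user_id)

def ingest(event):
    # Preferably stop collecting for opted-out users in the first place.
    return None if event["user_id"] in withdrawn else event

def process(events):
    # Also filter stored events before any further processing.
    return [e for e in events if e["user_id"] not in withdrawn]
```

Withdrawal then takes effect immediately for both new and previously stored events, without rewriting any files.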
> the records are in principle still readable?
It doesn't matter about "in principle"; what matters is whether you continue to process the data of individuals who have exercised their right to be forgotten and withdrawn their consent, when you have no other lawful basis with which to continue processing their data.
> which if anything puts my team on the path to using user-specific data more intensively going forward
"The 'no beatings' law just makes me want to beat people even harder". You sound petty.
Treat PII as if it were hazardous waste; minimise your collection of it and processing of it, dispose of it as soon as you can.
> it's easy for a regulator to just write "delete" without thinking through what the actual definition should be, and what the implications are.
They did think it through. Recital 67 of the GDPR: "Methods by which to restrict the processing of personal data could include, inter alia, temporarily moving the selected data to another processing system, making the selected personal data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system."
You just don't like having to do it, and would prefer if once a user gives consent (or even if they don't), you can keep that data and do anything you like with it for all time and there's nothing the user can do about it.
I don't know who you are or what your qualifications are, but at least some of what you've said is in conflict with guidance I have seen from qualified professionals (some of which were in mutual disagreement).
I'll note that two paragraphs above the point you quote from, under Recital 65, the description of the right to be forgotten includes that "a data subject should have the right to have his or her personal data erased and no longer processed". I.e. erasure and cessation of processing are not the same thing, but both are required. Your point about 67 only clarifies the second of those requirements. Recital 66 describes something of the extent of erasure, but doesn't define erasure -- one controller should inform other controllers who are processing the data "to erase any links to, or copies or replications of those personal data", which doesn't seem to clearly support your interpretation.
> "The 'no beatings' law just makes me want to beat people even harder". You sound petty.
No, the point is that if you have just a pile of event spew, it's legitimately more work to first, e.g., group by user. If you have a user-indexed pile of events, then even without any particular hostile animus, your data team has a warm start on user-centric analyses. But you sound snide.
> Treat PII as if it were hazardous waste; minimise your collection of it and processing of it, dispose of it as soon as you can.
In the ML/AI era, it quickly becomes very hard to justify ignoring your data that happens to have user-linked data in it. Users want and use recommendations and experiences that are informed by their personal data. Even if their data doesn't include PII fields like names, addresses, or phone numbers, their right to object to processing, to ask for all their data to be disclosed to them, or to ask that it be deleted extends to all the usage and behavioral data that products are built on.
> You just don't like having to do it, and would prefer if once a user gives consent (or even if they don't), you can keep that data and do anything you like with it for all time and there's nothing the user can do about it.
Maybe don't try to tell other people what they like? I'm actually in favor of strong data protection laws, and I wish my own country would adopt some. I think the broad provisions of the GDPR are generally positive. However, I do think very little clear material was available for companies who were trying to come into compliance by the time it went into effect. In particular, there was no certification system, no official or regulator you could get a live response from, and no qualified inspector you could hire who could confidently evaluate whether a system did or did not meet the requirements of the new law. GDPR went into effect in 2018, and only this year was the Europrivacy certification fully approved under article 43. In the period from 2016 to 2018, many companies, including those not in the EU, were in the bad position of needing to draw up plans for large projects to make their data architecture meet the requirements as interpreted by their counsel, and in some cases of evaluating whether it even made sense to do business in the EU (if you happened to only have a small amount of business there).
>In the ML/AI era, it quickly becomes very hard to justify ignoring your data
It might be very hard for you, the provider. As the user, I don't care at all about your technical challenges (to put it mildly). I expect you to fix it, so I voted for representatives who would force you to fix it. Because if AI can do everything, as we are told again and again, I'm sure it can also find a way to purge itself of my data. Sarcasm aside, it's not 2018 anymore and there are more and more practical guidelines on how to apply the GDPR and everything else, so worst case, let the AI swallow those as well and find that way.
Right to erasure is defined in article 17, and note what it says:
> the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
There is a lot of leeway in that. Depending on your circumstances, you may have an obligation to erase data, and communicate to other controllers you gave the data to, who also have to do the same. But note you can take into account your technology, cost, etc. - you must be reasonable about it (and instruct others to do the same, so the subject doesn't have to ring round all the 100s of spammers trying to datamine them); work with the process and do the best you can. Don't come up with excuses as to why you're going to ignore the data subject's requests.
The person who will be invoking this regulation against you will be a national of one of the EU member states, and they'll be bringing their information commissioner with them. I seriously doubt they will proceed against you if, technically, you still have some of their data in old backups or keep tombstoned records for a specific amount of time before permanent deletion, provided you've made sure that individual's data will never resurface in your system, even if you restore from backups, and you've minimised retention to what you absolutely need.
Of course, if you can delete a specific person's data, and they ask you to, and you don't have other legitimate reasons to keep it, you must. Indeed you should delete it even if they don't ask, as soon as it stops being relevant - and you shouldn't go with the plan of "oh but it'll always be relevant, so I'll keep it indefinitely".
Event streams? Have the user's client not send the event, or go around purging events; but given you have to check whether the user has opted out of processing anyway, you might as well delete the data when you can. Data warehouses? Go through the user's records, overwrite them with randomised junk, and flag them as unusable.
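The warehouse option could be sketched roughly like this (the PII field names are assumptions, not a real schema): overwrite the identifying fields with irreversible random junk and flag the row so downstream jobs skip it.

```python
import secrets

def scrub_record(record, pii_fields=("name", "email", "ip")):
    # Overwrite PII with irreversible random junk and flag the row so
    # downstream jobs skip it entirely.
    scrubbed = dict(record)
    for field in pii_fields:
        if field in scrubbed:
            scrubbed[field] = secrets.token_hex(8)
    scrubbed["unusable"] = True
    return scrubbed
```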
> In the ML/AI era
Yeah, get outta here with that thinking. Also see Articles 21 and 22: the right to object, and the right not to be subject to purely automated decisions.
> I do think very little clear material was available for companies who were trying to come into compliance by the time it went into effect.
I sympathise somewhat, but it's a regulation for individual states to actually legislate, and you had 2 years! The main thing you had to do was get the general message and not look for loopholes. From what I see, information commissioners have only been going after egregious holdouts, rather than well-meaning companies, especially if they don't have their own certification scheme running.
So… EU regulations are about "protecting user privacy"… but require you to know how many of your users are EU-based, and to publicly report it?
I don't know about you, but "country of residence" is the kind of private information I'd rather not have collected without good reason. Requiring it to be collected seems rather antithetical to "protecting user privacy".
> But since Bluesky isn’t yet big enough to be considered a “very large online platform” under the DSA, the regulator says it can’t regulate Bluesky the way it does X or Threads.
So are they breaking the law or aren't they? Sounds like they aren't but the EU wants to be on their back anyway.
I thought the article was pretty clear: they are breaking rules (not laws, FWIW) but are not yet big enough for the EU to do anything about it. On their current growth trajectory, they soon will be. The EU statement seems to just be an anticipation of the inevitable.
> Sounds like they aren't but the EU wants to be on their back anyway.
> The regulator hasn’t reached out to Bluesky directly, yet, The Financial Times writes.
I think no one is on anyone's back; they're just following standard procedure, more or less.
There is a new, growing platform which might be affected by such regulations, and they just want to make sure what its status is and under which legal framework it operates (e.g. whether it has any EU offices to which they should address official communication).
The things pointed out by the article are also non issues:
- a missing statistic about EU users, which you need once you reach a certain size but which, practically, you kinda should have before then _to show you have not quite yet reached that size_. But that is somewhat of a nothing burger: you add it when needed, and as long as there is no reason to believe you acted with malicious intent, it's unlikely to involve any penalties.
- regulation related to moderation: a non-issue, as Bsky enforces its terms of service, and that already fulfills more or less all moderation requirements (maybe not some increased reporting requirements for larger companies, but as said, they don't count as such yet)
So IMHO a nothing burger.
My guess is that various newspapers made "official" information/press requests to some EU institutions asking whether Bsky complies with this or that, and then created an issue out of what is, at the moment, more or less nothing. I wonder if it was done with malicious intent.
> 1. It puts Bluesky on notice that they need to watch their numbers
can't be, as they haven't reached out to Bluesky; you can't put someone on notice without communicating with them
this article seems to be based on newspapers making "press requests", not on any EU institution initiating actions; some parts can outright be read as "what is Bsky? we should find out if it is relevant in case we get press requests about it; where is their office again?"
> 2. It preempts accusations of unfair application of the rules
I'm not sure where such accusations would come from. I don't think any related EU regulatory organizations care about what people in the US think about supposedly unfair treatment of X compared to Bsky.
> 3. It reminds Bluesky that if they trade internationally they need to "do as Romans do".
which only makes sense if they communicate with them, but the only communication seems to have flowed through the Financial Times asking some regulators. So I don't think so.
This is like when a religious person claims that the only way to be kind, ethical, moral, etc. is to be religious. They are not mutually exclusive. You can be a good steward of your users' data without steeping yourself in EU regulation.
It's a variation on "premature optimization is the root of all evil". Focus on what actually matters for your startup. If for some reason some EU regulator actually comes knocking, you're most likely big enough that it means you've created a successful startup.
Then you just say "Sorry!" and you implement what they want.
This is probably different if your company is in the EU, but this is my North American point of view.
It can go both ways. Just because a company has done something that deserves to be regulated does not mean the regulation itself is a good way of accomplishing that. For what it's worth, I think the EU is for the most part doing alright, with some severe missteps as far as encryption and privacy go.
I've honestly been pretty happy with it. It gives developers the ability to push back on bad practices with "do you want to lose access to the European market?" Having that in the tool belt is very handy.
Counter-point: as a programmer and data engineer working with large and small companies, GDPR has been a massive help to me, as clients now have the concepts coined, and I can back my stances with legal texts when it comes to protecting people's data.
Not really. The methods companies use to skirt around EU regulation have been the actual disaster. Case in point: the EU never mandated the cookie popups that proliferate across the web. They simply passed common-sense regulation about user tracking. But there's too much money to be made tracking your every move on the internet, so along came the popups that convince you to allow yourself to be tracked. Every time I see one, I'm reminded of how relentlessly exploitative the modern web is, not of how mistaken the EU is.
I'd say those are unintended consequences that should have been taken into account. The effective result of the regulation appears to be just to have added annoying popups and close to zero change in company behavior.
You have third-party data brokers in the US which have everyone's data and sell it to anyone; you don't have that in the EU. I'd say that is a pretty big change.
There's an open question of who is to blame when poorly written legislation causes companies (with fiduciary responsibility to their shareholders) to find ways to follow the letter of the law but not the intent, creating end results that are worse for the public.
The American perspective tends to be that if millions of users are suffering because thousands of companies are interpreting the laws created by a single legislature, we should tell that one legislature to fix their shit. (Note: not that they actually do fix their shit, but that’s who we yell at)
The European perspective tends to be that the thousands of companies should each be individually yelled at to fix their shit (Note: not that they actually do fix their shit, but that’s who they yell at)
Neither way is all that effective, tbh. But looking at the end results, I must say I prefer using the internet outside of the EU. I always use private browsing, and the implementation of EU rules when browsing the web in Europe makes this an absolutely insufferable experience. Pages and pages of legalese I have to click through to access a single Google result, when, guess what, none of it applies because I'm browsing in private. The natural response for me would be to disable private browsing and let Google store its "you clicked through our bullshit" cookie to make my life easier, resulting in the exact opposite of the law's intended effect.
Like I said, neither side is perfect, but using the internet "privately" is actually much easier outside of the EU than in it. To me, that means we need to yell at the legislature. Opinions may vary.
I have forgotten the recent example, but there are sites that don't have a banner at all because they don't track users, and others that see the Do-Not-Track header and replace the banner with a discreet acknowledgement.
Good point. A reasonable response to the whole debacle would be to get the legislature to mandate that an HTTP header similar to Do-Not-Track must be configurable on a per-browser basis, and that all requests carrying it must be seamlessly handled as if the user had previously pressed the "do not agree" button.
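As it happens, a header along these lines already exists: some browsers send `Sec-GPC: 1` (Global Privacy Control). Whether a site is legally obliged to honor it varies by jurisdiction, so this is only an illustration of the mechanism, not a compliance claim; a server-side sketch:

```python
def consent_state(headers):
    # Treat a privacy-preference header as a blanket "do not agree",
    # so no banner is needed and no tracking consent is assumed.
    if headers.get("Sec-GPC") == "1" or headers.get("DNT") == "1":
        return "rejected"
    return "ask"  # no signal: fall back to an explicit consent prompt
```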
Who cares. Everyone should collectively turn their websites off in the EU, so that they can continue to suffer in mediocrity. The EU doesn’t have to deal with their own laws because they don’t innovate or produce anything.
The question is: who is not breaking EU rules?
The funny thing: when there is a penalty of, say, $100M, all those funds go to the government to spend on more regulations. A never-ending loop. The user doesn't receive anything.
The EU's own website has the same banner message asking for analytics cookies; it's just a poorly designed and executed regulation, like many in the EU revolving around tech.
The longest period of peace in Europe seems like a pretty big achievement, even if many of us don't even know what it's like to live through a war in Europe. On a smaller scale, having a single currency, no roaming fees, and being able to travel and work everywhere without worrying about a tourist or work visa is pretty big too.
Easy to forget about many of these things as we just take these as a given baseline.
>Regnier reportedly went on to say that the commission has asked the EU’s 27 national governments to look for “any trace of Bluesky” like EU-based offices. The regulator hasn’t reached out to Bluesky directly, yet, The Financial Times writes.
>But since Bluesky isn’t yet big enough to be considered a “very large online platform” under the DSA, the regulator says it can’t regulate Bluesky the way it does X or Threads.
So it sounds like they are 'breaking' rules that don't even yet apply to them?