The GDPR has already resulted in quite a few websites simply refusing to serve the EU. Will this clinch it? Will the EU be cut off from the internet due to over-regulation that no one wants to put themselves at risk over?


I think calling GDPR over-regulation is extremely suspect. The GDPR does a good job in codifying basic privacy principles of what you can do with personal data. Clear communication, consent, control over your own data and data protection principles. Things that should be self-evident but we have been failing with forever, and something that has become extremely widespread in an online society. The only reason to call it over regulation is if you're spoiled about not being regulated beforehand - but there was a clear need for such a law and codifying reasonable privacy principles. I don't understand why I hear so few Americans about wanting this in their own country.

Article 13 is fundamentally different from the GDPR. The fundamental problem is that I think (and most people hopefully do) user privacy is an ethical good, and I don't believe (much of) copyright law is an ethical good. If you fundamentally believe copyright must be defended vigilantly Article 13 is not an unreasonable consequence at all - I just don't agree with that premise one bit.

Websites that don't want to comply with GDPR, I say good riddance. If you really feel you cannot uphold the basic privacy principles posited, then screw you too. But for Article 13, the laws are only in the interest of big corporations. I don't care about those.


There is a cost to businesses in complying with and implementing regulations, regardless of the size of the business and how good or bad their behaviour has been with respect to the intention of those regulations. You can't deny over-regulation by assuming only the badly-behaving people are burdened by it.

Besides, there is also a cost to me: the never-ending pop-ups and acceptance dialogues, inability to access information in a straightforward manner for those that choose to block, etc.

What is the percentage of users who actively control their privacy as a result of GDPR (and still happily use the website)? What is the percentage of badly-behaving businesses who will be prosecuted?


Every regulation is a trade-off.

> There is a cost to businesses in complying with and implementing regulations, regardless of the size of the business and how good or bad their behaviour has been with respect to the intention of those regulations. You can't deny over-regulation by assuming only the badly-behaving people are burdened by it.

Indeed - the lack of this cost of business was causing (1) reckless and (2) (deeply) unethical behaviour to become rampant [0]. I think it was fair to say it was not acceptable anymore, and I think the GDPR does a good job of formalizing rules of basic common sense about personal data protection. There's really nothing in the GDPR that I can point to that is overbearing, although of course many businesses do implement unnecessarily overbearing UX on top of it.

Processing personal data should be a risk to business, and I think some basic rule of law was warranted for this risk to be clear to business.

I'm not saying there is no cost to regulation. But the cost needs to be proportional to the good it achieves and I think the GDPR does that quite well. Article 13 - in my opinion - clearly will not.

[0]: E.g. in unregulated countries: https://news.ycombinator.com/item?id=17081684


If a business can't afford basic privacy processes then it deserves to fail.

The law doesn't ask for any popups, blocking is a dumb option that not many take, and for prosecutions we'll have to wait a bit longer before we see.


You can avoid the burden of GDPR entirely if you simply don't collect user data, and you can avoid most of it if you only collect data that you actually need.


> I think calling GDPR over-regulation is extremely suspect.

I don't. I find it an egregious example of over-regulation. I think not recognizing the obviously large scope of such regulation is extremely suspect.

> The GDPR does a good job in codifying basic privacy principles of what you can do with personal data

By what measure do you define "good job"?

> The only reason to call it over regulation is if you're spoiled about not being regulated beforehand

I admit being this kind of spoiled. But it's ridiculous to say that's the only reason. There are measured ways to go about things and to so blatantly say that this is the only reason one might view it as over-regulation (despite real reasons such as size and scope and ineffectiveness of predecessors/enforcement) destroys our ability to have real conversations about the many alternative ways to solve some of the problems we have. Such a black-and-white absolutist view is harmful.

> I don't understand why I hear so few Americans about wanting this in their own country.

Can't speak for all, but for many, it's because they recognize the difference between what would be ideal and what would actually happen. Large anti-company (especially against companies that users prefer to use) laws have a chance to be frowned upon, despite ridiculous promises/optimism/naivete by the hopeful.

> Websites that don't want to comply with GDPR, I say good riddance. If you really feel you cannot uphold the basic privacy principles posited, then screw you too.

This is not how chilling effects work. You don't get to say "well, if they choose not to do business where a law is, they must not be able to uphold that law". There are compliance costs/risks. The amount of assumptions concerning this topic, whether assumptions that the law is good or assumptions that those disagreeing with it are of a certain ilk, needs to stop. You only hurt your cause discussing things in this manner.


I'd like to point out that you're responding to me as if you assume I have no to little experience with this law and its consequences for organizations. That's not a reasonable assumption - my post is speaking from organizational experience. You're not talking to some outsider of all of this.

If you have specific problems with GDPR or that it goes too far, I'd like to know what those specific aspects are. In my view, there's some basic rules on how to deal with personal data that the GDPR codifies, and it does that surprisingly (for the EU) reasonably. It starts from simple principles of citizen rights and ethical behaviour and writes a complete rulebook on how to apply them - that's my definition of a good job.

It might be difficult for business to adapt to actually now considering processing personal data a risk. But that by itself does not make GDPR "overregulation" - that just makes it a difficult regulation change to process. I won't shed a tear about business having a difficult time going through that process - I'm incredibly happy that they are forced to consider processing personal data a risk, because it is.

Also note I specifically said "Websites that don't want to comply with GDPR" - not "Companies that are not sure they can comply with GDPR yet". There's a reasonable difference, I agree. But, yes, if you find that your business intrinsically cannot comply with GDPR or you don't want to - it's time to take a good hard look in the mirror.


GDPR caused some non EU media businesses to preemptively block EU users because their primary readership is not in the EU and their primary business model is abusing their users in ways that GDPR restricts.

GDPR did not really change the media landscape in the EU. Business as usual here. Mostly companies went through a brief period where they had to consult lawyers and expensive agencies on how to cover their asses. Mostly good things have started happening after that. Some companies that were doing technically unacceptable things under pre-GDPR legislation have now grudgingly stopped doing those things.


The only thing I've noticed is even more website popups about cookies that make it hard to do anything but give the go-ahead to all the cookies, but I'm not sure whether that is a result of GDPR.


That's pre-GDPR (barely), and the original idea was that users should be able to opt out of cookie tracking. But instead most web sites just added that super-annoying (particularly when it covers the whole page) pop-up giving you one option: Accept cookies or else. That was not the intention of the regulation at all. So far I've seen only a single web site that actually gave you the option to not use cookies (yes/no, not just yes).


I’ve seen a lot that give you yes/no options. Some of them tell you that you can’t use the site, sorry, when you click no, but I’ve noticed many let me continue on anyway.

Of course, I’ve seen even more that give you only an accept option... that, or as sibling commenter said yes/wilderness of options.


I ran across one the other day where the options were yes, and yes worded a little bit differently


Yes, it's normally websites run by "good people" (some non-commercial organisation) that let you easily say yes/no. Media websites implement the dark pattern of Yes/[wilderness of options page].

This is pre-GDPR, but it feels like since GDPR there's been a real uptick in this.


I suspect that this is mostly the result of the all-or-nothing being the easier-to-implement solution. I've seen several websites that do offer a more advanced tool where you can opt out of some cookies (3rd party tracking mostly) but still use the main site.


now you should be free and bold to click the disagree / refuse / no-cookies button and get the experience you expect.

because if the tracking/ad/shit/any cookies are not fundamentally required for the page to show, then denying you the usage of the site is a violation of your privacy (because you can't give selective consent to specific data uses)

sure, a lot of sites throw up the ugly banner, but now you can click fuck cookies, because fuck cookies if you only want to read a fucking HTML page with pictures. they can still make stats about your visit and aggregate them, but tracking cookies are absurd. (they can filter out repeated visits by looking at IP addresses and browser fingerprinting and/or they can ask you nicely to help them get better stats, but now they have to unbundle that from the ad tracking purpose.)


> now you should be free and bold to click the disagree / refuse / no-cookies button and get the experience you expect.

This button doesn't exist in 90% of cases. Websites tend to dump you into a complex, deliberately tedious to edit options UI rather than providing a "No" button.


The operative word is should. The GDPR does not allow that kind of asymmetry.


yeah, then those sites are not compliant at all. just yesterday on a news site there was just an accept button. it was sort of cute, that it was very stark colored floating on the bottom of the page, so it allowed the reader to view the article, but there was no refuse option. (at least for my browsing sample these are becoming a rarity.)


It’s too early to say how GDPR has impacted the landscape as no significant enforcement has happened.

There are major complaints outstanding against Google, Facebook & the IAB that will define how online publishers can be funded once they are litigated.


I've so far only noticed the blocking on (tabloid) US news sites which when visited with a VPN are full of trackers and overflowing with ads. It didn't feel like a loss to me but would be curious to know if there are services which people feel they really needed/wanted but now can't access w/out VPN?


The Chicago Tribune is not a tabloid, and it blocks EU visitors now, nor are many TV stations that now block people from outside the US. Even a VPN doesn't always solve the problem, unfortunately. It's also very annoying that Google News still shows links from those sites even though you can't actually visit them.


I was actually searching for this very example but incorrectly remembered it as LA Times (but it was the Chicago Tribune). Not sure if this is a loss to people in the EU if the CT would go dark for them. Maybe annoying to expats but not sure if anyone here would cry over them. This might have in fact been the reason why they didn't bother with compliance in the first place (no subscribers/readers from EU)?


Instapaper was a sort of nice utility that blocked EU users after May last year. Fortunately there are alternatives, some of them arguably superior (pinboard?).


To be fair, it's been back for a few months and when they did bring it back, they apologized for how they handled the issue for EU citizens.


Businesses cannot afford it and no, it is not happening. Also, abusing GDPR is one thing, how about all these companies start to pay VAT and taxes on sales originated from EU.


Businesses currently just state they comply with GDPR, but really they don't.

All these big blanket OK consent buttons we see on landing pages have already been shown in court to not constitute informed and freely given consent. The real impact has yet to come, hopefully after some stiff fines are handed.

And you are right: I also wonder about enabling large scale VAT dodging by sites like aliexpress.


I assume you'd be happy for EU businesses to reciprocate and pay US sales taxes on goods & services sold into the US?

Even if you are, I'm not actually sure that would be better for anyone involved. Seems like it would essentially stop or severely diminish online commerce between US/EU as too much hassle.


I would love to be cut off from Facebook. Please do it now.


Too bad, gdpr actually makes facebook stronger..


Not unless their lawyers somehow keep the regulation from being enforced for them indefinitely.

The regulation itself forbids their main income source


no it doesn't. facebook was always pretty good at asking for permission. it showed you that so and so app will have access to this and that. and people blindly clicked it, because they wanted the mafia wars, the mob wars, the farmville, the latest zynga shitclick time waster to one up their friends in imaginary internet point games. (I tried them too, then luckily the fad wore off.)

FB has to show who they sell data to, that's the new part basically. They will probably show a long list of random companies. It'll look a bit scary, people will get accustomed to it. (FB will find a dark pattern that minimizes the attrition due to any permission/consent step in their money machine.)


But that is the thing. The regulation is still in effect, even after they gave the permission.

The identifiable information still has to be encrypted. They still need to specify exactly where the information will go and why. And if a new company wants to access the data or even wants to use the provided information for something new, Facebook has to ask permission again. Once again telling the user why that company needs permission and why as well.

It's doubtful that the current blanket prompt is enough. But it remains to be seen whether the law will be enforced and it's of course possible, that nothing will change and regulators never act on the law


FB will have to do the aggregation themselves, and then sell the aggregated data. no PII. and they are doing that, allowing targeting and stopped the messaging legacy APIs, now if an app wants to read your messages it has to ask for permission. (I don't even know if there is such a permission anymore.)

That said, I hope the EU courts will look at them the first time they fuck up. (And that might be right now. But so far I'm not aware of any recent FB data/privacy abuse.)


How so?


What about other people that like the service? Why don't you stop using it yourself and instead try to forcibly impose your personal ideals on others?


The problem with Facebook is that they track everyone, FB users or not. Most likely breaking GDPR for basically every European who uses the internet.

Good talk from a few weeks ago: https://media.ccc.de/v/35c3-9941-how_facebook_tracks_you_on_...

(that's just android, but they do just as much web tracking through their pixel for example).


Agreed, it's way over the top. However, I would like the EU, or the US, to tell Facebook to get their data collection and reselling under control. The GDPR should have taken care of that issue, but until someone drags Facebook to court over a GDPR violation and wins, nothing is going to change.


Because those pages sucked and didn't want to protect their users' privacy.

It's like saying that criminal laws prevented people from getting happily scammed.


But it's in a website's favor to serve as many consumers as possible, won't any group that isn't willing to conform to EU standards be outcompeted by those that do?


Nope


If a few major sites like Wikipedia, YouTube and Facebook decide to not service EU any longer, I think it won't take long before that regulation is rolled back.

No idea if such a thing would happen though.



