How to effectively evade the GDPR and the reach of the DPA
blog.zoller.lu

We've actually been threatened with a lawsuit because RocketReach displayed some obviously inflated revenue for one of our customers. Luckily, we were able to prove that the numbers were changed recently and threatened to report them for fraud, which ended this pretty quickly.
Seriously shady company.
> threatened with a lawsuit
I don't understand, who threatened you with a lawsuit? Why did they care about RocketReach?
We used a product from a company (I'd prefer not to name them) and received an official letter from them that one of our customers had more than 10 million in revenue, which in turn would require us to buy a larger plan from them[0]. They cited the company's (unofficial) RocketReach page as a source and demanded 30k USD (iirc).
They only retracted the threat after we could prove (via Google Cache and archive.org) that the page was very recently modified to show such a big revenue and threatened to report them for fraud.
We probably could've deflected the case since the company was public and therefore its revenue was also public, but, as a very small company, we had neither time nor money to spare for a useless lawsuit. And we assume that this was their bet. We switched to a competitor after this, obviously.
[0] It later actually turned out that this AGB change was after our purchase and not yet affecting us, but we didn't know that at the time.
Sounds like that company was as shady as RocketReach... someone who threatens their own customer in bad faith (or negligence) just for 30k is likely to be more trouble and of less value to you in the future if that's their focus of increasing revenue.
Good call ditching them.
[edit] speculative aside...
What if they were intentionally feeding RocketReach misinformation? It might seem far-fetched, but these personal data collecting companies like RocketReach or even Equifax obtain their information from a variety of untrustworthy sources.
I was a victim of this through my own foolishness a couple years ago:
I was using a car insurance comparison site and guessed one piece of the required information I couldn't completely remember - a speeding ticket date - I couldn't remember the exact year. Turns out I entered it exactly one year off, and it was so long ago anyway that it had no bearing on the quotes.
After continuing with my existing insurer, a few months later my insurer sent me a demand for a rather large quantity of money... that's right, they attempted to backcharge me for 5 years' worth of insurance over an extra speeding ticket they had "discovered". Obviously there was no way I would pay them, but it was extremely difficult to convince them to stop harassing me for this money even though they had no proof, even after demanding they provide evidence of their discovery, which they refused.
It's scary how easy this is to do, and I wasn't even trying.
> someone who threatens their own customer in bad faith (or negligence) just for 30k is likely to be more trouble and of less value to you in the future if that's their focus of increasing revenue.
Yes, that was really strange. We thought they might need quick money, as this was right at the beginning of the corona crisis. Still, not acceptable.
> What if they were intentionally feeding RocketReach misinformation?
That's possible but quite strange. This information is public in our country, so there is a known reliable source and they should've known better.
> Obviously there was no way I would pay them but it was extremely difficult to convince them to stop harassing me for this money even though they had no proof.
Yes, this is quite usual. We were seriously lucky we discovered the change; but, given that they backed up so quickly after we called it a fraud, I'm seriously assuming it was.
Thanks for explaining. (How surprised I would have felt, when first getting contacted about something like that and a lawsuit)
Yes, we were shocked, too. Luckily one of us is a bit experienced in law and directly dug into this while keeping his cool. I saw our doors closing already, to be honest.
Currently there's not much the data protection authorities in the EU can do about foreign companies abusing the data of users.
I assume that in the coming years (or decade?) there will be more efforts to ensure the enforcement of EU law for foreign companies that offer services to EU citizens as part of trade deals.
Right now there's e.g. a flourishing industry of data brokers in Israel that illegally collects data from EU (and US) citizens and sells it, a practice which is hard to stop as well since most of these companies don't have offices in the EU.
I think another possible strategy would be to go after the clients of these companies. If they can't legally sell their data to companies in the EU or US their business model would falter. The GDPR actually mandates that you as a data controller validate that companies which process data for you adhere to GDPR principles. Right now it seems this isn't being enforced much yet but I think it will be soon, which hopefully will have an effect on data brokers outside the EU as well.
It is enforced and viral in EU. Think of it like radioactive materials, any operation needs to be fully tracked.
While accessing any user personal details you need to have user consent to process their personal data. You can't simply buy the dataset and assume it has consent. When you buy data from a data provider you need to make sure the user gave consent for third parties to handle data from that provider in accordance with GDPR. Users can revoke the consent; every party needs to be ready to handle that scenario. Any data export outside the EU also needs consent under GDPR. Moreover the dataset needs to be registered with the local regulator.
> While accessing any user personal details you need to have user consent to process their personal data.
Consent is only one of the lawful bases for processing data under the GDPR. In practice, it's the one almost everyone tries not to rely on unless they can't avoid it, because it comes with extra obligations that other bases might not.
Could you list the others? Or at least provide some examples?
Basically all I know are based on either mandatory-by-law record keeping, or records used to fulfill whatever service/product/goods the user purchased, but even in these cases the processing must be described, right?
The GDPR itself is actually quite readable, so if you're interested in the details, you can go to the source. There's a neatly formatted version hosted here:
https://gdpr-info.eu/art-6-gdpr/
What the source material won't tell you, for better or worse, is how these are interpreted in reality by data controllers, processors and regulators. The two main things to know in that respect are:
1. Relying on the subject's consent is usually the last resort. It comes with lots of extra strings attached.
2. The "legitimate interests" provision is open to interpretation. It is widely used as an excuse for processing that many of us might consider far from desirable. But it is also a risk for data processors doing things many of us might consider reasonable, because any regulator can take a different view and they get to win by default.
I'm not sure how I feel about the screenshot at the end, showing that various policy makers also have their personal information being sold.
I guess the information is out there, and doing so also makes it definitively personal for the policy makers / enforcers involved.
That said, the policy makers / enforcers may be genuinely hamstrung. The US imposes its laws globally because of its status as a global reserve currency (trading in USD requires the transaction to route via the US, thus making the entity subject to US law).
The EU doesn't have such status or power over US companies. The most it can do is try to prevent them from operating in the region.
As a person who almost certainly has his personal information being sold on this platform, I'm not pleased, and would love to see something done to prevent this kind of activity. Unfortunately, that depends on the US government to take action, and the last 12 years haven't been a flying endorsement of the effectiveness of the current government system. (This is not meant as a statement regarding the effectiveness of either President, but rather regarding the low output from the system as a whole)
> The EU doesn't have such status or power over US companies.
US companies operating in the EU are subject to EU law. Worst case the company itself doesn't operate in the EU; however, that still leaves its customers (Intel, Airbnb, etc.) as potential targets to apply pressure on.
Does RocketReach have servers in the EU? Employees? Subsidiaries?
I genuinely don't know in this case. But in general my European friends seem to think that merely having someone from the EU access a website makes that website's owner have a presence in the EU, even if the server that handled it isn't. That seems like overreach to me. If that were the case, I'd block EU access for any of my domains, and I don't think we want a future where that becomes the norm. The ideals of the Internet are free exchange of ideas and information, no country-specific walled gardens.
> The ideals of the Internet are free exchange of ideas and information, no country-specific walled gardens.
Your argument reduces to "freedom of speech" == "freedom to take and distribute personal information" (They are not equal).
Your "walled gardens" cherry on top only highlights the deficiencies that some countries have in protecting personal information. Saying this is making the internet into walled gardens is like promoting tax evasion by using Ireland (in this case the US == Ireland, because it is deficient).
My understanding is that merely having a website that can be accessed from the EU may not by itself be enough to be subject to the GDPR. However collecting or processing data on EU citizens or residents certainly is. And almost all websites track users (even when it's not obviously useful to do so), so unless you go the USA Today route and create a site for the EU with no tracking, you have to comply.
There's also the question of who they sell the data to. It's hard to see why they would sell EU citizens/residents data to companies who don't have any EU presence themselves, so at least some of their customers are bound by the GDPR as far as these are concerned. Informed consent is required at every step, so for example they would need the EU subject's consent to buy that data from RocketReach.
A noticeable number of websites outside the EU did block access to people who appeared to be from the EU when the GDPR was introduced.
As for over-reach, the practical reality is that laws can be enforced extra-territorially if, and only if, the country that wants them has leverage. In some cases, that comes from making deals with other governments, where one or both give weight to the other's claims voluntarily in their own territory.
In other cases, it comes from networking effects. If you are a US-based business running a US-based website with no presence of any kind in the EU, then maybe the EU can't do anything to hurt you. On the other hand, if you have any relationships with other businesses that are within reach of the EU, they might be used as leverage to reach you.
Worst case, you find that anyone connected with your business who travels to the EU or anywhere with a relevant extradition treaty gets arrested. Obviously a reaction that extreme is unlikely, but if perhaps a government thinks you owe them lots of tax money or the personal data you aren't processing according to their wishes relates to some matter of their national security, stranger things have happened.
If the companies don't have assets in the EU that can be affected by EU prosecution, then the GDPR is not enforceable. It might be possible to prosecute and trial management, but again this has only consequences if they enter EU jurisdiction or if they are extradited. Such issues and questions always arise with laws whose reach is extraterritorial. Keep in mind that the US has a fair number of these laws as well.
Deny entry or arrest executives of the company if they try to enter the EU. Surely some of these people travel...
Yes, that would work. It's what the US does after all. I'm not optimistic though that the EU is capable and mature enough to handle the ensuing diplomatic heat. At least not yet.
You do know that US law is imposed everywhere in the world, right? DMCA notices and stuff like that.
This is not true. It is the choice of the local jurisdiction (or sometimes the company so chooses) to abide. The US does exert leverage in many situations as one might expect the EU to do. But acting as if every country is 100% beholden to US law with no sovereignty is wrong and just excuse-making. There are many places that don't respect DMCA making your statement very false.
Maybe so but it is effectively imposed on all citizens of the world. Other than for the now rare cases that people are serving stuff up from their home.
So it seems are parts of Chinese law. https://qz.com/1875863/hong-kong-national-security-law-cover...
A country claiming its law is enforceable everywhere does not make it so.
> The ideals of the Internet are free exchange of ideas and information, no country-specific walled gardens
> If that were the case, I’d block EU access for any of my domains
These two statements are at odds with each other ...
Yes, that’s my point. It’d be a tragedy.
It seems like you're trying to absolve yourself of responsibility by using a passive voice, similar to this recent trend of abusing the 451 status code. You would be the one choosing to block the EU and further balkanize the Internet.
Why don't you just comply with EU regulation though? Just like we have to comply with the KYC/AML that the US forces on everyone.
Because they cannot enforce it. This is the same reason websites don't comply with African law. Whether it is morally wrong or right is another question.
It may just not be worth bothering. Most of the time when I see someone complaining about a page being blocked for Europeans it's some local American news outlet serving a town of five thousand people whose IT department consists of one guy in a broom closet.
You do realize that Europeans et al have to deal with AML/KYC because of international agreements your countries have entered into? This isn’t just the US unilaterally saying “your banks and money processors must obey our laws.” The US passed extraterritorial laws, and then sought agreements from other countries to enforce these laws. The EU hasn’t done this. AFAIK there are no trade agreements or such that offer reciprocal rights to enforce GDPR. If the EU wants to enforce the GDPR globally, then that’s what they’d need to do.
Because I didn't vote for it, not even indirectly.
EU can and should sanction such businesses, individuals behind it and their suppliers. Basically, just do the same as USA does to Nord Stream 2. This will be painful enough.
And their clients, if necessary.
> The EU doesn't have such status or power over US companies. The most it can do is try to prevent them from operating in the region.
Wouldn't that already be quite a step? I don't know who they're selling the data to, but it should at least be possible to prevent them from selling that data to organisations with a European presence, right?
> trading in USD requires the transaction to route via the US
Is this correct? How's that enforced? Say, I have a company in Poland which sells some goods for a million dollars to another company in Poland. We both have USD accounts in Polish banks and the transfer is between these accounts. How does the money route via the US?
It's not enforced but it's a de facto practical requirement.
If Polbank (forgive me for the bastardized names) wants to give 1M USD to Bankpolska, they either need to ship cash (which can be done but is expensive or tricky), or have a specific bilateral agreement between them (which can be done and is done sometimes, but linking every bank with every other bank bilaterally does not scale), or need some interbank settlement system that will do that, but there's no such system in which they can participate. E.g. there's Fedwire, but neither Polbank nor Bankpolska can be direct members as far as I understand (they generally are not members; I'm not certain if it's caused by some strict limitation or just practicalities and costs.)
So the standard means is to use 'correspondent banks', e.g. USA banks that do that for them. Polbank might have a USD account with Chase or Citi, and Polbank can ask Chase (via a SWIFT message usually) "hey, transfer $1m from our account to Bankpolska, it's cover for customer deal #1234" - but this means that the transaction "goes through" the USA.
Alternatively, multinational banks may have branches in both USA and Poland and so they can be direct participants and settle this directly, however, then it would involve a Fedwire transfer (in USA, subject to USA laws and limitations) between Polbank USA branch and Bankpolska USA branch.
That's standard practice for pretty much every currency. EUR settlement between two American banks usually (not always, there are various options) goes through EU, RUB settlement usually goes through Russia, etc.
If there's a sufficient need, Polish banks could establish an interbank settlement system through which they could transfer USD directly (e.g. similar to the one they have for transferring Polish zloty), but it's a hassle and has costs, so currently they have not done so because for them it's generally not a problem to route all USD payments through the USA.
There have occasionally been efforts to do large international USD transactions which don't touch the US, usually because one or both of the participants is under US sanction. There is enough USD infrastructure in London that it may be an alternative to New York, but everyone involved has to scrupulously avoid any interaction with any machinery under US jurisdiction, which is quite difficult.
I learned about this from reading the case brought in the UK by the US government to try to stop this happening. I didn't bookmark it, and of course can't find it now.
Not this, but an example of how it can go wrong:
> According to the settlement agreement, BACB actively solicited U.S. dollar business from Sudanese banks and processed the transactions by way of an internal book transfer process that involved a nostro account maintained at a foreign bank (Bank B) located in a country that imports Sudanese-origin oil. (A nostro account is an account a bank holds in a foreign currency in another bank.) Although these transactions were not processed to or through the U.S. financial system, the process to fund BACB's U.S. dollar nostro account at the foreign bank did involve transactions processed by or through U.S. financial institutions in apparent violation of the U.S. economic sanctions.
https://www.nafcu.org/compliance-blog/ofac-dings-london-bank...
> If there's a sufficient need, Polish banks could establish an interbank settlement system through which they could transfer USD directly (e.g. similar to the one they have for transferring Polish zloty), but it's a hassle and has costs, so currently they have not done so because for them it's generally not a problem to route all USD payments through the USA.
Doesn't it still need to be involved with the USA? I mean, sure, they can use this settlement system to trade between each other independent of the Fed, but ultimately the funds in the settlement system have to be stored as reserves in the Fed, i.e. in some bank under US jurisdiction. So, after all, the US still has control over this new settlement system, but now they can't freeze individual accounts in it; they can only freeze funds in the reserve account(s) that this system consists of, potentially affecting many (innocent) parties. Am I right?
Thanks for the explanation, this makes more sense.
Euro dollars are constantly traded without going through the US.
CLS currencies and any currency which is fully convertible can be used in transactions without any involvement of the jurisdiction that minted the currency in the first place.
The USD has a huge settlement infrastructure that is completely independent of the US.
Doesn't it still involve accounts in US banks though? Please see my direct reply to PeterisP for an explanation. I cannot see how it could work without Fed oversight, as it would allow it to "print" dollars.
Also, could you please share more info? I'm very interested in financial settlement systems, especially for USD and EUR, but sadly there are too few public resources.
Thanks, a reply like this is why I come to Hacker News!
The bank will either have a presence in the US itself, or it'll have a partner that does that it'll route the transaction through.
If you've done a USD transfer, it'll most likely be a SWIFT transfer, and you can ask your bank for the SWIFT routing log. You'll most likely see an NYC bank (or NYC branch of your bank) in the middle.
SWIFT is a communication network; it replaces the letters and couriers ancient banks would have used to agree that payments have been ordered and funds have been moved. Payments don't "go through" any bank that hasn't been explicitly requested. The whole point of the SWIFT network is that it is global and it allows you to reach every branch of every bank.
There are of course banks whose SWIFT processing is handled by someone else, but they are usually service bureaus or central offices within a conglomerate, not partners in a specific country.
I'm not sure about this. I think you're conflating SWIFT transfers with USD transfers
USD is fully convertible https://www.kantox.com/en/glossary/fully-convertible-currenc...
I can "take dollars out of my pocket" and pay you without going through the US no problem
USD transfers even within the same non-US-based bank, let's say in the same Poland example, are done with SWIFT, but it's unlikely they go through a NYC bank, as the cost is none and the transfer is instant. SWIFT is used only for addressing and accounting in such a case.
Within the same bank it's just internal accounting. But when two different banks are involved, a USD transfer generally goes through the USA.
No it doesn’t, https://en.m.wikipedia.org/wiki/Eurodollar.
Not to mention that since the USD is a CLS/FCC currency you can perform correspondent banking transactions with it without having any government involved in the process.
It gets quite interesting when foreign currency is involved: https://en.m.wikipedia.org/wiki/Nostro_and_vostro_accounts
This same BS is perpetuated by YC-backed Apollo.io by simply scraping public LinkedIn profiles & then masking asterisked emails & numbers (usually your company's public numbers) & asking people to sign up.
And when you do request them to remove the same, they ask you to provide ID proof. As if one would provide the same to a company which didn't take your consent for the initial profile data either.
I somehow managed to get hold of the CEO's mail ID and got mine removed. But I can only imagine what everyone else would have to do when they want to control their web presence.
There are at least 50 data brokers I've had my information removed from. They will say whatever they can: "we need proof," "it's just public information anyway."
Every time I insisted they take it down, right now. Every time they have complied.
There's so many it's basically pulling weeds at this point.
The scarier companies are the ones collecting pictures of your face to train their private facial recognition software.
(Hell I'm hesitant to post HERE because you can't manage the privacy, content or existence of your comments)
Some data brokers are threatening you with "if you get removed from our database you will be marked as high risk of fraud and your transactions/orders you do online like hotel reservations will get rejected/put on hold for screening".
Well played. Absolutely legal but totally immoral
But is it true? If not then I'm pretty sure in the UK at least there's some law against it.
There are certainly rules in the GDPR about automated decision-making that might be relevant.
I don't know, but I'd think it's slightly true. I'd guess you'll be marked in THEIR database, so if the hotel happens to use that company's lists, you might be marked, but not be high risk in anyone else's books...
That's not legal, because that is still personal information being stored. They have to delete it all, upon request.
The implication (whether true or false) is that some company might treat the absence of a record in their database as suspicious.
> There's so many it's basically pulling weeds at this point.
...and they are often run by the same people. They use shell companies to basically avoid take-down requests.
Their goal is to make it sufficiently annoying to take down your information that most people give up. While at the same time removing it (regardless of the process) for anyone who occupies too much of their time, because your individual data isn't valuable enough to waste defending against a take-down.
I suspect a (faux) lawyer's letter is easier to get these takedowns processed than the calls/emails that most people try.
I'd be interested to know if anyone has had success with any legal measure that would enjoin them or any other entity they're in any way affiliated with or that shares common ownership.
I've been in touch with a company called Acxiom, who shared my details on Facebook. I'd never heard of it, so I submitted a data subject request to see what they know about me.
They then asked me to provide my address to confirm my identity. Given that I've moved quite frequently, and that I'm now asked to share more personal data with a company that's mishandling my data, I wasn't keen on it.
I mentioned that my full name is globally unique, but they refused. I tried to ask them to share some masked data that I can confirm in full (e.g. "give me a partial address and house number, I can give you the full address"). They refused.
They definitely try to make it hard for you, and to dodge responsibility.
Acxiom is one of the largest (and oldest, they started in the 1970s) data brokers in the world. I think they, like a lot of other creaky corporations, don't necessarily make things difficult on purpose but they...don't go out of their way to make the bureaucracy any more navigable than it has to be.
In other words, it's not a bug, it's an accidental feature.
I am sorry, how does that resolve the issue of them operating illegally?
The fact that you're an old mess means you should be destroyed as a business to allow for newer, more ethical businesses to pop up.
If this is an accidental feature it means you should be accidentally run out of business.
> how does that resolve the issue of them operating illegally?
Which part of the process described is illegal? The GDPR explicitly requires[1] controllers to verify subjects' identities in an access request:
> The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.
That is true, but the word "reasonable" is significant. Taking reasonable steps to confirm a data subject's claimed identity is fair and necessary. Giving them the run around and hiding behind that verification obligation as an excuse is not.
I mean, sure, but OP indicated that he didn't want to provide the info they requested for verification. I don't see how their action here could be considered unreasonable.
"I promise you that I am the only person on earth with this name" doesn't really seem like a sufficiently secure attestation.
OP here. My name is unique globally (there are no other people with this name), easily searchable, linked to my personal domain, and my personal email address on that domain.
But even if we can't go by that, I gave them plenty of options that won't involve me disclosing my entire address history. How on earth am I supposed to give all my address history to a company I never heard of, and who shared my data without my consent...
They didn't come up with any concrete suggestions that won't involve disclosing much more information about myself than I think it's reasonable to require in order to release my own personal info.
I think I was very reasonable, and they weren't. Legally I'm not sure what the situation is. IANAL.
I'll be honest - based entirely on your description of events, with no other context, I wouldn't have approved this request either. Here's my reasoning:
> They then asked me to provide my address to confirm my identity...I wasn't keen on it.
This means one of the primary avenues of verification (possibly the only avenue for some shops) is unavailable. In the scope of GDPR, it's important to remember that they aren't allowed to retain any information you provide for this purpose for any reason other than keeping a record of the request.
> I mentioned that my full name is globally unique, but they refused.
I would have absolutely no way to validate this, because I don't have a comprehensive listing of all 7 billion-odd people in the world. Even if I did, and it was, it's still only a single factor - I doubt you'd want me to release your data to anyone else based only on them knowing your name and that it's unique.
> My name is...easily searchable, linked to my personal domain, and my personal email address on that domain
This can't be relied on, obviously, because there's no identity verification on (most) domain registrations. For all I know, the email address that I have attached to your profile isn't even yours (because we have no preexisting relationship, this has never been proven.)
> I tried to ask them to share some masked data that I can confirm in full...They refused.
I don't think this is actually allowed under GDPR, but assume it is. Let's say you do this twice with two different data controllers - they each provide you with a masked address, but they've masked different parts (because there's no standard).
If you were a malicious actor, you'd now have the subject's complete address and could use that to gain access to the rest of their data. It opens up a significant attack vector.
> How on earth am I supposed to give all my address history to a company I never heard of, and who shared my data without my consent...
Assuming this was someone unknown and not Acxiom, this is a valid point and unfortunately I don't think there's a great answer. In this case, it is Acxiom and you could've quite easily discovered that they're a major corporation and not a random data harvesting shop.
> I think I was very reasonable, and they weren't.
At the end of the day, you're going to have to give them something to prove who you are. If you won't even provide your old addresses, then absent a government-issued ID (which I assume you also would be reticent to provide on the same grounds) I don't know how else I would even attempt to conduct verification.
I think you miss the elephant in the room, which is my email address. That's not something that's easy to fake, and I'm pretty darn sure they have it in their database.
If they have other details about me, like my phone number or address, they can offer to give me a call, or send a letter to confirm my identity (btw, another company I filed a request with did just that). This won't expose any further details. The fact is, they didn't suggest any reasonable alternative.
> Assuming this was someone unknown and not Acxiom, this is a valid point and unfortunately I don't think there's a great answer. In this case, it is Acxiom and you could've quite easily discovered that they're a major corporation and not a random data harvesting shop.
The fact that they're big is irrelevant. They already shared my data without my explicit consent. They're a company I never ever signed up for or interacted with in any way, yet they hold data on me. They share it and make profit out of it. I'm definitely not keen on sharing any additional info with a company that aggregates my data as their core business.
I hope you see the huge imbalance here. To get my data I need to jump through hoops and expose even more data about myself (to a data broker which makes money off of it). To sell, aggregate, share and abuse my data without my consent and very likely in violation of GDPR requires no validation that indeed the data belongs to me, nor even an attempt to contact me and ask for consent.
I'm leaving aside the consent piece, because frankly it's unlikely that they ingested this data without receiving it from a third party to whom you did give explicit consent. This is one of the problems inherent in GDPR as written, and needs to be addressed in the next revision.
> I think you miss the elephant in the room, which is my email address. That's not something that easy to fake, and I'm pretty darn sure they have it in their database.
As I wrote earlier, the issue here is that because they have no direct relationship with people in their data lake, there's no way for them to know with certainty that the email address associated with a person belongs to that person without some form of additional validation.
You can prove that you have access to that email, but you still need to prove that you're you.
> If they have other details about me, like my phone number or address, they can offer to give me a call, or send a letter to confirm my identity
This brings up the same problems as before: what if the number has been recycled? What if the letter is intercepted by someone living at an old address? Then they've given up the store again. Just because someone else is doing it doesn't mean it's a good idea.
> I hope you see the huge imbalance here.
I do, but you also need to look at it from the other side of the screen. As much as you have a legal interest in accessing your own data, they have a legal interest in ensuring that you are actually the one accessing it.
What you've run into here is one of the other...accidental features of GDPR: it incentivizes companies like Acxiom to be as strict as possible when verifying identities for access requests. They'd much rather be forced to defend the stringency of their access policies than to be strung up by the EC for enabling large-scale identity fraud because they weren't vigilant enough.
> I'm leaving aside the consent piece, because frankly it's unlikely that they ingested this data without receiving it from a third party to whom you did give explicit consent.
Well, I definitely didn't. Even if I did give consent for processing my data, sharing with Facebook isn't something I would ever in a million years agree to. An explicit consent should have been specific about it. Evidently Acxiom shared my details with Facebook. But let's leave it aside for now.
> You can prove that you have access to that email, but you still need to prove that you're you.
That's where the huge imbalance lies, isn't it? They link my email, along with other details, and they also share my email with Facebook. Yet, when I'm contacting them from the same email address, then suddenly it's not enough.
But let's say one piece of info isn't enough; they have other pieces? Let's match them. Send me a letter, give me a phone call, give me the postal code and ask me to complete the address (or other parts of the address), provide a reasonable way for me to prove my identity. Without effectively asking for my entire address history, or compromising even more data about myself.
> it incentivizes companies like Acxiom to be as strict as possible when verifying identities for access requests. They'd much rather be forced to defend the stringency of their access policies than to be strung up by the EC for enabling large-scale identity fraud because they weren't vigilant enough.
We completely agree on this one. They're as strict as possible when subjects try to exercise their rights, but loose as a cannon when it comes to sharing data, making sure they get real and explicit consent etc.
> I'm leaving aside the consent piece, because frankly it's unlikely that they ingested this data without receiving it from a third party to whom you did give explicit consent.
That seems a rather optimistic assumption, given the historical way data brokers and those who use them have operated. Plenty of businesses, including some household names, have been caught with their hands in the cookie jar on this one before. No doubt plenty are still doing it and hoping not to get caught or that any penalties will be small enough to be worth it.
> As I wrote earlier, the issue here is that because they have no direct relationship with people in their data lake, there's no way for them to know with certainty that the email address associated with a person belongs to that person without some form of additional validation.
There are few ways to know anything with true certainty unless someone in your organisation personally knows someone you're dealing with. It is more about being reasonable.
If an organisation maintaining large amounts of personal data about people without their consent can't find a reasonable way to verify identity and allow the data subjects to exercise their rights, the GDPR-esque solution to the problem is to shut that processing down entirely until the organisation can get its house in order, or permanently if it can't find a way to do that. If that kills the data broker's business model, maybe they shouldn't have been using that business model in the first place, or should have discontinued it when the GDPR came into effect.
Allowing the organisation to deny data subjects their legal rights by hiding behind the verification obligation is at best against the spirit of the law but probably against its letter as well, and certainly justifies a regulatory investigation if it's being done systematically by a big organisation that should know better.
> That seems a rather optimistic assumption
I'm just basing this on my experience working on products in this space and specifically dealing with compliance and "retroactive" consent in the run-up to GDPR implementation. I could definitely be wrong.
> If an organisation maintaining large amounts of personal data about people without their consent can't find a reasonable way to verify identity and allow the data subjects to exercise their rights...
I'm genuinely curious: if you were them, what would you do to resolve this without asking the subject to provide any additional data for verification?
> I'm genuinely curious: if you were them, what would you do to resolve this without asking the subject to provide any additional data for verification?
There obviously needs to be something confirmed to verify the identity, but by definition personal data is data about an identifiable subject, so there must be something that can be checked.
If a big data hoarder has personal contact details, attempting to reach someone using those in response to a subject request isn't unreasonable. The hoarder will also have obligations under the GDPR regarding keeping data correct and up-to-date, so they should be in a position to do this in most cases or they're probably in violation already.
Some contact details might be checkable against an external reference to confirm they really are still up-to-date before relying on them, in which case a single attempt using that method might be sufficient.
Otherwise, if you can reach someone via two different and reasonably secure methods associated with their profile then it's probably reasonable to assume they are who they say they are.
If the hoarder doesn't have contact details they can use, then apparently there is some other identifying characteristic of the data subjects that makes it personal data, and in that case presumably you'd have to look at that and see how it could be used for verification.
This. I would go out on a limb and offer that Axciom has likely invested more in compliance in this regard than most other companies on the planet.
People may not agree with their stance, but it has yet to be successfully challenged in court to my knowledge.
One good thing about the GDPR is that it was basically designed to allow the regulators to beat up businesses that do that. If you're too old or inflexible to live up to your obligations, congratulations, it's now a liability that could turn into substantial fines.
Has the EU actually shown any teeth to these outfits?
It's one thing to say something is illegal but if you don't enforce that these firms will be able to operate with impunity.
> Has the EU actually shown any teeth to these outfits?
It's starting to.
https://dataprivacymanager.net/5-biggest-gdpr-fines-so-far-2...
There are 7-8 figure fines already this year, and two 9 figure ones that the UK regulator has given notice on.
Note that in principle it's not up to the EU to enforce because the GDPR is a directive; it's up to the individual member states to enforce the directive as enshrined in their law.
GDPR isn't a directive, it's a regulation. It's literally what the R stands for.
The major difference between the two in terms of how the EU makes laws is that directives are the indirect one: individual member states are required to incorporate the provisions into their own legal systems to give them force of law. An EU regulation is the direct equivalent: it carries force of law across all member states immediately. In the case of the GDPR, the UK government has also stated that its provisions will continue here after Brexit and the related transition arrangements.
However, you're right that enforcement will normally be done by an individual member state, because it is typically the national data protection or privacy authority in each state that acts as regulator and has enforcement powers under the GDPR. In theory, there's supposed to be some coordination so one of those regulators will take the lead on any given investigation or enforcement action instead of 28 different organisations all diving in at once, but it doesn't seem to be clear yet how that aspect will work post-Brexit.
In theory, yes. In practice... I'm not so sure. These processes are slow and I imagine that the regulators are drowning in complaints and are hugely understaffed.
And there's no recourse besides filing a complaint. Even if I'm legally right, what damage was caused to me that I can seek compensation for? (assuming I go and try to take them to court directly).
Isn't the difficulty in proving actual damages in a personal claim one of the main arguments for making this a regulatory matter?
As mentioned in my other comment near here, the regulators have started issuing some reasonably substantial fines already.
Yes, absolutely. Yet the likelihood of Acxiom being fined anything other than some token amount in a case like mine is virtually zero.
It feels like that, but I wonder how long it will be before one of the regulators decides to make an example of one of the big data-hoarding companies. Their whole business model is morally and now also legally dubious, and it's so obviously against the spirit of the GDPR that it seems like a matter of time before someone decides to pick a fight. I doubt it will be a single case like yours that starts it, unless perhaps it provides a convenient excuse to start an investigation, but it will be a thousand or a million situations like yours that motivate it.
There's so many copies of personal data all out there, it would blow your mind. I have a friend who works in this industry. Brokers sell to other brokers who sell to other brokers, who might even sell it back to the original broker after it's been "enriched" with more detail from additional brokers.
I'm a pessimist. You will never remove your personal data. If you get it removed by one company, the others will pop up like mushrooms. Also, from what I've seen, a lot of this information is out-of-date or crap that is just plain wrong.
They obviously need to have a process to validate identity, and it's ridiculous to think that they would tailor that process for every request.
It's also odd that you would want to give them your NEW address if they are likely validating against your OLD address.
Why didn't you just give them your OLD address to check against?
In fact identity verification is one of Acxiom's lines of business, but that is US-centric and probably doesn't work very well for EU or global persons.
Disclaimer: I worked for Acxiom 2007-2009, but not in the data brokerage core business.
> They definitely try to make it hard for you, and to dodge responsibility.
Yes, but at the same time you do not want them handing over all your data with zero checks on identity right..?
My ID contains: first name, last name, date of birth, place of birth, length, issuance and expiration, document number, citizen service number (~SSN), citizenship, photo (2x), gender, issuing authority (in my case: a municipality so small that it's more specific than geoIP), and in some countries it also contains your place of residence.
If they just have my name, now they have a lot of extra information. That's why my government recommends[1] to both watermark the copy and blacken unnecessary fields like the citizen service number and your photo. Such fields don't help them identify you, so you shouldn't share them with them. But imagine actually doing that: the only non-black parts (the parts they can actually match against their database) would be my name. Or in the case of WiFi tracking: nothing. I had to submit ID but really they just looked up whatever MAC address I claimed; I could have claimed my ex-girlfriend's MAC address for all they knew. It's also trivial to photoshop a document if all you need to swap around are a few letters.
Identification is completely useless unless done in person when they can actually hold the document against the light and compare it to the European database of what it should look like[2]. (I've never seen anyone do the latter; see also lichtbildausweis[3].) Online, the best you can do is ask to confirm data that you already have about the person. Asking to confirm that same data but on a photoshopped (watermarked and censored) piece of plastic doesn't help anything.
In conclusion, sure, I agree that you shouldn't be able to request my data, but the point is about the means rather than the goal. Is providing a censored and watermarked picture of an identity document a better means of reaching that goal than confirming some data like the calendar week during which I was in whatever hotel they have my data from (for example)? That's what GP was offering them: asking to confirm masked data rather than having to provide extra and unnecessary personal data.
[1] https://www.rijksoverheid.nl/onderwerpen/identiteitsfraude/v... In Dutch, but see the pictures near the bottom. This is the federal Dutch government's recommendation on how to provide a copy of your identity card.
[2] https://www.consilium.europa.eu/prado/en/search-by-document-...
[3] Original in Dutch: https://dewinter.com/2012/09/24/de-legitimatiecontrole-in-ne... TL;DR: "Lichtbildausweis" is the German word for "photo ID". But how many Dutch people know that? So when you order a photo ID from Germany, for example from a website that sells company badges (like, upload your company logo and employee photo and they'll print a plastic card for you), make sure it contains all the fields that you'd generally expect on an ID card, and they'll take it for a German ID.
Maybe post the CEO’s email here so we can all get our data removed as well?
tim
How does this apply to Clearbit which saves the Google Contact list of everyone who installs their extension [0][1] and then sells this data [2] ?
They have >150K extension users, so they are syncing a massive contact list with personal information that they are then selling via their different products like Prospector [3].
[0] https://connect.clearbit.com
[1] https://chrome.google.com/webstore/detail/clearbit-connect-s...
Couldn't find anything on those links or Google about them scraping your contact list.
Would you have any proof or evidence supporting that statement?
>And when you do request them to remove the same, they ask you to provide ID proof.
On the other hand, imagine one day you try to log in to your Twitter/Facebook/whatever-the-next-big-thing-is and you can't, because the company has deleted all your data upon your request. You didn't make that request though. Someone else did it, claiming to be you.
It gets even worse when you realize that people can request all the data the company has collected about them. What happens when somebody impersonates you and requests all of your data?
You need to have some kind of verification method that leads back to a real identity. Otherwise this can be massively abused. I doubt that even asking for a real ID is enough.
Twitter/Facebook/whatever-the-next-big-thing-is doesn't have 9 out of 10 fields that are on my ID card. If I show them a piece of blacked-out plastic with only my first name visible, since that's the only piece of information they have about me, it won't help them identify me.
Yes, you need to prove that you're the data subject matching their records before they should act on your request, whatever that request may be. But uploading a copy of your ID card almost never serves that purpose. See also a bigger comment I wrote elsewhere in this thread with sources and examples: https://news.ycombinator.com/item?id=23957503
Ok but he didn't subscribe on that website.
OP here - That's the point. They are not a data controller by that very simple fact. They are processing this data on an illegal basis. Any lawyer around that wants to assist me suing in the US?
Did you reach La Quadrature du Net?
Also check other CCC co-organizers & the political activist sphere.
Would anyone actually be upset to discover that apollo.io was no longer tracking their information?
Electronic signatures tied to your ID.
Don't delete instantly but after X days. Notify owner immediately.
Problem solved.
you mean like Estonia's digital signing? ;) and pretty sure that most sane-ish companies already delay and notify people of major stuff like account deletion and such, less hassle on both parts, company also benefits as it can just batch process requests weekly or monthly or so.
I have a complaint sitting against Apollo.io as well. I'll make sure to post the outcome here.
Data sharing seems so prevalent, and I would dare say even with EU companies, the chances of getting caught (let alone fined) by the GDPR are pretty slim.
An interesting exercise: If you have a Facebook account, go to this page[0] or this one[1] and see if you even recognize some of the companies that shared data about you. Not to mention gave explicit consent to sharing your data ...
My list includes companies I never gave consent to (e.g. Amazon, Uber), never signed up for or gave any details to (e.g. Robinhood, Triplebyte) and some I have zero clue about, but the name alone sounds dodgy (Opteo, Mindshare Biddable Digital ...).
[0] https://www.facebook.com/ads/preferences/?entry_product=info...
[1] https://www.facebook.com/off_facebook_activity/activity_list
I had a very similar experience with Apollo.io. Somehow my professional data (business email, personal phone number, name, job title and my LinkedIn network and connections) ended up on this website without my consent. I’m assuming it was collected from several sources such as LinkedIn (Even though I had my privacy settings tight) and some conferences I attended in the past year. Either way I contacted them and they sent me a document to confirm my identity and then proceeded to remove my data from their website after I sent it back. I was a bit shocked as it’s basically asking to confirm my identity and give them more information about me when I haven’t even granted them permission in the first place. Such “data brokers” need to be regulated. The most annoying thing is that they only remove data under GDPR, CCPA if I am a resident of California, UK or EEA. Well what if I’m from a country that doesn’t fall under one of those 2 regulations?
Vote for a better government that cares about its citizens digital rights?
The Achilles' heel of the GDPR is that you must act through a DPA. In the case of Schrems, he had to basically sue the Irish DPA in order for them to do their job. And instead of actually doing their job, the Irish DPA instead fought Schrems on behalf of Facebook.
As an EU citizen and resident, it's abundantly clear to me that getting a DPA to act in my best interest is mostly hopeless. I'm reminded of the CAN-SPAM Act, where a US citizen can send their spam to the FTC and have them investigate it. Only they never will. All spam sent to the FTC just goes into a black hole, and next to no one is ever prosecuted. Even when it's clear who the spammer is.
I don't think many people realize this fact. That a politically motivated entity controls Europeans' access to privacy restitution, and they're rarely motivated to actually do anything. This makes the GDPR in my eyes primarily a joke. It certainly isn't about securing my rights as an EU citizen. It seems more written to benefit lawyers and others who make money because things are complicated.
If the EU actually cared about my privacy rights they would allow all Europeans access to restitution without mediating it through national agencies. I want to be able to hire a lawyer and directly take abusive firms to court over GDPR violations. I shouldn't have to act via some pre-court mediator who gets to arbitrarily determine if my claims have merit.
What about Article 79, "Right to an effective judicial remedy against a controller or processor"? It reads:
> Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
> Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
Lusha in NY does this too except they claim the deletion magically happened automatically because of "algorithms".
I'd made a subject access request because they'd sold my personal email address linked to my business position to random spammers. That association didn't exist in any legitimately accessible data, only in the linkedin data breach.
Looks like RocketReach is aggregating information that is public on FB, LinkedIn etc. He forgot to mention that the Google search result he got is already selling those, but maybe we've become blind to that? RocketReach is packaging and selling it directly, Google does it indirectly. Same thing though, are those illegal?
This information can also be obtained from the chamber of commerce in the Netherlands.
Heh, I read that as "rocketroach" first.
Fundamentally the thing which everyone is missing is that the regulatory authorities can simply say that the data can not be used within the European Union by Rocket Reach. They may not be in the European Union but they can make their product useless in the European Union.
Now watch the entire currently-EU based adtech industry relocate out of the EU...
Ultimately, adtech has to broker between publishers and advertisers. If those have any business in EU, they will be liable for the data, even if the broker is outside of jurisdiction.
But the publisher and advertiser might not know where the data came from. The broker could easily just say "oh yeah, we have permission from these people to share this data".
I'm sure some of them will get caught, but how long will that take?
A free-market solution would be to establish strict liability for the publishers and advertisers, regardless of intent. Establishing liability creates an incentive to manage the risk, and therefore establishes an insurance market. The insurance companies would gather additional information in order to price the insurance accordingly, including audits of the data brokers and determining risk factors of each data broker. Doing business with a disreputable data broker would then lead to higher insurance premiums. While this cost would largely be passed through to the purchaser (the companies purchasing ad time), the cost would be lower for advertisers that deal only with reputable data brokers and follow best practice, thus creating a market advantage for well-behaved advertisers.
Granted, this relies on several levels of the efficient market hypothesis. At some point, it is more efficient to ban poor behavior than to introduce 3rd-order effects that slightly discourage poor behavior.
If you buy a stolen bike and could reasonably have known that it was not obtained with consent, you're also liable. For example, an unusually low price from someone who doesn't own a bike shop and wants cash can be indicators for that. In the case of data, it may be that they are able to provide lots of data without plausible source.
Sure, you might be liable, but do you think that in practice this will matter? It's not like it's somehow obvious that an advertising company has data on you that they shouldn't have. Somebody needs to actually suspect that for any investigation to happen.
I find it hard to say without a specific example, but I'm afraid that you might very well be right in the general case.
It's like drug cartels relocating from Mexico: no one will feel sorry.
I don't see Google or Facebook relocating to Mexico soon. They don't have to, when they finance politicians
They would be relocating their corporation only - they'd still be operating in the EU on EU customers.
In that case they would still be subject to the GDPR.
...yet since it's unenforceable, then they probably don't care.
Why not? If they have offices in EU, raid them. If they have customers in the EU, freeze their bank accounts or sanction their payment processors.
> If they have offices in EU, raid them.
They won't - that's what relocation means.
> If they have customers in the EU, freeze their bank accounts or sanction their payment processors.
This is comical. The government isn't going to start shutting bank accounts for GDPR violations on small foreign corporations, as if they're smuggling nuclear fuel to Iran. Half the bank accounts in the world would be closed if we were so sensitive to regulations.
Good riddance
They'll still be operating, and serving you ads, just beyond the reach of EU laws.
They then can't do business with European publishers or show ads for European businesses, as those are liable. And showing ads for things not available in Europe isn't really bringing revenue from a European audience ...
Well, then this is the equivalent of computer hacking I guess, and I'd better hope none of the ad-serving pages has an office in Europe.
Let them. One step at a time until the industry dies.
I thought this was obvious. I've been saying since day 1 that GDPR won't help much with privacy. It might even do the opposite by making people feel that their data is safe. But a company beyond the jurisdiction of the EU can simply ignore GDPR and vacuum up all the data they want.
What will ultimately help with privacy is not leaking out this data in the first place. Push browsers and other such services/devices to stop leaking enormous amounts of information on the user.
That's not to say that GDPR isn't useful. It certainly is, because it stops the big legal businesses from doing it, but it also has the downside of harming European online businesses.
The EU should do as China does: a big firewall that blocks all US businesses that do not comply with the GDPR.
The end result is the fracturing of the internet. You'll have the Chinese internet, the EU internet, the Russian internet etc. The internet kind of loses its meaning at that point.
Also, I do remember reading some kind of EU document that this is what they were thinking of.
Yes, it's hard for EU authorities to enforce its laws on a company that has no EU presence or revenues to threaten. At least the Luxembourg DPA is doing something about it, unlike the Irish DPA that deliberately does nothing (or worse, colludes with Facebook to help them skirt GDPR with highly dubious and most likely legally invalid semantic contortions).
In this particular case, GDPR can get enforced for the buyers of data.
Rocket Reach and similar companies may be outside the reach of GDPR, however, all the advertisers and global platforms who actually want to target EU customers are within the reach of GDPR so it's illegal for them to buy data from Rocket Reach.
Another company collecting and selling your personal data right there in Silicon Valley: https://eightfold.ai
I don't know if there's another good example, but Poland fined an EU company under the GDPR for scraping profile data without giving proper notification: https://news.ycombinator.com/item?id=19530087
You shouldn't have to guess where your personal data is going, and how it's being used. When the GDPR was first coming into force, I remember getting bombarded with all these notification emails from all these companies coming out of the woodwork that I didn't recognize. But I don't think I've ever been notified by email, SMS, phone or smoke signal since then.
The biggest flaw of the GDPR in my opinion is that it leaves the definition of what's considered personal identifying information with too much wiggle-room for creative interpretation. Maybe it's hard to pin down exactly, but there's often too much emphasis on the word "identifying", as if it's otherwise OK to gather every intimate online detail and build a profile that is a unique identity in and of itself. It's even worse when real-world decisions can be based on it without your knowledge.
I recently had my own rude awakening learning about these data brokers and risk analysis services. The matter itself was relatively trivial, but I didn't realize the extent of this before and the scope of what personal information they're gathering. And it doesn't matter if you think it won't affect you, since you've done nothing wrong. From what I read elsewhere, even exercising fundamental consumer rights may be held against you. https://news.ycombinator.com/item?id=21440526
> The biggest flaw of the GDPR in my opinion is that it leaves the definition of what's considered personal identifying information with too much wiggle-room for creative interpretation.
Note that this is the totally normal approach for Civil Law systems: you define the general principles of what the menace is, and leave it down to the courts to determine whether or not those principles have been violated. In essence, you can view it as every case being decided on the basis of the mischief rule as exists in many Common Law systems.
> Instead of pursuing Rocketreach locally on that basis alone, the CNPD just gives up arguing it has no jurisdiction in the US.
Which is true and obvious. Why anybody ever thought the GDPR would have teeth outside the EU is beyond me. It was always laughable to me that anybody believed that the EU had made a law that applied to every company in every country in the world.
I had a similar experience with a company called RateSetter.
- They email me some marketing
- I respond with DSAR
- They acknowledge receipt of DSAR
- 6 months pass
- I bump the email thread
- They respond saying they have deleted my data as per my request (I requested access, not deletion)
- I point this out
- They apologise and offer £100 to drop the complaint
- I refuse and complain to ICO
- Obviously nothing happens
GDPR is toothless.
The Privacy Shield framework that was just declared invalid by the EU included a requirement that US companies make themselves available for arbitration of disputes brought by EU data subjects. GDPR by itself doesn't include that concept. But if GDPR is going to be enforceable, the negotiation around a successor to Privacy Shield should probably include it.
I've always wondered about the practical side of how GDPR is supposed to work for companies outside the EU.
If you've got actual stuff in the EU, it's easy. You get fined under GDPR and if you never show up to argue your side in court or an administrative hearing or whatever, they seize your real estate or bank accounts or physical servers or whatever, and sell it to pay your fines.
If you're US-based, how does it work? Hmm, if you're a modern shop you probably have stuff hosted by big companies, like servers on Amazon's AWS or code on Microsoft's Github. Then the EU could presumably tell those companies to stop hosting your stuff, or they'll become liable for fines as an accessory to the violation. Microsoft and Amazon probably have a lot of bank accounts and physical stuff in the EU that could be seized and sold, so they couldn't simply ignore the fine. They'll probably drop you as a customer immediately once Europe starts making them pay fines, and maybe try to sue you in the US court system to try to recover those costs.
I've never heard of this happening though. So maybe this isn't actually a thing.
If all your stuff is on US soil, and you're careful not to use providers with any European presence, how would they do it? Does the EU have some way to order all European ISPs to blackhole traffic from your company's IP ranges? When your executives come to Europe for vacation or conferences or whatever, could they get hauled off the plane in handcuffs and taken to a European jail over your company's GDPR violations?
Again, I haven't heard of this actually happening. But it seems to me that would be how they'd do it, if they really wanted to prevent overseas companies from simply ignoring GDPR.
If there's no threat of enforcement, why bother with GDPR at all, unless you're planning on having seizable stuff like real estate or bank accounts or physical servers in Europe someday?
Is crunchbase/owler/cb insights and every other public data aggregator/lead generator service also illegal by the same logic?
define illegal.
and no, those aggregators don't process PII / Personal Data.
They typically have a person's different social media account links and work history. Isn't that personal data?
I hope so...
I figured that the European Union would simply act to block such a website from being resolved in Europe by DNS resolvers?
This constitutes denial of justice and you can sue them either in your country or in the European Court of Justice.
For most, you can simply ignore it since it doesn't apply anyways
I'd like to hear why I was downvoted. It is a fact people forget. Most websites have that stupid cookie notification when 99% don't need to. Here is how to evade the GDPR: ignore it like it doesn't exist.
It's always nice to not find yourself in one of those databases.
Data frugality ftw.
GDPR compliance would be trivial if web browsers used a stateless request-response hypertext transfer protocol.
O Tempora O Mores
Does GDPR apply here? They might not be selling to the EU, and they aren’t monitoring EU persons but just selling historic information. I don’t read GDPR as applying globally to any and all trade in EU personal data. https://gdpr.eu/companies-outside-of-europe/
Well in reality it applies if the US wants to enforce such judgments. If I, as the king of Monaco, declare a law that says that US companies should pay a tax to pay for air that transited through Monaco (and hence was cleaned by Monaco's trees), it's perfectly valid.
It applies. Practical enforceability is another thing completely.
Yes it does apply. https://www.hipaajournal.com/american-companies-gdpr/
Your link is in reference to multi national companies. I don’t see how GDPR applies to companies that don’t do business with EU persons and without an EU presence.
They are selling into the EU though, right? So they do do business with EU persons.
Unless the payment processor is in the EU, the courts would have no jurisdiction.
The courts would have jurisdiction over the recipient though. The recipient has to evidence a valid reason according to GDPR to process a subject's data.
The recipient is outside the EU.
GDPR applies, it has worldwide scope for data on EU citizens. On the other hand, European courts lack jurisdiction to enforce their laws on companies without EU offices and assets.
FWIW I'm really glad that EU courts lack this jurisdiction - any gain from privacy would more than be wiped out from losses to free speech, especially with the extensive history of libel tourism.
> GDPR applies, it has worldwide scope for data on EU citizens
Not quite. It applies to people who are "in the Union".
There is a very large overlap between "EU citizens" and people "in the Union", so most of the time there is no need to make the distinction but it is there.
It’s hard to make an argument for the EU courts having that jurisdiction without also granting the same to Saudi Arabia and China.
The way it works is that the EU fines their EU-based operations or stops them from operating in the EU. And if they don't have any, those of their customers who do could not legally acquire their data on EU citizens without the subject's informed consent anyway.
Typical of this kind of regulation: the real purpose is less about ensuring individual rights and more about giving bureaucrats more power. The GDPR is great in the latter sense. It’s impossible to predict the outcome of a legal process even if you do your very best to comply, and you can be slapped with incredible fines... Cross the wrong bureaucrat and your days are numbered (in an economic sense).
Oops, that was obviously a controversial standpoint. Just to be clear: I'm all for individual rights. But laws need to have predictable consequences and be fairly and equally enforced, and my impression is that the GDPR is not. As an example, I'm pretty sure the local court here in Malmö, Sweden has violated my rights under the GDPR. Do you think anybody would give a rat's ass if I complained? I highly doubt it...
It might depend on the country, but Austrian authorities treat GDPR compliance very seriously. Even if the authorities got away, such cases make for embarrassing press coverage and can threaten precarious coalitions, especially when elections are close.
"Rocketreach has not met the requirement of the GDPR to name an EU representative (Art27) to account for the processing of European Personal Data. In their answer, the CNPD makes it sound like it is optional, it isn't. Instead of pursuing Rocketreach locally on that basis alone"
LOL, yes.
I'm sure they also do not meet the legal requirements of North Korea, Saudi Arabia, and many others.
Likewise, various EU corporations do not meet the legal requirements of non-EU places like those. Would he prefer that they did?
Even more interesting, since he expects the US to follow EU law, how does he feel about the EU following US law? The US has that Patriot Act, and lots of EU companies are not compliant. Maybe he should report a few EU companies to the FBI.
> I'm sure they also do not meet the legal requirements of North Korea, Saudi Arabia, and many others.
China is the most straightforward example, companies cannot operate unless they basically do it through an - implicitly Chinese state controlled - partner company. China also has a literal Great Firewall monitoring, modifying or stopping all cross-border traffic. So yes, you have to play by their rules if you want access to the market.
US, EU and other western countries also require you to follow their - much more lenient - laws and rules for access to their market, but for now it's rarely enforced through blocking etc. Saudi Arabia, Russia, India, Turkey and other "second world" countries block a lot of services that don't follow their laws or government commands. Same thing: follow da rulez or our market is closed to you.
North Korea has their own exclusive "internet" and blocks all access to the regular internet except for a few highly monitored and controlled locations like universities and government institutes, which are not connected to the NK internet. Not comparable at all.
> Even more interesting, since he expects the US to follow EU law, how does he feel about the EU following US law? The US has that Patriot Act, and lots of EU companies are not compliant.
This is effectively already the case for a large part. All non-China global IaaS companies are US, so everyone has to play by US rules and law. I don't believe for a second that the NSA cannot get the data from the European Google/Amazon/Microsoft data centers.
I think your information may be a bit out of date, in China you can own and operate as a WFOE
https://en.m.wikipedia.org/wiki/Wholly_foreign-owned_enterpr...
WFOEs indeed exist, but there are many restrictions on the types of business they can conduct, both directly[1] and indirectly because activities require licenses[2] that WFOEs can't get. The grandparent post was wrong in the details, but it's still a different world from the USA or EU.
1. https://www.fdichina.com/blog/china-company-registration/ftz...
2. https://www.china-briefing.com/news/entry-strategy-chinas-on...
Could be, I'm not an expert. I mainly based that on stories I read regarding Tencent, ASML etc.
US companies should follow EU law when they are doing business in Europe, or processing EU citizens' data.
Likewise, EU companies should follow US law when they are doing business in the US.
Businesses should not operate in jurisdictions where they can't meet the legal requirements. At the very least, RocketReach should geoblock itself in Europe.
When are we going to admit that GDPR is a failure?
Asserting a bunch of rights around personal privacy is great, but I've yet to see any compelling evidence that the relevant courts and bureaucracies are capable of enforcing the law effectively. EVERYBODY is cheating.
Every time this is brought up on HN, the response is to wait for when the big fines start coming.
It's been two years. They're not coming.
A lot of the work that is done to become and stay compliant with the GDPR is invisible from the outside, but I can assure you that most large companies and a lot of the smaller ones are taking it seriously.
The GDPR also has a "pull-in" effect on companies outside the EU that (often illegally) sell personal data, because their clients in the EU (the data controllers) have to prove that these companies (their data processors) adhere to the GDPR if they want to do business with them. If an EU company buys personal data from a company outside the EU or sends personal data to that company, they are liable if this data gets abused or if the personal data was not acquired in accordance with the GDPR. The whole "privacy shield" mess was about the question whether EU companies can still send personal data to the US based on a self-certification process US companies go through (turns out they can't).
Some of the data brokers already feel this pressure and will be forced to change their business models unless they want to lose their clients within the EU. Sure there are still EU companies that do business with these data brokers today, but most of them know that they're exposing themselves to considerable risk and are already looking for alternatives.
Some pretty big fines have been issued already. See:
https://www.enforcementtracker.com/
Over time I expect them to go up further as companies can no longer claim they did not have enough time or were not aware of the law (that never was a defense anyway but DPAs tend to be lenient. So far).
Since the GDPR has come into effect I see in my practice that companies are a lot more aware of their responsibilities towards their users, and have better processes and security in place. Is it perfect? Not by a long shot, but the improvement is immense, and as time goes by and more companies end up setting an example of how things should be done and those that don't end up getting fined, I expect this trend to continue.
What I like most about the GDPR is that it steers towards compliance, not towards making the life of businesses unnecessarily harder.
Contrary to you I think the GDPR is a resounding success, the only thing that would make it much better still is if other areas of the world would take up similar legislation so the playing field would level.
I mean, I genuinely hope I'm wrong here, so I'm happy if other people are disagreeing with my interpretation.
I don't know.
From what I can understand of German/Google translate, the third from top:
https://www.enforcementtracker.com/
Link to .pdf:
https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180927_DSB_D5...
is the Austrian authorities imposing a 300 Euro fine on a "common citizen" making "illegal" use of a dashcam (it seems - but I am not sure about it - that the issue is that the car is not - how? - visibly marked as video recording?).
Anyone more familiar with German (and legal German) can clear the matter/explain?
Why would you pick that example, rather than the 16 million fine an Italian company received?
As a counter example to the "success" you mentioned.
Again, if I got it right, a "common user" got stung because of a dashcam.
The Italian example you refer to is actually a success, like most other ones. I was objecting not to the Law in itself (that is IMHO a good one) but rather to how it is applied, here and there, in spots and seemingly in a random way.
The larger fines are starting to trickle through[0], remember EU bureaucracy is usually less about flashy cases than US and more of giving people the tools to do the right thing.
It's 350 cases in two years in an economic zone of 450m people though.
350 publicized cases, most cases are too small for the public to take note of.
This website contains a list and overview of fines and penalties which data protection authorities within the EU have imposed under the EU General Data Protection Regulation (GDPR, DSGVO). Our aim is to keep this list as up-to-date as possible. Since not all fines are made public, this list can of course never be complete, which is why we appreciate any indication of further GDPR fines and penalties.
I just read a bit on that site:
> The private person used a dashcam to make recordings of public road traffic and then published them on YouTube as a compilation.
What a PATHETIC thing this GDPR is. Fully agree that we should admit that GDPR is a massive failure (who would have thought!)
Greetings from a European.
>EVERYBODY is cheating.
All the big European companies I've worked for seemed to put lots of effort into complying.
Can individuals sue and go to court? Or do complaints have to pass through privacy regulators.
I’m curious how a class action hasn’t been formed around Verizon and Oath’s behaviour?
There's currently no equivalent of a class action suit under EU law, IIRC. Some jurisdictions within the EU have something equivalent, but there's nothing Union-wide. I vaguely recall some movement by the Commission to establish something like that though a few years back, but I don't recall where it went.
So you say, the intent is good, but the execution fails. What is your proposal that serves the same purpose?