New Trans-Atlantic Data Privacy Framework Largely a Copy of “Privacy Shield”

noyb.eu

63 points by sarnowski 2 years ago · 35 comments

autoexec 2 years ago

I wish that all of our governments would just be honest and admit that they are involved in massive amounts of illegal data collection, that they really love spying on their own citizens because it gives them a lot more power, and that they will never do anything to protect the people if it might mean they have to give up even a little of that power.

Any discussion about what can be done to help protect people's privacy and safety would go a lot smoother and progress faster if they'd skip all the theater and stopped pretending to take meaningful action. It's a waste of everyone's time.

TekMol 2 years ago

Here in Europe, we are in a paradoxical downward spiral. And unfortunately, I see no end to it.

Understandably, we don't want our citizens to be spied upon by the US and have all that data stored in the US.

Unfortunately, our "solution" is to create regulations which cause so much disadvantage to European tech companies, that we will see our citizens use even more US built tools in the future.

We already live in a mostly US-built internet. Throwing more and more regulations at it only cements this situation.

It seems there is nothing to get out of this rut. Looks like we will keep feeding the patient a treatment that worsens their condition.

  • autoexec 2 years ago

    > Unfortunately, our "solution" is to create regulations which cause so much disadvantage to European tech companies, that we will see our citizens use even more US built tools in the future.

    What is the "disadvantage" to European tech companies who don't want to spy on anyone? What advantage do Europeans who don't want to be spied on gain by using US services that will spy on them instead of using European ones that couldn't spy on them as easily/completely due to pro-privacy laws?

    • pgeorgi 2 years ago

      The US business model has established "free" for services on the net, paid for by others using behavioral data for advertising. That has its advantages (access for all, no matter the socioeconomic background!) but no "paid for by others" scheme that is less intrusive has popped up yet and "free" is very hard to compete with.

      There's also less of a culture of "pour billions into tons of startups and see what sticks", which is a market distortion of its own. That aspect is drying up in the US though, thankfully.

      • kergonath 2 years ago

        > paid for by others using behavioral data for advertising

        And some generous VC funding sloshing around in the Silicon Valley, and the associated global brain drain. This is proving to get harder to reproduce elsewhere.

      • autoexec 2 years ago

        Europeans can use ad supported models without resorting to surveillance capitalism. They can even use targeted advertising without it. You don't need to have people's entire internet history, a full list of their past sexual partners, and their GPS coordinates to push ads relevant to a person's interests. The spying is entirely unnecessary, and there's a history going back long before the internet even existed proving that ads without the spying are effective.

        Privacy laws don't prevent Europeans from offering ad based services on the net, and being limited to providing more privacy friendly services will make those services more attractive to consumers outside of the EU as well. There's a lot of opportunity created when you can't simply fall back on the most exploitative practices the US allows for.

  • jcfrei 2 years ago

    It's not like having fewer regulations in tech would be an instant panacea. The bigger reasons for US dominance are the larger capital and consumer market - both still fragmented in the EU. Add on top of that a more flexible labour market in the US (someone from California is more likely to work in New York than someone from Lithuania to work in Portugal). Regulations do matter but there's so many other things that make it harder in Europe.

  • Garvi 2 years ago

    EU regulations are not a monolith of good or bad. The cookie law is dumb beyond comprehension. On the other side GDPR is just great and I have yet to hear a good argument against it. The criticisms usually sound like listening to creationists talk about how silly evolution is (by that I mean they don't understand it).

    The only way I see Europe develop its own internet tech and big businesses, is to copy what China did by simply blocking the foreign competition. Today there would be no Weibo, Baidu, Alibaba or Aliexpress without it. And I don't see a problem in that approach, but wouldn't mind being educated otherwise.

    Edit: I wish at least some of the people downvoting would have the intellect to form a paragraph of counter arguments, so I could understand why. It's like a sports event in here.

    • jkaplowitz 2 years ago

      The cookie law is partly dumb, but also frequently implemented in a way that violates the law and rarely subject to meaningful enforcement or significant penalties. So mostly the same practical problem as the GDPR.

      • Garvi 2 years ago

        Blaming cookies for tracking people is like blaming a bullet for a murder. It's the trackers installed on pretty much every single website that are the thing that tracks people, using cookies of course. The Google analytics or Facebook pixels, to name the top two offenders.

        I don't see how this relates to GDPR. Please explain.

        • jkaplowitz 2 years ago

          > Blaming cookies for tracking people is like blaming a bullet for a murder. It's the trackers installed on pretty much every single website that are the thing that tracks people, using cookies of course. The Google analytics or Facebook pixels, to name the top two offenders.

          Yes. I agreed that the cookie law is partly dumb. The part of the cookie law that’s dumb is that it’s too narrowly scoped and should apply to all tracking technologies and techniques, for whichever purposes and vendors are or aren’t okay with the user. And it needs a systematic way for user-specified defaults across all websites, instead of leaving that to browser extensions.

          Ideally this would be opt-in rather than opt-out for privacy reasons, but I do understand the valid argument that the subset of people who would explicitly opt in to tracking are not representative of the whole user population.

          Probably the best balance of hassle vs privacy vs statistical validity is to require the major browsers to force a one-time explicit choice per purpose and/or per vendor without dark patterns involved, save those as defaults that get sent to the sites in a way that is legally mandatory for sites to respect, and allow per-site overrides using the same mechanism - instead of the current mess of shady consent pop-ups.

          > I don’t see how this relates to GDPR. Please explain.

          Both have more user-friendly requirements than people expect, both are widely violated in user-hostile ways, both are rarely enforced by regulators, and what rare enforcement does exist is slow, often reluctant, and with inadequate fines to change industry norms and sometimes not even much of the behavior of the fined company. They’re separate laws but with the same practical enforcement / incentive problems.

          • sarnowskiOP 2 years ago

            > The part of the cookie law that’s dumb is that it’s too narrowly scoped and should apply to all tracking technologies and techniques, for whichever purposes and vendors are or aren’t okay with the user.

            A recent definition of the German authorities clarifies that with „cookies“, they don’t interpret it narrowly as the specific browser technology but any kind of beacon or mechanism for tracking[0]:

            > This refers, for example, to the use of cookies and other technologies such as LocalStorage, Web Storage, the reading of advertising and device IDs and serial numbers, but also the use of ETags or TLS session IDs for the purpose of tracking, fingerprinting (e.g. by reading installed fonts or applications) and much more. For simplicity, this is generally summarised below under the abbreviated term „Cookies“.

            They name as explicit examples not only cookies but LocalStorage, Web Storage, reading of any kind of serial numbers, ETags, TLS Session IDs (if used for tracking), and any other method for fingerprinting such as font profiling.

            [0] https://www.baden-wuerttemberg.datenschutz.de/faq-zu-cookies...

            • mananaysiempre 2 years ago

              > A recent definition of the German authorities clarifies that with „cookies“, they don’t interpret it narrowly as the specific browser technology but any kind of beacon or mechanism for tracking[:] LocalStorage, Web Storage, reading of any kind of serial numbers, ETags, TLS Session IDs (if used for tracking), and any other method for fingerprinting such as font profiling.

              To be fair, even the original wording[1] isn’t specific to cookies, only to client-side storage or code—which is also not the precise cause of the problem, but includes all the things you’ve listed:

              > (24) Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms. So-called spyware, web bugs, hidden identifiers and other similar devices can enter the user's terminal without their knowledge in order to gain access to information, to store hidden information or to trace the activities of the user and may seriously intrude upon the privacy of these users. The use of such devices should be allowed only for legitimate purposes, with the knowledge of the users concerned.

              > (25) However, such devices, for instance so-called "cookies", can be a legitimate and useful tool, for example, in analysing the effectiveness of website design and advertising, and in verifying the identity of users engaged in on-line transactions. [...] Access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose.

              (Emphasis mine.)

              Interesting that this also uses the phrase “legitimate purpose”, but in a much broader sense than what the GDPR will eventually use. I did not realize that.

              [1] https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX...

            • jkaplowitz 2 years ago

              That’s a good approach! I hope it becomes accepted across the EU. Still, it does seem to restrict the applicability of the ePrivacy Directive (aka the cookie law) to ones which use storage on the end user’s device, based on how that law was worded. The GDPR can of course still apply to other forms of tracking as long as they involve processing personal data.

          • Garvi 2 years ago

            > Ideally this would be opt-in rather than opt-out for privacy reasons

            As long as it's about cookies, the law is nonsense. Asking laypeople to "opt-in to tracking" so they can log into a website would render most websites inoperable.

            > They’re separate laws but with the same practical enforcement / incentive problems.

            I disagree with this. The cookie law popups pretend to ask users whether they consent to being tracked or not. Which is entirely misleading. With GDPR the pressure is on the companies to disclose what data they are collecting on you and give you the option of deleting it.

            > Both have more user-friendly requirements than people expect, both are widely violated in user-hostile ways, both are rarely enforced by regulators, and what rare enforcement does exist is slow, often reluctant, and with inadequate fines to change industry behavior.

            If I understand you correctly, you're saying the main downside to GDPR is it's not properly enforced. I agree with that.

            • jkaplowitz 2 years ago

              Neither the GDPR nor the ePrivacy Directive (cookie law) requires consent for cookies that are technically necessary to operate a website, including those to reflect a user-initiated login action. This is separate from consent to tracking for advertising, marketing, and analytics purposes.

              The cookie law doesn’t pretend to require consent for non-essential cookies placed on end user devices - it does require that consent. But, yeah, many of the popups handle this in misleading ways where the verb “pretend” is quite accurate. This is exactly the same problem of under-enforcement and misaligned incentives that limits the effectiveness of the GDPR, even though the two laws have different scopes and requirements.

              Yes, you correctly understood the GDPR downside I was describing.

    • johngladtj 2 years ago

      Can you provide me an example of a single EU regulation that is an unambiguous uncompromising good, that could not be accomplished in a better way on a national level?

      Just one.

      • matthewmacleod 2 years ago

        Can you provide me an example of a single national regulation that is an unambiguous uncompromising good, that could not be accomplished in a better way on an international level?

        Of course I'm being facetious and I'm sure you understand why this is a not a useful question for me to ask. In practice, there is no such thing as a regulation that is "an unambiguous uncompromising good" and each decision about regulation involves a series of tradeoffs. Don't create straw men.

      • rightbyte 2 years ago

        Unless the EU law is optimal you could always argue it could be better at a national level. So none?

      • kergonath 2 years ago

        Can you provide us with any single regulation that is an unambiguous uncompromising good?

        Hell, are you even sure that “unambiguous uncompromising good” is a thing that can actually exist in any group of humans?

      • Garvi 2 years ago

        This is a straw man fallacy.

        See:

        > EU regulations are not a monolith of good or bad.

  • WeylandYutani 2 years ago

    The Chinese successfully kept the Americans out so it's totally doable.

    • SpicyLemonZest 2 years ago

      They kept the Americans out with homegrown competitors which are openly government-affiliated spyware, and even so it was routine for technically savvy people to use American social media through VPN until they cracked down. I’m not sure this points towards a workable strategy that’s compatible with the EU’s goals and principles.

    • kergonath 2 years ago

      I am pretty sure Europeans are not ready for the compromises that come with this approach.

      It’s also easy to misunderstand the sentiments, from the comments here. We Europeans do not hate the US or American companies in general (though some are evil, of course, just like some European ones). OTOH we are seeing the privacy nightmare they are building for themselves and really don’t want that, thank you very much.

      “Buy European” is limited to nationalist loonies and privacy-conscious nerds, mostly, and in the latter case it’s not because of anti-Americanism. Fix US laws and 1) Americans will live better lives and 2) these sort of issues will disappear.

  • camgunz 2 years ago

    I think it's more EU tech protectionism. Basically the law is saying, "you can't use US tech services." So this creates a local market for EU tech services. There's probably an argument between capitalists in the EU who want to develop that market (while complying with EU privacy regulations) and security people in the EU/US who want to continue to use tech to facilitate mass surveillance.

    Trying to guess who will win out is interesting. The privacy vs. surveillance discussion always feels one crisis away from tipping to surveillance (see: 9/11), but the EU privacy lobby is remarkably strong. I also think a market for tech services that don't spy on you is probably pretty huge; by itself it's not a big selling point, but contrasted against services that definitely spy on you (not to mention net neutrality concerns) they look pretty good, plus being able to tap the EU market is a huge incentive. So--no jinx--I think I'm bullish on privacy here, because it seems likely an unholy alliance of capitalists and privacy advocates would be decisive.

    • amadeuspagel 2 years ago

      GDPR dramatically reduced venture investments in europe, compared to the US[1]. Protectionism is not something you can do indirectly. It requires certainty and clarity.

      [1]: https://cepr.org/voxeu/columns/short-run-effects-gdpr-techno...

      • camgunz 2 years ago

        I'm not really talking about GDPR here; it's not US-specific and doesn't have the effect of walling off the EU market from the US.

        I'm not a huge fan of GDPR FWIW; in particular I think the requirement to have representatives and data protection officers is way too burdensome for smaller companies. They probably thought they'd create a cottage industry of EU representative/DPO service companies, but that's so little of a business it just feels like an invitation to set one up as a front for money laundering. I like the thought of GDPR, but the law as written is actually pretty weird IMO.

FinnKuhn 2 years ago

So the current approach is just to implement the same law after it was deemed illegal with minor changes as it takes some time until the courts decide it is illegal? What a joke.

  • kergonath 2 years ago

    Unfortunately, yes. The Commission is playing dumb and hoping we’ll get tired before they do.

jjgreen 2 years ago

It seems there is no cost to those who repeatedly implement these illegal frameworks. A modest proposal: Jail-time of twice their duration (from implementation to judicial strikedown) for the EU negotiators involved.

tmikaeld 2 years ago

It still doesn't help EU businesses navigate the clash between the US Cloud Act and the EU's GDPR, and seems more focused on appeasing US interests than safeguarding European rights.

  • creshal 2 years ago

    Yeah, looks like this will be valid for just as long as it takes Schrems to drag it through the courts.

    Again.

abwizz 2 years ago

fool me once, shame on you.

fool me twice, shame on me.

fool me thrice, ???

profit

Havoc 2 years ago

> the US still takes the view that only US persons are worthy of constitutional rights.

Lovely. That makes me feel all warm & fuzzy about data privacy...

/s
