The lack of publicity or even a publicly available copy of the ruling is odd. I guess the choice of Amazon to reside in one of the secretive tax haven jurisdictions of Europe has the side effect that it also has a really secretive information commissioner.
Summarized conclusions of the original complaint [1]:
2.2.3.1 claims that Amazon does not disclose anything proving they intend to get consent from their users to process their behavioural data for ad targeting purposes
2.2.3.2 is a rebuttal against one potential line of defense from Amazon. This defense is "We have to collect/use data because this is specified in our contract with our users and so we need to respect this contract". The rebuttal is that the main goal of the contract is a marketplace to buy/sell goods. Ad targeting is not essential to fulfill this goal and it is not something that can be considered as reasonable user expectations
2.2.3.3 says that Amazon does not explicitly state that it's in its legitimate interest to process data and do ad targeting. It then refers to section 2.1.3 which shows that Amazon could not claim legitimate interest anyway. Section 2.1.3 is too complicated for me as it quotes a lot of precedent rulings in European law to prove it can't be legitimate interest
Please keep in mind that this is the complaint, I don't have details on today's ruling
At least the Luxembourg DPA is doing its job, unlike the Irish DPA that seems to think it is a division of the Irish Industrial Development Agency charged with shielding multinationals from accountability.
That's also the reaction [1] of "La Quadrature du Net", the association that brought the complaint
"(...) this historical fine shows even more blatantly the complete resignation of the Irish authority for data protection, which in 3 years hasn't been able to process any of the 4 other claims we made against Facebook, Apple, Microsoft and Google."
It also goes after the French authority for data protection (CNIL) to say basically: you used to be one of the best in Europe, now you're a mere shadow of your former self
Thanks for providing relevant details. I first came across this story on local media (syndicated from Reuters) and they were similarly light on detail. I then checked the News page for the Luxembourg National Data Protection Commission¹ but there was no mention of this case.
Which is an absolute joke because everyone using Amazon to actually purchase anything signs their terms and data collection is clearly part of those terms (as one would expect for an online retailer).
In addition, they run Amazon Marketplace and a well known recommendation engine and clearly allow sellers to advertise.
This always seems to be more about posturing than anything else. Or rely on weird logic loops.
Consent is only valid if it's informed and specific. More than that, data minimization applies - you can't require using personal data if it's not necessary.
If the statement "collecting this data without consent so we can more effectively sell ads helps us make money, so it's a legitimate business interest" was considered a valid argument, would that make much of GDPR toothless?
Is it reasonable to assume I can agree (as a non-lawyer) to terms and conditions that are 50 pages (wild guess) long? Especially since they are written in legalese?
T&Cs have always been long and legalese and it wasn't because of GDPR. I can't find your examples in the T&C, it seems to be about the 'privacy notice'.
Am I supposed to read that too and keep up to date? I signed up in 2003, do you mind showing me what I agreed to?
And out of genuine curiosity, 'any information' seems to be a superset of 'personal information', isn't it? What is "any information"? And are you saying Amazon is only using personal information (which is what, exactly?) to display ads?
Amazon is much better than most. You can read historic T&Cs. That said, you have a big misunderstanding. If you have continued to use the site, all T&C updates apply based on continued use.
The ruling states their EULA doesn't actually say that they are using the data they're collecting in order to advertise. Collecting data doesn't mean you're allowed to use that data for advertising without explicit, revocable consent.
In many jurisdictions, even if consent is informed and specific, a contract which is not the result of actual negotiations but is standard - e.g. between a client and a large company - can often have clauses nullified by the courts, either for being unfair/detrimental to the client, or for their presence being detrimental to public interest.
No, they are not. They are public records in most. Luxembourg is one of the few exceptions.
They might not be available online but can be ordered from the court clerk (which is the case here in Finland for example) but the 2 largest EU countries (Germany and France) have them online for free.
Though as most European countries are not using a case law system the actual value of getting these is not that important for lawyers etc.
In Germany you do not get all the cases, just the ones the courts deem important enough. E.g. if the ruling is different from earlier ones in some aspect, if it is a higher court or if the case was of particular public interest.
Oh that's just extremely not true. Open, non-secret courts are incredibly important for avoiding impropriety. Especially in a common law system, there's just no way that would work.
I am reasonably certain that they earned more than $1B by using this targeting information... Their ad network is quite small at just $28 billion annually, but it seems unlikely that purchase history wouldn't uplift value more than 4%.
I believe they're saying that it _doesn't_ have negative returns. The fine is under 1 billion dollars, and the poster you replied to is saying they're "reasonably certain that [Amazon] earned more than $1B by using this targeting information."
So the poster is saying that they believe it was worth it for Amazon to break the law and pay an $888 million fine.
But, of course, the fine isn't a price point for unlawful behaviour but a penalty levied in judgement of the fact that the company violated the social contract. Seeing fines simply as a business cost would be a serious distortion of the way society should function. Could people in boardrooms actually entertain that kind of reasoning in good conscience? I really hope not.
Boardroom greed might follow a logical rationale but this behaviour isn't reasonable in the long run. Disregard of fairness and civil conduct won't be worth the eventual cost of a society that becomes increasingly opposed to the system itself.
Break the law once, shame on you - pay a fine. Break it twice, well, we might rewrite the law so the fine is enough to actually deter you. Break it three times and shame on us for letting you trade at all.
With Amazon there has been a long-term strategic plan. Bezos had been operating Amazon at a high level for a quarter of a century and most of his personal wealth is tied up in the stock. Your golden parachute premise doesn't apply in this case. There was a strategic plan, Bezos wasn't counting the seconds waiting on a golden parachute. Amazon is largely commanded by long-serving execs that notoriously take a long-term strategic view, not executives looking to bail out at any moment. Jassy for example has been there since 1997.
Amazon's ad business has extraordinary margins and is growing fast. They knew they could afford speed bumps between the starting block and where they plan to end up (one of the world's largest ad networks, reliably printing $30 billion per year in operating income).
Your whole argument is about long term good to Amazon.
This is what this subthread is talking about:
>But, of course, the fine isn't a price point for unlawful behaviour but a penalty levied in judgement of the fact that the company violated the social contract. Seeing fines simply as a business cost would be a serious distortion of the way society should function. Could people in boardrooms actually entertain that kind of reasoning in good conscience? I really hope not.
>>People in boardrooms don't entertain reasoning in good conscience because conscience doesn't come into it - just "Does this make us more money?"
>>>Boardroom greed might follow a logical rationale but this behaviour isn't reasonable in the long run. Disregard of fairness and civil conduct won't be worth the eventual cost of a society that becomes increasingly opposed to the system itself.
That's one company, and the long term you are discussing is for their own benefit, not to the long term benefit the poster was discussing, so you prove my point.
Long term view is something like 1,000 years TO START.
A 20-50 year viewpoint is a baby.
It's a principle in western law that punishments be specified ahead of time so that a person could choose to break the law if they felt it was worthy. In such a framework punishments cannot be so extreme that you would never consider breaking the law.
IMO the dismay at this idea is coming from those who consider law as part of morality, in which case, it may be immoral to even develop a calculus for ignoring morality when the material returns are good enough.
Continued violation would lead to repeated (and possibly escalating) fines. This one was nowhere near the 4% of revenues that is the upper limit, and especially for a company like Amazon 4% of revenues would be incredibly high.
I’m pretty tired of this line - the way Amazon is choosing to use their revenues for tax purposes means they aren’t turning profits but they are certainly profitable
It isn't a tax dodge, it's a simple matter of Amazon's international retail business still growing quickly and so needs a lot of capital. Happy to look at any evidence otherwise.
Just because the profits are deferred to some time in the future does not mean these actions did not help the company expand, establish monopoly and devour other businesses in the meantime.
The fine is based on last annual turnover, not profit and certainly not future profit. Even if Amazon were taking a loss, they still would be fined this amount.
I was stating what was probably the court's opinion, not necessarily my own.
But to answer your question, consumers can be harmed through loss of choice, as Amazon forces out other businesses.
I'd also caution against focusing exclusively on harm to consumers. The harm to businesses is just as real, and something governments are justified in trying to prevent. Their citizens, business-owner and consumer alike, will not thrive in an environment where a handful of companies dominate, crushing or absorbing any competitors through underhanded means. Businesses and consumers do not live in separate worlds.
Frankly that argument doesn’t really make sense. If I ran a car stealing gang and didn’t turn a profit (say due to costs related to my underlings), then my punishment wouldn’t just go away because I made no profits. The punishment would be related to the total value of the cars that were stolen.
A similar line of reasoning here would show that Amazon's profits are irrelevant. It doesn’t matter if they have zero profits today due to magic accounting or due to future strategy or due to monopoly building or anything else because the profits don’t matter at all.
Of course you’re correct that if there’s no damage caused by Amazon (equivalently that Amazon did nothing illegal), then they wouldn’t have to pay any fines, but in that case you’re changing the subject and arguing something other than your original point. The EU however seems to believe the actions to have been illegal which makes profit irrelevant to the discussion.
Privacy is a fundamental right in the EU. Data protection law is not consumer protection law, and therefore "consumer harm" is the wrong lens.
I don't read French and so haven't read the complaint, but I am a data lawyer, so I can make a fair guess. The harm alleged to have been suffered is likely to be that persons have been tracked and profiled without their consent, in breach of their legal right not to be, and so have suffered an unwarranted intrusion into their private life.
To those from countries whose legal systems treat privacy as a consumer or constitutional right, this may seem anti-intuitive. Even within the EU, there is plenty of controversy around some of the legal points at issue in these types of cases/complaints. Regulators are not always immune from doctrinal thinking.
It will be interesting to read the full findings of this specific regulator when available.
So because Amazon is taking their immense revenue and expanding they should be immune from fines/consequences for their actions? Clearly they are receiving tons of revenue from their European operations.
Aren’t these sorts of fines usually based on revenue and not profit? The revenue is the money taken from Europeans and not the profit. Basing the fines directly on profit doesn’t really make much sense.
While from a purely monetary perspective this seems like it tips the scales more to a balance, from a systematic perspective, this is more corruption on top of corruption.
You have politicians colluding with businesses to save them a billion in taxes, contrary to the intent of the law. Then you have the same politicians colluding to basically go pirate and surprise fine the same business a billion for some semi-arbitrary violation out of nowhere.
There's no system here, no law, just both sides one-upping themselves in being absolute fucking assholes.
The result is instability and an environment not conducive to businesses or the people that make them up.
Think about it, how come everything is fine, and then out of the blue you get sued for a billion? Was there a warning? Was there a grace period, a chance to rectify things? No.
This is not law enforcement, this is law abuse. It's like the US cops that stop random cars, and if the driver carries cash, they just take it under bullshit pretense.
We're moving towards an anarchy, under the guise of justice.
I think the parent's point is that in a more well-functioning system Amazon would be given notice and time to rectify their presumably mistaken wrong-doing which they would then appropriately rectify in good faith or to avoid penalties.
The parent is pointing out how the current system incentivizes "surprise" fines as an alternative to up-front tax and how this dynamic trends towards fines being seen as a simple cost-of-business rather than a true penalty/punishment.
GDPR was published and companies had time to get ahead of it before it went into effect. There were special recital sessions where guidance was given for what parts of it meant. Many companies put into place a lot of changes to comply. Yes, parts of GDPR could be a little ambiguous, but as with every law, a company can be more or less conservative in making sure they're above reproach.
Why should violations be "presumably mistaken" if a company has a legal department and the resources to comply with the law? If the speed limit is posted, I don't expect a cop to give me a warning when I've exceeded it under the assumption that it was inadvertent, and give me a reasonable period to come into compliance.
This is a massive understatement. There's a lot of comments here by people who clearly want to like and support GDPR but have never actually tried to "comply" with it in a large business. GDPR is a textbook example of how not to write law (unless of course you're actually trying to create a despotic regime). It has so many problems when viewed from a law engineering perspective that it's really quite expected that a lot of companies will just give up, because the only plausible explanation for the way it's written is to be able to arbitrarily fine certain types of companies on demand.
1. Absolutely everything is maximally vague and subjective. Whoever wrote it never wanted to have to justify any decision made under its authority. Everything is defined with terms like "legitimate", "disproportionate", "significant", "likelihood", and the perennial favorite "reasonable effort". If you believe you have a legitimate need or made a reasonable effort and a regulator doesn't, or that your users are giving consent and then someone else claims it isn't explicit enough, who can say who's right? There are no standards on which to judge anything so it turns into a pure difference of arbitrary opinion. Merely being conservative is no use at all because you don't even have any idea, based on reading the law, whether what you're doing would be considered conservative or aggressively non-compliant. Nor does anyone else.
2. Compliance is basically impossible for any large institution. The EU Commission was itself non-compliant on the day GDPR came into effect, which was noticed immediately, and their response was that they had written themselves (and nobody else) an exception into the law so that they had more time to comply with it. When the government that writes a law acknowledges an inability to follow it by the deadline they set for everyone else, you know a law has problems.
3. Because the law is written so badly you can find plenty of people interpreting it in ways that would imply Amazon is doing nothing wrong, like this page [1] which purports to be busting GDPR myths and states that "processing is subject to stricter rules only if the profiling "produces legal effects" concerning the data subject or "similarly significantly affects" that individual. This will unlikely be the case for most advertising-related profiling and for the personalization of offerings".
4. GDPR theoretically requires every company in the world to comply, or does it? It's triggered by "offering" services to people in the EU, but what counts as "offering" is left undefined and like everything else, could be interpreted in dozens of different ways. Is having a website sufficient? Nobody knows. Here's PriceWaterhouseCoopers' advice on GDPR compliance for Switzerland [2] which starts by saying "My company is only Swiss-based, does it have to comply with GDPR? Alas, there is no simple answer to this.".
The fact that so many results when searching for GDPR are articles that claim to be debunking myths about it, and that so many such pages directly contradict each other, is indicative of the massive level of confusion this law has justifiably generated. It can be interpreted in any way any government wants to justify almost any level of fine imaginable, and governments are directly incentivized to do exactly that. Cynicism about GDPR and its motives will not go away by simply having lots of EU-loyal HN posters tell Americans that compliance is easy when it so obviously isn't.
Yeah that's not how GDPR is written, there's no provision for notices, that's the law and it's available to everyone to read.
All of Amazon's competitors, including my employer, have spent a lot of money and energy to comply. Why Amazon decided to just ignore what everyone else knew was a big deal is beyond me.
We could broaden the conversation and also ask who are the people who got harmed to the tune of $1B, and how they will be redressed for that harm
The point is not the legal matter at hand but the nature of the law itself and how it came to be. As much as I like that we don't get spam calls anymore in the EU, the problem was pushed under the rug, not solved (all the spam calls are now from UK numbers). The bigger problem is that while the legislators legislate for putting restrictions on EU businesses, they have not legislated an equal amount that would be conducive to business in the EU.
Do you know what the phrase "throw the book at them" means?
It means you have a rich set of laws, which punish various offenses which look fine on paper, but in practice everyone violates just to do their regular job, so they're widely not enforced.
But if you want to fuck someone in particular, you can easily find them in violation of a dozen or two of them, and put them in jail for a long time or fine them substantial amounts.
You threw the book at them.
This is basically what most of EU's data privacy, cookie and so on laws are about, in practice.
It's interesting how you can take a collection of seemingly or genuinely good-intentioned rules and use them to basically rule as a king, but there you go.
That's not really how, at least some, European countries work. Laws are written and companies are generally expected to follow them. We’re trying to catch up, going from a society where rules are followed, without the need for actual enforcement, to one where companies don’t follow the law unless the court makes it unprofitable.
Are companies expected to follow laws the day they get signed, even if it might take over a year to implement compliance? Think about it. Because here's what happened:
> The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, which filed numerous lawsuits against Big Tech companies on the behalf of 12,000 people shortly after the GDPR was established that year.
This privacy group waited for the law to get signed, and promptly sued every big company that clearly handles user data.
Do you think fining everyone a billion or two would help them come up with a time machine and go back in time to implement a law before it exists so they're compliant by the time it's signed? Curious.
You'd think that if this was a legit defense they would use it in court, instead of "There has been no data breach, and no customer data has been exposed to any third party" clinging to anything irrelevant, as I'm sure they don't hire incompetent lawyers waiting for an online poster to come up with a solution
I think GDPR discussions are always heated on the 'EU vs US' line because of different approach to trust in the govt. In the EU people tend to (surprisingly maybe) trust politicians more because they at least want to be re-elected and distrust corporations/billionaires because they want to increase profit. In the US, I think, it's different, there is a distrust in the government because they are here to get us and more trust (surprisingly maybe) in corporations/billionaires because they are just like me working hard to earn money
The GDPR was enacted two years before it came into force. Companies trading in the EU had plenty of time to come into compliance.
LQDN didn't "wait for the law to get signed" - it was signed ages ago. They waited until it was enforceable.
It's worth pointing out that the GDPR is an EU "regulation". It doesn't have to be ratified by member states, and they don't have to implement some kind of compliant national legislation. This is very different from the previous EU privacy legislation, which required member states to enact suitable laws, which many of them were apparently reluctant to do.
The GDPR came into force the day the regulation was issued. It's just that "came into force" means that the 2-year breathing-space provided for in the regulation began at that time.
If we're talking about GDPR, it came into effect on 25 May 2018, after being adopted by the European Parliament on 14 April 2016.
That's two years, one month, and 11 days for implementation. Those additional days are days after it was published in the EU's Official Journal. It's not EU's fault that companies waited until 2018 to give a fuck about it.
> Do you know what the phrase "throw the book at them" means?
It's perfectly reasonable to throw the book at them, because unlike their competitors they don't seem to have made even a token effort to begin compliance.
If they didn't have the book thrown at them, people would complain that the law is toothless.
I've worked for two companies that had to implement GDPR, in both cases the legal departments were extremely serious about it and we had to do a lot of work to comply. Why should Amazon get a pass?
It wasn't out of the blue. This complaint has been ongoing for a long time. Regulators have been vocal about these concerns for a while. Discussion of these issues, such as how the ad industry is at odds with privacy activists and increasingly regulators too, is common across various academic and industry forums. Amazon will have taken expert legal advice and likely have been involved in lobbying at all levels. Regulators typically have carefully constructed action policies which cover a range of measures, including warnings, which may well be delivered privately. Not everything that happens in the world makes the front page of Hacker News :)
> Then you have the same politicians colluding to basically go pirate and surprise fine the same business a billion for some semi-arbitrary violation out of nowhere.
I work for an online retailer that's not Amazon, we took GDPR very seriously and have as a result stopped collecting a lot of data and spent months implementing compliance. It seems Amazon has done next to nothing compared to what we did and chose instead to ignore the issue. It's absolutely no surprise what's happening to them, it's precisely what our legal department warned us about. Are you saying that Amazon should be above the law?
Also, the assumption that a grace period is due assumes that such behavior is only marginally inappropriate. Suppose Amazon was reading its customers' email; would you also argue that it needs a "grace period" after a demand to stop doing that before it actually stopped?
>you have the same politicians colluding to basically go pirate and surprise fine the same business a billion for some semi-arbitrary violation out of nowhere.
Your wording here implies that you think this fine is not justified and is nothing more than a shakedown against Amazon. Am I misunderstanding here or is that really what you're saying?
Ironically, you may not realize how accurate that is because the amount that will end up being paid is far far less after all the bribing and court cases and buying off/buttering up politicians and judges, etc.
It would be worth it for some government accountability group to track just how much the difference is between the fine levied and the amount paid. It's literally never the amount published so the people are assuaged.
> you may not realize how accurate that is because the amount that will end up being paid is far far less after all the bribing
Sources? (Actually curious if there is some published statistics)
Bureaucracy with all its faults still has quite a lot of checks and balances that have to add up, so I wonder how many appeal results there are that are not as interesting as the first fines reported
As long as fines are priced into the cost of doing shady business they'll be paid. Hopefully they will rise enough so that it's no longer profitable to risk them - we'll see then if the 'tariffs' as you call them will continue or will they stop
They will never stop, because the regulations are written so broadly that essentially any business could be found in breach of them.
The EU’s service sector is massively uncompetitive, and most of its regulation of this sector has been designed as either a tariff or just a general barrier to trade. In every GDPR related thread people complain that the law is not achieving its objectives (which you’re almost doing here also, with your “maybe it will eventually work” comment), but the law is doing exactly what it’s designed to do. It’s implementing trade barriers (a generally unpopular type of policy), and generating popular support for them (by dressing them up as privacy regulations).
> In every GDPR related thread people complain that the law is not achieving its objectives (which you’re almost doing here also, with your “maybe it will eventually work” comment), but the law is doing exactly what it’s designed to do.
I think you might be misinterpreting those comments. It's not that hard to follow GDPR, what's hard is to work around it. If you want to do exactly what you did before but you want to weasel your way around GDPR it's not impossible, unfortunately, but harder.
And people are complaining about it not achieving its objectives precisely because you can weasel your way around and that's why we have those stupid 'Accept all cookies' huge buttons and 'Change settings' small ones, that later change to another big 'Accept all' and even smaller 'reject'.
Stop selling users' data without their consent and GDPR is a breeze to be compliant with. Try still selling it, eliciting the consent via dark patterns, and complain how hard and complicated it is.
> Stop selling users' data without their consent and GDPR is a breeze to be compliant with. Try to still sell that, eliciting the consent via dark patterns, and complain how hard and complicated it is.
So it should be safe to entirely dismiss your comment on the basis that Amazon in this case hasn’t even been accused of providing data to a 3rd party, let alone selling it?
Selling/collecting - I'm glad that GDPR seems to treat them at almost equal footing, even harder to prosecute if you leave a huge backdoor
It's my data - fuck off, I'm interested in the business you're offering, not increasing your bottom-line at the expense of my privacy and especially I don't want to have a profile of me created just because you can. If I haven't consented to it, you won't do that - simple as that
The EU's service sector will continue its downward spiral as these regulations increase. They are building an ever widening moat for US Tech giants and calling it a win for the people
Was always wondering the same. How much weight does "you have been fined $10M" have? Do they pay them in like 100 installments over the course of 5-10 years?
I don't know about other countries, but in Poland the fine has interest - no less than 8%, it's tied to the economic indicators. It's at the minimum of 8% right now due to covid.
> the Luxembourg data protection authority slapped Amazon with the record fine in a July 16 decision that accused the online retailer of processing personal data in violation of the EU’s General Data Protection Regulation, or GDPR. Amazon disclosed the findings in a regulatory filing on Friday, saying the decision is “without merit.”
>“There has been no data breach, and no customer data has been exposed to any third party,” Amazon said in a statement, adding that it plans to appeal. “These facts are undisputed. We strongly disagree with the CNPD’s ruling.”
That sounds like Amazon saying "as long as we don't expose data we can do whatever we want with it", which isn't how the GDPR works at all.
When a company uses unrelated facts to try to steer the opinion, it means they have nothing else to defend themselves with.
It still makes financial sense for them to fight this ruling even if they have 0 basis for it: simply delaying the payment of an 800M euro fine covers the lawyers' fees.
There should be interest on fines to account for this.
When you sign up with Amazon you agree to their terms. These are pretty darn clear.
The decision rests on a whole complicated series of make-believe facts. That users were not told their data would be collected (false) or that they weren't told or aware that Amazon used ads or targeting (despite Amazon recommending stuff on literally every page or "similar customers bought xxx").
The idea that this is a data leak is crazy - Amazon is doing stuff in-house, there is no sale to third parties here.
The fine is for not getting explicit consent to use data in targeted ads. Maybe they ruled that something buried in a huge T&C document doesn't count as consent
God, this is why these terms and conditions are so long.
1) Yes - they say they will use your data in this and other ways.
2) The T&C's and the presence or absence of this statement in them is NOT meaningful to any ordinary users - these things have had to get so long they are not useful anymore.
3) The ads and suggestions targeting you are obvious on these sites. There is no secret.
Note - their T&C says the following:
"We receive and store any information you provide in relation to Amazon Services."
"We use your personal information to display interest-based ads for features, products, and services that might be of interest to you"
It may be clear, but it’s still in violation of the GDPR, which requires clear, unambiguous, non-coerced consent for each case where consent is required. Non-coerced means you have the option to decline and services can’t be withheld if you do.
Terms & Conditions fail this requirement in many ways.
This is the problem with the GDPR - we are ALREADY flooded with the damn cookie walls, now we are going to have to click through another 20 separate screens? It's ridiculous.
It's crazy being a generally big govt / left supporter - this is the absolute crap that gives govt / the left a bad name. 95% of people DO NOT CARE about their cookies etc and are annoyed by this endless crap.
> Now we are going to have to click through another 20 separate screens?
I’ve never seen that. (Maybe I’m not visiting the same types of web sites you are.) You’re obviously ranting, which makes it hard for me to take you seriously. But blaming your imaginary problem on “the left” rather than the websites you imagine will do this to you seems a bit silly even so.
All the information you need to read and understand to sign up to Amazon (in English) is 12k words, or an hour and a half of average reading time. What percentage of users do you think spend an hour and a half to read and comprehend the terms? 1%? 0.1%? 0.01%?
In addition, under GDPR consent has to be separate from terms and conditions, it has to be opt-in, and the explanation of what you opt in to has to be clear and concise.
And this is why folks hate the GDPR. As soon as we have to jump through 10 more screens to do anything people are going to be even more annoyed at the cookie and now GDPR wall you have to fight through to use websites.
With the amount of physical assets and business Amazon has in the EU it will be easy to enforce the collection. The other option is to confiscate the warehouses and data centers and sell those to pay the fine.
Also I’m not sure how Luxembourg laws work but here in Finland the government would just declare that company bankrupt and take all of their stuff to pay the fine. (Company not paying their bills in time is grounds for bankruptcy).
This is also the easiest way to get a company to pay what they owe you. Just sending a notice to the courts of wanting to declare the company bankrupt for not paying usually leads to the bill getting paid in a day or two. This has actually happened to some really large companies (mainly insurance companies that did not want to pay after losing in court when disputing their insurance decisions).
Twitter in Russia is very different as they do not have any physical assets there.
It would be better to require a license for (any) data processing at scale which is easily granted (covering all possible use cases) but can be perpetually revoked. That would be taken much more seriously than these fines.
If it's already not allowed to use data in this way - thus the fine - what purpose would allowing and revoking the right to do so serve? It's already prohibited.
What if the law defined the processes more closely? “Billing data must be kept for 2 years numerically and 10 years on an offline device or paper. Marketing data can be kept for 6 months until renewal of consent by the user. The rest is permitted upon license.”
The compelling thing with GP's proposal would be that it is easier to enforce. If the license is revoked there is no gray area for interpretation left.
Both proponents and opponents of GDPR have said that the ambiguity of GDPR is an intentional feature. It closes loopholes or allows for arbitrary power of politicians, depending on who you ask.
But seriously, the industry has largely been in a Wile E. Coyote moment ever since GDPR came into force, because most of the "standard practices", and for companies like Facebook and Google their business model, became illegal at that moment.
The industry reaction has been to mostly ignore it and carry on as always, running on air and making sure not to look down. Oh, and trying their best to annoy users by running nasty and also mostly illegal "consent popups", in an attempt to do a repeat of the very successful campaign against the cookie directive.
I don't think it will work this time around, because the EU learned from their earlier mistake, and specifically came up with fines that will really, really sting.
As far as I know, cases against Facebook are currently making their way through the system (not sure about Google, but they are also guilty as can be), but haven't resulted in a ruling and fine yet.
Immovable business model, meet irresistible regulation.
The EU is not going to get into a war because it doesn't have any countries capable of fighting a war. The GDPR is not powerful because as much as they think they can extract revenue from a multinational company, the pacifist EU countries don't have the power to enforce it at scale. China, Russia and the U.S. aren't going to help them enforce the GDPR. If the companies don't like it they will just ignore it and exclude the EU from the world economy.
The EU will moderate its enforcement to a degree that is tolerable by the companies to avoid any major conflicts.
What's this about war? Who mentioned war? The EU is not fining a nation-state with an army; it's fining a corporation with EU subsidiaries and assets.
If you want to trade in a place, you either obey the laws of that place, or you shut down operations there, or you get fined.
Are you suggesting the USA might use armed force to prevent the EU fining Faceache? I don't think I've heard even nativist nuts suggesting anything remotely like that.
Just forwarded this news to my executive team who held up my attempts at getting us GDPR and CCPA compliant for 8 months last year. They said the laws were 'toothless'. Happy to be proven correct!
> How much can an organization be fined for a GDPR violation? The GDPR allows the EU's Data Protection Authorities to issue fines of up to €20 million ($24.1 million) or 4% of annual global turnover (whichever is higher).
And the best part is that the fine is calculated according to the parent company, so you can't create a subsidiary to handle all the iffy GDPR stuff and have it work with 0 turnover.
So if any of Google's properties F's up, the fine is calculated from Alphabet's annual turnover.
The evidence that you're wrong starts with the fact that you already started from "We" are the winners and "They" are the losers, so "They" are playing dirty and "We" are the real victims here.
If you haven't read the investigation documents and ruling (as I didn't), the most we can do is to have a hunch and google Amazon's past and track record in everything from business tactics to employee policies. I think no one is surprised they have problems with the law.
And speaking of law, each place has their own laws, customs and views on how society should look.
The EU's focus on data protection, particularly the German view, which is to a large extent that which now prevails at the EU level (though the others were very similar), predates the existence of these tech companies. By a huge amount.
In Germany, it is considered a "Grundrecht", a "basic right" of constitutional rank.
It's actually pretty easy to see the pattern, isn't it? The US tech giants' business models most often are based on data usage that is inherently incompatible with GDPR (most are essentially advertisers). And apparently most of these companies continued that practice despite the GDPR.
Most EU tech giants are B2B and mostly don't have this problem in the first place.
Yes, in the EU a company whose business model is violating its users' privacy rights (and those existed pre GDPR) would never have gotten off the ground.
Because they have mild success only. DailyMotion is great as #2, but Youtube is about 1000x bigger. Other startups exist, but are far from Apple-style success. Who would let any company own a campus anyway.
If "tech giant" equals "web advertising platform", then sure. But there are quite a few big physical tech companies within the EU. Bosch and Facebook have about the same revenue, for example. ZF Friedrichshafen, a company no one has heard of, has double the revenue of Youtube.
I wouldn't call making dishwashers tech. I'm not disparaging, I love how quiet my Bosch is, but I would classify it as an industrial company, not a technology company.
Bosch is quite big; they are also a major supplier of the things e.g. a Tesla is made of, e.g. the hardware behind the self-driving functionality. And health tech like germ detection.
ARM holdings is owned by a Japanese fund and being sold to a US corporation.
European salaries are paltry in comparison to the US, and the businesses are either stagnant (Bosch) or dying off, except for a few successful ones that are being sold off to either Chinese conglomerates (Volvo) or USA/Japan (ARM holdings).
There are many other reasons why large tech companies have a hard time emerging in Europe. One could argue that none of the really big tech companies that emerged in the US is recent either.
So it makes sense, if companies can't be helped, for EU to at least try to protect the consumers.
> One could argue that none of the really big tech companies that emerged in the US is recent either.
That can't be reasonably argued. The US has dozens of large tech companies that have emerged more recently than the classic big tech giants. The EU, or Europe more broadly, has exceptionally few.
More recently, for large tech companies, is the past ~20 years. It typically takes a long time to become worth $20 billion or $50b or $100b. That time frame excludes Microsoft, Apple, Google, Amazon, Netflix, Adobe, Cisco, Intel, Oracle, Nvidia, AMD, Dell/Emc, Vmware, Salesforce, PayPal, Applied Materials, Texas Instruments, Qualcomm, Broadcom, Verisign, Intuit, IBM, HP, Autodesk, eBay, Booking, Expedia, Cadence, Marvell, Micron, Lam, KLA, Western Digital, Seagate, among many others.
Most of these companies have solid growth profiles and will be far larger in ten years than they are today. Beyond that are dozens of single digit billion dollar tech companies born in the past 20 years that will join that list.
The EU should also be asking itself why Atlassian and Shopify didn't originate there instead of Australia and Canada. Why didn't UiPath move its HQ to Berlin or Paris instead of NY? Why didn't Elon Musk start SpaceX or Tesla in the EU? Why did the Collisons build Stripe in California? Why is the EU competition for AWS companies like Hetzner, OVH and Scaleway (which are actually DigitalOcean peers)? One may not like Bezos, however he's going to push tens of billions of dollars into attempting to build up Blue Origin, where's the EU comparable by one of their zillionaires? All the biggest US fortunes are first generation and in technology, except for Buffett. The biggest EU fortunes are in fashion, cosmetics, retail. That's representative of the EU being left behind, stagnant.
The US badly beat Europe in the IBM-HP-Fairchild era. The US badly beat Europe in the Apple-Microsoft-Intel era. The US badly beat Europe in the early Internet & Web era (Google, Amazon, Netflix, Nvidia, Cisco). The US is badly beating Europe in the cloud era.
And that's understating things. It's not a race. The EU isn't even participating, they're stretching on the sidelines, watching the US and China compete to see who can build the largest tech companies (China's tech companies are largely locked inside of China, and that's about to get worse, so the US will win that contest). There's no indication that the Europeans have figured out how to compete, how to scale quickly through their own markets and then rapidly push globally to win markets before the US companies do. So far all they've come up with is top down command schemes whereby countries like France think they can will an AWS competitor into existence magically, or alternatively they scheme to use regulatory capture to entirely avoid having to compete.
The point you quoted was about US tech producing several behemoths at the turn of the century. As of today, no later company in your list is on the path to competing with the best of that generation.
You decided to read that point as an appeal to EU-US banter-if-not-chauvinism, I'm afraid that's not really a discussion I'm interested in having on HN.
The EU fell off that wagon long before GDPR. There weren't any major IT businesses from Europe 20 years ago either.
If anything, GDPR might actually give European businesses some room to maneuver on the European market, as US businesses seem hell-bent on making money off their users' data rather than the core services they provide for the users.
I am currently implementing GDPR for a health related startup. This half sentence sums up the entire regulation pretty well. It's infuriatingly unspecific about what you can do, and full of vague hinting on things that you maybe really should not do.
"Can I do this?" "Yeaaaah, not exactly saying that you can't but maybe it would REALLY be better if you don't, maybe"
Absolutely disgusting. Lawyers must be thrilled to have it.
Edit: My gripe is not at all with privacy protection laws but with laws that are unclear. Apparently I have been unclear.
> It's infuriatingly unspecific about what you can do, and full of vague hinting on things that you maybe really should not do.
It really isn't that complicated.
You can collect and process data assuming you have a valid business reason to do so. You need to collect/process that data in a way that complies with the law based on what you're collecting/processing.
Want to collect people's health data? Cool, ask them for consent and you've got the right to collect it.
Want to process that data to make decisions about their insurance premiums? Sure, you can do that, but you'll need the user's consent.
There's a lot of uncharitable talk in this thread, where comments like yours assume bad intent on behalf of businesses who find GDPR compliance challenging. It's a giant body of regulatory law, of course it's complicated! The GDPR probably _isn't_ hard to deal with if you don't actually care about privacy; it's easy to just not follow the law and hope you don't get caught. But if your company respects individual privacy, and collects personal data only with a lawful basis, and needs to make assurances to its customers that all the regulations are being followed, there's a lot of work you have to do to demonstrate compliance, and many specifics (for example, with regards to personal data erasure in backups and archives) are completely unspecified. How uncomplicated is that issue?
The more collecting and processing you want to do, the more complying you're going to have to do, I can see that.
With respect to the archives: don't you think that's best left to the company and their legal department? As far as I'm concerned, an archive is by definition immutable. And if a company can't protect its own archives, it's got worse problems than GDPR.
> The more collecting and processing you want to do, the more complying you're going to have to do, I can see that.
I am sorry, but this is too hand-wavy considering the insane complexity we are touching here.
To illustrate, a super simple example: Someone writes you (a business entity, it's harder when it's in health) a mail with a random business related request.
If you think it should be fair enough to a) receive/store, b) read and/or c) answer this very much unsolicited mail, you are mistaken. If you think that there is a clear/sane/minimal way to handle any of these scenarios, you are wrong again.
Depending on your exact situation and request you might first have to respond by asking the party to waive their right to encrypted communication (which they, of course, couldn't even execute, since pgp is obviously not a thing with real people in the real world), and/or their physical address, to SEND THEM YOUR ANSWER VIA POSTAL OR FUCKING FAX, because that is deemed a sane way to get around problems with email storage/encryption, even in big companies and governmental agencies.
You definitely also have to delete the email after some amount of time. All of a sudden you (as in some random person who just wants to do business in modern times) have to figure out a retention policy and implementation (or pay some consultant, who will be happy to be paid to figure out how to use email for your business without getting sued in 2021).
In case you don't run your own email server on your own fucking physical server, you also better get a contract with every relevant so-called Processor (Art. 28 GDPR) in the chain. This however might not suffice if you want to use gmail/google workspace (or any other non-EU hosted provider). Depending on the industry it might simply be illegal for you to use these services. I say might, because, honest to god, there is no clear fucking answer on this. Trust me, I looked.
But you know what, this is not my biggest gripe with GDPR. It's not the burden that it puts on seemingly simple processes, no matter how well intentioned you might just want to get your actual job done.
The biggest gripe is that it's full of vague wordings like "meet requirements to ensure protection" without specifying the exact fucking requirements, or "careful handling of sensitive data", as if that explained anything. What the fuck? If you are actually serious about creating a law to protect privacy you have to at least provide very serious specs – and, I would argue, to be not completely fuck all the normies trying to run a business, also easy and cheap implementation.
After having done a very thorough trip through the entire thing, I am 99% certain that 99.9% of businesses are knowingly and/or unknowingly in violation of GDPR.
Well, on the other hand you have American corporations stealing data from every orifice because they can get away on technicalities of those ultra specific laws.
"Well, actually we DID put an 8pt text on a subpage somewhere, the law doesn't define the text size of disclosure, MINE AWAY!".
EU seems to have learned the lesson. Heck, even American corporations like Google, Apple and Amazon put vague descriptors in their terms of service and AppStore rules so they avoid rules lawyering.
I work in an IT health care company in Europe. The main difficulties are the laws and regulations, not the software development. But I think it's a good thing.
Good luck for your work and if you aren't sure if you can do it, don't.
>Absolutely disgusting. Lawyers must be thrilled to have it.
Well, if a company's determined not to comply with GDPR, then it's going to be on the lookout for loopholes, and ways around the legislation. And indeed, if that's its plan, and the legislation is vague, it's going to need a much bigger legal department. That's not the law's fault; that's because the company doesn't want to comply.
If on the other hand a company wants to comply, then that very vagueness protects it, on my reading. It's hard to imagine being done for GDPR violations, if you've familiarised yourself with the provisions; and if you are affected, have a concrete plan to ensure you are in compliance.
I confess that I don't like the vagueness. It gives greater discretion to the judge. I've lived all of my life under UK law, which is more specific and prescriptive than the laws of most EU states, where judges have much more power.
Having worked in a US health tech start-up (and done some compliance work there), and now working with GDPR as a US company, I'm similarly frustrated with how imprecisely the regulations are worded. US health information privacy laws are much easier to interpret and follow. Large, important parts of GDPR compliance hinge on wording like "the processing is not occasional." "Occasional" is not defined in the regulations, and different countries' advisory bodies have completely opposite interpretations about what it means.
Feel your pain. At my last job I worked with mostly EMEA and mainly EU countries. Worked directly with our lawyers in the EU to make sense of it all. This was right when the GDPR was looming and it was stressful to figure out how to comply.
I worked on GDPR for a health related startup and at some point, I had to start explaining GDPR and HIPAA to the lawyers! The lawyers thought the startup was subject to HIPAA, but we weren't a health org or a BAA, and I explained that. They said "well it's probably better if you just follow that law anyway"
To what extent is your startup's business dependent on violating users' or others' privacy? Will it be uncompetitive if they don't?
It's a broad question, not a legal one.
If the answer is: it's very important, because our competitors will violate and win, then EU probably expects to apply industry-wide regulation.
If the answer is, not much or we don't know yet, then just don't. Please.
Law and money are certainly important, but there's other important things too.
Look at it from the regulators' perspective. Regulators will always lag nimble startups. But if those companies are violating reasonable and widely-held principles (perhaps not the law, yet), how should the EU best apply those principles into law?
I find the vagueness of the GDPR exactly satisfies this dilemma.
This is by design as most EU data privacy/competition laws are thinly veiled attempts to extract bribe money from large US tech firms. Sadly, the US gov is also following down this road.
Laughing because the company you invested in has committed illegal activities and has to pay $888M seems strange to me. Not a high standard to set for your investments.
Amazon is a good investment and remains so. It does not derogate from the two facts, 1. karma and 2. the world isn't fair, as in this is a few days' profits. Comparable to you getting a few thousand dollars fine for breaking the law.
That doesn’t matter. As a shareholder there is absolutely no way this helps your stock price. While you may not be crying it doesn’t make any sense to “lol” at it either.
They said revenue but they don’t understand what it means. Only a few percent of that revenue is actually profit - perhaps there is no profit depending on the market. It’s an especially tiresome thing to point out since probably more than half of HN readers are paid a salary out of these kind of revenue figures.
The law provides for fines to be a percentage of turnover.
A fine as a proportion of profits just reduces your profits by a few percent; as long as your profits are still huge, it doesn't matter, and you pay up. If it's a percentage of turnover, you might well end up with losses for that year, and no profits at all.
The regulation is designed to make your shareholders sit up, and put pressure on the board to come into compliance. It was targeted at turnover rather than profits for obvious reasons - corporate accountants are very good at making profits invisible. And turnover is relatively easy to measure.
[Edit] Changed "revenue" to "turnover" - "revenue" was an alternative fact.
It's unfair to assume they don't know what revenue is. Comparing it to the revenue is perfectly valid. Amazon famously didn't make a profit for many years, does that mean that they couldn't afford any fine during that period? I think it implies that the profit of a company is a poor indicator of their wealth and what they can afford.
The person seemed to be implying as if they were making the money back in 1 day otherwise this comparison would be meaningless, as they can have infinite revenue, but 0 profit.
Who's better positioned to pay a fine, an individual contractor who makes $1mil profit in a year or an unspecified company that makes no profit but has a >$1B market cap and high revenues?
It feels like the person I replied to first is so eager to assume others don't understand the difference between profit and revenue that they miss the forest for the trees.
I think it is unclear because the top level post didn't make a conclusion, just threw out a fact.
If the implied conclusion is the fine won't hurt or have an impact because revenue >> the fine, they are missing the relevance of comparing the fine to profit.
I'm not sure what other conclusion they would want people to take from the fact presented
The fines are obviously not intended to bankrupt them.
Amazon had $7.8 billion in profit this quarter; 10% of that should hurt badly enough to course correct, shouldn't it?
It's worse than that. Almost all of Amazon's profit comes from AWS and its US business, but this fine is entirely a cost due to its retail business in the EU.
The operating income of Amazon's international retail business in 2020 was just $700m, it makes their entire European business last year overall unprofitable.
Holy crap, what do they even do with that money? I'd love to read more about this. They have 615,000 people living there, meaning they get 55,000 USD in gov revenue per person.
For comparison, the US gov got ~8,750 USD in rev per head in 2019.
> Holy crap, what do they even do with that money?
Free public transport for one.¹
I holidayed there a couple of years ago before they made it free and even then, it was still heavily subsidised. It cost only €4 for a ticket that covered bus, tram or train to anywhere in the country for that day. Even in rural areas, buses were travelling every half hour from early morning until late evening. It was great for long hikes (or kayak trips) and returning by bus. I loved the freedom of it all.
What matters isn't really the government revenue but the government spending. The discrepancy is a lot smaller for the latter metric. In 2020, the US government collected 10.5k/person but spent 20k/person.
There is a law. You respect it, otherwise there is a fine.
Are you saying European companies that are leaders in their fields should not be fined by the US if they disregard its law when doing business there? If yes, you should inform the US. If not, then you're being a hypocrite.
So, according to you, European countries should not be able to have laws and apply them?
Companies like Amazon, Apple, Facebook and Google should not be regulated? They should be able to do whatever they want to do?
Still seeing people in support of such imperialism is quite sad to be honest.
Apparently this is due to this French association whose main goal is to sue the big tech companies. They've sued Google, Apple, Facebook, Amazon, and Microsoft:
This is a misrepresentation of the association. They existed way before this campaign and GDPR.
The first paragraph [1] of their About section mentions they started in 2008 to fight against HADOPI, which is the French authority created to enforce copyrights in reaction to (illegal) streaming/p2p sharing of music/movies etc.
Recently, they're fighting against new French laws allowing the government to collect/process more data on all its citizens for supposedly anti-terrorism purposes.
Unpopular opinion: It should be illegal to not use purchase history to make better ad placements.
Forcing companies to not use all the information at their disposal to make business decisions leads to worse decisions. It would be like a superstore not being allowed to see the demographics of the area the store is located in when deciding if they should stock more types of toys or false teeth. Clearly the families will likely be interested in toys, while the retirees want false teeth. Forcing families to hunt through aisles of false teeth is wasting their time, reducing the business's revenue, and is bad all round.
"We're just taking money from the megacorps" isn't true - you're also forcing every user of a website to get a worse experience, sometimes severely to their detriment.
> It should be illegal to not use purchase history to make better ad placements.
I'm not sure about legality but I think your argument should be made to stock regulators. I don't agree with it but I can certainly see your argument, on the face of it, has merit. I also think it's distasteful and wrong and I don't care to elaborate on that.
> Forcing companies to not use all the information at their disposal to make business decisions
There are plenty of laws which force companies to not use all of the information at their disposal. Privacy laws, for example, are set to help people (not necessarily customers) have a better life. Corporations don't have a right to profit from people who don't wish to be profited from.
> you're also forcing every user of a website to get a worse experience, sometimes severely to their detriment.
I fully disagree. I don't believe that using customers' purchase history guarantees in any way that the customer's experience will be better. The only thing it's likely to guarantee is a more profitable company. The two metrics may be correlated but they're not causal.
Seeing how unreasonably bad Google's ad quality was the first decade after buying DoubleClick, I don't buy this.
For a decade Google threw away information about what I searched for or what website I visited and presented generic "dumb male age 20 - 40" ads to me. They still do sometimes if I browse without adblocking enabled.
You are clearly uninformed. These companies need to ask permission.
So a few Google, MS, Amazon devs could put their brains to work, create a standard for people like you to get a beautiful experience: you could give them permissions to watch your browsing, access your health data, listen to your microphone, scan your files, data mine your images and social posts. You could even help these nice companies by filling in a form where you tell them what kind of ads you want to see, what things you like, what you hate.
The only problem is that either there are few people like you that want to give permissions, the giants don't want to share the profits and for sure don't care about your experience, or these giants' devs are incompetent or are focusing on easy projects like throwing some npm modules at some source code/social posts/images and pretend they made an AI developer/writer/artist etc.
TLDR: GDPR asks for permissions, you can just click Accept All, and if after you clicked Accept All the ads are still garbage then it is not the EU's fault that the Amazon devs that work on ads are incompetent or are optimizing for the thing you don't care about.