First complaints under the GDPR lodged within hours (fieldfisher.com)
45 points by raleighm on June 9, 2018 | 77 comments


Has anyone actually come across any sites that have gone properly GDPR compliant yet? 90% of the conversions I've seen have gone with: we use cookies, click here to be fine with that (almost always after the cookies are already set), or click here to embark on some convoluted process to disable some in our spuriously derived non-essential categories.

It appears the positive opt in requirement of GDPR is being universally ignored by the industry.


I've seen various sites in compliance, mostly smaller companies TBH. It seems to be mostly US companies who seem to be getting it completely wrong (maybe that's biased by the sites I frequent), which has perplexed me a little as it would have been cheaper to just do nothing about it at all.

I'm also wondering if the cookies thing is actually just the other law, but now we're all having to look at the old "we use cookies" notifications in a GDPR light.


The irony is that the rules about annoying cookie notifications were supposed to be fixed by some additional changes that came into effect with the GDPR, but those changes weren't ready in time.


The cookie banners are required by the ePrivacy Directive, not the GDPR or its predecessor, the Data Protection Directive. ePrivacy has been around for years. Directives are EU-wide “directives” to each member state (country) to enact their own version of it. Therefore, both ePrivacy Directive and the old Data Protection Directive resulted in varied laws from country to country making compliance a challenge. Part of the purpose of the GDPR was to create consistency by replacing a directive with an EU-wide regulation. They have the same plan for ePrivacy and already have published an ePrivacy Regulation for review and comment. The ePrivacy Regulation was supposed to be passed at the same time as the GDPR, but they’re behind so people are expecting it in 2019. There is a recognition that the cookie banners have been a failure, and it is expected the ePrivacy Regulation will get rid of them (but there will still be TBD consent requirements around use of cookies).


Interesting, do you have a link where I can learn more about the fix?



That Wikipedia page seems out of date, and there's only that one and a Dutch version of it, it seems. ePR should get in effect in 2019, correct?


> ePR should get in effect in 2019, correct?

Yes, that seems to be what they're aiming for now. It was originally supposed to come into effect alongside the GDPR last month, repealing the analogous ePrivacy Directive that was (and for now remains) in force, and therefore allowing member states to update their national laws to remove the annoying cookie notification requirements. Sadly, it wasn't ready in time.


Maybe this is a bit of a weird stance, but I don't think setting cookies counts as a violation of privacy. First of all the user has full control over the cookies and can arbitrarily deny, delete or even modify them (nobody uses this power, but they still have it), and fundamentally telling someone to remember some bit of information doesn't really tell you anything about them.

However reading cookies (and sending the content to a server) obviously is privacy sensitive, although even then it should be noted that users have full control over the cookies. This makes cookies better than e.g. a profile that's stored on Facebook's servers.


AFAIK, the 'cookie law' directive was even more relaxed than what you describe. It never mentioned cookies explicitly. It was talking about tracking. If you had a good technical reason like keeping login session open, you never had to place a pop up in the first place.

However, if you started to track people explicitly, even without a cookie, you needed to inform the user.

How that law got interpreted as a 'put a pop up on everything' is beyond me. Most sites managed to annoy the user with a pop up, and still were not on the legal side of the law as they did not inform which third parties exactly got the information.

Why didn't the EU step up and give guidance to stop the madness? No idea. In general, they tend to bury you alive under folders when given half a chance.

I don't know what the cookie law status is today. It was supposed to be superseded by the GDPR, but I think it is still active, together with the GDPR.


You have to put the pop up if you want to count visitors with Google Analytics, or use Google AdSense, and that covers the vast majority of small / medium sites.


Yes, most online shops that I have an account with seem to do GDPR compliance correctly by simply adjusting their contract they have with the customer. In order to do the service which the customer has bought and send an item to a location they need the shipping location, so they changed the contract to say "we are storing the location for the purpose of sending you the item you bought". They can't go and sell that information to a third-party, but they can store it for the purpose that I as a customer requested of them.


There is much confusion. Cookies are governed by the ePrivacy Directive, not GDPR. ePrivacy regulates email, phone, text and other communications – not personal data per se. It prohibits setting a third party cookie on a device without first getting consent. It also requires consent for email marketing, which, when collected in the context of a sale to a customer (and some other restrictions) may be opt-out (this is often called a “soft opt-in”). Otherwise, the consent must be opt in. This is getting confused with the GDPR.


I know a lot of companies that I believe are compliant, but they also do not do anything where they'd need to process data with non-obvious reasons.

Many high-profile sites rely on advertising, and that makes things more complicated, since they have a clear business interest to get and share as much data as possible, instead of a "process only data strictly needed" approach others can take.


I’m not sure I entirely follow the point of the complaints. The complainants seem to have a problem with the fact that they’re asked to either agree with the ToS or not use the product/service. How’s that illegal/unfair? No business is obliged to allow all and sundry to use their product/service - regardless of whether they abide by the rules. GDPR doesn’t mandate that, does it?

While I of course fully support the protection of consumer data/privacy, the companies also have a right to decide whether they want non-compliant users using their service. They’re not running something like public transport, which must, by rights, be available to all.

Are these complaints in fact valid under GDPR?


There are several lawful bases for processing personal data. Consent is one of them. The companies don't have to rely on consent. But if they do that consent must be freely given.

This point in GDPR could be clearer, and I hope the national regulators provide better advice.

Also, lots of complainants don't understand GDPR and so we will see a bunch of complaints based on incorrect understanding of GDPR.

https://gdpr-info.eu/art-7-gdpr/

> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.


>Also, lots of complainants don't understand GDPR and so we will see a bunch of complaints based on incorrect understanding of GDPR.

Indeed, probably lots of entitled people who believe Facebook (though I’m no fan, and haven’t used it in years) ought to behave as a charity or govt-funded entity.

>https://gdpr-info.eu/art-7-gdpr/

Thanks for that (I’ll be reading through the link more fully).

>When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

So, the company needs to phrase/frame/present the “service” carefully enough - to take the example of FB again, the service they offer could be phrased as "a means to communicate with and see updates from your connections, together with ads that have been targeted based on your profile details”. Naturally a contract to execute such a service cannot be fulfilled without them processing personal data, and this is the only service they offer. Does this understanding seem correct?


> No business is obliged to allow all and sundry to use their product/service - regardless of whether they abide by the rules.

If they are operating in the EU? They do, actually. You can't just put whatever you want in your ToS/EULA and throw your hands up.


We should already be used to this. We're used to seeing the phrase "Your statutory rights remain unaffected". A site's ToS, a store's policies, etc do not override your rights available by law.

If a shop says "no returns", what they actually mean is "changing your mind or deciding you don't like it isn't a valid reason". But you can still return something if it's faulty, isn't as described, or isn't fit for purpose - because they're your legal rights, phooey to the store's return policies.

It's my understanding (which could be wrong, is constantly evolving, and desperately needs test cases) that being able to opt out of unnecessary PII collection or processing is a legal right, and phooey to the ToS that claims otherwise.


In principle...

In practice, I think that's yet to be determined. GDPR is new. These rights are new. "If it's faulty" is easy for lawyers to determine. "Fit for purpose" ...isn't that hard, and the lawyers have had time to practice. "Unnecessary PII collection or processing" ... the lawyers are currently 23 Wikipedia links deep^ trying to identify the Aristotelian truth of the matter, presumably in order to make necessary amendments to the aforementioned contract.

Shops putting signs on walls is just not comparable to this, in practice. Normal people are signing dozens of pseudo-contracts they don't understand each day. That has been accelerating and gdpr has accelerated it further.


>It's my understanding (which could be wrong, is constantly evolving, and desperately needs test cases) that being able opt out of unnecessary PII collection or processing is a legal right, and phooey to the ToS that claims otherwise.

That’s actually a great point. Collecting PII is NOT illegal, as far as I can see. Nor can it be illegal. Same for personalized ads.

Consider a real estate agent. To show you the right kinds of houses to buy and finally make the contract, they have to have enough PII about you. If they know nothing about you, they’ll end up showing 1-bedroom studios for a family of five and a three bedroom suite for a bachelor living alone. Similar arguments can be made for all kinds of service providers.

Now onto the issue of FB, the only service they offer is “communication tools with built in personalized ads”. PII is necessary to provide that service.


Well, I'm cagey with "unnecessary" because I honestly think it's going to take a good few cases in front of judges until we properly understand where that lies. Which will be fun.

I'm also curious where other points will land in reality. eg, if I ask Apple to remove all data they have about me, will that also remove me from your address book? If I ask Google to remove all data they have about me, will that also remove any emails you've received from me?

In this light, I'm happy to see the first complaints arrive against Google and Facebook, as they're exactly the examples we all have in mind, and we need to see how they'll play out in reality.

(Albeit, I also trust the European legal systems won't commonly wield the maximum possible fines, but rather seek compliance. The scary big numbers, the source of so much FUD, should be reserved for wilful disregard after this step. "Walk softly but carry a big stick" style.)


Yes, indeed. It will take a few cases to see what reality is. Though I am equally sure companies which make billions off personal data will leave no stone unturned to argue that their use case is legit.

Their case will be helped by the fact that they can simply have the user “consent” to stuff. And since none of those are “critical” services, they will find ways to prove that user consent was actually voluntary, and not coerced.

So I think you’re right that only the most egregious violations will have real trouble.

The judges might also want to demonstrate to everybody (including their own system) that the big stick can in fact be wielded to real effect. If people start believing that the stick is really just a prop, no point carrying it, is there…


> Collecting PII is NOT illegal, as far as I can see. Nor can it be illegal.

Article 6 [0] is phrased negatively, making collecting PII illegal unless x or y. These points cover all the use cases the lawmakers deemed valid; a real-estate agent may collect PII because of 6.1b (taking steps to enter a contract at the request of the data subject). Should a new, possibly valid reason to collect PII come up it would first need to be checked and then added to the list.

Since most websites and online services do not aim to form a contract nor fit points c-f, they have to obtain consent by the data subject (6.1a) to make collecting PII legal.

[0] https://gdpr-info.eu/art-6-gdpr/


> Since most websites and online services do not aim to form a contract nor fit points c-f, they have to obtain consent by the data subject (6.1a) to make collecting PII legal.

Many common purposes for data processing might come under point f (legitimate interests) depending on the circumstances. Analytics, marketing, monitoring to check for fraud or other abuses are just a few examples.


Doesn’t “consent” (point a) supersede all the rest? Looking at how people have been conditioned to so easily click on "I agree", that will be the most obvious thing to pursue for most companies.


You can do more or less anything with the subject's consent, but one of the big changes under the GDPR is that subjects can always withdraw that consent later and then exercise their right to erasure if there is no other lawful basis for that processing.


True, but the custom isn't that we sign seven contracts at lunchtime, as we browse shops in a mall & buy a sandwich. That's new, for a regular person "seeing" gdpr.

We'll see if this difference is legally superficial or material, as this all plays out.

There was a lot of MOP interest in gdpr and its friends (like the US Congress' FB stuff). Politicians got attention for their rhetoric, as they legislated. Journalists delivered coverage and opinion, including a lot of moralising too. Social media was abuzz.^ They never told the average MOP that gdpr would be a bunch of contracts she'd be signing.

From the perspective of corporations.. the party complying & implementing gdpr... they've mostly interpreted it as "Rules About The Contract Our Customers Must Sign". Their lawyers assure them this is best.

I think this was a piece of legislation that our legislative systems are particularly ill-equipped to deal with.

^Relative to the standard interest in laws.


Fun fact: if you buy a bread at a German bakery, you‘re entering into not one, but three distinct contracts.

It‘s just that we usually don‘t notice it because it‘s all concludent action, not a signature.

Yes, it‘s strange, but it is the holy cow of German contract law.


I suspected this was the case, but had no idea of the search terms. It strikes me I do enter several contracts per day, offline, almost always simply implied by actions. And we have consumer protection acts to guard the edges of these implied contracts.

I think what the web needs right now is to figure out what the implied contract is, and save the modals for those out of the ordinary.


Pardon my apparent impertinence in putting it this way - but isn’t the implicit contract rather obvious?

In the digital/information age, personal data is the new currency. You pay for online services with that currency. If your data (money) is more valuable to you than the value you’d derive from use of a certain service, then you don’t pay for it (and by rights, don’t get to use it). I think my money is too valuable for me to spend it on bottled water, so I drink tap water. I think my personal data is too valuable for what I’d get from using FB, so I don’t use it (there’s 20+ very widely used apps to “stay in touch” and “communicate” with people).

Eventually (even a couple decades maybe), it will become a question of getting the most bang for your buck (data). If two companies offer the same sort of service, but no. 1 needs all personal info all the time (like FB today), and no. 2 only wants your location twice a day, no. 2 will be cheaper and win out. When no. 2’s executives get greedy and ask for your location 4 times a day, Reddit will squeal.


No, the implicit contract is far from obvious. Yes, everyone knows Facebook shows you advertisements in return for using their service; that personal information is used for that purpose, the extent of personal information collected, and what else it can be used for and with whom it may be shared, is far from clear even to technically-inclined individuals, much less the average user.

There's a reason Facebook has you agree to a 10,000 words ToS and related documents, and it's not because the contract here is blindingly obvious. It would be another thing if the type and extent of their data collection was clearly spelled out and delineated so you knew exactly what you're giving up; but Facebook explicitly wants the ability to collect anything and everything and use it for whatever. Under those conditions, what kind of information they collect about you and what other data it allows them to infer is completely opaque. ("It's just an indoor photo me and a friend, surely Googlebook can't tell where this was taken?" https://nakedsecurity.sophos.com/2016/02/29/google-knows-whe...)


You’re right that what they collect and what they use it for should be specified more clearly. I suspect if one carefully read through the 10K word ToS, it covers just about everything they do. If it hadn't historically, it will have, since GDPR.

Despite the whole media stink about Cambridge Analytica, usage figures aren’t significantly different. This leads me to believe the average user will simply agree to whatever is put in front of them so as to be able to check out pics and read newsfeeds or play farmville or whatever else it is that people do on FB.

What the EU could mandate is a max 1000 word ToS, that the more concerned user without legal training could actually grok. The GDPR just makes sure companies cover themselves legally - not that hard, if they can get away with a humongous ToS which almost no one will ever read.


That's not fun at all :)

I agree. Still, I think that there is a difference between implied contract/obligations and an actual piece of paper with your signature (or checkbox) on it.


GDPR has requirements about data protection, right to forget, pseudo-anonymity, etc. But as long as the ToS doesn’t violate the rest of GDPR (i.e. things like you allow us to store your passwords in plain text), are there any actual restrictions imposed on ToS?

Now, for the complainants’ complaints to be valid, there have to be things in the ToS that are against GDPR. As far as one can see, there isn’t. BigCos have been careful enough to not step on the toes of EU regulations. But what part of the GDPR gives the EU the right to force a company to offer its service to someone who doesn’t accept the “house-rules”?

Sorry if I seem argumentative, I’m not, I’m just trying to wrap my own head around this thing.


The problem is not with "accept ToS or leave", but that the ToS demand things for the company the complainants argue are not legal to blanket demand in ToS, but have to be optional.


The GDPR says no such thing, does it? My GDPR skills are limited by a reasonably good read of wiki and other articles, not the actual text. It states “Unless a data subject has provided explicit consent to data processing for one or more purposes, personal data may not be processed”. It has other requirements about the company being “responsible”, protecting by design, pseudo-anon, right to forget, etc.

As far as I understood, it doesn’t mandate the exact nature of the ToS between the service provider and user, leaving that to be a free-will agreement between two parties.


Consent is only one basis for processing, and comes with high requirements.

Consent is required to be "freely given", which isn't the case if it is required. E.g. Article 7:

> When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Or in Recital 43:

> Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Thus, where they do give "consent" as the basis on which they process data as part of Terms of Service the user has to accept, that's highly critical if they do not query for that consent independently, and in a way the user clearly can deny. You can't require consent in something the user has to accept to use your service.

(You can find the full complaint against Facebook here: https://noyb.eu/wp-content/uploads/2018/05/complaint-faceboo...)


>Consent is presumed not to be freely given [...] if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

Yes, indeed. That just leaves the matter to specifying the exact nature of the contract. So the service being provisioned can be “access to the tools to connect with one’s friends and such tools have personalized ads built into them”. Does my approach misinterpret things? I don’t think anything is specified about what kinds of contracts can or cannot be offered. And in a reasonably free market, it cannot. And of course, it should not - hardly any of the biggest internet companies could make money without ads.

Now if FB or Google, or another company were to be regulated as a utility company, then yes, the nature of their contracts can also be regulated.

They could go a step further, and simply ban “all personalized ads” - I’m not sure how feasible that is, but that would give the EU the right to regulate the kinds of ads shown by FB and ergo, the kind of data collected. But personalized ads is an immensely vague term that could even catch tv and radio ads (targeting based on demographics, and time of day the show is being broadcast, etc.) in the dragnet.


From my understanding that's part of the point of those complaints: a) force Facebook to clearly use that argument if they want to rely on it (GDPR requires them to be explicit about base of processing, and right now they're not) and b) regulators and eventually courts to figure out where those lines are, and get Facebook to adjust accordingly. It's certainly possible that they find that advertising-financed offerings can justify some processing by the need to make money, but that needs to be determined. E.g. I could imagine that they'll be blocked from using protected categories of data that way without explicit opt-in, but will be allowed some matching on others.

To be a bit glib, if Ads are a core part of the offering, surely the facebook.com front page should mention them?


Ah, that’s a good idea. The EU could/should mandate specifying very clearly what precisely the service is.

Of course, like another commenter mentioned about face recognition and image processing, that is hardly relevant to most kinds of advertising.

The question is one of legal basis and also of specifying explicitly what is being done with the data.

That leads to the next question - how will things be verified? Will an entity get to audit FB algorithms in toto to sign off that they’re secretly processing facial recognition data?…that’ll be the real challenge.


> It states “Unless a data subject has provided explicit consent to data processing for one or more purposes, personal data may not be processed”.

It doesn't really say that. There are six lawful reasons to process data. User consent is only one of them. The one that's useful for most companies is "legitimate interest".

https://gdpr-info.eu/art-6-gdpr/

See, for example, advice from the UK regulator about potentially using legitimate interest for marketing (something that many people are saying needs explicit consent): https://ico.org.uk/for-organisations/guide-to-the-general-da...


>There are six lawful reasons to process data. User consent is only one of them.

Yes indeed, there is a list of reasons. I pick the one based on consent, because it seems the most relevant for a company. Process the users’ data, but get their permission first.

>The one that's useful for most companies is "legitimate interest”.

I would have thought that one was a bit nebulous. No one has given a hard and fast definition of that term. And rather than risk a court’s interpretation or benefit of the doubt, I figured it might be safer to rely on the consent approach.


Consent is something you can easily get, but if a person declines to consent, you may not shut him out.

But if you can argue with legitimate interest (which is more burdensome), the person cannot decline and still use the service.

Choose: either easy basis and accepting that you might not get your way, or difficult basis and getting your way.


If the service I offer is “communication tools with in built personal ads”, or “latest news reports with personal ads on the side” it is not possible to offer those services without access to personal info.


And if the service you offer is „communication tool with the ability to sell weapons online“, then the authorities are out of luck, because you have cleverly phrased your mission statement?

That‘s not how it works.


Oh no. The trouble with “chat app with weapons sales feature” is that it is illegal to buy or sell weapons (online or offline) without specific licenses.

Now if I made a “communication tool” exclusively for registered gun dealers and people with valid (and verified) hunting licenses, it would in fact be perfectly legal. Similarly, if the tool were for use by government agencies and defense contractors or registered weapons manufacturers, it would also be legit.

In the context of “chat tool with personalized ads on the side” - there is nothing specifically illegal about “personalized ads”. Is there? (As long as there is user consent of course). So what’s the specific legal hurdle? Which paragraph of the GDPR prevents this?


> How’s that illegal/unfair?

Because online privacy is now an inalienable right. Users can't sign it away permanently, and companies can't ask for it in return for something.

> No business is obliged to allow all and sundry to use their product/service

No, but they can't discriminate with regards to submission to online tracking.

> the companies also have a right to decide whether they want non-compliant users using their service.

In the EU there are no "non-compliant" users when it comes to agreeing to tracking; there are only non-compliant publishers. These publishers are free to shut down EU operations and block EU IP addresses, and I wish they would instead of these now common "opt out of any of our 50+ 'partners' individually through this terrible interface" shenanigans, designed to make it cumbersome to exercise one's right not to be tracked online.

> Are these complaints in fact valid under GDPR?

I believe so, and if not, they should be.


I want to know if all the "semi-forced consent" options that most news websites have adopted are legal.

If you go to https://www.independent.co.uk/ for example on mobile, most of the screen is filled with a consent message. But it isn't "yes / no" like the GDPR would like, it's "yes / visit a difficult-to-navigate consent manager to not give your consent".

Surely not allowed.


At least that screen will always have everything opted out already (as mandated), so it's easy to just press the next-button.


Why not?

It is perfectly reasonable to have two versions of a service - one with ads/cookies and one without. The user uses the one they want.

If one considers personal information as a currency, it is something one can choose to or not to pay. If the user's privacy is important enough to them, they won’t give the company the right to track them or do whatever else with their data. The user decides whether access to that service is worth paying the price in terms of privacy. I think Facebook is too expensive (in terms of my personal data they get) so I don’t use the service. But I cannot complain that FB doesn’t service me for nothing. It is a for-profit company. The company is not obligated to service everyone - it is not public transport or the electricity company.


We're not discussing what you think would be right and fair, we're discussing what the legislature decided to enact into law.

You may argue against the GDPR, but it doesn't change the law as it stands today.


Where do you get the impression I am arguing against the GDPR? I quite support it in fact. The discussion was about whether the complaints of the type mentioned in the article are valid under the GDPR.


You argue about what you think is „perfectly reasonable“. But that‘s not the question to ask when that is obviously illegal. You cannot counter „that‘s not allowed by the GDPR“ with „I think it should be“, unless you want to talk about a hypothetical alternative.


Consider a company which offers two services - 1. Latest news stories with personalized ads on the side. 2. Just news stories.

There is nothing illegal about having the above two lines of services. But when a user wants service no. 1, their personal data becomes necessary to show personalized ads. If the user chooses to not “pay” in the currency of personal data, it is perfectly fine, they can use service no. 2.

Why is this illegal? Please, be specific with which part of the law prohibits this.

Morally, ethically, I agree with you. 100%. I was in fact involved in a spread-the-word about GDPR campaign a few months back. This discussion is about the legality and the technicality.


If the personal information is not necessary you need explicit consent.

> Processing shall be lawful only if and to the extent that at least one of the following applies:
>
> 1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
>
> 2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
>
> (there are a few more cases)

Given that there is no contract for which the personal information is necessary when you view a news site, they have to ask for consent. Which is why they ask for consent. However:

> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data [...]. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance [...]. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. [...] the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

I would say that this especially violates the last sentence. It is definitely unnecessarily disruptive.

Unfortunately this is in a "Recital", not in the main text. I have no idea what that means but I expect we will have to wait for a court case to find out the real answer.


Here is a great article by one of the top EU privacy attorneys out there explaining the interplay of the ePrivacy Directive (which governs use of cookies) and the GDPR, which often get confused. https://privacylawblog.fieldfisher.com/2018/gdpr-plus-e-priv...


Pestering GooAmaBookSoft through GDPR complaints is fine, but won't actually accomplish anything in terms of privacy improvements - they're all in bed with governments anyway.

The only real solution is to stop letting these companies invade your privacy, by ceasing to use their services.

That doesn't mean "THIS.. IS.. STALLMAN!", but it will be less convenient than letting them continue.


> they're all in bed with governments anyway

How do you explain the GDPR then?


Some'll say big companies like regulations, increases barrier of entry. Then others'll respond that GDPR is looking to be flexible with small companies, looking for intent to comply.


> How do you explain the GDPR then?

I'm not sure what you mean.

Is it not obvious that politicians don't want to bust their biggest (potential) campaign contributors for GDPR violations?

Isn't it obvious that we don't have any more privacy now than before GDPR, because governments are still spying the shit out of us all?

In light of that, is it not obvious that GDPR's real goal is something other than improving our privacy?

Do you genuinely think governments (or EU bureaucrats) actually care about us or our privacy? If not, why would you think GDPR was devised for our benefit?

And gosh, it sure makes it more difficult for small businesses to stay viable, and wouldn't it be nice for big corporations to have fewer potential competitors/disruptors around?


> Do you genuinely think governments (or EU bureaucrats) actually care about us or our privacy?

Yes

> And gosh, it sure makes it more difficult for small businesses to stay viable, and wouldn't it be nice for big corporations to have fewer potential competitors/disruptors around?

This is just ridiculous. Politics is still driven by the will to improve societies instead of just a cold grab of money and power. Your level of cynicism is just over the charts.


Politics is about expanding power of the political elite while using "improving societies" and other Orwellian language to justify it.

Maybe you should be a little more cynical.


> Maybe you should be a little more cynical

Or maybe you should consider that good government and regulation, of which there is still much, is actually the most effective protection against uncontrolled corporate interest.


Government and corporation are one and the same these days. They graft onto each other and feed one another, like unions and other collectivist organizations.

Why do you think tax money goes to ship Amazon packages?


As much as I don’t much like the concept of the state, could you please not apply American criticisms of the US Government to all Governments around the world? It makes you look silly - most of Europe have fundamentally different criticisms of their Governments, and especially of the EU.


I would like to learn those criticisms! I believe I read somewhere that most Scandinavians for example trust their government while they may disagree with individual policies. Are EU states similarly trusted on the whole?


There's a certain amount of distrust among the populace towards other states if that's what you're asking, though I'd say that depends on how anti-EU the individual is. This seems to be on a steady rise due to the populist movements all around.

And yes I can confirm, in Northern Europe there is a fundamental trust in the government. I, for one, believe that none of our politicians are outright bought; some of them may drive pro-business policies, but from my vantage point the level of cynicism exhibited in this discussion falls squarely into a bucket of loony conspiracy theories.


In my anecdotal experience, people in Eastern Europe (former Warsaw Pact countries) are extremely cynical towards politicians and the political system while Scandinavians in general have a lot of trust in the system even if they mistrust some individual politicians.

In the approach towards regulation, I think the major difference compared to the US is that Europeans mistrust businesses just as much as politicians. GDPR is a result of mistrust in businesses. Stating that politicians are corrupt, as Americans are wont to do, is not really an argument against regulation like GDPR unless you believe businesses never act against the interests of the public.


Most Western European nations, yes.

In EE, a lot of countries are still dealing with the inertia of the post-communist government and its institutions.


>Is it not obvious that politicians don't want to bust their biggest (potential) campaign contributors for GDPR violations?

In the UK, campaign contributions are almost completely irrelevant. Political parties can spend no more than £46,000 per candidate at each election. Our major parties literally have more money than they can spend. Most European countries have similarly strict campaign finance legislation.

>Isn't it obvious that we don't have any more privacy now than before GDPR, because governments are still spying the shit out of us all?

Corporate data mining and political surveillance are somewhat distinct issues. Here in the UK, government agencies have relatively broad powers to collect and use data on citizens. In Germany, privacy rules are extraordinarily strict. As long as member states are abiding by the ECHR, it's a matter for their national parliaments.

>In light of that, is it not obvious that GDPR's real goal is something other than improving our privacy?

No.

>Do you genuinely think governments (or EU bureaucrats) actually care about us or our privacy?

Some politicians are obviously pro-surveillance. Some are strongly pro-privacy. That's sort of how democracy works - a democracy where all politicians agree on everything isn't much of a democracy at all. There are major differences of opinion between member states and within member states, differences of opinion between parties and within parties. There are three parties in Germany's current coalition government, all of whom have significantly different policies with respect to privacy.

>And gosh, it sure makes it more difficult for small businesses to stay viable, and wouldn't it be nice for big corporations to have fewer potential competitors/disruptors around?

GDPR has little or no impact on a large proportion of small businesses, because their businesses don't depend on the processing of personal data. If your data processing operations are small-scale, straightforward and legitimate, it isn't hard to comply with GDPR. Some small businesses have been significantly impacted, mainly because they have been flagrantly disregarding the Data Protection Directive for many years. Most of the GDPR isn't new, it's just the old data protection laws with credible powers of enforcement.

The changes made by the GDPR are mostly updates to reflect the changing nature of personal data processing. The Data Protection Directive came into force in 1995. At that time, nobody really anticipated the sheer scale and pervasiveness of personal data harvesting that the internet would facilitate.


In Belgium political parties are funded by the government, and companies may not fund them. I'm sure it is the same in many other European countries.


How are new parties formed there? What proportion of funding do new parties receive there?


I understood the money is divided up corresponding to the number of votes: If you get 10% of the votes, you get 10% of the money.

There is a 'kiesdrempel' declaring you need 5% of a district's votes before you can function as a party. There are I think 11 districts, so the theoretical maximum is (100/5)*11=220 political parties.

New parties create a document, the 'voordrachtsacte', which needs a minimal number of signatures. When you get enough people to sign it (again a percentage of the inhabitants of the region that's holding an election), you have managed to start a new party.

In practice there are about 3-5 big ones for each half of the country, plus a lot of small parties which are mostly ignored as background noise and are mostly dead at the next election.

Some background noise parties I remember because of their humoristic values were WOW (Getting older with grace), and BANAAN (banana, who had a slogan like: don't be a pear, vote banana).


I'm not Belgian and don't know the intricacies of their political system, but they have no shortage of political parties. At the 2014 elections, 13 different parties won seats in the Chamber of Representatives.

https://en.wikipedia.org/wiki/Chamber_of_Representatives_(Be...


In the Netherlands, new parties are mainly formed from A) politicians from older parties who want to bring it in a new direction, or B) people who are already active in the political world, like journalists or social activists.


> Is it not obvious that politicians don't want to bust their biggest (potential) campaign contributors for GDPR violations?

In Europe, members of the judicial branch are not up for direct popular election and therefore do not campaign. I guess this is less democratic, but it means the judicial branch (which decides who to "bust") is not beholden to campaign contributors, which is a good thing.



