Google, Amazon, and the entire tracking industry rely on IAB Europe’s consent system, which has now been found to be illegal following complaints coordinated by ICCL.
EU data protection authorities find that the consent popups that plagued Europeans for years are illegal. All data collected through them must be deleted. This decision impacts Google’s, Amazon’s and Microsoft’s online advertising businesses.
OK, but I don’t get how this consent system ran for years?
How can one get pre-approved?
The issue here isn’t that they collected data (its own problem), but that they didn’t use the right language!
Does this mean it will be a long terms and conditions like Apple does every time we use a website?
ICCL might have made the internet worse with this. Not better.
> Does this mean it will be a long terms and conditions like Apple does every time we use a website?
No. Freely and unambiguously given informed consent means that the users need to actually be able to understand what they consent to. Encrypting the information in a 500 page novel, obfuscating it beyond human ability to understand or interpret it, is not informed consent.
ToS are not currently under the same requirement of freely and unambiguously given informed consent. They just require consent, which for now has been interpreted to mean basically anything that a lawyer wants it to mean. People have given away their spiritual souls and first born child in ToS, though the ability to enforce such contracts is open to debate.
The issue here is larger than using the right language. I'm browsing through the full ruling [0], but C.1. Breaches, pages 115-117 is a good summary.
- "First, the consent of the data subjects is currently not given in a sufficiently specific, informed and granular manner"
- "Second, the legitimate interest of the organisations participating in the TCF is outweighed by the interests of the data subjects, in view of the large-scale processing of the users’ preferences (collected under the TCF) in the context of the OpenRTB protocol and the impact this can have on them."
- "In the absence of systematic and automated monitoring systems of the participating CMPs and adtech vendors by the defendant, the integrity of the TC String is not sufficiently ensured, since it is possible for the CMPs to falsify the signal in order to generate an euconsent-v2 cookie and thus reproduce a "false consent" of the users for all purposes and for all types of partners. As indicated above [footnote 248], this hypothesis is also specifically foreseen in the terms and conditions of the TCF" - no way to verify consent
- "The Litigation Chamber also finds that the current version of the TCF does not facilitate the exercise of the data subject rights, especially taking into consideration the joint-controllership relation between the publisher, the implemented CMP and the defendant." - no way to revoke consent, or request your data
As to why the system ran for so long: yes, enforcement is (too) slow.
- Many complaints were made to several European DPAs in 2019.
- Litigation commenced 13 October 2020
- Interim Decision 8 January 2021, amended 23 February 2021
It looks like IAB made a lot of procedural complaints when it became clear their arguments were rejected.
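The "integrity of the TC String is not sufficiently ensured" finding quoted above has a concrete technical basis: the euconsent-v2 value is a base64url string of plain bit fields with no MAC, signature or server-side record bound to it, so any script that can set a cookie can mint a full-consent string. The following is an added example written for this page, not code from the ruling, from IAB Europe or from any CMP vendor. It encodes and decodes the TCF v2 core segment and then rewrites a "rejected everything" string into a "consented to everything" one. The field layout follows the TCF v2 Transparency & Consent String spec as recalled by the author of this example and should be checked against the published spec; the CMP id, timestamps, versions and vendor ids are constructed, and range-encoded vendor sections are deliberately not handled.

```python
import base64

# TCF v2 core segment layout (field, width in bits), in order, as recalled from the IAB spec;
# verify against the published spec before relying on it. The two vendor sections and the
# publisher-restrictions count that follow these fields are handled separately below.
CORE_FIELDS = [
    ("version", 6),
    ("created", 36),                 # deciseconds since the Unix epoch
    ("last_updated", 36),
    ("cmp_id", 12),
    ("cmp_version", 12),
    ("consent_screen", 6),
    ("consent_language", 12),        # two 6-bit letters, 'A' == 0
    ("vendor_list_version", 12),
    ("tcf_policy_version", 6),
    ("is_service_specific", 1),
    ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12),
    ("purposes_consent", 24),        # first (most significant) bit is purpose 1
    ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1),
    ("publisher_cc", 12),
]

class BitWriter:
    def __init__(self):
        self.bits = []

    def write(self, value, width):
        if not 0 <= value < (1 << width):
            raise ValueError(f"{value} does not fit in {width} bits")
        self.bits.extend((value >> (width - 1 - i)) & 1 for i in range(width))

    def to_base64url(self):
        # Pad to a byte boundary, then base64url without '=' padding, as TC strings are written.
        bits = self.bits + [0] * (-len(self.bits) % 8)
        raw = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

class BitReader:
    def __init__(self, segment):
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        self.bits = "".join(f"{b:08b}" for b in raw)
        self.pos = 0

    def read(self, width):
        chunk = self.bits[self.pos:self.pos + width]
        if len(chunk) < width:
            raise ValueError("core segment truncated")
        self.pos += width
        return int(chunk, 2)

def lang_code(two_letters):
    """Pack a two-letter code such as 'EN' into the 12-bit form used by the string."""
    return ((ord(two_letters[0]) - 65) << 6) | (ord(two_letters[1]) - 65)

def encode_core(fields, vendor_consents, vendor_li):
    """Build a core segment from a field dict plus sets of vendor ids (bitfield encoding only)."""
    w = BitWriter()
    for name, width in CORE_FIELDS:
        w.write(fields[name], width)
    for vendors in (vendor_consents, vendor_li):
        max_id = max(vendors, default=0)
        w.write(max_id, 16)                 # MaxVendorId
        w.write(0, 1)                       # IsRangeEncoding = 0: one bit per vendor id follows
        for vid in range(1, max_id + 1):
            w.write(1 if vid in vendors else 0, 1)
    w.write(0, 12)                          # NumPubRestrictions = 0
    return w.to_base64url()

def decode_core(tc_string):
    """Parse the core segment (the part before the first '.') back into a dict."""
    r = BitReader(tc_string.split(".")[0])
    out = {name: r.read(width) for name, width in CORE_FIELDS}
    for key in ("vendor_consents", "vendor_li"):
        max_id = r.read(16)
        if r.read(1):
            raise NotImplementedError("range-encoded vendor sections are not handled here")
        out[key] = {vid for vid in range(1, max_id + 1) if r.read(1)}
    out["num_pub_restrictions"] = r.read(12)
    return out

def purposes_from_bits(bits24):
    return {p for p in range(1, 25) if (bits24 >> (24 - p)) & 1}

def forge_full_consent(tc_string, vendors):
    """Rewrite an existing TC string so every purpose and the given vendors read as consented.
    Nothing in the format (no MAC, no signature) lets a downstream vendor tell this apart
    from a string produced by a genuine user choice; that is the integrity gap the ruling names."""
    d = decode_core(tc_string)
    d["purposes_consent"] = (1 << 24) - 1
    return encode_core(d, set(vendors), d["vendor_li"])

def sample_no_consent_string():
    """A constructed 'rejected everything' string; CMP id, timestamps and versions are made up."""
    ts = 16437888000                        # constructed deciseconds timestamp
    fields = dict(version=2, created=ts, last_updated=ts, cmp_id=10, cmp_version=1,
                  consent_screen=1, consent_language=lang_code("EN"), vendor_list_version=100,
                  tcf_policy_version=2, is_service_specific=1, use_non_standard_stacks=0,
                  special_feature_opt_ins=0, purposes_consent=0, purposes_li_transparency=0,
                  purpose_one_treatment=0, publisher_cc=lang_code("BE"))
    return encode_core(fields, set(), set())
```

Running `forge_full_consent(sample_no_consent_string(), {1, 2, 50})` and decoding the result shows all 24 purposes and the three vendor ids set, with the CMP id and timestamps untouched. The point for a practitioner is not the forgery itself but what it implies for the design: a consent signal that is only a self-asserted bit field carries no evidence of the user's choice, so a vendor receiving it cannot meet its own accountability obligations by trusting it, and a publisher cannot audit its CMP by inspecting it.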
The DPAs are not in the business of pre-approving, much like your local court won't pre-approve your pre-nup and so you might have to fight over it in court in an acrimonious divorce.
You can of course retain outside help to advise you but there's no guarantee that they are right and many of the consultancies and providers were incentivized to compete on maximum opt ins. Maybe the CMPs and the adtech companies can fight it out in court over whether the CMPs misled the adtech companies or they just gave the adtech companies options which the adtech companies misused.
The ruling is not just "fix your language", though that's what the industry will be incentivized to try, again. They all bandwagoned on hiding secondary opt out checkboxes under "legitimate interest" and this wrist slap tells them it's not ok:
> Fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking (Article 5(1)a, and Article 6 GDPR)
> Fails to respect the requirement for “data protection by design” (Article 25 GDPR)
The route to complying is clear. Don't track without opt in. Know where the user data is going, not just "whichever vendor happens to be in the winning ad". Don't use dark patterns to encourage the opt in. It's the industry's attempts to bury its head in the sand because it hurts their bottom line and their search for increasingly convoluted workarounds that is making this complicated.
Ironically, nothing about GDPR itself is clear and understandable, as is evidenced by the fact that everyone keeps discovering years after implementation that some random country disagrees on their interpretation of it.
The only people who misunderstand GDPR are people whose salaries depend on misunderstanding GDPR. The requirements are quite clear, advertisers just don't like them and are trying to avoid complying with them.
Yeah? So nobody in the EU is using Google Fonts, AWS, GCP, Azure, CloudFlare, Akamai or any other US provider then, given that this ruling is based on the fact that loading the consent settings screen from the shared domain requires "sharing" an IP address? Nobody in the EU runs an online business reliant on advertising? Of course they are.
I'm convinced pro-GDPR views are always ideological in nature. It's impossible to read GDPR or related case law from the perspective of trying to comply with it and not be disgusted. Every single requirement is vague and subjective - words like "appropriate", "necessary", "reasonable", "proportionate" etc aren't just a part of this law, they are the entire essence of it. And even the occasional term that looks precise often has totally unintuitive definitions, like the way they define large random numbers as "personally identifiable" even though there's no database that links these numbers to any actual personal identity.
Even this announcement about a new ruling is a fog of confusion. Why is asking users for consent, a key piece of GDPR compliance previously, suddenly not OK? Why is this being phrased as "freeing users from consent spam"?
This sort of thing wrecks the EU in the eyes of people actually building things. It makes it seem that this is a part of the world without rule of law of any kind. You can invest hundreds of millions into GDPR compliance and years later discover it was all in vain, without any warning whatsoever. You're being constantly trolled in courts by random academics and "civil liberties" organizations who don't seem to care about actual civil liberties issues like mandatory medical interventions but who define advertising cookies as a grave threat. Dealing with the EU gets ever more painful and if this keeps up, people there are gonna discover they're being denied services or simply charged more as a "GDPR litigation premium". And then they'll be stuck, because the home grown EU software industry is stillborn.
> Every single requirement is vague and subjective - words like "appropriate", "necessary", "reasonable", "proportionate"
This is how laws work and why the "law as code" people are not going to succeed. The US leaves this to the enforcement stage, e.g. many tests in US law for ascertaining enforcement include things like the reasonable person test (https://en.wikipedia.org/wiki/Reasonable_person). Proportionality is a well enshrined standard in EU law in particular, and cuts both ways - it's why this ruling is not the maximum fine out the gate.
Or let's take this clause from the DMCA (regarding what is considered obsolete and therefore the library may format shift): "For purposes of this subsection, a format shall be considered obsolete if the machine or device necessary to render perceptible a work stored in that format is no longer manufactured or is no longer reasonably available in the commercial marketplace."
> Does this mean it will be a long terms and conditions like Apple does every time we use a website
We call that a privacy agreement. But having a proper privacy agreement that lists what data is collected and what happens with it is far from the only part of the ruling.
GDPR enforcement is completely arbitrary (in both senses of the word). People might cheer for the downfall of the tech giants but it's really just a way for the EU to control US companies, extending their power beyond their jurisdiction.
If those companies extend their business beyond the US' jurisdiction, why do you feel they shouldn't be subject to some form of control where they operate? I'm legitimately asking. This is about something that was done within the EU to EU citizens. Why shouldn't the EU have a say?
I don’t feel that, actually. I’m not sure where you got that impression - maybe straw men are easier to debate?
There are laws and then there is how laws are enacted. Hint: pay attention to how homegrown EU companies are treated.
EDIT: https://www.enforcementtracker.com/ Look here specifically. Sort by fine amount. Look at the companies that are being fined the hardest. It's not just the US that is being targeted. There's this island nation that recently decided they didn't want to be part of the EU...
The largest fines are to US tech companies, which is expected due to (a) the fines being proportionate to revenue and these being the largest companies in the world and (b) these businesses having a significant involvement in large scale tracking of users.
I think the argument of like "well the law was passed to harm US companies specifically because US companies specifically do this" ignores that this is an undesirable behaviour with significant negative externalities, so this feels a bit like complaining that encouraging green energy at the expense of fossil fuels is discriminating against Russia and the Middle East.
Once we get past the tech companies the next biggest fine is for H&M, for surveillance of call center employees, not just at workstations (which is probably also not allowed), but in their private lives, disclosure of that detail with managers, and targeted harassment from that information. This seems pretty egregious, and not political retribution against the UK.
Next up are some Italian companies fined in Italy, UK companies getting fined _by the UK_, and Vodafone subsidiaries getting fined everywhere. You could argue Vodafone is a UK company being unfairly targeted, but from what I remember of coverage of the (Spanish, I think?) ruling, they're a repeat offender in this regard.
Because judgements are arbitrary and in practice unfairly hurt foreign companies.
There's an analogue that has happened in the U.S. Let's say that my little white town passes a law that forbids jaywalking. Protects pedestrians... Makes it easier to drive... Sensible law right? But in practice, it's the 1940's and the cops ONLY ticket black people. In practice, it's not a law against jaywalking - it's a law to drive out all the black people and make the white town inhospitable to anybody with skin tone.
GDPR claims to protect the people but is used as an economic weapon.
Or maybe the problem is that the US and UK also happen to be places that foster an attitude in their people that everyone else should just bow to them and do things the way they want...?
The scary thing is that it's the EU doing this. Our national elected governments are not interested in actually fixing things like this because it doesn't immediately win votes, and there is only a limited number of national civil servants so nobody is working on this kind of thing on a national scale.
But put those civil servants in a committee in Brussels with not as much short term pressure, and they can work out regulations that achieve the right thing.
The "EU doing things" is not detached from your national government. In fact all EU legislation is being approved by your national government in the EU Council and the EU commission has to report there. (As well as the EU parliament, however the EU parliament is weak ...)
Edit: maybe as an addition to the last point in parentheses: The EU parliament is purposely weak, as the EU is a union of states and the member state governments want the power in the council and don't want to give up power.
Well said. I'd add that the EU has for decades been a convenient scapegoat for member governments to point to, when "forced" by the EU to do things that needed doing but are politically difficult. Think of all the national champions forced to live by market rules, like flag carriers, telecom monopolies etc.
I know that. What I consider "scary" is that the EU can only do this because they aren't directly elected and so not as subject to the typical democratic pressures.
Pressure your government to vote "no" on policies you don't like or pressure your government to initiate other legislation. They have the power and responsibility.
And yes, I personally would like to have a stronger EU Parliament relative to the Commission and Council. However there is no reason to let the national government escape with "it's EU law" after they approved it. (And yes, Council doesn't require unanimous vote for most items anymore since the Lisbon treaty, thus it is possible your government voted "no", but that then is democracy and they have to convince other governments ...)
(Just a side note: I like GDPR and think it is in large part good, and push my government to support it)
Almost all law coming out of the EU is really beneficial for the people, in my experience. Making a law like the GDPR and implementing it is hard work that doesn't grab headlines and first gives us a few years of annoying popups, but in the end it will actually improve privacy for EU citizens.
And national politicians can't do this anymore, because they have to be in the news each day and be in constant campaign mode because the next election may come sooner than expected. They need big words and shiny results.
If we make the EU more democratic, will it become less effective too?
> If we make the EU more democratic, will it become less effective too?
This is probably the first time I'm hearing somebody claiming EU was effective ;)
However you are right - the fact that there is less attention on EU legislation enables different dynamics.
However, I think how well they do differs quite a bit between countries. Here in Germany I am quite optimistic that the new government will do quite a few good things ... but maybe I'm too optimistic; lots of good signals from my pov, though.
No it doesn't. Democracies don't do this because it's posturing designed to appeal to a particular kind of person (e.g. your kind of person).
Normal people don't care about cookies or consent popups and merely find them annoying/frustrating. I've never, ever heard anyone praise these popups outside of Europeans posting on Hacker News. That's a small community and it's a bubble convinced of its own purity.
Here's why democracies don't do this kind of thing: democratically elected governments are expected to generate economic growth and jobs by voters. Constantly levying massive fines on companies who aren't actually upsetting most citizens, via ultra-vague laws that create "tails we win, heads we also win" outcomes for the bureaucracy, is something that most mature democracies realized doesn't work out well in the long run. So they don't do it.
The EU has no such concerns because it's not accountable to anyone, for anything, despite what sometimes people like to try and claim. Result: a stagnant economy with an ever shrinking proportion of global GDP that tries to cover up its damningly consistent failure to produce successful tech firms by pretending it's too morally righteous to do so.
Considering that almost all governments voted "yes" and only Austria voted "no" as they considered it too weak, I think it is fair to say their government supported it.
In general you have somewhat of a point, but then it is democracy that the government would be responsible to argue for their point and convince others.
The enforcement of GDPR is still up to national civil services/judiciaries, in this case it was a cooperation of multiple national protection authorities.
Even the legislation itself necessarily involved national governments and national civil servants in national ministries.
GDPR being an EU level legislation has more to do with the absolute nightmare it would be for the internal market to have 27 different standards and the drastically lower leverage available for enforcement than disinterest in the subject
• Austria: Datenschutz-Grundverordnung (DSGVO)
• Belgium: algemene verordening gegevensbescherming / règlement général sur la protection des données (RGPD)
• Bulgaria: Общ регламент относно защитата на данните
• Croatia: Opća uredba o zaštiti podataka
• Cyprus: Γενικός Κανονισμός για την Προστασία Δεδομένων
• Czech Republic: obecné nařízení o ochraně osobních údajů
• Denmark: generel forordning om databeskyttelse
• Estonia: isikuandmete kaitse üldmäärus
• Finland: yleinen tietosuoja-asetus
• France: règlement général sur la protection des données (RGPD)
• Germany: Datenschutz-Grundverordnung (DSGVO)
• Greece: Γενικός Κανονισμός για την Προστασία Δεδομένων
• Hungary: általános adatvédelmi rendelet
• Ireland: An Rialachán Ginearálta maidir le Cosaint Sonraí / General Data Protection Regulation (GDPR)
• Italy: regolamento generale sulla protezione dei dati (RGPD)
• Latvia: Vispārīgā datu aizsardzības regula
• Lithuania: Bendrasis duomenų apsaugos reglamentas (BDAR)
• Luxembourg: règlement général sur la protection des données (RGPD) / Datenschutz-Grundverordnung (DSGVO)
• Malta: Regolament Ġenerali dwar il-Protezzjoni tad-Data
• The Netherlands: algemene verordening gegevensbescherming
• Poland: ogólne rozporządzenie o ochronie danych
• Portugal: Regulamento Geral sobre a Proteção de Dados (RGPD)
• Romania: Regulamentul general privind protecția datelor
• Slovakia: všeobecné nariadenie o ochrane údajov
• Slovenia: Splošna uredba o varstvu podatkov
• Spain: Reglamento general de protección de datos (RGPD)
• Sweden: Dataskyddsförordning
• The United Kingdom: General Data Protection Regulation (GDPR)
I would argue that many national governments (and local data protection agencies) are doing things; this was the Belgian national data protection agency. The issue is really Ireland, whose data protection agency has been thwarting enforcement efforts. The reason why they are important is that they are technically responsible for enforcement against many of the big guys because they have their HQs in Ireland, which was also the reason why they didn't want to enforce: economic interests.
Remember you have MEPs representing you as well. European elections too often play a distant second fiddle to domestic ones but this really should not be the case.
Domestic politicians have the ability to instigate changes to legislation. MEPs lack that power - all they can do is block bad legislation from getting passed.
MEPs sit in the European Parliament, which is a talking shop, with very limited powers. It's hardly surprising that few Europeans know who their MEP is.
Germany and France are saying it fairly loudly - they've never hidden their intent to make the EU a federal, unified, state.
And with Brexit, the biggest obstacle to that has been removed - the UK never wanted to be part of a Federal EU (because we always considered ourselves part of the British Empire/Commonwealth). There are other EU countries who aren't wildly enthusiastic about a Federal EU too, but it was always the UK being the most loudly opposed to it.
It's true that the UK was always the biggest opponent, but don't kid yourself that the rest of the EU is on board with federalizing. There is no popular mandate for that whatsoever.
Just look at what happens whenever some EU treaty needs ratifying by national referendum.
The Lisbon Treaty did at least need a referendum in Ireland. It was rejected initially, partially as a warning shot to the then unpopular government between elections, and partially because of genuine concerns about the impact it would have on Ireland's military neutrality and for the concerns that the EU could then impose a minimum corporate tax rate on the country.
As a result, the EU agreed a set of guarantees [1] that the Lisbon treaty would not be used to do either of these things (to Ireland specifically), and only then did it pass in Ireland.
An EU army has more widespread opposition these days, so hasn't been raised since. Minimum corporate tax rates did not pass through the EU, though this year the US led an effort that is going to result in them globally via other avenues.
Say you live in a two-party first past the post system. If what you want to express is "I like privacy regulations", the single bit of information that your vote conveys does a very limited job of communicating what issues you actually care about.
The signal in traditional voting is very diluted.
You vote on a person that you think supports some of the things you care about. You are not allowed to weight in on individual issues in a way that matters.
The person works for several years, and the only feedback you have on that process, the only tether that holds that person accountable, is whether you vote for them the second time.
How many EU countries run a "two-party first past the post system" nowadays?
If you are in a first past the post system, and in a safe seat, vote for one of the no-chance-of-winning candidates who best represents your views. Although they won't win, the fact that they are getting votes will be noticed and the main 2 parties will respond by adopting some of their policies. E.g. in the UK as more people vote for the Green party, other parties will become more Green to get those votes back, even though the Green party has only ever got a single MP.
Even in a decent PR multi-party system. Our green party for example is environment first, left wing economics second, public transit, pro-agriculture, anti-nuclear, somewhere down the list is internet privacy.
Or maybe I could vote for the labour party, which are centre left economics, pro-EU, pro-housing expansion, pro-healthcare investment, pro-environment, somewhere down the list is internet privacy
The idea that there's a party that (a) both has the same views on all issues as you do, (b) has sufficient votes to get seats and (c) orders issues in the same importance you do, for everyone, is clearly not valid. More parties = more choices, and this is often better, but ultimately we'd end up with de facto direct democracy to have a party with the exact views for every person.
Similarly, even for myself, I consider internet privacy important. Maybe I should vote for the pirate party then? Except I consider the environment more important and our pirate party is so small that it hasn't even considered a position on non-privacy related issues, never mind have an adequate plan for how we're going to make a transition from a heavily fossil fuel based power supply. Even on that environmental issue, I think the green party's anti-nuclear stance has historically been a mistake, but if the others are just going to build more gas plants, I'll deal with it.
More like if it was a choice between two shitty giant douches and one was painted orange and the other was painted with a rainbow. They’re both the same thing with a different color paint.
Well, as a LoopBack developer, I am biased, but I don't think LoopBack is just yet another framework. There are already some big names using our framework, for example GoDaddy or Bank of America. You can find more names here: http://loopback.io/users/
> We’re waiting eagerly for node v0.12 to be released.
> Unfortunately, the release may not happen soon since there are about 800 open bugs and about 180 pull requests waiting to be reviewed.
Is it a real problem? It seems that other popular projects like Ruby on Rails have a similar number of open issues and it's not stopping them from releasing new versions.
Does the Node core team have any plans how to prevent this situation in the future?
That quote and those numbers are incredibly misleading, I'm not sure why they use that to prove Node 0.12 isn't coming soon. If you actually look at the issues on Github, only around 30 of those are marked as 0.12, with the rest being various other milestones including 0.13 and 1.0. It has also already been stated that there is only one more 0.11 release before 0.12.
No one is trying to "prove" 0.12 isn't coming soon; we've put lots of work into it and look forward to its release, and it's got some great new features.
I'm not sure the tag states are always up to date, perhaps they are, but the fact remains that 0.12 has been "real soon now" for quite a while, so saying it might be a while still is a pretty safe statement.
The core team is working hard, but I think the PR queue is a good indication of how scarce a resource review time is.
I'm thinking whatever db plugin you're using, but also this pseudo code actually has a lot of implicit things going on in the background (koa/co, thunks, etc).