1. 74
  1. 37

    It’s just … so beautiful I could cry.

    1. 4

      I wonder if there’s any mechanism envisioned by the lawmakers allowing us to be sure that the data that “must be deleted” actually has. Apart from assurances from the guilty parties, that is. The cynic in me expects them to say that these data cannot be distinguished from the “lawfully” collected data, and they can’t be compelled to delete all of it.

      1. 5

        mechanism envisioned by the lawmakers

        😅

        1. 3

          That would potentially put them in violation of https://gdpr-info.eu/recitals/no-42/ and likely into even more trouble. Mind you, the ruling already finds them in breach of https://gdpr-info.eu/art-30-gdpr/ for insufficient record-keeping.

          1. 2

            Actually, more importantly, there is no mechanism to delete this data because there is no way that there is consent attribution that captures where the consent came from and all the downstream data that can be attributed to it. I don’t see how these companies can delete this data. Unless they just delete all user accounts (and all associated data) that came into contact with these popups.

            1. 8

              That is a strawman. There’s a pretty clear difference between data the user entered themselves and data obtained by the system through tracking, for advertising purposes.

            2. 1

              Of course there is an audit process in place.

              Any company that works with personally identifiable information supposed to appoint a Data Protection Officer, whose responsibility is to ensure a GDPR compliance and to interface with a data protection authority on behalf of the company. This person is not liable for the GDPR breaches, but IS personally responsible for reporting organizations failures to comply with regulations (to the best of their knowledge of course).

              Sure, it’s always possible to cheat the system, but the bigger the company the harder it would be to keep such conspiracy a secret.

              Surprisingly, the system works pretty well it seems. Just in 2021 there have been major fines issued to, among others, the usual suspects Amazon, Google and Facebook. Sure those cases will go through the obligatory appeal process but those are (fortunately) rarely successful, since the GDPR regulations at this point are generally well understood.

              1. 3

                Sure, it’s always possible to cheat the system, but the bigger the company the harder it would be to keep such conspiracy a secret.

                While it’s true, also the bigger the company, the easier it is to have an accidental copy of some data which is not hooked up to the cleanup system. Not even out of malice.

                While I expect Google and others to actually try to keep the pii secure and isolated, there’s going to be lots of other pieces about users which just end up too distributed.

                1. 3

                  Interestingly enough this is also somewhat addressed in GDPR. Data should only be in places it is actually required for business purposes and can’t be just transferred „just in case“ or something. Furthermore, locations and reasons for data processing should be documented by DPO. Not that that’s bulletproof, but it’s not naive at least.

                  1. 2

                    I believe that companies actually care and try to keep the data distribution under control. But as you say it’s not bulletproof. I’ve seen silly and unexpected chains of events like: object with user data gets default string serialisation used by error reporter as part of message, which saves the info, which gets collated into a separate database for analysis. And that’s one of the more obvious problems.

                  2. 2

                    We’re 3 years into GDPR, no more excuses. With that amount of money and power, any negligence is to be considered malice.

                    1. 1

                      That’s not a GDPR-related excuse. It’s a reality of massive projects. In the same way we know things are not 100% reliable and work around it as needed, storage will have some exceptions where something got cached somewhere that you don’t have in your cleanup procedure.

                      1. 3

                        If an automated train or plane has a critical failure and kills people, the reaction we have is not “well it’s a reality of massive projects”; the manufacturers of the involved systems will have to spend a lot of effort fixing their issues, and fixing their processes so that the same issue does not occur again. These requirements have costs (in particular they increase the cost of producing software greatly), which is commensurate to the values that we decided, as a society, to give to human lives.

                        GDPR is not a “critical system” in the same sense that human lives are immediately in danger, I’m not trying to say that the exact same approach should be followed. But it’s on the same scale: how much do we value privacy and user protection? Europe has ruled that it values it seriously, and has put laws in place (and enforcement procedures) to ensure that people implementing systems that deal with personal information do it very carefully, in a different way that other sort of data is handled. “We know that things are not 100% reliable” is not an excuse in itself (as it could be in a project with no correctness requirements, or very weak expectations of quality); you have to prove that you took appropriate care, commensurate with the value of the data.

                        1. 1

                          See how quickly that excuse liquifies under the pressure of a daily non compliance penalty…

                2. 3

                  Incredible how much money, time and thinking is wasted on a problem that can be solved by installing one browser extension.

                  1. 5

                    Extensions only solve the problem for tech savvy users and, in my experience, come with side effects.

                    1. 2

                      I know what you mean, but users click on links and install software all the time, it’s not a new concept that only experts can understand. They’ll change font sizes, backgrounds, delete bookmarks. If they can do that, they can also click on a link to ublock.

                      And all browsers are moving towards block-by-default for 3rd party cookies anyway. Firefox and Safari already block it, and Chrome is going to do it starting next year (by default. you can already enable it manually).

                      My point is that having a giant EU bureaucracy that has their counterparts in every company isn’t free. Educating users about their own abilities seems like a more promising use of all of these resources, especially since not every user wants the same (for example, my mother always asks me to turn off the ad blocker i installed for her - she wants to see the ads).

                      Projects without a company structure can essentially never comply with GDPR. I’m working on the Fediverse, there’s no way for us to be compliant - we can’t even delete a user’s data because we don’t know where it’s saved. The only people who can afford it are the big players like Facebook, so they can stay, get fined every few years and nothing changes.

                      1. 3

                        First off, it becomes a tech arms race against blockers and ad networks if you say there should be no regulations (it arguably already is). Secondly, you can’t expect everyone to be equally savvy to install all these “necessary” add ons. How do you even explain that it’s necessary?

                        IMO it’s much better if this problem is fought on all fronts; technical, legal, societal and ethical.

                    2. 2

                      You can’t (easily) install browser extensions on mobile platforms.

                      1. 4

                        You can on android/firefox.

                        1. 4

                          Privacy is a right for everyone, and relying on the largesse of the world’s largest advertiser and the web browser it funds is not a long-term solution.

                          The GDPR has a lot of flaws and loopholes, but it’s the best we’ve got at the moment, and I sincerely hope it will lead to better laws all over the world protecting people’s privacy.

                          1. 4

                            I still think Iain brings up a good point. This is a problem that would be easy to solve if we had any control over our devices and software. Hell, browsers have the gall to call themselves “user agents” when they decidedly have not been acting in our best interest for a while.

                            1. 4

                              There is no contradiction between striving for FLO software / hardware and demanding legal restrictions on the exploitation of personal data.

                            2. 3

                              So now we rely on the ability of EU legislators to find just the right amount of privacy to protect, so that it hurts google and facebook but doesn’t kill off small competitors (many of which are free software) . I’d rather teach people how to click one link and follow the instructions.

                              And the reality is that most people don’t care at all about tracking. If you ask ‘do you think it’s okay that google tracks you to give you better ads’ most people won’t care. Of the rest, most of them will stop caring when you don’t ask the question in the abstract but actually show the alternative: Would you rather have free facebook and google with ads and tracking, or pay $price_of_a_coffee a month?

                          2. 2

                            With firefox and Safari it’s not harder than on desktop. Don’t know about Chrome. An even without, both FF and Safari block tracking cookies by default these days.

                        2. 1

                          Oh, I love this! Those popups are such utter trash and full of dark UI patterns.