100% agree with this and the other post, the biggest red flag is "Meta".
Whoever thought something good and user-first would come out of this wannabe Twitter killer is completely naive.
I expect that federation won't last and there are two things that can happen: either Meta decides it's not worth it, or they will find a way to draw out most of the federated users and then deal a killing blow to the fediverse.
I was skeptical about being against Meta's Twitter being federated, but now I am totally in favor of it being banned by most instances.
For me the biggest red flag is that they have apps in the EU but what they're doing with this one is so dodgy that they're not even risking entering the EU.
Also, interesting to see a big international company actually back up their "we just won't do Europe then".
The way I see it is a mix of all of that, but number 3 is the biggest.
Twitter is not big here. There are people who use it, sure, but there's a reason you don't see that many EU issues trending on Twitter.
Here's an example off the top of my head: France is rioting and it barely registered on Twitter.
The biggest European market for Twitter is the UK and it has 19M users; the second biggest is France with 9.5M [1].
The only time I see EU events surging on Twitter is during continental sporting events like Champions League, or Eurovision.
Twitter is just not that big around here.
Instagram on the other hand, I don’t know anyone without an IG account - so that might muddy the waters on this dynamic.
Your point is well taken, and if anything that's a significant understatement. This is one of the most significant protests (or nearly civil war) to occur in France since the Revolution.
> and it barely registered on Twitter.
Indeed. I saw videos of what was happening in Wuhan in late 2019, but tbh it was mostly linked by comments on (where else) HN, so I may not have discovered it via Twitter's own tools.
> Your point is well taken, and if anything that's a significant understatement. This is one of the most significant protests (or nearly civil war) to occur in France since the Revolution.
As someone from Europe who isn't French, it's just another France rioting story. It might be big in France, but for the rest of us it just looks like another France rioting story, which they have been doing for the past few months.
It's not just that it's barely registering on Twitter, it's barely registering anywhere, because lots of us are just so used to France rioting that it's not really news. It's like mass shootings in the US. I think there was a new one over the 4th of July holiday period, but I am not 100% sure because we're so numb to mass shootings out of the US. They need to do something super wtf like have the police stand outside a classroom while a school shooter is shooting children for us to register.
Yeah, but that may not be accurate. These aren't quite "just more French riots" - they have been unusually serious, violent and destructive. At least, the French seem to think so. (Though this might partly be because it's non-white kids from the banlieue rather than white gilets jaunes from the countryside, I don't know.)
Essentially it's like how the average protest with minorities is treated vs Jan 6....
The former: the cops toss tear gas, kettle them and beat them with batons and "rubber" bullets, while in the latter there's cops literally moving the barricades aside and escorting the rioters around....
Pretty much all videos I've seen of the current riots in France (mostly filmed via phones by bystanders) show a very different picture than racism.
Even that unfortunate incident when they killed the teen was very much reactionary, as people have been throwing Molotov cocktails etc at them for weeks now.
Honestly, I do understand the perspective of the rioters. Not having a chance to improve your life would make me violent too, I think... But framing the police as racists acting out is misguided considering that most of the issues are social in nature and not caused by the police.
And this might be too nitpicky for such an emotional topic, but the term racism gets thrown around way too much. I think it's more akin to classism, as it seems like you're still gonna get discriminated against if you originate from the poor areas, no matter what the color of your skin is.
As a person who has been to many protests I must point out that it's not that the police act exclusively because of racism, but rather that their decisions and choice of tactics are heavily influenced thereby.
Because of their racism and prejudices they are too quick to use force, tear gas and other "compliance methods" against those they deem undesirable, while they consistently avoid using such methods at all when they self-identify with the protesting group.
That's what's being referred to.
It's not overt KKK or Nazi shit, it's the subtle underlying racism that makes them shoot tear gas on the first day into a group of entirely peaceful people, which then results in the escalation to this extreme violence we now see.
It's a well established fact that the police are the source of escalation in many cases, choosing to attack the whole instead of seeking to address the problematic few.
The cops even send in fake protesters to engage in violence so they can then attack the protest. It was caught in Quebec on video, so I highly doubt it doesn't also happen in France where tensions and racism are far more significant. (See agent provocateur)
What is the EU missing out on if Threads never enters it though?
I don't believe Facebook, Instagram, Tik Tok or Twitter were net gains for people. I don't see how Threads might be.
I do honestly believe that if all these services disappeared overnight we would live in a better world. I legit just don't want Threads to enter the EU, ever.
While I wholeheartedly agree that Facebook, Instagram, et al. are net negatives for society, I think that it could still be worrying for the EU if major companies and services simply decide not to do business in the EU. It will be interesting to see if this becomes a trend, if it's a one-off situation, or if it's only a temporary limitation.
The EU doesn't decide what product to allow or not. It has regulation, and any decisions are according to those rules, the same for all companies. Which is my point. They have no vendetta against Meta, as evidenced by Facebook and Instagram working fine in the EU.
It seems pretty obvious that it's no more dodgy than any other app they have. Despite people crying loudly about how untrue it is and how unfair it is when sites block people in the EU, the EU's regulations require a lot of work to comply with (even in the case where you are already complying with the intent of the regulations). Clearly here Meta's number one priority was getting this app out quickly. There are a ton of pretty basic features missing. If supporting a release in the EU required just weeks of work, I'd expect that they'd have chosen not to delay the release for that. Given the extra scrutiny that Meta is under, I'd put the amount of work required at more like months.
It's reusing Instagram. Instagram is GDPR compliant, yet Threads isn't. That tells me they added extra stuff that Instagram doesn't have by default. More dodgy than other apps. And considering how long it takes for anything to happen, they could have released and fixed minor unknown issues. The fact they haven't suggests they think what they've added is dodgy enough for major fines.
Threads will follow the usual tech trends. It will be enjoyable for users, and Meta will run it at a loss to try to defeat Twitter. If they succeed, they will eventually make it worse for users to woo advertisers, and then when the advertisers and users are both captured, they will make it awful for both groups in order to maximize their own profit. It will become “enshittified.”
I figured Meta released Threads now because of the 2024 US elections: Twitter has reached dead wood status for corporate/political/MSM media, Facebook hasn't learned its lesson in the eyes of lobbyists (no touch), forget TikTok because of 'China misinformation incoming', streaming had its run, Fox lost its main character (and a lawsuit) and nobody watches cable anymore. So where's that sweet $15B in campaign ad funds going?? Threads is being pitched as fresh and an alternative to Twitter as well as "separate to FB"... so it's logical to release now, as the $15B flood gates open around Sep/Oct. I can already see those marketing agencies pivoting with a sigh on not spending it on Twitter in a few months. But we'll see if this plays out by then.
I for one keep thinking: "Ah good, that shit is not here yet." The longer it takes, the better. If they do not enter the EU at all, that would be perfect. But I am probably kidding myself if I think that they will never enter the EU. They will wriggle their way around the law somehow, and if not, they will calculate and break the law, like they did many times before, in the name of profit.
A more charitable interpretation could be that they just haven't implemented a bunch of stuff that's required by the GDPR -- like being able to export data and deleting your account.
I'm pretty sure they'll launch in the EU eventually.
I would bet over 95% of companies don't comply with GDPR. I know some startups don't serve the EU because of this. Facebook is under the microscope of the EU; they probably aren't risking getting fined until they can scale the product and implement the things they need to lower the fine they would get and make being fined worth it. They are going to get fined most likely, but again, 95% of the companies in the world could be fined as well if they were under the spotlight like Facebook is. GDPR compliance is NOT easy at all; ask anyone who works in compliance, they know this.
It’s exceptionally easy: one just has to not do shitty things with personal information. Complying if you are doing shitty things with personal information is, by design, impossible - and that is good.
Ok, what if you do a database backup daily and someone requests you to delete their information. You're telling me you go through all those backups and delete that person's information? If you don't, you aren't complying with GDPR.
You don't even have to bet, you can just sample random websites and see how many make it more difficult to deny cookies than to accept. This is already a GDPR violation.
At some point it was definitely more than 95% of websites being shady with their cookie coercion banners.
I would say that no company or person is immune to arbitrary legal attacks. Complying 100% with the law is difficult if not impossible for companies or people with few resources. Laws can be contradictory and/or inconsistent if you dig deeper.
That is why it is important to have sandboxes and/or laws that are based on size, number of consumers, etc. One thing is to ask for full GDPR compliance from a bank; it is much different for small companies.
What's interesting about the GDPR is that it's ambiguous and vague and it seems like "we're ok with that", whereas in the U.S. ambiguity works against the legislators because a court is supposed to rule on the side of the defense if a law is too vague.
In the EU, it's basically expected that the courts will apply the law on a case-by-case basis, which opens the door to inconsistent application of the law and ultimately to selective prosecution.
In the case of Meta, it definitely seems inconsistently applied (even though I hate Meta and would never trust them again). They simply choose the seemingly worst offender (Meta) and try to kick it out of the EU, while leaving alone the actual worst offender (ByteDance). Prosecution becomes a case of politics rather than justice.
What I don't understand is why products like Facebook and Google Analytics (up to 3?) ship PII to the US. The owners have data centers in the EU and should be able to process the data enough for it to be OK to send to the US.
It is not that difficult for most startups to be mostly GDPR compliant. At least not in comparison with trying to fix it later. In some business areas local law and GDPR clash, though, which can be a pain.
You can view profiles and posts, but you can't do anything more on the website. They are working to build a working website, but their focus is on the app.
The UK has a separate data protection law (UK GDPR[1]) which is more or less the same as the EU's. The current government held a consultation on possible changes[2], but I would doubt they could actually carry through on making a significant change given their current weak and divided state and the likelihood they will lose in the next general election.
> The UK is working on a separate data protection law and the attitude towards privacy is very different from the EU (hence the rewrite)
This is very speculative. My guess is that changes will be made, but they'll be incremental and some effort will be made to ensure broad alignment with EU GDPR so we don't have another SCC-style mess (where some major EU to USA data transfers were determined to be illegal).
They could be gambling on us not enforcing it (having shown signs that we think it's excessive). But others have said this is more about the Digital Markets Act.
I get a GDPR-looking privacy popup on Threads in the UK, so I'm inclined to agree.
They're likely not launching in the EU because the EU requires user data to be stored in the EU, and their current launch stack is hosted elsewhere. Look at this datacenter map of Meta:
They're mostly in the US, and most outside the EU. Given the record timeline from concept to launch for this app, it's normal they can't whip up a datacenter from nothing overnight.
Maybe it's because I grew up on IRC and ICQ, but I just cannot imagine an asynchronous text-based social network requiring a full datacenter of the same scale as their video and ad-tracking platforms.
I kinda assume that Meta could do this if they wanted. Their Instagram and Facebook comments are legal and available in the EU no problem.
- Yes, Instagram and Facebook are legal and available in the EU (as I noted), but there's one data center in Ireland and one in Denmark as far as I see, and given the massive influx of users to Threads, they probably have no extra capacity on these two datacenters to cover all of the EU with a new app, not right now at least. Compare with SEVENTEEN datacenters in the US.
- "Full datacenter" doesn't mean much. When we say "a datacenter" it doesn't mean a building of specific size and capacity. They likely colocate some servers in other people's data centers (in fact many of those are like that).
- IRC and ICQ still require a network of servers. IRC is a protocol that barely changes, so you don't need as much centralization as with a product of rapid iteration and innovation like modern social networks. But you must still be quite familiar with IRC splits and lag, which come with such an architecture. If a social network broke as often as IRC did, people would simply not use it; modern audiences have higher expectations. Resilience requires redundancy and more resource-intensive architectures.
- Modern social networks have way more people on than IRC ever did. At the peak of IRC use, around 2004-2005, all networks, all servers, total, had about 10 million users. Today they're at just about 350k. Compare with Threads, which gained 30 million+ users in ONE DAY. More users mean you need more servers and beefier servers, and a more serious architecture (as things don't scale linearly by magic beyond a threshold).
- IRC has no content to host at all. How'd you publish a photo to the world on IRC? You can't. Or even text? I guess everyone has to be in the channel, or know where to find some logs? ICQ is also mostly peer to peer. If you lose your copy of the chat logs, that's it. At least how it was in the 90s when it was popular and I used it (I hear it's still popular in Russia or something? Dunno). So you can't compare social media with a peer-to-peer ephemeral messaging protocol. The peer-to-peer messaging protocol is a tiny part of what Twitter and Threads do.
- I haven't even mentioned algorithmic timelines and the like, which make the task even more complicated, nothing like IRC.
And then to pay for all these costs of hosting and algorithmic distribution, backup and so on, you need to collect said user data, profile ads, run the ad network UI and so on. That also adds to the cost and resource use of running this service.
We can probably discuss "is all this needed, can't we go back to something like IRC?" And I think about this a lot. The modern social media design is not the best way to do it, it's not the final way. But Meta wanted to clone Twitter, not IRC, and this comes with the cost & system requirements of running something like Twitter.
I find it odd that I'm downvoted. Is the information I stated incorrect? Or does it simply not align with the narrative in this thread of bashing Meta? I'm simply trying to stay objective. Facebook is as intrusive as it can be, even more than Threads can be, I'd say. And it's running fine in the EU. So, let's not ignore facts.
The US is not in the list of countries with equivalent protections; in fact most of the world isn't in that list. Which means in effect it should be in the EU. Another nearby location that's permitted is the UK, but they have no data center there at all.
Not sure I buy this. Some of the EU stuff is good, but I think a lot of it goes too far and it's a terrible nightmare to navigate now, never mind in a decade when we're all using software that doesn't exist yet.
Can you say specifically what goes too far? I don't find it onerous or unreasonable at all, but my business model doesn't improve by violating it either.
Even with the best of intentions, these laws can be labyrinthine and ambiguous, and therefore expensive to (try to) observe. And there is still always the risk that you are found guilty of something. For a small or medium business, you are likely to be far enough under the radar to avoid issues. But as a large company you may easily end up in legal crosshairs, costing millions or billions of euros, even if you ultimately prevail. And if you lose…
These laws being byzantine is the result of almost two decades of legal battles. Meta and Google have batteries of competent lawyers and lobbyists, constantly testing for legal loopholes, interpretations and contesting complaints in European courts.
Privacy laws aren't new, they existed before the GDPR. But they were fractured and not up-to-par with the new digital reality of large scale collection of personal data. These laws are geared exactly against the very business model of Google and Meta: offer free services, be first to market and become a gatekeeper, collect user data as broadly as possible, sell business intelligence and marketing services to actual paying customers.
When Meta states that it can't release Threads due to "unknown legal liabilities", that's a roundabout way of admitting that their business model doesn't entirely square with European laws, such as they are.
Finally, as far as size in terms of user base, revenue and expenses go, the likes of Meta, Google and Twitter are very much a league of their own. Given their business model and its profitability, it's inevitable that their goals and motives are at odds with the interests and legal rights of citizens.
People keep saying this and yet it’s never happened despite the GDPR being in place for 5 years now.
As a tech manager for an EU company, I can honestly say that it isn’t that hard to be GDPR compliant.
Even when I worked for a company that did need to collect customer information, we pretty well understood what we could and couldn’t do under GDPR.
This whole “GDPR is dangerous” meme needs to die because businesses aren’t being dragged into court over trivial things because of it. The only people moaning are those who were abusing people's data to begin with. And those are exactly the types of companies this law is protecting people from.
> As a tech manager for an EU company, I can honestly say that it isn’t that hard to be GDPR compliant
It's pretty easy for a business to be GDPR compliant unless their business model or processes in some way involve collecting and processing or selling personal data of their users. Before GDPR a lot of businesses used this as a nice little second income stream, or just grew used to being able to freely analyze every aspect of their users' private data that they could get a hold of. Suddenly they can't do this anymore, and what's actually difficult is not being compliant with GDPR, it's reconciling their business to a new way of working where they have to be considerate of their users' right to privacy.
For example, you have a deeply entrenched analytics system that you base a lot of your decisions on. Suddenly you have to basically gut it, or even throw it out entirely. No matter that there's plenty of GDPR compliant systems to replace it, they don't feel as effective, and it's easy to see why a business would make these changes begrudgingly and with a lot of complaining about how unfair it all is.
That looks to me as though the system is working exactly as intended. When I do business with company 'A' I do not expect or consent to them passing that data on to company 'B'.
That’s the point I’m making though. The law isn't a problem. It’s companies who abused user data that are the problem.
It’s also worth noting that you can still use customer data for analytics under GDPR. GDPR doesn’t prevent legitimate analytics from happening. It just gives consumers power to be excluded from analytics and to force companies to be transparent about their usage of personal data.
> As a tech manager for an EU company, I can honestly say that it isn’t that hard to be GDPR compliant.
> This whole “GDPR is dangerous” meme needs to die because businesses aren’t being dragged in court over trivial things because of it.
Ah, yes, the one weird trick of GDPR "compliance" by being a smaller, less appealing target to the enforcers.
The "GDPR is dangerous" meme needs to stay alive because it's massively ambiguous and different countries' interpretations vary wildly. The types of companies the law is "protecting people from" are non-European ones. It's just economic protectionism in the guise of privacy.
Even if that were true (it isn’t, but for the sake of the discussion I’ll humour you), America is far more open and aggressive with its protectionism policies. As is China. So I don’t understand the complaint. You’re either in favour of laws that promote the growth of local economies or you’re not.
But to be clear, the GDPR is not about protectionism. If it feels that way then perhaps you need to have a hard look at whether the bigger problem is the companies that you feel are being persecuted by GDPR and whether the countries they originate from should have done more to regulate them to begin with.
I'm neutral on protectionism: I'm in favor of laws that are precise and unambiguous, and not up to the interpretation of whatever courts and enforcement agencies wish to impose.
For example, which of the following statements are true according to the ECJ's interpretation?
American companies cannot run datacenters in Europe, because the CLOUD act might compel them to give up data to American authorities.
Canadian companies cannot run datacenters in Europe, because Canada might pass legislation that compels companies to give up data to Canadian authorities.
American citizens cannot work at datacenters in Europe, because they're subject to U.S. law, and the U.S. might pass legislation to compel them to steal data.
Germany cannot host datacenters, because they lack an independent nuclear triad, meaning that they're subject to U.S. invasion to seize the datacenters.
> I'm in favor of laws that are precise and unambiguous, and not up to the interpretation of whatever courts and enforcement agencies wish to impose.
So am I but unfortunately the topic itself is highly nuanced. If it were that easy to say this type of usage is ok but this type isn’t then we would have been able to put better technological measures in place to keep our data safe.
And let’s be honest, GDPR is hardly an outlier. Most laws end up being nuanced when it comes to cutting edge technology. Whether it is intellectual property laws, computer misuse laws, etc. The only difference here is that innocent people aren’t being harmed by GDPR.
So if you’re going to complain about vague laws harming people, then GDPR is the literal last one you should be concerned about at this point in time.
The only reason people moan about GDPR is because entities like Facebook have brainwashed you into believing it’s bad. They say it’s “anti-business”, “harms innocent companies”, etc. but it’s all BS. And I say this as someone who has had to work inside the GDPR every day since its inception.
Now if you want to moan about innocent people being arrested in America for “hacking” because they send bug bounties, or even just click “view source” in Chrome…then I’m all ears. Or complain about how IP laws are being abused to hoard monopolies on obvious ideas. Or about how companies are sucking up other people's copyrighted content for free to train proprietary GANs. Or about the abuses of DMCA.
The thing is, companies don’t moan about those things because those abuses empower them. Whereas GDPR levels the playing field. So despite the fact that GDPR has never once been abused and the others frequently are, GDPR is the law that everyone gets pissy about.
This is absolutely not my experience while working in an ad agency in the EU. There are companies like Iubenda which basically handle all the normative side of things, and if required by third parties they also do the compliance checks.
We've had no more than two disputes since the GDPR was passed and they both ended up with a simple "Please remove their data and make sure that X services are deactivated too when the user fills their consent form".
No scary lawyers or multimillionaire suits. I guess that part is reserved for those that consciously decide to ignore the rules.
> Seriously though, GDPR compliance isn’t that hard
Unless compiling data on your users and selling it is your entire business plan.
One of the issues I see is that many companies have been lured into this impression that they need to track everything, in great detail, but it doesn't actually provide that much value. I blame the snake oil sales people in the advertising/remarketing/up-selling/cross-selling business.
This is correct. So many websites don’t actually need to collect any user data. It’s just a distraction, slows down and bloats their site and worsens UX.
I recommend to simply get rid of any tracking. If you want user feedback, ask them or do tests. It’s cheaper and more effective.
> So many websites don’t actually need to collect any user data.
Any commercial organisation is going to have customers and therefore customer details and payments data.
Any commercial site needs to record enough logs to investigate events like outages or security threats.
Any site that isn't purely informational and read-only probably works with user-provided data in some way.
People keep writing about GDPR and similar laws as if they only apply to data-harvesting analytics plugins on ad-ridden content farms but the same laws apply to everyone else as well. For many it will be reasonable and indeed necessary to process personal data in order to do whatever the site or app does.
> Any commercial organisation is going to have customers and therefore customer details and payments data.
Necessary for the performance of a contract or to comply with legal obligations.
> Any commercial site needs to record enough logs to investigate events like outages or security threats.
Legitimate interest, and possibly legal compliance if the nature of your site means you have a legal duty to collect those logs or that they could help in the course of an investigation.
> Any site that isn't purely informational and read-only probably works with user-provided data in some way.
If it's a UGC-based website, then collecting some data is necessary as part of the provision of a service or legitimate interest for fraud/spam prevention.
Every single point you mentioned would explicitly be allowed under the GDPR with either compliance with legal obligations, necessity for the performance of a contract or legitimate interest, no consent required even.
There should be no debate that the items I mentioned are allowed under the GDPR because one or more of the lawful bases for processing applies. My point is that on many sites you're still going to be collecting and processing personal data for many legitimate reasons and therefore you still need to have all the policies and provisions in place for that data to be compliant with the data protection regulations. "Just don't collect the data in the first place" is mostly not a very useful argument for how easy it is to comply with the GDPR.
On numerous occasions in GDPR-related discussions I have seen people seriously questioning whether you can keep a basic server log with IP addresses in it, of the kind that every web server has generated by default for decades. Often there are suggestions that such logs must be automatically deleted after a short period or the IP addresses masked in order to be compliant. And yet having records of which addresses were doing what on your site can be useful information for security and fraud prevention purposes months or even years after the records were originally created. So who is right? GDPR doesn't actually say, and as far as I'm aware neither have any of the relevant data protection authorities yet, so if you're running a site with these security concerns but also making an honest attempt to be compliant, then you literally have no way to know how far you're allowed to go without crossing a line and upsetting a regulator.
That's just one everyday example that would probably apply to millions of different websites and that has been discussed many times but still with no clear answer. There are many more areas of ambiguity that even a well-intentioned organisation can easily run into. Backups and archives. Soft deletes when a user asks to delete something but you know for a fact that many users subsequently contact your support staff saying they've made a mistake and asking to restore the data. It's a long list with few clear answers.
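One engineering middle ground between "keep raw IPs forever" and "delete the logs after a short period", as discussed in the comment above, is to keep raw addresses only for a short incident-response window and then replace them with a keyed pseudonym, so old records still show that the same client came back without holding the address itself. The following is an added example, not code from anyone in this thread; the combined log format, the 72-hour window, the key and the sample lines are all constructed assumptions, and nothing here claims to settle the regulatory question.

```python
"""
Added example: a retention filter for web-server access logs that keeps raw
client IPs for a short window and afterwards replaces them in place with a
keyed pseudonym. Old records still answer "is this the same client that
failed login 200 times last month?" without storing the raw address.
"""
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: client ident user [timestamp] request ...
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] (?P<rest>.*)$"
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed policy: raw addresses are kept for 72 hours for live incident
# response; anything older is pseudonymised in place.
RAW_WINDOW = timedelta(hours=72)
PSEUDONYM_BYTES = 12  # 96-bit token; collisions are not a practical concern

# Constructed sample data using RFC 5737 / RFC 3849 documentation addresses.
DEMO_KEY = b"constructed-demo-key-rotate-me"
REFERENCE_NOW = datetime(2023, 7, 7, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jul/2023:10:15:32 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
203.0.113.7 - - [01/Jul/2023:10:15:40 +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"
2001:db8:abcd:1234::5 - - [06/Jul/2023:08:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.23 - - [06/Jul/2023:09:30:00 +0000] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Deterministic keyed pseudonym for one address.

    HMAC rather than a bare hash: the IPv4 space is only 2^32 values, so an
    unkeyed hash could be reversed by simple enumeration. With the key held
    separately (and rotated, which bounds how long linkage remains possible),
    the token still links repeat visits from the same address, which is what
    fraud and abuse investigations need.
    """
    try:
        packed = ipaddress.ip_address(ip).packed
    except ValueError:
        return "pseudo:unparsed"  # keep the record, never emit the raw field
    tag = hmac.new(key, packed, hashlib.sha256).digest()
    return "pseudo:" + tag[:PSEUDONYM_BYTES].hex()


def apply_retention(line: str, key: bytes, now: datetime) -> str:
    """Return the line unchanged if inside the raw window, else pseudonymised."""
    m = LOG_LINE.match(line)
    if m is None:
        # Not in the expected format: do not guess, but do not leak either.
        return "<line not in expected format; withheld by retention filter>"
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    if now - ts <= RAW_WINDOW:
        return line
    return "{} {} {} [{}] {}".format(
        pseudonymize_ip(m.group("ip"), key),
        m.group("ident"), m.group("user"), m.group("ts"), m.group("rest"),
    )


def process_log(text: str, key: bytes, now: datetime) -> list[str]:
    """Apply the retention rule to every line of a log file's contents."""
    return [apply_retention(line, key, now) for line in text.splitlines()]


if __name__ == "__main__":
    # The two 1 July lines are older than 72h and come out pseudonymised with
    # an identical token; the 6 July lines are inside the window and unchanged.
    for out in process_log(SAMPLE_LOG, DEMO_KEY, REFERENCE_NOW):
        print(out)
```

Run it against a rotated log file on a schedule, with the key stored outside the log pipeline, and the raw-window length becomes an explicit, documented retention decision rather than an accident of disk space.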
How are you going to "fix" that "design flaw" when the personal data in question is the result of legally required customer age checks? Evidence needed to support your tax filings? Used to identify and block people who are repeatedly trying to defraud you or breach your security? Subject to a legal hold because it might provide relevant evidence in some legal action between other parties or it's been requested as evidence by some government committee?
Data protection laws like the GDPR might take the position that you should minimise the collection and use of personal data. Many of us might even agree with that position in principle. It can still be complicated to work out what "minimal" actually means if you did have good reasons to collect the personal data in the first place and you might still need to keep the data or some part of it for those purposes or to comply with other laws or regulations.
> How are you going to "fix" that "design flaw" when the personal data in question is the result of legally required customer age checks? Evidence needed to support your tax filings?
This kind of wilfully ignorant argument is extremely tedious and indicative of the fact that you do not understand the actual construction of the GDPR, or choose to misrepresent it.
Let’s put this nonsense to bed once and for all by quoting the Irish summary [1] of articles 17 and 19:
> You have the right to have your data erased, without undue delay, by the data controller, if one of the following grounds applies:
> - Where your personal data are no longer necessary in relation to the purpose for which it was collected or processed.
> - Where you withdraw your consent to the processing and there is no other lawful basis for processing the data.
Information pertinent to tax records is not collected on the basis of consent, and nor is anything else legally required.
This is HN. Please don't post comments with that sort of hostile tone here. Assuming ignorance and/or bad faith does not further constructive or interesting discussion.
I absolutely agree though, this argument is extremely weak, like a developer being asked to step outside their comfort zone locking up and declaring something unknowable levels of complexity so they don't even have to try.
The GDPR is extremely easy to understand. It's not always trivial to comply with, because we all know that enterprises are held together with instant glue, a networking VM in a basement nobody has logged in to for 10 years, at least 3 layers of management between a DPO and feature teams and one all-knowing employee everyone hopes will never leave or take too much vacation because things will slowly crumble in their absence. It's pretty hard to be absolutely compliant in that environment. But if you're a startup, or even solo? You can absolutely design your app to not have these issues in the first place.
I respectfully disagree. And I write that not only as a very experienced developer but also as a director who has been legally responsible for GDPR compliance in more than one relatively small organisation.
The GDPR in its official format in English is 88 printed pages. It contains 173 introductory paragraphs followed by 99 specific Articles some of which span multiple pages by themselves. As is customary for legislation made at EU level a lot of the provisions are written more as statements of intent with considerable ambiguity about concrete implementation that is left to regulators or courts to clarify.
The specific legal basis of "legitimate interests" and the overarching obligations to collect and process data only where it is reasonably necessary are good examples of this openness to interpretation. And yet much of the data processing that most of us would probably agree is reasonable relies on the legitimate interests basis for its lawfulness. Several enforcement actions by regulators have already been brought against data controllers who apparently believed they were acting in compliance but were still found to be infringing the general principles around necessity and proportionality.
I contend that any legal document running to nearly 100 printed pages of densely printed text cannot credibly be described as "easy to understand". Indeed I must have read hundreds more pages of analysis and discussion by legal scholars, professional data protection officers and other experts and there have been plenty of disagreements over interpretation or sometimes outright contradictions between those papers.
Of course the only things that actually matter are the actions of the regulators or other official bodies that interpret the regulations and potentially sanction those who infringe them in specific cases. That means we also have to consider the stated opinions and actions to date of all the different national regulatory authorities and the outcomes of the cases that have been formally considered and resolved so far. And once again it is clear that even among the national regulators who are responsible for the interpretation and implementation of the rules there can be considerable disagreements about how the rules should be interpreted and sometimes which cases should be brought at all.
Now I don't necessarily disagree with some of those outcomes but I do think that if a data controller honestly believed their prohibited actions were in compliance and was subsequently penalised and required to make changes then evidently there is a problem with how accessible/understandable the rules are and those rules demonstrably failed to prevent the unwanted behaviours in those cases until the regulators did take action.
I will take your point, but I'd say you also need to account for how the GDPR has been enforced to this point. I regularly submit complaints to supervisory authorities and I've been employed by a few companies that regularly have meetings with their local SAs for guidance regarding potential pitfalls.
Most enforcement is directed towards total disregard of the GDPR. Data that hasn't been properly deleted after requests, requests that go unanswered, and entities like Meta who think their legitimate interest towers over protected categories of information (i.e. allowing microtargeting based on health). Companies also get away with a lot of easy to see violations (i.e. I've complained about Microsoft doing dark patterns to obscure whether agreeing to data collection is a requirement for a service to work).
Usually you'll be fine if you understand the basic framework and intent.
And I'm not sure how you get to 88 pages. It comes out to 68 pages with very generous margins and a line-height of 22pt on A4 for me.[1] (also, all EU law, including translated judgements, is canonical in all member state languages, FYI)
> I will take your point, but I'd say you also need to account for how the GDPR has been enforced to this point. ... Most enforcement is directed towards total disregard of the GDPR.
I agree this is true. And at least here in the UK the regulators appear to be acting in good faith and according to the spirit of the law. However I don't like the principle that not enforcing a bad rule somehow makes it better.
If something doesn't need to be enforced then it doesn't need to be a rule at all. Then it can't be selectively and possibly punitively enforced against someone the authorities take a dislike to or simply because of a bureaucratic mistake caused by incompetence rather than malice.
Moreover having rules that are rarely enforced effectively penalises those who do make a good faith effort to comply but probably would not have suffered any ill effects if they had not done so. They're being penalised by paying extra compliance costs for trying to do "the right thing" and that doesn't seem like a good idea to me. In a business context it is literally giving a direct financial advantage to competitors who bend or outright ignore the rules and get away with it.
Also, legal texts are always longer than a conceptual tl;dr of them. Covering for all eventualities. It's not a flaw of the legislation itself that some boilerplate is required. Also, a lot of it is contextually relevant (e.g. there's entire sections for regulating specific industries).
Your average contract contains the same boilerplate by percentage.
I don't know where your actual problem is. The GDPR allows holding data for most of these purposes. You intermingled legal obligations with data legal departments would like to hold in the end there. Only one of those is required.
Also, some of these are purely theoretical in the EU. You're not even allowed to photocopy an ID in Germany; age verification is a checkmark someone sets upon verifying the ID is valid and then (metaphorically) handing it back, not a copy of a legal document that you probably don't want deduplicated to random S3 buckets held by all the companies you do business with. They're not exactly resistant to replay attacks, after all.
My point is that knowing which personal data you need to redact and under which circumstances is not always easy. Before you can build a system that does something you first need to identify exactly what that something is.
- Payments, particularly from P2P transactions. If I send you money, and then you request the deletion of your profile, there's plenty of complexity there.
- Enforcement records from illegal content / violating content
- Local data cache for offline mode in mobile apps
I'm not saying all of these apply to "Threads". But there are tons of edge cases to consider that need code changes to behave as expected.
There's really no complexity there. The right to be forgotten doesn't supersede other laws, and it is required by law in most countries that transaction data be stored for 5 years plus running year, so in case you request to be forgotten, that can only happen once the mandatory data retention has expired, which can easily be handled by a "transaction date", and simply run a batch job that matches each user to their transactions (and desire to be forgotten), and once transactions are expired and the user has requested to be forgotten, you simply delete.
> Local data cache for offline mode in mobile apps
The right to be forgotten has a "grace period", so set your cache expiration to less than that amount of time and you're pretty much home safe, or better yet, don't cache GDPR sensitive data and you can pretty much cache for as long as you like.
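The retention-aware erasure job described in the comment above, written out as an added example (this is not code from the thread or from any of the products discussed). It assumes the retention rule exactly as the commenter states it, 5 years plus the running year, and uses constructed sample users and transactions; the record layout, the `erasure_requested` flag and the audit list are assumptions for illustration. It also covers the edge the comment implies but does not spell out: a user who asked to be forgotten is only removed once none of their still-retained transactions refer to them.

```python
from dataclasses import dataclass
from datetime import date

# Retention rule as stated in the comment: transaction data must be kept for
# 5 years plus the running year. A transaction dated in year Y may therefore
# be deleted only once year Y + 5 has fully ended.
RETENTION_YEARS = 5


@dataclass
class Transaction:
    tx_id: str
    user_id: str
    tx_date: date
    amount_cents: int


@dataclass
class User:
    user_id: str
    email: str
    erasure_requested: bool = False  # set when the user asks to be forgotten


def retention_expired(tx_date: date, today: date) -> bool:
    """True once the transaction's year plus RETENTION_YEARS has fully elapsed."""
    return today.year > tx_date.year + RETENTION_YEARS


def run_erasure_batch(users, transactions, today):
    """One run of the batch job.

    For every user who asked to be forgotten, delete the transactions whose
    statutory retention has expired, and delete the user record itself only
    when no transaction that must still be kept refers to them. Users without
    an erasure request are untouched. Returns the surviving records plus an
    audit list of what was deleted (ids only, no personal data).
    """
    requested = {u.user_id for u in users if u.erasure_requested}
    kept_tx, deleted = [], []
    for tx in transactions:
        if tx.user_id in requested and retention_expired(tx.tx_date, today):
            deleted.append(("transaction", tx.tx_id))
        else:
            kept_tx.append(tx)
    # A user may only go once nothing we are legally obliged to keep points at them.
    still_referenced = {tx.user_id for tx in kept_tx}
    kept_users = []
    for u in users:
        if u.user_id in requested and u.user_id not in still_referenced:
            deleted.append(("user", u.user_id))
        else:
            kept_users.append(u)
    return kept_users, kept_tx, deleted


# Constructed sample data (assumed, not taken from any real system).
SAMPLE_USERS = [
    User("alice", "alice@example.invalid", erasure_requested=True),
    User("bob", "bob@example.invalid", erasure_requested=True),
    User("carol", "carol@example.invalid"),
]
SAMPLE_TX = [
    Transaction("t1", "alice", date(2018, 3, 1), 1250),   # 2018 + 5 < 2024: expired
    Transaction("t2", "alice", date(2020, 1, 1), 999),    # 2020 + 5 = 2025: keep
    Transaction("t3", "bob", date(2017, 11, 30), 4200),   # expired
    Transaction("t4", "carol", date(2010, 6, 6), 10),     # expired, but no request
]


def demo(today=date(2024, 7, 5)):
    """Run the batch on the sample data; returns sorted ids for easy checking."""
    users, txs, deleted = run_erasure_batch(SAMPLE_USERS, SAMPLE_TX, today)
    return (sorted(u.user_id for u in users),
            sorted(t.tx_id for t in txs),
            sorted(deleted))


if __name__ == "__main__":
    print(demo())
```

Run in mid-2024, alice keeps her profile because one 2020 transaction is still inside the retention window, bob is erased entirely, and carol's data is left alone because she never asked. Rerun in 2030 and alice's remaining transaction has aged out, so the same job removes her too; the job is idempotent and can simply be scheduled.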
There's a lot more to payments than raw transaction data. Payments are usually related to the exchange of goods or services. The delivery data of those could be essential for winning a chargeback dispute or a liability for a customer that asked to be forgotten.
such as the ability to easily support redaction of personal data?
Errg: sorry folks. I misread the thread and thought the "such as" was responding to the comment next to it about the design flaw of not being able to delete personal data.
Twenty-eight independent data regulators on a complain-investigate model. I’ve seen folks bury early-stage competitors with regulatory inundation as an effective, if unethical, strategy. Zero chance Musk wouldn’t have armadas of randos complaining raining in on Threads.
For EU-based business: The DPA of your country is responsible for you.
For non-EU-based business: Appoint a representative in the EU. The DPA of that representative's country is responsible for you.
So where do the other 20+ DPAs come in? They might be responsible for your customers - in which case, they'll contact your DPA and sort it out among themselves. You still won't have to become an expert in the nuances of Bulgarian, Swedish and Portuguese privacy law.
> they'll contact your DPA and sort it out among themselves
No, they won’t. They’ll help you coördinate. You won’t have to become an expert in other bodies of law, but you will need to be responsive to them, which is time consuming, distracting and—if you’re running a real business—expensive.
I’ve seen this deployed to remarkable efficacy, with asymmetry in defence:deployment cost in excess of 10:1.
If anything, the GDPR's wording of "legitimate interest" makes it too weak, where corporations can justify every use of data that makes them money as legitimate until a court stops them, as happened to Facebook very recently over ad microtargeting.
That companies like Facebook push fancy theories of what is and isn't legitimate interest is not the fault of the law. People will always try to push the limits to see what they can get away with, esp. when there is money to be made. That doesn't mean it will fly - like Facebook has just discovered (and others before them).
Law cannot enumerate every single possible existing and future use case. It outlines the intent - and if there is a grey area somewhere, it will be ultimately tested and decided in court.
There are ways to make this problem less bad though. You have your permissive case and then write a number of examples into the law that show what you do not consider allowed and invite future courts to consider them. Pre-emptive case law (which is a lot cheaper than actual case law), if you will.
Which is exactly what has happened. GDPR (or any other piece of legislation, really) explicitly enumerates some of the situations.
E.g. Recital 47 on Overriding legitimate interest:
"The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
I.e. Facebook is entitled to use your data for their own direct marketing (e.g. sending you leaflets, sale offers or telemarketing) to you according to this. We can guess how this provision got there (likely the lobbying has been fierce).
Or Article 22 on automated processing/profiling:
"The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
A lot of people make all sorts of comments on GDPR (and other regulation) but it is unfortunate that very few have actually *read* what they are commenting on.
It is interesting which special cases are explicitly noted in the GDPR (credit scoring for instance) and which classes of data are specially protected (political alignment, medical data) - and where the lobbying shines through by omission.
I would give the legislators some credit there. While it is certain that the lobbying has been fierce (as with any legislation) and that no law is going to be perfect and make everyone happy, it is a bit of a tall order to expect the lawmakers to anticipate all sorts of crazy business models and legal theories someone could come up with in response to the legislation and prevent them.
That's just not realistic, esp. not when technology is involved which evolves at light speed compared to the comparably glacial tempo of regulatory and legal world.
E.g. GDPR was proposed in 2012, adopted in 2016 and fully in force since 2018. I.e. the entire process took over 6 years!
Where was e.g. Facebook or Amazon in 2012 and where is it today? What about siphoning of (also personal) data by various AI training systems - is that covered by GDPR too or not as they are not really "stored" in the resulting models? Not something one could ask the legislators in 2012 to anticipate, really.
The goal is ambiguity, so that lawyers and judges can argue about and decide each case individually based on their feelings and public sentiment of the parties involved.
The idea that GDPR is a nightmare to navigate is entirely fud. It's pretty clear and the case law has in the main been established. Most of the time when people are saying that it is a nightmare to navigate what they actually mean is they don't like the privacy protections that it gives to EU data subjects and the implications for the data harvesting they want to do as part of their business.
> Meta's Twitter rival launched in over 100 countries today—but not in the EU
Anything more is simply detail - if a major launch of this sort of service omits the EU we immediately know exactly why.