Why?
A thing it seems like a lot of people are missing is that European companies are taken to the same (if not a higher) standard for compliance with EU law.
The EU regulates to ensure that market participants work fairly - these rules are generally not about trading barriers (if they were, they'd do it poorly)
France is not exempt from its anti-privacy law attempts around mass surveillance.
Most parts of Europe have long moved away from any social media dependency; all that's left is IM/chatting.
Where only WhatsApp is a somewhat popular American software, the rest isn't.
Edit:// to clarify I am not saying people aren't using Instagram or even Facebook. My point is they don't use it to socialize anymore
Everyone I know is tired of the concept and tired of the tracking and profiling it entails.
Glancing at people's phone screens while riding public transport, I beg to differ. Doom scrolling everywhere. Though much of it is arguably not really 'social network'-like, as most posts appear to be from strangers half a globe away.
They are just doomscrolling ad platforms, not social media, in my opinion. It didn't replace anything, it just invented a new thing; social is still well and alive in IMs, Slack, Discord, ...
I know a lot of people with children quasi depend on WhatsApp for their children's activities, when in other circles Telegram or Signal would be way more common and the obvious choice.
Edit:// also do they use it as social media or to consume media/ads? If they don't use it as mainly social my point might still be true
On my own Instagram people who I know make up maybe 1 piece of content every second day.
Otherwise it is AI-generated content that is, unfortunately, very engaging but of a very low quality.
So I understand why there are a lot of people on Instagram.
(personally, I prefer to ruin my health with IPAs over doom scrolling)
I don't think you're right on the timing, but a related essay:
https://www.imightbewrong.org/p/why-doesnt-hitler-mcfuckface...
The reality is both things have always been true:
- The EU took the role of shake down artis... er I mean, guardian of consumer privacy because they have no homegrown players who'd be harmed
- American companies use consumer data to make money in ways that are actively harmful to consumer privacy
But anyone who's ever tried asking people for 99 cents for an app that provides hours of utility from people who spend $5 on a daily coffee they're going to urinate out by dinner knows, our ad-driven tech ecosystem is a result of the consumer.
That said... it will be awfully hard for Americans to wriggle their way out of the $125 billion annual trade deficit they run with the EU. If the US stops trading to defend "principled" economic development, then the citizens will be paying down America's debt with their income taxes.
No biggie. It's only like ~$800/taxpayer/year when you run the numbers.
"My grandparents have a clean iPhone for 40 years because of the Snapp Store!! Nobody should be able to install things from 3rd party Snapp Stores, they might be harmful!!"
Hell, you can find some of the same moronic arguments on this very thread still.
Spotify found in violation of EU data protection laws by Stockholm Court - https://www.investing.com/news/stock-market-news/spotify-fou...
Or what about Enel (Italian): https://www.reuters.com/business/energy/italy-regulator-fine...
Or Criteo (French): https://techcrunch.com/2023/06/22/adtech-giant-criteo-his-wi...
H&M (Swedish) fined for breaking GDPR over employee surveillance: https://www.bbc.com/news/technology-54418936
etc.
Additionally, it helps to actually learn how the current law developed - it primarily was modeled after the German Bundesdatenschutzgesetz, which was put into law in a modern form in the 90s, long before FAANG.
[0] see the tracker: https://www.enforcementtracker.com/
Speaking from personal experience, American companies, especially the big ones, tend to treat everyone else as "Americans that they don't know they're American yet" or alternatively "slightly dumb Americans".
At least for one of them, yeah, they apply the legal laws, but the general decisions are taken in the US with little regard for local "non-impeding laws", I would call them. "Impeding laws" would be laws that would block the launch of something (for example they wouldn't attach an AR-15 to every product sold). "Non-impeding laws" would for example be, labor laws. They just assume that what works in the US sort of works everywhere else and deal with the consequences along the way.
Again just a rough feeling from the list but I would speculate that over 50 percent of fines in total were towards US or non-EU based companies.
In fact Meta alone is fined more than everyone else combined.
What exactly am I missing?
It's a bit like the sweatshop argument. If your company wins out by using sweatshops, yeah, you're going to end up with the billion dollar argument. But if a certain market doesn't want stuff produced by sweatshops, and they decide to dis-incentivize it by tariffing it, that:
a) makes sense from their point of view
b) is moral from a global perspective
Similar approach here.
But saying that the fines are mostly towards EU members when over 2/3 is fined towards US companies is misrepresenting the data and the opposing viewpoint.
* you're going to end up with the billion dollar company
If a company does business in the EU, it's dealing with EU citizens, giving the EU jurisdiction over how that business is conducted.
The EU absolutely has full legal standing for this; if big tech doesn't want to abide by it, they can always leave the EU.
American companies get fined more often for the simple reason that they break the GDPR more often since the US lacks the same legal privacy framework, which means they don't have the same incentive to comply with it and instead try to rules lawyer around it.
It's not a shake down, it's the fucking law which they don't follow and have to pay fines accordingly. Every single business in the EU has to follow these laws, if the US-based ones are not taking proper measures to not act illegally that's on them, not on the legislation, this shake down narrative is quite tired by now.
> Again just a rough feeling from the list but I would speculate that over 50 percent of fines in total were towards US or non-EU based companies.
Perhaps because the US companies are more eager in breaking laws and figuring it out later? Isn't that the whole take on EU vs US business approach, the US ones are big risk takers (including in acting illegally) vs EU ones being risk-averse?
I feel disheartened that this narrative is still spewed on HN, it's just vitriol, the US companies are breaking the law of EU members, if they do business here they need to follow the law, it's absurdly simple.
Whatever this is based on - OP was misrepresenting the data.
US companies have been fined larger sums because their transgressions are more common, they do it repeatedly, and their global revenue is higher, there's no conspiracy here, it's exactly how the law is written.
I invite you to re-read their point:
> The vast majority of fines are towards european businesses.
Which is true, the majority of fines are towards EU-based businesses, not the majority of the amount in fines.
Again, if US-based companies with a much higher revenue and market penetration weren't breaking the laws they wouldn't be levied the higher fines.
No, the EU is trying to protect the rights of its citizens.
If they wanted to "shake down big tech" they'd just do a Turkey or India and pressure them to do their bidding in terms of censorship and information exchange.
We are already leaning on US intelligence agencies for data and every audit finds no problem in how the US handles EU data... get real - the EU is just not in the position to pull the same move because it is not the same kind of entity or legal structure, they do tariffs and regulations/collecting fines.
Though probably safe to assume the smaller fines against smaller companies with smaller lobbying^H^H^H^H^H^H legal teams most likely have :-)
Has it? If anything, EU continues to fleece US companies with nonsensical, hastily-implemented laws and absurd fines.
Or, you know, they could just respect the law. Like other companies that operate here. Novel concept I know.
And, to complement your lack of research, EU companies are subject to those laws and are frequently fined as well for those violations.
spend a lot of time and money moving your things there
live there for a decade
the landlord shows up and informs you that you are forbidden from using the toilet between 6 PM and 8 PM, effective immediately, punishable by a fine equal to your monthly income. why? fuck you, that's why. if you don't like the legal environment you can just pack up and leave
As far as I hear from the HN crowd if the company feels it's not profitable anymore they will just pack up and leave (hence why many here defend not taxing corporations), this is exactly that case: there's money to be made, they will stick around, perhaps realising that paying fines is eating into their profits and change behaviour. If they don't like it, just pack up and leave, corporations are only interested in making profits, housing is not analogous to that as much as you might want to play that card.
Pretend you're a normal person.
Secretly snoop on all the phone calls, conversations, documents in the whole house.
Take creepy pictures and upload them "for later"
Monitor all the internet traffic in the house, for all the other inhabitants.
Throw a hissy fit when you're fined for knowingly, blatantly breaking the law for years (and sometimes lying about that).
https://wire.com/en/blog/metas-stealth-tracking-another-eu-w...
Just to clarify I completely agree with the fines in both the US and EU, remember big corporations are not your "team" (for the vast majority of you).
But the entire structure of US car design is an anti-competitive barrier! There's all sorts of special extra requirements and taxes to discourage overseas manufacturers or smaller cheaper cars, and Americans are proud of that! Not to mention the recent fad for tariffs.
But in the end this kind of thing shouldn't be regulated by lawsuits from individuals. The fines as I remember it can be up to 4% global annual revenue and it's about time someone actually handed a fine of 4% global annual revenue to a company the size of Meta, so companies finally realize that the law isn't just a recommendation.
Most of the world, actually. Pure common law systems are just in CANZUKUS (and a few dozen of other minuscule former British colonies).
There is an EU directive that allows for "representative action" but it's much narrower in scope compared to what Americans are familiar with in class action.
For example there's a law that says the airline needs to pay you 400€(?) if your flight is delayed by more than 2h if it's due to the airline's fault.
There's a company that handles these cases for 130€.
That's 270€ you get and you just need to enter some data.
I never used one of the "collection agencies", because it's an incredibly easy process to do yourself. Yes some airlines try to wiggle out of it, but you just threaten them with going to arbitration (I think that's what it was? I've moved away from Europe several years ago), and show that you know the rules and they quickly let up, because IIRC they get fined (not just your compensation) if they get found to be in the wrong.
There are some issues with contingency fees in German legal professional law. However, it can be argued that suing for these 5,000 EUR is just "collections", so it may be allowed.
The risk lies elsewhere: As I outlined in another comment, there is reason to believe that this may not stand on appeal, or at least that other courts in other parts of Germany may decide differently. As a result, it takes a lot of capital to keep all of these lawsuits going until the Federal Court of Justice or the ECJ have decided and there is legal certainty.
Germany doesn't have the same litigation incentive structures as the US - no contingency fees, loser-pays costs, and relatively limited collective redress options. Most German consumers aren't going to file individual €5,000 lawsuits over tracking pixels, especially given the legal costs and time involved.
Personally, I hope this gets picked up by a consumer protection organization or a well-funded litigation group. Germany has been gradually expanding its collective action framework, but it's still primarily driven by qualified entities rather than individual plaintiffs.
Completely agree that if it's a similarly straightforward process there will be businesses offering to litigate on the users' behalf and collect a fee, I'd be jumping on it if I only had to file a report and wait for the work to be done to collect a couple thousand €.
This seems like the bizarro world version of American debt collection firms, cool!
More and more European alternatives pop up, governments and companies are switching stack.
It will take a while to migrate, but I am sure effects will be visible soon enough to US companies
For example, the court ruled that the plaintiff is entitled to these damages without even hearing them personally on what kind of injury they sustained. This is an interesting direction, and we will see how it is argued in the decision itself. I would assume this could be something that Meta challenges on appeal.
Another way to go would be to argue that this lawsuit involves unresolved questions of EU law that need to be addressed by the ECJ.
In either case, this verdict will create some legal uncertainty in the short term, and I assume many people will sue---but we shall see what happens on appeal and perhaps at the ECJ, which will perhaps be a couple of years out.
"Meta, operator of the social networks Instagram and Facebook, has developed Business Tools that numerous operators integrate into their websites and apps and that send the data of Instagram and Facebook users to Meta. Every user is individually identifiable to Meta at all times as soon as they have moved around on the third-party websites or used an app, even if they have not logged in via their Instagram or Facebook account. Meta Ireland sends the data, without exception, worldwide to third countries, in particular to the USA. There it evaluates the data to an extent unknown to the user."
It doesn't matter whether GDPR mentions any specific word. What matters is what the technologies referred to by the word "tracking" actually do. And what they do clearly requires consent under GDPR.
The paragraph you posted implies (but does not explicitly state) that Facebook's ability to identify individual users would still be noncompliant even if the website has received consent from the user to embed Facebook's technology. Or does the court blame the website's noncompliance on Facebook?
"The court’s decision exposes all websites and apps using tracking technology to significant lawsuits, experts said."
1. The sum. You are tracked and you get shown some ads. How does that cause you 5k EUR in damages?
2. Responsibility. If a site decides to add tracking or ads from a company, is only the ads company responsible for the tracking and damages?
3. Many of the services on the internet are free or cheaper because of ads. Because of that I find the attitude of the judges making these rulings disingenuous.
4. How much of this is outrage against American companies caused by the rift between US and Europe?
JimDabell•8h ago
Facebook’s latest approach is to give people instructions on setting up a relay server in their own infrastructure so that privacy software that blocks third-party tracking still works, even when it looks at IP addresses to detect things like CNAME cloaking.
https://developers.facebook.com/docs/marketing-api/conversio...
rkagerer•9h ago
I recently told my bank I don't agree to their new privacy terms. I sent them all 26 pages, marked up with various red lines crossing out the objectionable clauses. One was about tracking pixels, web beacons and the like.
There was also much worse stuff contained like behavioral profiling and sharing my data with outside advertising conglomerates.
After-the-fact opt out mechanisms were described for a lot of it, but I explained very clearly that I am not consenting in the first place. The fact they provide an opt out for some of the most shameful portions reinforces that they don't need consent in the first place to provide me with banking services. I don't know who in their right mind would accept such terms. Unfortunately most individuals I know wouldn't have a clue what the jargon means or how it affects them.
A meeting was set up with my bank manager, and to underscore my point I brought in the original, aged-parchment paperwork I signed over two decades ago to open the account. That was only 5 pages long by comparison.
I also brought in a screenshot from Facebook that proved the bank uploaded some information about me to them in a Custom Audience customer list (a tool offered to advertisers that perversely deputizes them in Meta's quest to ingest all of our personal information). They have no business telling Meta or other third parties who I bank with (which is what the hashed uploaded lists are used to match & confirm).
The manager was quite understanding of my concerns and agreed none of what I objected to is legitimately needed to provide me with banking. I politely explained if they expected me to agree to this garbage I would take my personal and business deposits elsewhere.
I was pragmatic, and realize they're not going to reprogram their whole web portal just for me, but told them if they were going to go ahead and embed web beacons and the like in pages served up to me, or engage in more aggressive privacy violations, then they're doing so without my consent (an important distinction if I suffer damages down the line). In the end, my redlined version of their policy was affixed to my file to document that I do not in fact accept their terms, and they got to keep me as a customer. Not as good as a countersigned revised agreement, but enough to indicate my intent should consensus ad idem come into question.
I realize this was a lot of time and effort (and some risk of further nuisance if it failed and my accounts had to be closed), expended for something most people don't seem to care about. But the growing trend of companies outside tech adopting all our worst dark patterns really gets my gears grinding.
The story goes to show that if you choose to push back, sometimes you can win.
Good job Europe, keep blazing a trail which I hope my country eventually decides to follow.
rkagerer•8h ago
Mainly, they'd have a much harder time basing a defense on having had my consent, should I have cause to sue them down the line.
> they didn't sign any of your changes
I didn't sign any new agreements of theirs, either.
The manager did of course check that all the relevant knobs and dials in their system able to be turned off were set as such.
And it caused them some minor grief. If enough of us were to push back like this, the grief might grow sufficiently for them to do something about it (like maybe recognize nobody wants these godawful policies and there's a great business opportunity for companies that decide to build a brand premised on customer respect).
bluecalm•8h ago
While GDPR had some good intentions the way it is implemented in practice just makes things more difficult for consumers and changes little. For example in Poland one of the major banks still forces you to accept them sharing your information with advertising partners.
The main effect of the regulation is that you waste 30 seconds on every call to a business you make listening to stuff about their privacy policy and then on every form you have to consent to something or be denied service.
rkagerer•8h ago
> you have to consent to something or be denied service
I hate this too.
But I hope consumers start to recognize it isn't always the case. Just because contracts are laid out on screens nowadays instead of paper, doesn't mean they're immutable and must uniformly be accepted as-is. We've been shepherded into a culture of just agreeing to whatever crap is placed in front of us. This is one reason I refuse to use DocuSign and always insist on paper or PDFs. I recognize not everyone has bargaining power, and I was fortunate in my case.
Interestingly, where there is unequal bargaining power, that fact itself can on occasion bite back against the company. Eg. In my jurisdiction, it obliges the judge to interpret any ambiguity of terms in favour of the party with less agency.
I generally think companies are overestimating how well some of the more unscrupulous terms we're seeing these days will hold up under the test of litigation.
noirscape•6h ago
Sorta yes. The "cookie law" is the EU ePrivacy Directive (not the same as the GDPR, it predates the GDPR by around a decade) and doesn't directly talk about cookies. Rather, it talks about any means in which a remote server can store data on your PC (which includes cookies, but also things like LocalStorage - the law is resilient to innovation).
Basically if you want to store data for things that aren't obviously necessary to provide service, you need to ask for consent to store this information (getting consent for using and sharing information obtained by using these cookies is a separate matter, that's what the GDPR is for). So a shopping cart or a session cookie don't need consent banners, since those get filled out in accordance with things users expect (if you login, it's expected that the site knows who you are in future requests, if you add an item to a shopping cart, it's expected to be kept somewhere and to be cross referenced. Rejecting a cookie consent banner can also place a cookie for this same reason; users expect to not be shown that popup again if they said no.)
Cookie banners are effectively an attempt to maliciously comply with this directive combined with legal paranoia. The second one is easier to explain; if you need consent to store some cookies, then legal is just gonna tell you that you need consent to store any cookies, no matter how trivial. This is standard legal paranoia, which leads to sites that don't place tracking cookies getting consent banners.
The first is more malicious; browsers can send indicators to servers that they don't want to be tracked at all. That's the DNT header or the GPC header. They are basically the same thing, except the GPC header allegedly has more legal backing - to my knowledge there's no evidence that DNT doesn't work for this purpose and in fact, GPC is worse at protecting against tracking. GPC only opts out against selling data, DNT opts out against tracking for any purpose whatsoever.
Advertisers habitually ignore/use these headers for fingerprinting, but a German court has decided that the DNT header has full legal backing as an "I don't want to be tracked" indicator in a case against LinkedIn and that spamming users with consent popups if these headers are present is essentially pestering them to relinquish consent that isn't going to be given. The GPC Header has no such protections, but might be more amenable to the (worse) Californian privacy laws. Advertisers and other companies like to pretend that the DNT header has no legal backing, but it does. Cookie banners could entirely be handled on the browser side, but browsers and advertisers refuse to take this idea seriously because it'd lead to mass rejection of tracking. (Due to perverse incentives at this point; both Mozilla and Google own/are ad companies respectively. This is why Mozilla quietly killed the DNT header at the start of the year, in favor of the GPC header.)
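The server-side behaviour the comment above describes, as an added example that is not part of the thread: strictly necessary storage is always set, and the `DNT: 1` and `Sec-GPC: 1` request headers are treated as refusals that suppress the consent banner for the purposes they cover. The purpose names, item names and the rule that a browser signal overrides a stored banner answer are assumptions made for illustration; the DNT-versus-GPC scope follows the comment's description.

```javascript
// Added example: consent decision driven by browser privacy signals.
// Purposes, item names and the policy mapping are constructed for illustration.
const PURPOSE = Object.freeze({
  NECESSARY: "necessary",   // session, shopping cart, remembering a refusal
  ANALYTICS: "analytics",   // first-party measurement
  AD_SHARING: "ad_sharing", // data sold to or shared with third parties
});

// HTTP header names are case-insensitive, so normalise before reading them.
function readSignals(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  return { dnt: h["dnt"] === "1", gpc: h["sec-gpc"] === "1" };
}

// Purposes the browser has already refused on the user's behalf.
// Per the comment: DNT covers any tracking, GPC only selling/sharing.
function refusedBySignal({ dnt, gpc }) {
  const refused = new Set();
  if (dnt) {
    refused.add(PURPOSE.ANALYTICS);
    refused.add(PURPOSE.AD_SHARING);
  }
  if (gpc) refused.add(PURPOSE.AD_SHARING);
  return refused;
}

// storedChoice: answers from an earlier banner, e.g. { analytics: true },
// or {} if the user was never asked.
function decide(headers, storedChoice, items) {
  const refused = refusedBySignal(readSignals(headers));
  const allowed = [];
  const denied = [];
  let showBanner = false;

  for (const item of items) {
    if (item.purpose === PURPOSE.NECESSARY) {
      allowed.push(item.name);            // no consent needed
    } else if (refused.has(item.purpose)) {
      denied.push(item.name);             // signal is the answer: do not ask
    } else if (storedChoice[item.purpose] === true) {
      allowed.push(item.name);
    } else if (storedChoice[item.purpose] === false) {
      denied.push(item.name);
    } else {
      denied.push(item.name);             // not set until the user answers
      showBanner = true;
    }
  }
  return { allowed, denied, showBanner };
}

// Constructed sample of what a site might want to store.
const SAMPLE_ITEMS = [
  { name: "session_id", purpose: PURPOSE.NECESSARY },
  { name: "cart", purpose: PURPOSE.NECESSARY },
  { name: "analytics_id", purpose: PURPOSE.ANALYTICS },
  { name: "ad_partner_sync", purpose: PURPOSE.AD_SHARING },
];
```

With `DNT: 1` the banner is never shown and only `session_id` and `cart` are set; with only `Sec-GPC: 1` the ad-sharing item is refused outright and the banner asks about analytics alone.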
rkgkglflms•8h ago
What your bank is doing is clearly illegal.
bluecalm•7h ago
>>GDPR actually says that it’s illegal to condition content or services on the acceptance of tracking
Good intentions, doesn't work. You call a bank, they read a contract to you for 5 minutes you spot some sharing with partners (who knows who they are) there, you try to protest saying "ok but let's make sure it's not for advertisement" and the answer is "I can't do anything that's the contract you either accept or we can't open an account for you".
>>This is very easy for a layman to understand when reading GDPR.
What matters are laws of specific countries that implement it and what results are in practice. That's why I wrote about good intentions and real effects.
>>What your bank is doing is clearly illegal.
And there is nothing I can do about it.
Kbelicius•6h ago
> And there is nothing I can do about it.
So your argument for why GDPR is bad is that it is not being followed by all that it applies to... I mean, what do you expect as a response to that besides "That is stupid"?