[HN Gopher] Grindr to be fined almost EUR10M over GDPR complaint
___________________________________________________________________
Grindr to be fined almost EUR10M over GDPR complaint
Author : izacus
Score : 287 points
Date : 2021-01-26 09:29 UTC (13 hours ago)
(HTM) web link (noyb.eu)
(TXT) w3m dump (noyb.eu)
| Traubenfuchs wrote:
| Bug or user hostile design?
|
| Grindr presents me the third party data choice dialog every day.
| Sometimes multiple times per day. I reject every time. Also, it
| forgets that I set my units to metric regularly. Grindr is a
| mess. Besides its big user base, it is a garbage app.
| metalliqaz wrote:
| sounds like both. sounds like a feature designed to implement a
| dark pattern is broken.
| w_t_payne wrote:
| It seems to me that this precedent potentially kills off a big
| chunk of the ad-supported app economy.
|
| How are investors reacting to this?
| anticristi wrote:
| We need to separate "showing advertisement" from "surveillance
| capitalism". You can (and should) show advertisement without
| infringing the privacy of your users.
|
| I see two potential outcomes:
|
| 1) Ad-supported apps will serve ads without hoarding personal
| data, e.g., a weight tracking app will show weight-loss ads to
| everyone.
|
| 2) We will see more paid apps.
|
| Just as investors don't invest in companies doing financial
| fraud, I'm hoping investors will also do more due diligence on
| the privacy posture of their portfolio.
| kristofferR wrote:
| GDPR contains special protections for LGBT people, but Grindr
| shared their users' private information with third parties anyway,
| since they argued that Grindr users might be straight...
|
| Pretty shocking and absurd.
| eplanit wrote:
| Why should one group have special protection relative to
| another?
| TheCoelacanth wrote:
| They don't. Tracking that someone is straight would be
| subject to the same rule.
| yarcob wrote:
| There's no special protection for LGBT, but sexual orientation
| is considered sensitive information. If you tell advertisers
| (implicitly or explicitly) whether a user is gay or straight,
| that requires explicit consent.
| Blikkentrekker wrote:
| That is quite silly if it truly be so -- are we moving to the
| Anglo-Saxon "protected classes" model now?
|
| If I understand this correctly, it is not a problem, or a
| lesser or different problem if such a company share that a
| client finds being stroked on his earlobes to be highly
| arousing, or is a big _aficionado_ of the "big black cock",
| as those are not "sexual orientations"?
|
| That seems like a rather arbitrary distinction I am not used
| to from E.U. regulations.
|
| _P.s._ : I see that someone else quoted " _data concerning a
| natural person's sex life or sexual orientation_ ", -- which
| is already significantly less arbitrary; the "or sexual
| orientation" is merely a superfluous inclusive.
| yarcob wrote:
| I just looked up the relevant section in the GDPR, and it's
| actually pretty clear:
|
| It's section 9 "Processing of special categories of
| personal data"
|
| https://gdpr-info.eu/art-9-gdpr/
|
| > 1. Processing of personal data revealing racial or ethnic
| origin, political opinions, religious or philosophical
| beliefs, or trade union membership, and the processing of
| genetic data, biometric data for the purpose of uniquely
| identifying a natural person, data concerning health or
| data concerning a natural person's sex life or sexual
| orientation shall be prohibited
|
| > 2. Paragraph 1 shall not apply if one of the following
| applies:
|
| > (a) the data subject has given explicit consent to the
| processing of those personal data for one or more specified
| purposes, except where Union or Member State law provide
| that the prohibition referred to in paragraph 1 may not be
| lifted by the data subject;
|
| > (...)
| Blikkentrekker wrote:
| So any data that does not fall under that blacklist is
| free game?
|
| I still find that quite arbitrary to make that
| distinction, not to mention the wiggle room it leaves
| with many of those categories being rather ill-defined.
|
| At what point does an opinion become "political"? What is
| "racial" and "ethnic origin" is quite open to
| interpretation; when is a belief "philosophical"?
|
| The way I understand this paragraph, it could conceivably
| be so that an opinion that, say, consoles are not suited
| for f.p.s. games could freely be processed, but an
| opinion that U.K. roads are unsuitable for cycling could
| not, as the latter would be more easily classified as
| "political" even though the former could too, and the
| latter could conceivably not as well?
|
| I find that very arbitrary.
| yarcob wrote:
| > So any data that does not fall under that blacklist is
| free game?
|
| No. That list are data that are considered especially
| sensitive, and so it's generally prohibited to process
| personal data of this kind. As far as I can tell it's the
| strictest part of the GDPR, so it's probably also the
| easiest to enforce.
|
| If some data doesn't fall into these "special
| categories", the rest of the GDPR still applies. The GDPR
| applies to any data linked to natural persons.
| Blikkentrekker wrote:
| Yes, so we arrive at " _if I understand this correctly,
| it is not a problem, or a lesser or different problem_ "
| as I first asked.
|
| I find this distinction to be bereft of a proper
| justification. As I said elsewhere, I cannot think of any
| salient reason to not cover name and address as a means
| to identify a person, but do cover far more obscure and
| unlikely biometric data.
|
| It should not be protected in any different way.
| yarcob wrote:
| This is getting a bit off-topic, but there are good
| reasons why biometric data is especially sensitive.
|
| For example, the GDPR emphasizes the "right to be
| forgotten". If something bad happened to you, you may not
| want to be forever defined by that event. A kidnapped
| person might not want to be forever known as just a crime
| victim. So they can ask Google to remove mentions of
| their name, and they can even legally change their name
| as a last resort.
|
| But if eg. Facebook stored their face measurements and
| then automatically tagged them in a newly uploaded photo
| all that would be pointless.
|
| So it makes sense to treat certain data as more
| sensitive.
|
| At the same time, the GDPR doesn't want to go overboard
| with regulation. Name and address are data that lots of
| businesses need to process -- eg. every online store
| needs to collect customer name and address and pass it on
| to payment providers, shipping companies, etc. It would
| be really inconvenient if you'd need explicit permission
| for each use ("Do you consent that I can tell the post
| office where to deliver your package?").
|
| Sure, someone may find a way to abuse a list of names and
| addresses, but it's just not as sensitive as other data.
|
| I think the GDPR actually strikes a great balance between
| protecting people's privacy and not inconveniencing
| businesses. If you only collect and process data that's
| absolutely necessary for providing your service, the GDPR
| won't inconvenience you much.
| Blikkentrekker wrote:
| > _So it makes sense to treat certain data as more
| sensitive._
|
| I cannot change my name so easily as far as the Dutch
| government is concerned as well as that of many other
| European countries. I need a reason of significance and a
| simple " _I wish to be forgotten and start a new life._ "
| is not accepted, as it is in many European countries.
|
| If the E.U. cared so much about this, it would mandate
| that its member states permit easier name changes.
|
| Simply put, it is easier for me in the Netherlands to
| have plastic surgery and change my biometric data, than
| it is for me to change my name so I am wholly unconvinced
| by this argument and it seems _ad-hoc_ to justify what is
| purely an irrational distinction.
|
| > _At the same time, the GDPR doesn't want to go
| overboard with regulation. Name and address are data that
| lots of businesses need to process -- eg. every online
| store needs to collect customer name and address and pass
| it on to payment providers, shipping companies, etc. It
| would be really inconvenient if you'd need explicit
| permission for each use ("Do you consent that I can tell
| the post office where to deliver your package?")._
|
| There are already exceptions in place in the law where
| data may be collected if it be essential for operations.
|
| As it stands, companies may ask for my name and address
| when they have no need for it to process anything, this
| information can surely be used to uniquely triangulate my
| identity with little effort, far more effort would be
| required to do so with a picture of my face, or a scan of
| my retina.
|
| This seems highly arbitrary and ineffective to me. I
| remain very much unconvinced that this distinction is one
| that was given any serious thought.
|
| > _Sure, someone may find a way to abuse a list of names
| and addresses, but it's just not as sensitive as other
| data._
|
| It is far, far more sensitive.
|
| Would you rather that your name and address be placed on
| _H.N._ , or that your fingerprints or retinal pattern end
| up here? Would you rather a stalker have the former or
| the latter?
|
| To triangulate a man's identity from biometric data
| requires specialized equipment, to do so from name and
| address is a trivial endeavor a layman can undertake.
|
| > _I think the GDPR actually strikes a great balance
| between protecting people's privacy and not
| inconveniencing businesses. If you only collect and
| process data that's absolutely necessary for providing
| your service, the GDPR won't inconvenience you much._
|
| I do not. I find the distinction made here to be
| completely arbitrary and undeniable that name and address
| are far more sensitive and open to abuse than biometric
| data, the latter requiring specialized equipment to make
| use of.
|
| Again, would you rather a stalker have your name and
| address, or your retinal scan?
| Blikkentrekker wrote:
| As another note on your claim of the necessity of
| address:
|
| It would be absolutely trivial to implement a system
| where one might request a randomly generated code with
| the postal service, that can be placed on a letter that
| maps to one's real address, except of course, that the
| real address cannot be retrieved from it, which is hidden
| with the postal service.
|
| With such a trivial scheme, it would be possible to
| receive mail without having to leak one's place of
| residence to the sender, simply give them such a code,
| which could even be set to expire within a set timeframe,
| at which point the postal service deletes the connexion
| to one's real address, for fear their data be leaked.
|
| It's trivial; it's of far greater importance than the
| sensitivity of biometric data, yet it is not there.
|
| I can only gander it's not, because the E.U. is extremely
| arbitrary at what points it cares about one's privacy.
| Name and address are absolutely, as I argued elsewhere,
| some of the most sensitive data available, and there are
| trivial measures that could be taken to secure it better,
| yet these are not implemented, for the E.U. is extremely
| arbitrary and not rational in its decisions.
| anticristi wrote:
| "Jein" (German for "yno"). Look at it in historic
| context. This article can be seen as an anti-holocaust
| clause. Don't collect data that was too often used to
| harm minorities.
| Blikkentrekker wrote:
| Yet many data that aren't listed under it can also be
| used to harm minorities, and many data that are, can not.
|
| How exactly does biometric data to identify a person, but
| not a name and address to do the same differ in how much
| it can be used to harm minorities?
|
| They are both a means to uniquely triangulate the
| identity of a person, one is arbitrarily allowed but the
| other is not. It's as arbitrary as if not permitting
| murder with poisons, but permit it so long as it be done
| with a knife.
| anticristi wrote:
| A database of names and addresses does not tell you who
| in that list is a minority. You can't do:
| SELECT address AS to_harm WHERE sexual_orientation IN
| ('unusual');
| Blikkentrekker wrote:
| Neither does biometric data?
|
| How can I tell minority status from a fingerprint or
| retinal scan?
|
| It seems rather arbitrary to treat name and address
| differently from fingerprints.
|
| I would argue that minority status correlates more
| heavily with name than with retinal patterns.
| detaro wrote:
| specifically,
|
| > _data concerning a natural person's sex life or sexual
| orientation_
|
| is among the things with stricter rules under Article 9:
| https://gdpr-info.eu/art-9-gdpr/
| cblconfederate wrote:
| no more special than for straight people
| speedgoose wrote:
| Grindr collects and shares quite a lot. Things such as HIV
| status, sexual preferences, body type, advertising ids, or
| GPS coordinates. To third parties from the app, and not
| always using encryption.
| cblconfederate wrote:
| I meant that gdpr has no special provisions for LGBT
| jacquesm wrote:
| What do you think would be the chances of having an
| article 9 provision specifically mentioning 'sexual
| orientation' if everybody was straight?
|
| https://gdpr-info.eu/art-9-gdpr/
| nulbyte wrote:
| Presumably, similar arguments could be made in each of
| the other classes, but none of them work. While these
| protections might be related to a history of
| discrimination, they do not apply to some more than
| others. They apply to everyone in the class equally.
| Hamuko wrote:
| What would be the chances of having an article 9
| provision specifically mentioning "philosophical beliefs"
| if everyone had the same philosophical beliefs?
|
| Of course, people don't have the same philosophical
| beliefs which is a pretty caveat to the whole argument.
| user-the-name wrote:
| "Companies cannot just include external software into their
| products and then hope that they comply with the law. Grindr
| included the tracking code of external partners and forwarded
| user data to potentially hundreds of third parties - it now also
| has to ensure that these 'partners' comply with the law." - Ala
| Krinickyte, Data protection lawyer at noyb
|
| This has a pretty wide impact, I'd say.
| SiempreViernes wrote:
| The impact comes from Grindr being _responsible_ for the
| collected data, obviously just handing that data to a third
| party to do whatever is not responsible handling of it.
|
| Grindr actually distributed data from persons that had opted-
| out, reasoning that setting a flag should stop the down-stream
| processors from touching the data. That is literally the gossip
| girl using the "don't tell anyone this" principle of
| privacy protection!
| user-the-name wrote:
| The thing is, third-party SDKs often do data collection on
| their own. Or, even if they don't, they _could_ do so, and
| you don't really know if they do or not.
| speedgoose wrote:
| Yes Facebook's SDK is unfortunately very common for
| example.
|
| But Grindr and applications developers in general are
| responsible for the data. They have to know and have a data
| policy with their third parties.
| SiempreViernes wrote:
| Well, now the GDPR gives you 10% of your revenue as a
| reason for not using SDKs that will not give you control of
| data collection.
|
| You always had "respect the privacy of users" as a reason
| not to use them before, but we all know how well that
| worked.
| anticristi wrote:
| "We value your privacy" has never been truer.
| user-the-name wrote:
| The problem here is that if you want to implement
| Facebook login in your app, you have to include the SDK.
| It is against ToS to do it any other way.
| etripe wrote:
| Well, if that SDK contains tracking stuff, the question
| then becomes whether the SDK has an opt-out option. If
| yes, it's on the consumer of the SDK. If not, then
| whether the TOS is enforceable in Europe.
| SiempreViernes wrote:
| Seems like the specific problem there is Facebook
| enticing you to break the law. You could try filing a
| complaint with some appropriate data protection agency.
| TeMPOraL wrote:
| Then don't implement Facebook login in your app, unless
| SDK becomes adapted to make its use GDPR-compliant. It's
| really a problem between you and Facebook at this point.
| anticristi wrote:
| This.
|
| The whole point of Facebook login and like was to collect
| data from unsuspecting users. Devs and product managers
| didn't care. GDPR makes this "laisser faire" attitude
| expensive.
| hamilyon2 wrote:
| I can't help but feel this is not that simple. Wording in article is
| odd.
|
| If data sharing was conditioned on not paying for the app use,
| then this could be against what this forum usually stands for.
|
| I, too, will happily pay for my data being not used and seeing no
| ads.
|
| We need more details about this case.
| magicalhippo wrote:
| Here is what the Norwegian Data Protection Authority says:
|
| _In the cases of Smaato, OpenX and AdColony, Grindr "only"
| transmitted a signal conveying the data subject's "opt-out"
| preference. We understand that advertising partners could
| choose to ignore that signal. In any case, Grindr would have to
| rely on the action of others, either the user, the operating
| system, Grindr's partners, or a combination of the
| aforementioned, to halt its sharing of data where so required.
| In consequence, Grindr failed to control and take
| responsibility for their own data sharing, and the "opt-out"
| mechanism is not necessarily effective._
|
| _Furthermore, for a consent to be "freely given", accepting to
| the particular processing operation should be as easy as
| declining, and the choice should be intuitive and fair._
|
| [1]: https://www.datatilsynet.no/en/news/2021/intention-to-
| issue-... ("Advance notification of an administrative fine")
| nulbyte wrote:
| > I, too, will happily pay for my data being not used and
| seeing no ads.
|
| These are two different things, sharing data and displaying
| ads. The ad industry has forgotten that you can advertise
| without collecting hoards of personal data, and they've
| convinced the rest of us that it can't be done.
|
| The point here is that sharing data in the way Grindr is
| sharing it with third parties is not core to its business. That
| is, no one signs up for Grindr because of that functionality.
| Folks sign up to Grindr to find and message others. That
| functionality does not require the type of data sharing being
| reviewed in this case, and that sharing of data is distinct
| from merely displaying advertising.
| progre wrote:
| Didn't know Norway has GDPR as they are not in the EU but
| apparently they have.
|
| https://www.lexology.com/library/detail.aspx?g=34dfb199-c9ab...
| [deleted]
| that_guy_iain wrote:
| EEA has all the laws and requirements of the EU but without
| representation. So they have to follow the laws and rules but
| don't have a voice in the rules. I have no idea what the
| benefit of the EEA is for its members other than political
| that they can say they're not in the EU but there must be some,
| maybe they don't need to pay in like EU members do?
| hkh28 wrote:
| > I have no idea what the benefit of the EEA is for its
| members
|
| We have the option to reject certain EU-rules, and can
| negotiate special exemptions into our agreement. Norway has
| some exemptions in fishing rights that are central to our
| agreement. Under the previous government we also rejected the
| EU Postal Directive, though the current government has since
| accepted it.
| that_guy_iain wrote:
| The UK had those too while being a member.
| foepys wrote:
| The UK always got special treatment while they were in
| the EU. No other country was allowed to come even close.
| Which made Brexit so much more surprising to the EU.
| Hamuko wrote:
| Perhaps it's not that surprising that the curmudgeon with
| one foot out of the EU already decided to take the second
| one out as well.
| anthonybennis wrote:
| Benefit is equal access to Common Market as an EU member.
| that_guy_iain wrote:
| Sorry, I meant benefit of EEA over EU membership.
| izacus wrote:
| I think both EEA members could negotiate carve-outs where
| the EU rules don't hold for them and they keep certain
| privileges.
|
| E.g. Switzerland can still have customs and charge
| customs charges on some items.
| thefounder wrote:
| They have some "special rights" on natural resources. i.e
| oil, fishery. I think the EU will close that loophole
| soon.
| Majestic121 wrote:
| Is there any reason for the EU to close that loophole now
| ?
|
| It seems to be a pretty good partnership so far, and I
| did not read anything about a will from either side to
| change anything about it yet, but I might be misinformed
| kristofferR wrote:
| It's pretty stupid to call it a loophole at all. It's
| like calling the Xbox Series S a next-gen gaming
| loophole.
| kristofferR wrote:
| Not having to adopt the Euro is also a "special right".
|
| It's not well known, but all EU countries are required to
| adopt the Euro (except for Denmark who have a real opt-
| out). The countries who haven't are using a loophole to
| bypass the requirement of Euro adoption, by purposefully
| failing to fulfill some standards.
|
| https://en.wikipedia.org/wiki/Enlargement_of_the_eurozone
| vidarh wrote:
| They can't "close that loophole". It's an integral part
| of the EEA treaty. If the EU withdraws from the EEA
| treaty it would virtually guarantee that support for EU
| membership in Norway would sink like a rock out of sheer
| anger. It would lead to Norway withdrawing further from
| the EU, not joining, so it'd be entirely
| counterproductive.
| olavgg wrote:
| This is true, Norway and Switzerland are strong economies
| that can stay outside EU. Norway has a lot of oil
| compared to the number of people who live there, which
| makes Norway a more independent economy than for example
| UK. I do think Norway would benefit by becoming a full EU
| member. But there are also good reasons not to. So the
| EEA treaty is the best of both worlds. Norway loses and
| gains some.
| xyproto wrote:
| Also, EU has a ruleset adapted to the climate of central
| Europe and not to cold places where almost no food grows
| and eating seals and fighting polar bears is how you stay
| alive. This is an extreme example, but Norway is more
| dependent on fish for sustenance than many other
| countries.
| vidarh wrote:
| Norway is dependent on fish mostly because of the
| _export_ value. A lot of fish is eaten in Norway, sure
| but the Norwegian economy is such that local production
| has very little to do with what people choose to eat.
|
| The only place in Norway Polar bears live is Svalbard,
| far North of the mainland. Most Norwegians have never
| visited because it's far away (a 1h 40m flight North from
| Tromso in Northern Norway - similar to how long it takes
| to fly South to Central Europe from Oslo) and way too
| cold and miserable.
|
| Seal is something few people eat very often. A huge
| proportion of the population will never ever have tasted
| it. Like whale, it's uncommon these days.
| ginko wrote:
| > eating seals and fighting polar bears is how you stay
| alive
|
| Your image of Norway may be a bit off..
|
| It's true though that Norway is overly protective of its
| food industry. And arguably for good reason since it
| wouldn't be competitive at all if integrated with the
| rest of Europe.
| xyproto wrote:
| I am Norwegian, apparently I just didn't express myself
| clearly enough.
| vidarh wrote:
| As a Norwegian, I do like the idea that foreigners see me
| as capable of fighting a polar bear.
|
| As for seals, I've eaten seal, I think, but it's hardly
| been a dietary mainstay... We used to have whale
| regularly when I was a kid, mostly because back then it
| was much cheaper than beef (and much tougher, and oily...
| it was not great meat - it's expensive now due to low
| supply and nostalgia).
| martin8412 wrote:
| For Norway the reason is fish. Since they're not in the
| EU, they don't have to allow others access to fish in
| their waters.
| detaro wrote:
| and agriculture (and agriculture subsidies).
| vidarh wrote:
| This is a big one for Norway as food security has been a
| big strategic focus for Norway ever since the British
| naval blockade against Denmark-Norway during the
| Napoleonic wars, reaffirmed by the hardships during the
| Nazi occupation.
|
| It's still largely politically untenable in Norway to
| oppose agriculture subsidies.
| jacquesm wrote:
| There is something a bit sad about having present day
| policy be determined by the Napoleonic wars.
| vidarh wrote:
| At this point it's more of a curiosity than something
| most people are aware of. It was the starting point of a
| realisation that choking off just a handful of trade
| routes could starve the country.
|
| Today the main reminder is that Norwegian school children
| still tend to learn the epic poem "Terje Vigen" by Ibsen,
| about a man who braves the blockade to feed his family
| and is captured - coupled with food security being a
| talking point in other subjects. It's not pushed very
| hard, and many probably at this point don't even make the
| connection.
|
| The main modern justification is WW2, where the subject
| of food security gets reinforced with stories of bread
| made with bark etc., and post-war rationing.
|
| Couple that with the constant fear of the Soviet Union
| (to the point that when growing up, we had regular air
| raid siren tests - today they're so rare the newspapers
| write articles to explain what they are) only reducing to
| unease about Russia, and food security is still a
| political topic.
| jacquesm wrote:
| We still do the air raid tests here too, every 1st Monday
| of the month at noon, but they are more for other kinds
| of disasters (pollution, gas leaks, large fires and so
| on). That system is about to be phased out completely,
| because mobile phones are a much faster way to reach
| people.
|
| Personally I don't mind the sirens, they tend to work
| pretty reliably and every time the mobile phone network
| was used to indicate something was up for some reason I
| totally missed the message, never received it or received
| it more than a day later.
| xyproto wrote:
| It's tragicomic that this was part of the reason for
| Brexit, but they ended up with letting other countries
| fish in their waters anyways.
| josefx wrote:
| Weren't pretty much all the reasons for Brexit bullshit
| from the start? I heard that some politicians even gave
| nonsensical statements in more recent interviews so that
| searches for various keywords would hit those instead of
| the original Brexit promises.
| gridder wrote:
| And can fish without any external limit. See the pilot
| whales hunt in the faroe islands:
| https://youtu.be/ws99HlPBySA
| vidarh wrote:
| The Faroe islands are not Norwegian, and Norway does not
| allow hunt of pilot whales.
|
| EDIT: That's not to say Norway doesn't still do whaling,
| but quotas are only for minke whales. Of a quota of 1278
| for 2019, 429 were caught. But pilot whales explicitly
| still do not meet the conditions required (size of
| population etc.) for Norway to allow hunt.
| [deleted]
| momento wrote:
| Contrary to popular belief, the EEA is not required to follow
| every law set within the European Union.
|
| > The EEA Agreement does not cover the following EU policies:
| common agriculture and fisheries policies (although the EEA
| Agreement contains provisions on trade in agricultural and
| fish products); customs union; common trade policy; common
| foreign and security policy; justice and home affairs (the
| EEA EFTA States are however part of the Schengen area);
| direct and indirect taxation; or economic and monetary union.
|
| See section 5, "What is not covered by the EEA Agreement?":
| https://www.efta.int/eea/eea-agreement/eea-basic-features
| yarcob wrote:
| There are also passport checks when you fly to Norway from
| other EU countries. For flights between other EU countries
| you generally just show the QR code on your phone. At least
| that was my experience, but it's been a few years since I
| last flew. (Except flights to UK before Brexit, I think they
| always required passport checks)
| dmitriid wrote:
| > There are also passport checks when you fly to Norway
| from other EU countries.
|
| Except countries in the Nordic Passport Union:
| https://en.wikipedia.org/wiki/Nordic_Passport_Union You
| need zero documents to travel between these (well, you need
| a ticket if you fly or travel by train or a bus).
| yarcob wrote:
| So I read the article, and in theory there should be no
| passport checks with other EU countries either because of
| Schengen, but apparently they have "temporary border
| controls" since 2015 in violation of the agreements.
| dmitriid wrote:
| Indeed.
|
| I flew to Norway from Stockholm before 2015, and I was
| very surprised to just pass directly to the gate (and
| same on the way back).
| gspr wrote:
| > There are also passport checks when you fly to Norway
| from other EU countries.
|
| This is incorrect. And the presence or absence of these
| checks is not a EU/EEA matter. The passport free movement
| is a matter of the Schengen agreement. This is why the UK
| had passport checks with most of continental Europe back
| when they were EU members (but not Schengen members).
|
| Norway is a Schengen member, and an EEA member, but not an
| EU member.
|
| This Venn diagram might help (note that it hasn't been
| updated for Brexit): https://upload.wikimedia.org/wikipedia
| /commons/3/3c/Supranat...
| yarcob wrote:
| > This is incorrect
|
| You are right about Schengen.
|
| But I had to show my passport a couple of years ago on a
| flight from Vienna to Norway, so I thought they weren't
| part of Schengen. I'm not sure why, but I believe the
| reason must have been the "temporary border controls"
| introduced in 2015.
| gspr wrote:
| Yes. But that was a temporary, exceptional situation of
| border checks all over Europe.
| xxs wrote:
| >note that it hasn't been updated for Brex
|
| Ah, even Croatia is outside the EU on the diagram - so
| it's way worse than that. That being said: Croatia is
| outside Schengen as well.
| xxs wrote:
| >passport checks ... between other EU countries
|
| The passport checks have nothing to do with the EU, it's
| the Schengen treaty[0] that allows omitting that part.
| Norway is a part of the treaty, so is Iceland for example.
| Some EU countries still don't meet the criteria to join,
| e.g. Romania, Bulgaria. Ireland and the UK are/were outside
| (voluntarily) of the treaty as well - which is one of the
| weirdest parts of the Brexit with the UK actually checking
| its own borders more than most of the rest of the EU.
|
| For example traveling from Poland to Norway by car (and
| ferry Tallinn - Helsinki) requires zero passport/id card
| checks. (id cards are a valid traveling document within the
| EU and Schengen)
|
| [0]: https://en.wikipedia.org/wiki/Schengen_Area
| hoppla wrote:
| Clearview AI has the same impression. They do not allow
| Norwegians to opt out (by uploading your face) - however they
| recognize that Switzerland have GDPR despite not being part of
| EU
| stevespang wrote:
| Could not have happened to a better group . . . .
| xtracto wrote:
| The GDPR has always amazed me. It changed the playing field from
| "you can use our free app as long as you give us data for
| marketing or not use it" to "you can provide a free service in
| the EU as long as you don't collect data for marketing or don't
| provide it"
|
| Without making a judgement on the merits of the approach, as a
| user/individual I appreciate the power this gives to protect my
| data. As a company/developer the complexity of navigating the
| landmines that this poses makes me understand why a lot of non-EU
| companies decide to just block EU users. Is it "good riddance"
| in both cases? Maybe, but still the fact that innovating becomes
| more expensive sits there.
| panpanna wrote:
| I see this as a "it's so hard to run a business with all these
| rules" argument.
|
| We both know rules are extremely clear and simple. They get
| complicated when companies try to go around them.
| anticristi wrote:
| But but but, what about my boilerplate frontend code to add
| zillions of trackers. Do I have to stop copy-pasting those?
| Too hard, GDPR sucks. :))
| throwawayzRUU6f wrote:
| Same whining in finance. Every loophole is ruthlessly
| exploited, shady tactics employed, malicious compliance or
| borderline fraud are commonplace. The legislature changes to
| address that => the actors kvetch about red tape.
| aenario wrote:
| As a company/developer starting from scratch, there is really
| no complexity nor landmines: Do as you say, Say what you do,
| Give the user options.
|
| You can offer the user the choice between targeted advertising
| or non-targeted. You can offer the user the choice between paid
| subscription or advertising.
|
| Can't get enough users to pay or consent? Then you did not find
| market-fit in the real world.
| xtracto wrote:
| Oh but GDPR is more than "don't do marketing". There's stuff
| like "Right to be forgotten" that implementing controls for
| it would require a company starting from scratch to spend
| resources in "getting it right", and then you have things
| like backups, that may or may not fall in scope. And this is
| only one of the 8 rights that the GDPR provides.
| aenario wrote:
| First of all, it's not "don't do marketing", it's don't do
| "user-tracking-and-profiling based advertising". Marketing
| is so much more, like actual market research to provide a
| service users actually want.
|
| You have to handle a "right to be forgotten" query within a
| month, surely this is enough time for one sysop to run a
| prepared query. If your database is so byzantine that you
| can't find all references to a given customer, you are either
| Google or in need of a new architect.
|
| Backups do not need to be deleted immediately, they should
| however expire and be destroyed in accordance with your data
| retention policy (Say what you do, do as you say).
| foepys wrote:
| This fear mongering is absurd. You won't get fined millions
| just because you didn't delete something by mistake. You will
| get fined however if you do this repeatedly and deliberately.
| [deleted]
| pimterry wrote:
| > As a company/developer the complexity of navigating the
| landmines that this poses makes me understand why a lot of non-EU
| companies decide to just block EU users.
|
| The only places I've seen actually do this are local newspapers
| in the US. Are there many other substantial companies doing
| this?
|
| In general, dropping the EU is an expensive game: it's 450
| million people, including many rich developed countries. GDPR
| doesn't mean you can't advertise or do other freemium
| upselling, it just means you can't precisely track people's
| personal data to do so, and the rules for that are fairly
| common sense & clear imo. It's not difficult for most
| businesses to make good money and stay inside the rules.
| anticristi wrote:
| Also, privacy is an international trend. Many countries are
| enacting national GDPR equivalent. Even California enacted
| the Consumer Privacy Act.
|
| I'm not even sure why GDPR is so foreign to the US. Think
| HIPAA for everyone, not just healthcare providers.
| fckthisguy wrote:
| There are definitely a couple of big ones. They get posted on
| here every now and then but I can't remember them because I'm
| in Europe and if they don't want me, I don't want them.
|
| I'd rather not interact with a company that disrespects my
| privacy and it's rather helpful they have to tell me this up
| front.
| abstractbarista wrote:
| Man, I'm glad we don't have that legislation over here.
| esarbe wrote:
| I'm pretty happy that GDPR finally starts being used to limit
| that type of data agglutination. Max Schrems and NOYB are doing a
| great job pushing for better privacy protection in Europe. I just
| hope that the big ones also either change their behavior or get
| forced to account for it.
| Vinnl wrote:
| > Grindr is now relying on a new consent system and alleged
| "legitimate interest" to use data without user consent. This is
| in conflict with the decision of the Norwegian DPA, as it
| explicitly held that "any extensive disclosure ... for marketing
| purposes should be based on the data subject's consent".
|
| This "legitimate interest" shenanigans is coming up more and more
| often, where you have a modal with lots of options to opt in to
| specific forms of tracking. Most of those are now off by
| default, as it should be, except that if you scroll down you
| still see a number of "legitimate interest" ones enabled, even
| though you _can_ turn them off manually.
|
| Edit: And worst of all is this _very_ confusing pattern with two
| columns of toggle buttons, one of which concerns "legitimate
| interest": https://toot.cafe/@peter/105367185171860458
| danielbarla wrote:
| The various dark patterns employed by these consent systems are
| fairly opaque to anyone who bothers to open them, and are
| clearly deliberate attempts at maintaining the old status quo
| of "opt-in by default". Frankly, I am surprised at how few of
| these fines are flying around, though I am quite happy to hear
| they _are_ happening.
|
| I do get that this type of regulation is very disruptive to
| many companies, but if they cannot survive with informed
| consent, then perhaps they should not have been so successful
| without it in the first place.
| HotHotLava wrote:
| I'm baffled by the number of companies that should not have
| any need for third-party cookies and still go full-on dark
| pattern. In particular online shops: I'm already on their
| site, why would they loudly advertise "we're shady and want
| to trick you into selecting all cookies"? I've cancelled more
| than one purchase because I didn't want to bother with this.
| javajosh wrote:
| It's certainly down to bad legal advice. Lawyers are
| trained to take everything they can get. If it turns out
| that was too much, then they frame it as a bargaining chip,
| as leverage to at least recover some fraction of what they
| previously took.
|
| It's sneaky, immoral, unethical and illegal. It also works.
| Taylor_OD wrote:
| Taking everything one can get is not exclusive to
| lawyers. Many engineers would rather have more
| information/data than not enough. Better yet get all the
| data up front and then decide what you need later.
| pbhjpbhj wrote:
| One expects it of many companies. But the BBC seemingly
| have a dark pattern here - if you follow the cookie link it
| shows all cookies are turned off already, so there's
| nothing to do, no confirmation, nada. If you don't follow
| the link they of course have set tracking cookies ... so
| the cake^w link is a lie.
|
| IMO it would be fine to say "we were tracking you but when
| you followed the link we deleted those cookies and won't
| now set them". "Reject all", or default off ("no cookies
| are set, click here to enable the cookie types you wish")
| is better.
|
| What's far worse is the admission that they still use ad
| networks even when those networks are clearly breaking the
| law (ie they offer no settings to disable tracking). Indeed
| BBC should be going further and not allowing advertisers on
| their network to drop cookies if a user has disabled first-
| party cookies. Instead they say "go to these networks and
| disable it yourself", good luck with that!
|
| This from an org funded in [minor] part by taxation and
| whose raison d'etre is supposed to be serving the public
| interest.
| hadrien01 wrote:
| They use ad networks only outside the UK, so the
| taxpayers are not tracked by these networks. They're very
| explicit about it in their cookies explanation: 'Set your
| cookie preferences for performance cookies. And if you're
| outside the UK you can set your preferences for
| personalised advertising.'
| colejohnson66 wrote:
| I've also wondered why there aren't "enough" fines. Are the
| countries just being cautious because they want to establish
| precedent before going after the "big fish" like Facebook or
| Google? Or is it something else?
| corty wrote:
| Data protection officials are generally understaffed and
| underfunded. GDPR has increased public awareness, scope and
| thereby caseload. The rest of the normal justice system
| isn't responsible to handle data protection cases and will
| just refer you to the data protection officials. So while
| fines are happening, things move very slowly if at all.
| Nasrudith wrote:
| It sounds like a fear of backlash - essentially if you fine
| like 3% of the population with parking tickets it is fine.
| If you fine 40% to 60% then you get a large contingent
| pissed off at you - regardless of validity of the laws and
| enforcement unpopularity is perilous to laws and officials.
| mamon wrote:
| If 40% to 60% of population gets fined then that means
| the law is stupid* and should be abolished. Backlash on
| law enforcement is totally understandable.
|
| *"stupid" is a relative term. Laws are made for particular
| society, if almost a half of that society disagrees with
| the rule then it shouldn't be a rule.
| danielbarla wrote:
| With this logic, there's essentially no regulatory way
| out of local minima, lemon markets and such. And, the
| freemium for personal data mining model is very much such
| a situation.
|
| And I don't think it's a fair statement that any large
| percentage of _people_ oppose this particular law; in my
| experience, most people don't seem to have a strong
| opinion about it, and those that do have a strong
| negative opinion very often don't really understand it
| (and are mostly reacting to the irritation that the
| various stakeholders are deliberately putting them
| through). Sampling the opinion of companies that live off
| ads is a bit like asking printer companies how they feel
| about toner prices.
| anticristi wrote:
| GDPR is pretty recent (2018) and legal opinions on how to
| apply it (e.g. marketing tracking) are still in the making.
| I think fines are still applied "slowly" so that the
| industry has time to change.
|
| Constantly applying fines is not sustainable. You
| eventually want to get to the point where privacy "just
| happens".
| Moru wrote:
| The way of things in EU is a bit different than some other
| areas. The goal is to change the industry slowly. You don't
| change industry by killing them quickly so these things are
| first made into law, then there is usually a number of
| warnings, then the fines start showing up small and then
| they get ramped up if the industry doesn't change.
|
| These dark patterns we keep seeing show that the sites
| didn't do their homework and are trying the usual weasel way
| of getting past on "you clicked accept so now you are
| stuck.". Consent can only be given knowingly, if you hide
| it in the fine print (or behind a "show more" button) it's
| not valid according to GDPR. To invent things like selling
| customer data to third party and call it fair usage of
| private data is not ok either.
|
| The agreement has to be easy to understand and very short.
| And it has to be presented close to the actual entering of
| data or the accept button. No hiding, no shenanigans, no
| trying to fool with colors or design. It's that simple.
| colejohnson66 wrote:
| > The goal is to change the industry slowly. You don't
| change industry by killing them quickly...
|
| I completely agree. People calling for an immediate 4%
| fine are ignoring that killing companies is bad for the
| economy. If a "pitiful" fine of $200,000 fixes the
| behavior, why fine the living daylights out of them?
|
| I'm just wondering why the fines have been so "slow" to
| happen. Enforcement Tracker[0] lists only 533 of which
| the majority appear to be against individuals (such as
| "Doctor", "Private person", etc.) I just figured there
| would be more by this point.
|
| [0]: https://www.enforcementtracker.com/
| MereInterest wrote:
| This is a great example, that I intend to hang on to. I've run
| into a few people online with some severe willful ignorance
| about the GDPR. The worst was somebody arguing that since
| targeted advertising was their business model, that in itself
| constituted a "legitimate interest". So, pretty much exactly
| the sort of thing that GDPR forbids.
| ardy42 wrote:
| > Edit: And worst of all is this very confusing pattern with
| two columns of toggle buttons, one of which concerns
| "legitimate interest":
| https://toot.cafe/@peter/105367185171860458
|
| That's pretty awful, how are you even supposed to interpret
| that? I'm guessing it's something like "first || !second",
| because that would be the sleaziest.
| Vinnl wrote:
| I think the left column is the "legitimate interest" version
| of the cookie type, and the right column the "consent"
| version (whatever that means). So you can enable and disable
| either independently, but the former is enabled by default.
| dthul wrote:
| On some websites I get a tracking / cookie consent popup which,
| if I choose not to consent to everything, leaves me hanging for
| a _very_ long time while "saving my settings". I am talking
| about 30-60 seconds here. That must be deliberate to keep you
| from denying consent. I forgot which company it was but I
| immediately recognize those popups.
| privacylawthrow wrote:
| Some tools call APIs from a whole bunch of ad networks. That
| 60 seconds is likely spent getting opt out cookies from
| dozens of different ad network domains.
| hlasdjlfhalwjk wrote:
| Doesn't GDPR require opt-in for tracking?
|
| So as long as you didn't interact with the banner, _every_
| page load should take ~60s?
| zaroth wrote:
| Of course they have to track that they aren't tracking
| you, or else you would get the consent banner repeatedly
| on every page load.
| TeMPOraL wrote:
| The _actual_ way this should be implemented, if they
| wanted to be morally irreproachable, would be this: a
| consent popup always available, tucked down somewhere in
| the corner of the site. It defaults to opt-out from
| everything, you can click on it to expand it if you want
| to opt into something.
|
| An acceptable option is to pop up a consent form as
| needed, and set a cookie recording whether user made a
| consent decision. That can be classified as essential
| cookie to fulfill a legal obligation.
| alkonaut wrote:
| Still not acceptable to make a worse experience when the
| consent is rejected.
|
| They'd need to queue those things and process them async
| later, or find a solution that doesn't need those requests
| at all.
| ratww wrote:
| TrustArc's doesn't, or at least didn't the last two times I
| inspected it deeply. It is possible to reproduce this claim
| by checking the browser inspector Network tab and by
| debugging through the source code: it's just a bunch of
| setTimeouts.
|
| Not to mention that if there were any hypothetical API
| calls those could be made asynchronously after closing the
| modal.
|
| It's purely a dark pattern.
| privacylawthrow wrote:
| >Not to mention that if there were any hypothetical API
| calls those could be made asynchronously after closing
| the modal.
|
| If you did that, users wouldn't be able to see whether
| their opt out was successful.
| ratww wrote:
| It should not matter if they're following the law.
| Failure to access some API doesn't mean the user
| consented.
|
| Like the sibling poster said, the default should be opt-
| out.
|
| It's not as if this TrustArc modal is some old product
| that was repurposed for GDPR. This is all planned and
| done in bad faith, period. It's a dark pattern.
| rkachowski wrote:
| users can't see if their opt-out is successful in any
| case, only that their preference was submitted
| cuu508 wrote:
| You should be opted out by default. The "Allow All" is
| the one that could in theory need to make N separate opt-
| in requests.
| Nextgrid wrote:
| I thought so as well but if I recall correctly someone
| explicitly disproved that. Should be fairly easy to confirm
| by checking the traffic in the network tab - unless the ad
| networks themselves take 60 seconds to respond there should
| be no reason for that much delay.
| throwaway2245 wrote:
| So (in this hypothetical), it's sharing your data with ad
| networks, in order to not share your data with ad networks?
|
| That seems really wrong.
| elliekelly wrote:
| Why is the "opt out cookie" necessary? Why can't they just
| assume that anyone who doesn't have an opt in cookie hasn't
| opted in and can't be tracked? Isn't the opt out cookie
| itself a form of tracking? If you have the cookie I know
| you've been to a site I advertise on/track/am affiliated
| with.
| privacylawthrow wrote:
| The opt out cookie was created by ad networks prior to
| GDPR when many EU countries allowed for opt in by
| default. The opt out cookie was the tool to allow users
| to opt out. It still has value today as it allows an ad
| network to remember a user's choice not to be tracked.
|
| The opt out cookie is set by the advertiser, not the
| publisher, and the contents of the cookie have generic
| text like "OPT OUT".
| notimetorelax wrote:
| I agree with your point here, it's in spirit of GDPR,
| unless expressly permitted the sites must assume that the
| user has opted out. The ad agencies with their cookies
| have it backwards.
| alkonaut wrote:
| Clearly a violation too, since the experience is now worse
| when not giving consent. That it's clearly deliberate doesn't
| help either.
| Anther wrote:
| Ziff Davis sites do this. Very aggravating.
| spoiler wrote:
| Oracle does this. I've had this happen the other day while
| trying to access some documentation.
| LeonM wrote:
| Yep, that's TrustArc
|
| These fake progress spinners are only there to deter you from
| opting out (hint: if you just accept all, the modal closes
| instantly).
|
| I wish the EU would throw massive fines at these companies,
| and ban the persons in charge from ever working in the
| business again.
| TeMPOraL wrote:
| At least in some cases I've seen, the progress seems to be
| tied to a staggering number of network requests happening
| in the background. I've heard this explained as being
| necessary to communicate your opt-out to all the relevant
| parties, but honestly, that smells like bullshit. More
| likely it's designed like this on purpose, to have
| plausible deniability for the dark pattern.
| patrickmcnamara wrote:
| If the default is to be opted-out, why would they even
| need to communicate at all with third parties? I'd say
| that it is bullshit.
| sseneca wrote:
| Is it TrustArc? I remember having a similar experience with
| their pop-up, for example on Oracle's website when I'm
| looking for Java docs: https://docs.oracle.com/en/java/
|
| That example doesn't have the long loading times for me any
| more, but I'm almost certain it was the TrustArc pop-up.
| dthul wrote:
| Yes, I believe it was TrustArc.
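
The design several commenters in this subthread argue for (opted out by default, one first-party cookie recording the decision, third-party calls only when something actually changes, processed after the banner has closed), as an added example that is not from the thread or from any consent vendor. The cookie name, value format, purpose list and vendor names are assumptions made for illustration.

```javascript
// Added example: consent state that is "off" until the user says otherwise.
// COOKIE_NAME, the value format, PURPOSES and SAMPLE_VENDORS are assumptions.
const PURPOSES = ["analytics", "personalised_ads", "measurement"];
const COOKIE_NAME = "consent_decision";
const VALUE_RE = new RegExp(
  `^v1\\.([01]{${PURPOSES.length}})\\.([01]{${PURPOSES.length}})$`
);

// Constructed sample data: three third parties and the purpose each one serves.
const SAMPLE_VENDORS = [
  { name: "adnet-a.example", purpose: "personalised_ads" },
  { name: "adnet-b.example", purpose: "personalised_ads" },
  { name: "stats.example", purpose: "analytics" },
];

// State before any decision: every toggle in both banner columns is off.
function defaultState() {
  const off = () => Object.fromEntries(PURPOSES.map((p) => [p, false]));
  return { decided: false, consent: off(), legitimateInterest: off() };
}

// Encode a decision as "v1.<consent bits>.<legitimate-interest bits>".
function serialize(state) {
  const bits = (col) => PURPOSES.map((p) => (col[p] ? "1" : "0")).join("");
  return `v1.${bits(state.consent)}.${bits(state.legitimateInterest)}`;
}

// Read the decision from a Cookie request header. A missing, truncated or
// tampered value counts as "no decision", so nothing is allowed.
function parseCookieHeader(header) {
  for (const part of String(header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    const m = VALUE_RE.exec(part.slice(eq + 1).trim());
    if (!m) return defaultState();
    const state = defaultState();
    state.decided = true;
    PURPOSES.forEach((p, i) => {
      state.consent[p] = m[1][i] === "1";
      state.legitimateInterest[p] = m[2][i] === "1";
    });
    return state;
  }
  return defaultState();
}

// A purpose may run only after a recorded decision that switched it on.
function allowed(state, purpose) {
  return (
    state.decided &&
    (state.consent[purpose] === true ||
      state.legitimateInterest[purpose] === true)
  );
}

// Apply a banner choice. `choice` lists the purposes switched ON per column;
// anything unlisted or unknown stays off. The result is available at once:
// `pendingCalls` is the work to queue in the background, not something the
// banner has to wait for.
function decide(prev, choice, vendors) {
  const next = defaultState();
  next.decided = true;
  for (const col of ["consent", "legitimateInterest"]) {
    for (const p of choice[col] || []) {
      if (PURPOSES.includes(p)) next[col][p] = true;
    }
  }
  // A vendor only needs to hear about a change. Someone who was never opted
  // in has nothing to withdraw, so a first-visit "reject" yields no calls.
  const pendingCalls = vendors
    .filter((v) => allowed(prev, v.purpose) !== allowed(next, v.purpose))
    .map((v) => ({
      vendor: v.name,
      action: allowed(next, v.purpose) ? "opt-in" : "withdraw",
    }));
  return {
    state: next,
    cookiePair: `${COOKIE_NAME}=${serialize(next)}`,
    pendingCalls,
  };
}

// "Reject all" clears both columns, with no exceptions.
const rejectAll = (prev, vendors) => decide(prev, {}, vendors);
const acceptAll = (prev, vendors) =>
  decide(prev, { consent: PURPOSES }, vendors);
```
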
| mikestew wrote:
| _Most of those are now off by default, as it should be, except
| that if you scroll down you still see a number of "legitimate
| interest" ones enabled, even though you can turn them off
| manually._
|
| Taking a page from the RealNetworks playbook from twenty years
| ago, I see. Put the shit you don't care about up top and
| unchecked, keeping the interesting stuff checked but below the
| fold.
| sseneca wrote:
| It's almost impressive what these people have created. Now,
| when I stumble across the rare "Reject All" button on one of
| those pop ups, I don't know if they even really mean "all" or
| if it keeps the trackers under "legitimate interests" enabled
| because they're... "legitimate". So the only safe option ends
| up being disabling all of them manually, which is absurd when
| these websites list hundreds and hundreds of trackers.
|
| It's as if they used decades of HCI research precisely to make
| the user experience as horrible as possible. No wait, I'm sure
| they did exactly that.
| randac wrote:
| Also the 'reject all' button is often drawn in a greyed out
| style to make people assume you can't interact with it. The
| 'accept the status quo' button is always brightly coloured
| and may as well have blinking arrows pointing at it...
|
| It's honestly absurd the amount of different dark patterns
| they're using to try to trick users.
| sseneca wrote:
| I've already seen websites which I (cynically) assume
| exploit this new-found aversion I and many others have to
| green buttons in cookie pop-ups by using differing colour
| schemes, e.g. https://hltv.org, whose "Allow all cookies"
| button is actually blue, whilst "Allow selection" is green.
|
| "TrustArc" is a funny name considering it and its pals have
| obliterated any trust I had in this stuff.
| piva00 wrote:
| With that they win the public's opinion. I make an effort to
| always explain to people I hear complaining about those pop-
| ups why they've been made to be annoying. Usually it helps to
| turn their opinion against GDPR towards the companies
| employing the dark patterns.
|
| No one likes to be blatantly manipulated.
| curryst wrote:
| I think that's a long lost battle and they know it. They're
| going for attrition. People don't want to be tracked, and
| clicking all the don't track buttons 78 times a day is
| annoying, so eventually they say fuck it and just start
| clicking Accept All.
|
| There need to be fines for this. They're clearly violating
| the spirit of the law, if not the exact letter (and I think
| much of Europe has legal systems that follow the spirit
| more than the letter, don't they?)
| TeMPOraL wrote:
| They're often violating the letter too.
|
| I'm in favor of a lot more fines, and substantial fines.
| A few companies need to be made an example of. The current
| situation does further damage to how EU citizens perceive
| GDPR and EU itself - companies do their best to make the
| consent control experience as bad and tiresome as
| possible, and then they tell people to blame GDPR for how
| web browsing just got more annoying.
| corty wrote:
| In practically all cases it is against the exact letter
| of the law: "It shall be as easy to withdraw as to give
| consent."
|
| Article 7 (3) 4. https://gdpr-info.eu/art-7-gdpr/
| Macha wrote:
| I've found the Reject All button _more common_ in the last
| few months, but due to a lot of sites that have added it also
| adding a legitimate interests section which is separate, to
| the point I'm less trusting of sites that have recently added
| reject all.
|
| For all the hate that Yahoo gets for theirs (shown above), at
| least it does have a mostly functional reject all function,
| even if it requires two button presses (the end of the footer
| does tell you to go manually opt out of facebook/twitter).
| anticristi wrote:
| "I will invade your privacy for the legitimate interest of my
| AdTech network."
|
| A few more GDPR fines and that hole will also be plugged. :)
| switch007 wrote:
| I've also had "legitimate interest" used as a catch-all reply
| when you raise any concerns internally.
|
| It reminds me of "reasonable" wording in English law.
| rawbot wrote:
| I have met few websites where you cannot uncheck the
| "legitimate interest" fields.
| jiveturkey wrote:
| That is how it should be. Legitimate interest means they
| don't need your consent. They actually shouldn't be prompting
| for it at all. Adding it to the consent box is a kind of
| cargo culting going on.
| Blikkentrekker wrote:
| Most of these data consent forms are purposefully complicated
| so that many opt in to all to save time. The "advanced options"
| menu even loads suspiciously slowly at times.
|
| It should be required by law that there be a simple to access
| "opt out to everything" option that should be as easy to access
| as an "opt in to everything" option.
|
| Also, I would not be opposed if some browser standard were
| developed under governmental oversight that sends a blanket
| "opt out to everything" that websites would be required to
| respect by law.
| poizan42 wrote:
| > It should be required by law that there be a simple to
| access "opt out to everything" option that should be as easy
| to access as an "opt in to everything" option.
|
| It arguably is already required with the language of article
| 7.2 and recital 32, especially this part
|
| > If the data subject's consent is to be given following a
| request by electronic means, the request must be clear,
| concise and not unnecessarily disruptive to the use of the
| service for which it is provided.
|
| But we will see how it gets interpreted as more cases work
| their way through the system.
| Blikkentrekker wrote:
| Yes, that is very arguable.
|
| The phrasing " _The-opt-out-to-everything option must be as
| easily accessible as the opt-in-to-everything option._ " is
| far less arguable and hiding one behind a further menu, but
| one not, is a clear violation of this rule.
| alpaca128 wrote:
| Once again proof that what we need is the opposite approach;
| companies need to actively get explicit permission not just
| from the end user, but also from authorities to collect and
| share data, and the full report should be publicly accessible.
| Also I wouldn't mind a general ban on using personal data for
| marketing purposes, I don't know a scenario where this would be
| necessary and beneficial for the user.
|
| Right now companies just keep doing what they always did and
| hope for the best. As long as they're convinced they can just
| try not to get too much attention this data sharing problem
| will persist with barely a dent.
| dmitriid wrote:
| I've seen this also in a separate tab:
| https://twitter.com/dmitriid/status/1347577262682607616
| mjw_byrne wrote:
| I was a little surprised by this: "The DPA highlighted that users
| should have a real choice not to consent without any negative
| consequences."
|
| Does this mean that it is unacceptable to run a service which
| requires consent to share data? That seems overly restrictive -
| where does that leave services in which sharing data is the whole
| point of the service?
|
| The article goes on to say: "Grindr made use of the app
| conditional on consenting to data sharing or to paying a
| subscription fee."
|
| Is this the unacceptable part? I.e. Grindr is creating a
| financial penalty for users who exercise their data privacy
| rights?
|
| Would it be acceptable under GDPR to run an app where the choice
| is "consent to sharing data or do not use this app at all"?
| zinekeller wrote:
| If a marketing service is upfront about "asking your
| preferences to serve as a reference to participating companies"
| and that is the primary purpose, they would be allowed under
| GDPR. Now the _real_ question is would someone want to do
| this? Knowing that around 17% of Americans would do this, it
| would fly in America. Now, would this fly in Europe?
| remus wrote:
| > Does this mean that it is unacceptable to run a service which
| requires consent to share data? That seems overly restrictive -
| where does that leave services in which sharing data is the
| whole point of the service?
|
| In this case the issue was that the consent was not informed.
| That is, Grindr weren't making it clear enough that the highly
| personal information they collected was then shared with
| hundreds of advertising partners.
| izacus wrote:
| > Does this mean that it is unacceptable to run a service which
| requires consent to share data? That seems overly restrictive -
| where does that leave services in which sharing data is the
| whole point of the service?
|
| GDPR literally says that you're allowed to run a service that
| requires data and you don't even have to ask for consent for
| that type of data.
|
| What you're not allowed is to collect data that's NOT critical
| for your service without consent.
| mjw_byrne wrote:
| Thanks, that makes sense.
| yarcob wrote:
| > where does that leave services in which sharing data is the
| whole point of the service?
|
| When you actively share data with others, consent to process
| the data for this is implicit. So as I understand it, a dating app
| would not need your explicit consent to share a profile photo
| with others on the platform since that is the whole point of
| the app.
|
| But if the service decides to provide your personal data to
| advertisers, explicit consent is required, since that is not
| essential for providing the service. The service could just as
| well show anonymous ads, or target ads without tracking the
| user.
| mjw_byrne wrote:
| Right, so the article is talking about data sharing which
| isn't core to the service, that makes sense.
| conistonwater wrote:
| I also find this confusing. Article 7 says
|
| > _When assessing whether consent is freely given, utmost
| account shall be taken of whether, inter alia, the performance
| of a contract, including the provision of a service, is
| conditional on consent to the processing of personal data that
| is not necessary for the performance of that contract._
| https://gdpr.eu/article-7-how-to-get-consent-to-collect-pers...
|
| So it does sound to me like you can't tie data sharing to
| provision of service because then consent is not freely given.
|
| Also:
|
| > _Consent is presumed not to be freely given if it does not
| allow separate consent to be given to different personal data
| processing operations despite it being appropriate in the
| individual case, or if the performance of a contract, including
| the provision of a service, is dependent on the consent despite
| such consent not being necessary for such performance._
| https://gdpr.eu/Recital-43-Freely-given-consent
|
| I think this means that even if Grindr obtains consent the way
| they do, it's still not freely given consent so even having
| obtained it they still don't have permission to use the data
| the way they want, since only freely given consent counts as
| consent. But I'm not sure, maybe it's more complicated.
| orangepanda wrote:
| > Consent must be unambiguous, informed, specific and freely
| given.
|
| A bit ironic, for a dating app.
| jhanschoo wrote:
| If I'm not wrong, dating apps are among the worst for user
| privacy. Google `dating apps user privacy` and you'll find no
| shortage of news articles.
| Blikkentrekker wrote:
| They are places where people write profiles and post their
| pictures.
|
| They seem somewhat scary to me, in that anyone one knows
| might encounter one on it.
| labawi wrote:
| Are you perhaps talking about services owned by Match
| group[1]? Though Grindr is not on the list, so maybe
| unrelated services are the same.
|
| [1] https://en.wikipedia.org/wiki/Match_Group#Dating_services_ow...
| Laarlf wrote:
| Yeah, same thoughts. The gdpr didn't change much but made small
| companies like these more vulnerable and web browsing more
| unbearable. Data is still getting collected and big companies
| don't care.
| rsynnott wrote:
| > In March 2020, Kunlun announced that it will sell its
| 98.59% stake in Grindr to U.S.-based San Vicente Acquisition
| LLC for $608.5 million
|
| You may be using a slightly expansive definition of 'small
| company'.
| gspr wrote:
| > The gdpr didn't change much but made small companies like
| these more vulnerable and web browsing more unbearable. Data
| is still getting collected and big companies don't care.
|
| You do know that GDPR fines scale with _revenue_?
| Laarlf wrote:
| Do you see Google, Microsoft and Apple? It's nearly been 3
| years and they don't really seem to care. Pretty sure the
| EU is too scared to touch them.
| icebraining wrote:
| Two years ago Google was fined 50 million euros by the
| French regulator. Last year it was 7 million by the
| Swedish. More will come.
| foepys wrote:
| WhatsApp's privacy update differed quite a lot between
| the EU and the US. That alone shows that the big tech
| corps are careful.
| rsynnott wrote:
| That's partly down to agreements with the EU competition
| regulator from the acquisition, AIUI.
| ganzuul wrote:
| Great news! They have been preying on a very vulnerable
| community.
| peteretep wrote:
| Are gay men in Norway a very vulnerable community? My
| impression was no, but I'm willing to have that countered
| netrus wrote:
| I cannot speak for Norway specifically, but there is, as far
| as I know, not a single openly gay player in the (male!)
| Bundesliga. Apparently, even high-status, well-earning men in
| progressive societies can be vulnerable to disclosure of their
| sexual preferences.
| est31 wrote:
| See also: https://www.theweek.co.uk/football/108141/gay-
| premier-league...
| magicalhippo wrote:
| Individuals, even in Norway, can still be significantly
| affected if their sexual orientation or preference were
| discovered by others.
|
| Anything from getting shunned by family members or religious
| community, losing out on job offers, to foreigners visiting
| Norway from a country where their sexual orientation is
| punishable by law.
| tallanvor wrote:
| Yes, the LGBT community in Norway is still a vulnerable one.
| While physical violence is much less of a fear now, people
| have long memories, and people still report being subject to
| abuse (hate speech, being pushed, etc.).
|
| Further, there are still people living in the closet here,
| afraid to come out for fear of being disowned by their family
| or ostracized by their community. Grindr plays a double-edged
| sword here, because on the one hand it gives people a chance
| to meet others, but it also creates a risk of them being
| outed. --That makes people vulnerable to blackmail.
| csunbird wrote:
| Think of people who are curious but do not want to disclose
| that to people.
| ChrisRR wrote:
| I think gay men anywhere are a vulnerable community. You can
| live in the most progressive society in the world, but many
| people still don't want their sexuality to be common
| knowledge
|
| It's no different to straight people's sex lives, I'm sure
| many people wouldn't want it to be common knowledge what
| they're into, and who they've slept with
| eznzt wrote:
| They have more disposable income than the median.
| throwaway2245 wrote:
| Could you cite that? If you're comparing median to median,
| I find that very unlikely.
|
| There are plenty of soft barriers to progress for gay men.
| nxpnsv wrote:
| Compare to the median of straight men+women, or the
| median of straight men? In median, even in Norway women
| earn on average 80% of men. Assuming sexual orientation
| otherwise doesn't matter, there should then be a
| difference between gay men and straight people in
| general...
| ganzuul wrote:
| You are assuming the single foundation of your argument.
| Please don't do that.
| nxpnsv wrote:
| I made likely what the post I answered to found unlikely.
| I could not find reliable stats for gay wages in Norway.
| Gender paygap is however very well monitored by
| http://www.ssb.no/ Arguably my point is not great. If you
| really want to know about gay conditions in Norway, try
| this report https://www.ssb.no/a/english/publikasjoner/pd
| f/rapp_201038_e...
| jusssi wrote:
| Gay men are less likely to have children, so not having
| the expenses resulting from that leaves more disposable
| income.
|
| This is what I've seen cited as a reason multiple times.
| I have no reference to point to, maybe someone else does?
| Saint_Genet wrote:
| A fairly substantial part of the Grindr userbase is made
| up of ostensibly straight married family fathers.
| pbhjpbhj wrote:
| Wouldn't that be "bi[-curious] married family fathers",
| mainly, assuming you're not suggesting they all fathered
| children against their will. Or, maybe you mean people
| who never had/never intended to have homosexual sex?
|
| Are there published stats you're referencing?
| Saint_Genet wrote:
| I mean men who have self-internalized being straight due
| to living in a homophobic society. And I speak from
| personal experience as a long time Grindr user.
| [deleted]
| moritonal wrote:
| Why do you say that? The app was founded in LA where I wouldn't
| describe the gay scene as vulnerable. Is the situation in
| Norway different?
| martin_a wrote:
| Being gay can still get you arrested or killed in some
| countries of the world. Even if not, discrimination of gay
| people surely is a thing all over the world.
|
| Besides that, dating apps of any kind should be held to very
| high data protection standards for the sometimes very
| delicate matters.
| neilsense wrote:
| Being Hindu can get you killed in some countries too, that
| doesn't make me, a Hindu, in the UK, vulnerable.
|
| Has everyone just decided that words have no meaning
| anymore?
| lukebitts wrote:
| Why is the country relevant? The app is used globally
| tluyben2 wrote:
| > Has everyone just decided that words have no meaning
| anymore?
|
| Yes. It seems a lovely social media trend. And on
| instagram many (most?) people don't seem to actually be
| able to use words, only emojis. Not sure if that's worse
| or better.
| ChrisRR wrote:
| That doesn't mean you speak on behalf of all Hindus. Just
| because you don't feel threatened and free to be a proud
| Hindu
|
| What if a person lives near racists, people who keep
| directing hate at Hindus because of their (unjustified)
| hate against Muslims? They may feel unsafe if people knew
| they were Hindu no matter the area of the world
|
| It's good that you don't feel threatened, but
| unfortunately not everyone is so lucky. And we should
| respect people who want to keep any aspect of their lives
| private.
| giantDinosaur wrote:
| Being gay means that simply holding hands with one's
| partner puts one at direct risk of being attacked. This
| is certainly still true in places like the UK. Are you
| saying you're at as much of a risk of being attacked like
| that in the UK for being Hindu? If so, it sounds like the
| UK has some major safety issues.
| tallanvor wrote:
| Most likely as a Hindu you never had to fear the response
| you would receive by telling your parents or other family
| members that you are a Hindu.
|
| As long as people have to fear getting kicked out,
| disowned, subject to slurs, or otherwise being ostracized
| by their family, friends, or community for being gay,
| lesbian, bi, or trans, then yes, the LGBT community
| remains vulnerable. And once you've been vulnerable like
| that, it never goes away. There will ALWAYS be a part of
| you that remembers it and it will affect you for the rest
| of your life.
|
| That alone is enough vulnerability. The fact that the
| LGBT community still deals with a lot of verbal and
| physical assaults as well just makes things worse. And
| yes, this is still an issue in the UK, in Norway, the US,
| and other western countries.
| moritonal wrote:
| Totally agree. All dating apps should be held as critically
| personal information. I was genuinely just curious what the
| situation was like in Norway.
| ChrisRR wrote:
| And why would you say LA is 100% gay friendly? There's
| absolutely no hate crime? Absolutely every gay or LGBT person
| is perfectly happy with the intimate details of their sex
| life being shared? Every person who isn't openly gay is happy
| with their identity being shared?
| secondcoming wrote:
| 'Preying' is a bit much. Nobody is forced to use grindr and the
| whole point of the app is to meet same-sex people
| geographically close to you.
|
| This whole case seems to revolve around whether the 'Legitimate
| Interest' legal basis is valid or not. It was only a matter of
| time before it was legally challenged.
| nulbyte wrote:
| Animals higher up on the food chain don't need force. Many
| get to know the habits of their prey to entice them without
| forcing them to do anything. Prey is a very appropriate word
| when talking about this kind of marketing and manufactured
| consent.
| ganzuul wrote:
| If they misled their customers about how their PII is used in
| order to make a profit, that makes them predators.
| gingericha wrote:
| Question in regards to the user consent pop-ups on websites: On
| sites that continue to let you browse without making a selection
| (say the consent banner is on the bottom of the browser window),
| If I don't make any choice, accept or reject, what happens? Am I
| giving consent by default?
| anticristi wrote:
| Consent needs to be unambiguous. If they assume consent, they
| operate illegally.
| pbhjpbhj wrote:
| By law it has to be informed, active consent AIUI. Some
| sites say 'by continuing you are giving consent' but that's not
| how it works.
|
| You have to be able to use the site without giving consent too.
| robertlagrant wrote:
| No, you aren't.
| ffpip wrote:
| NOYB seems to be a great company.
|
| I have heard of their lawsuits against Apple, Facebook and now a
| large fine against Grindr.
|
| If anyone wants to help them - https://noyb.eu/en/support-us .
| (no affiliation)
| helmholtz wrote:
| Decided to put my money where my mouth is and signed up to
| donate to them. Thank you for the link.
| StavrosK wrote:
| Thanks for that, I figured advocating for my privacy is worth
| at least 50 EUR/yr, so I subscribed.
| Lapland wrote:
| Thanks for sharing, haven't heard about this organization
| before but happy to support them now.
| Dumbdo wrote:
| It was founded by Max Schrems, whom some of you might know for
| his lawsuits against Facebook a few years back, which ended
| the EU-US Safe Harbour and Privacy Shield data trade
| agreements.
|
| It's mainly EU-centric which might be the reason why people
| here haven't heard of it before.
|
| https://en.wikipedia.org/wiki/Max_Schrems
| simongray wrote:
| It's incredible what one dedicated man can accomplish
| through the court system. Makes me wonder what the world
| would be like if we just spent a little time educating our
| children about their digital rights in school.
| magicalhippo wrote:
| Here[1] is the press release from the Norwegian Consumer Council,
| which initiated this along with noyb based on their earlier
| findings[2].
|
| [1]: https://www.forbrukerradet.no/news-in-english/historic-
| victo...
|
| [2]: https://www.forbrukerradet.no/side/new-study-the-
| advertising...
| matsemann wrote:
| And previous discussion [3] here on HN from the complaint filed
| last year.
|
| [3]: https://news.ycombinator.com/item?id=22043209
| stemnic wrote:
| The notice letter itself submitted by the Norwegian Data
| Protection Authority to Grindr
| https://www.datatilsynet.no/contentassets/da7652d0c072493c84...
| Hitton wrote:
| I'm surprised about:
|
| >Consent must also be freely given. The DPA highlighted that
| users should have a real choice not to consent without any
| negative consequences. Grindr made use of the app conditional on
| consenting to data sharing or to paying a subscription fee.
|
| I thought that this was allowed. Kind of puts companies depending
| on advertising in really bad position. One would expect that
| having choice of paying or getting tracked would be, at least for
| some people, better than just having to pay to get to the
| content.
| stretchcat wrote:
| > _Kind of puts companies depending on advertising in really
| bad position_
|
| Good. I hope these companies die. This business model is more
| toxic than Dow Chemical.
| dmitriid wrote:
| You can advertise without bulk collection of personal data.
| Blikkentrekker wrote:
| What kind of financial losses are we realistically talking
| about from being denied such tracking? what kind of
| percentages of lesser revenue?
| TeMPOraL wrote:
| Probably net zero, as long as everyone follows the same
| rules. Advertising is a zero-sum game, and changing the
| height of the playing field shouldn't impact relative
| revenue all that much.
| cm2012 wrote:
| As an advertiser, not true at all. Promoting products to
| any niche smaller than "man" or "woman" basically
| requires targeted advertising to make work.
| dmitriid wrote:
| Nope. There have already been articles/studies showing
| that "targeted advertisement" is about as effective as
| plopping a billboard sign on a motorway.
| anticristi wrote:
| Couldn't this be done based on content, without looking
| at personal data? "Here is an article on investment. How
| about I show an ad of an investment bank."
|
| If only one company does it, they lose. But if everyone
| is forced to do it, no one will lose.
| Blikkentrekker wrote:
| And it's more commercially effective to be more specific
| than that and take the reader's profile into account.
|
| It's also not a zero sum at all. An advertisement that is
| not within the user's interest is wasted, rather than
| going to the competitor.
| cm2012 wrote:
| In theory, yes, in reality, no. The strongest, biggest
| signal of what ads people will click is what kind of ads
| they clicked in the past. Content based ads have really
| bad performance comparably.
| dmitriid wrote:
| > biggest signal of what ads people will click is what
| kind of ads they clicked in the past. Content based ads
| have really bad performance comparably.
|
| Has anyone actually compared this over long stretches of
| time and compared apples to apples, not apples to
| oranges?
|
| Additionally, most people don't want personalized ads
| based on tracking: https://www.emarketer.com/content/do-
| people-actually-want-pe...
| Blikkentrekker wrote:
| No one denies that they don't want it.
|
| I'm sure customers also don't want planned obsolescence.
| -- it is very good for business, however.
| dmitriid wrote:
| There's very little planned obsolescence anywhere. It's
| more about racing to the bottom and building the cheapest
| possible product that will hold for a while.
| Blikkentrekker wrote:
| Surely male and female also require targeting? It's not
| as if browsers come in pink and blue editions and
| broadcast that.
| freebuju wrote:
| Yeah, but personal data is way more profitable. Hence why
| every popular site puts all the opt-out buttons & privacy
| terms behind tiny fonts placed in some hidden inconspicuous
| corner.
|
| I recently stopped thinking of myself as an Internet user on
| the web but rather an advertising ID holder.
| donohoe wrote:
| I would dispute the profitability of contextual vs
| personalized advertising (see NYT's experience) but is too
| early and coffee hasn't kicked in yet.
| matsemann wrote:
| > I thought that this was allowed.
|
| No, that's one of the big wins of GDPR. You cannot just force
| the users to sign away their rights.
| Hitton wrote:
| How is giving choice between paying with money or paying with
| data forcing users into signing their rights away?
| robin_reala wrote:
| Everyone (in the EU/EEA) has the right not to have their
| data processed if there's no applicable basis. So if Grindr
| requires money to keep their service active, then everyone
| should pay the same fee (leaving aside service levels) and
| not be forced to give up their rights. Alternatively,
| Grindr could come up with a business model that allows them
| to offer their service for free without processing their
| users' un-needed personal data; an obvious first idea would
| be advertising targeted at gay men, but not at any one
| specific user.
| TeMPOraL wrote:
| I'm not sure if I've ever seen such choice being offered in
| the first place. It's always either "pay with your data or
| don't use it at all", or "pay with your money _and_ your
| data, or don't use it at all".
|
| Also, prior to GDPR, the "pay with your data" aspect wasn't
| even mentioned by the companies. Ultimately, GDPR doesn't
| prevent people from donating their data - it just requires
| that it's explicit and not mandatory.
| virgilp wrote:
| Well, to make it more obvious - if users had the choice of
| paying with money or paying with their future voting
| rights, would that be "forcing users into signing their
| rights away?". Surely, not "forcing" since it's their
| choice - but, I hope we agree that it's a choice that
| should NOT be presented to them, at all.
|
| You may or may not agree on whether the right to privacy
| should be on the same level as the right to vote, but other
| than that, it's really the same principle.
| Hitton wrote:
| I don't share your paternalistic view of having to police
| people's actions. Giving informed consent to use some
| data (and eventually ability to withdraw that consent
| when the business between the parties ends) should be
| enough. And your comparison between sharing users'
| personal data, something that influences only them and
| voting rights (which are not transferable btw) that
| influence everyone is absolutely ludicrous.
| aenario wrote:
| I'd like to sell you some cough medication, it's all
| natural, made from a concentrate of two South American
| plants called "coca" and "tabaco", everyone who tries keeps
| asking for more, even when we increased the price!
|
| Too bad the big bad government regulation prevents me
| from selling it. It's absolutely ridiculous, all my
| customers want it and I pay my taxes.
| Hitton wrote:
| I'm not a hard core libertarian to argue about whether
| banning drugs is good, but even in your scenario
| customers having information about what is the
| "medication" made of and any addictive properties those
| things might have would go a long way. And let's not
| pretend that whether a drug is legal (alcohol, tobacco,
| even marijuana somewhere) or not is result of rational
| process and not just result of lobbying and historical
| custom.
| virgilp wrote:
| Privacy absolutely affects everyone. If you gave consent
| to Facebook to track you & you are my friend, you'll give
| my phone number to Facebook, and photos of me, etc. I
| cannot opt out of that! And in fact FB is well known for
| building shadow profiles [+]
|
| Look, I understand if you feel "privacy rights" and
| "voting rights" are not in the same class of rights, I
| even mentioned explicitly that even though the same
| principle applies, you may not agree they're comparable.
| But you can't deny that the only reason voting rights are
| not transferable is because we said so - we have laws
| that dictate "voting rights are not transferable". It's
| easy to imagine a world where voting rights would, in
| fact, be transferable. It's just as easy to imagine a
| world where advertisers don't have the right to build a
| profile about you.
|
| What is happening now is that we started with a world
| where (online) privacy rights were non-existent, and laws
| like GDPR are aiming to change that. You may not agree
| with the change, but others do, and it's a legitimate
| sentiment to have. It's not necessarily outrageous to
| want to "impose on everybody" my view of privacy rights.
| No more than it was to "impose on everybody" the view
| that e.g. women should be allowed to vote.
|
| [+]https://theconversation.com/shadow-profiles-facebook-
| knows-a...
| Hitton wrote:
| I don't know why you are bringing Facebook into this. Its
| business model is completely different, afaik it doesn't
| offer paid subscription to opt out of all tracking. This
| is known as straw man fallacy - misrepresenting someone's
| position and then rebutting that.
|
| What you are suggesting is not like "women should be
| allowed to vote" it's akin to "women must vote".
| virgilp wrote:
| What does the business model have to do with everything?
| I was merely replying to this:
|
| > sharing users' personal data, something that influences
| only them
|
| It does not influence only them, and I gave you an
| example. Also, I don't care what's FB's business model, I
| advocate that nobody should have an automatic right to
| build user profiles. I explicitly advocate that you
| should not have the right to demand payment in "data"
| because privacy should not be considered currency. Is
| that a strawman? I thought that was your entire argument
| "people should be free to decide to pay with their
| data!". NO THEY SHOULD NOT. Data is not currency, just
| like votes are not currency. You ask for currency, if you
| need payment - you don't ask for profile data.
|
| > it's akin to "women must vote".
|
| Well, it's an analogy, if you don't find it useful, let's
| drop it. The gist of it is, I feel very strongly that we
| should legislate that privacy is not currency, you seem
| to feel otherwise. It is fine to disagree, but it doesn't
| make my position irrational or absurd in any way. Yes, I
| feel that allowing people to pay with privacy _is_
| exactly "taking their rights away", in the same way that
| allowing them to pay with their voting rights would be.
| Hitton wrote:
| I didn't expect having to qualify everything I say to the
| context of a discussion and topic on hand. I don't agree
| on your definition of personal data. Phone numbers and
| email addresses of my contacts are personal information
| that don't belong to me, I have merely unwritten consent
| to use them (but not to give them to every spammer).
|
| But none of that seemed to be relevant to the Grindr
| fine. And one thing I should have probably mentioned
| before - I don't know Grindr and how the subscription
| works there, but my opinion on paying (subscription) vs
| giving data away would also depend if there were
| additional features granted in the subscription (now
| thinking about it probably yes) or not. This would in my
| opinion qualify as forcing user into paying even for
| thing he might not necessarily want to just to protect
| own privacy.
| virgilp wrote:
| Yet a very large number of companies do. Open Facebook in an
| incognito window - it'll give you a dialog with "Accept FB
| cookies"; options are, "Accept all" or "Manage" (already in
| violation of GDPR since rejecting is not as easy as
| accepting!). Click manage, and you get presented with a
| single button, "I Accept"; sure, there's one checkbox that
| you can leave unchecked, but it's really unclear from that
| wall of text what exactly you are "Accepting" and what you're
| not.
|
| If Grindr was fined 10% of revenue - why exactly aren't they
| fining Facebook 2.2 billion? It'd be much more impactful, and
| hopefully help put an end to those practices.
| Mauricebranagh wrote:
| So presumably the Norwegian government will be fined for
| publishing everyone's tax returns then :-)
| anticristi wrote:
| There are 6 legal bases for collecting and processing personal
| data: Consent, legal requirements, vital interests, public
| duty, contract requirement and legitimate interest.
|
| Collecting and publishing tax returns would fall under "public
| duty".
| Mauricebranagh wrote:
| Yes they can legally do that but there is the
| "Confidentiality" part of the CIA Triad which is very
| important in terms of GDPR.
| sleepyhead wrote:
| No because GDPR has exceptions for state usage. Tax returns are
| not published but some key figures are available but you need
| to authenticate to retrieve it and it is logged and the log is
| available to the searched person.
| Nasrudith wrote:
| The point is that comes across as hypocritical and makes the
| rationales come across as lies. "Consent for data sharing is
| important - except when we do it!" isn't a very good look
| even if there are valid reasons for tax return transparency
| it goes against their own stated principles.
| anticristi wrote:
| You don't always need consent. There are 6 legal reasons to
| collect data. "Public interest" as with tax returns is one.
|
| As another example, the post office is allowed to collect
| and process your address, since otherwise they could not
| fulfill their contract to deliver your parcel (contractual
| obligations).
|
| Similarly, paramedics don't need to worry about asking for
| consent from a patient that is unconscious: They can look
| into their medical records based on "vital interests".
| Hamuko wrote:
| Turns out that states have special rights. States also have
| a monopoly on violence.
| tyfon wrote:
| Note that this is 10% of revenue so it is quite substantial.
| ChuckNorris89 wrote:
| As it should be. If we only fine them fees equivalent to change
| found between the couch cushions, then they have no incentive
| to improve.
|
| Especially for private information regarding one's health and
| sexual activity.
| wongarsu wrote:
| Exactly. This isn't a small oversight from Grindr, they share
| especially sensitive information (the fact that someone is
| gay/bi) without the option to opt out (never mind that it has
| to be opt-in).
| StavrosK wrote:
| And 30% of profit, looks like:
|
| > Authority imposes a fine of 100 Mio NOK (EUR 9.63 Mio or $
| 11.69 Mio) on Grindr. An enormous fine, as Grindr only reported
| a profit of $ 31 Mio in 2019 - a third of which is now gone.
| pbhjpbhj wrote:
| I mean, if they're still making profit then it's not really
| hurting, is it? Any impact on the decision makers?
| StavrosK wrote:
| Well if you took away 30% of my year's income I'd be quite
| hurt.
| sofixa wrote:
| It's 30% of profit, not income, so more akin to someone
| taking 30% of your savings or "fun" money.
| fckthisguy wrote:
| For traded companies, the stock price usually takes a hit
| when this happens. That puts a fire under their ass even if
| losing a load of money doesn't.
| zxcvbn4038 wrote:
| They are sending all of their users' data with an "opt out" flag
| and leaving it to the ad companies to honor it? Slow clap?
|
| It also caught my eye that their TOS didn't allow users a choice
| in data sharing, it was either agree or don't use the app. That
| might have some wide ramifications, I've encountered many web
| sites that won't let you past the sharing opt-in until you click
| agree - i.e. it is impossible to disagree. It is a completely
| foreign concept for US companies.
|
| Wikipedia says Grindr is based in California, US. I wonder if
| they will pay the fine or refuse. If they have no assets in
| Norway I imagine it may be hard to collect from them.
| jononor wrote:
| If they try that, I guess the Norwegian authorities will
| escalate through EU - either on the EU level, or by
| collaboration with larger national agencies such as in Germany.
| This is not a case isolated to Norway, and the agency seems to
| see it as such.
| gspr wrote:
| > If they have no assets in Norway I imagine it may be hard to
| collect from them.
|
| I thought, but have never verified, that fines given as GDPR
| enforcement can be collected throughout the EU/EEA. If this is
| true, and if European courts uphold the fines when Grindr
| undoubtedly challenge them, then it's my understanding that the
| Norwegian DPA can have Grindr assets elsewhere in the EEA
| seized.
|
| Does anyone know for sure?
| lmkg wrote:
| If they are "established" somewhere in the EU, then all GDPR
| complaints get forwarded to the DPA for the country where
| they are established. This is called the "one-stop shop
| mechanism."
|
| If the Norwegian DPA is the one handling this case, probably
| that's because Grindr's EU operations are legally established
| in Norway. If they don't have an "establishment" in the EU,
| then I think it's up-for-grabs, and my gut is that NOYB would
| have preferred to file in France or Germany.
|
| This is why GDPR actions against Facebook, Google, etc. all
| go through the (under-resourced) Irish DPA: US companies are
| all based there for tax reasons. It's... becoming a problem.
| killingtime74 wrote:
| A lawyer would know for sure
| Blikkentrekker wrote:
| I think you underestimate how specialized law can be.
|
| I have a relative who is a lawyer and legal attorney who
| would definitely not know this and when asked would answer
| that it is not his speciality and that he would have to do
| more research.
|
| He's an attorney in employment law, and I asked him some
| things about criminal law and he did not know, and when
| pressed to make a guess, his guess was wrong.
|
| It seems that law is quite complicated, and that lawyers
| have their specialities.
| donohoe wrote:
| Not a lawyer, but I believe this is true
| fifilura wrote:
| There is a Norwegian connection there though. Grindr and Opera
| (browser) are owned by the same Chinese entrepreneur.
|
| Opera is still headquartered in Norway. Don't know if that
| helps, but there may be interesting corporate associations
| there.
| nitrobeast wrote:
| Grindr's Chinese owner has sold it to a US owner, forced by
| CFIUS (https://www.theverge.com/platform/amp/2020/3/6/2116807
| 9/grin...).
| ChrisRR wrote:
| Ironically that site asks you to agree to tracking cookies,
| with no option to opt out
| jellygraph wrote:
| This fine is going to be a pain in the backside for Grindr.
| ChrisRR wrote:
| There's no need to be making stupid jokes here at the expense
| of gay men.
___________________________________________________________________
(page generated 2021-01-26 23:02 UTC)