[HN Gopher] Amazon Gets Record $888M EU Fine over Data Violations
___________________________________________________________________
Amazon Gets Record $888M EU Fine over Data Violations
Author : Reventlov
Score : 317 points
Date : 2021-07-30 11:56 UTC (11 hours ago)
(HTM) web link (www.bloomberg.com)
(TXT) w3m dump (www.bloomberg.com)
| neonate wrote:
| https://archive.md/Uc2bg
| betaby wrote:
| Are those fines really collected? I know Russia has troubles
| collecting fines, say, from Twitter. Google always successfully
| "negotiates" them way down.
| doikor wrote:
| With the amount of physical assets and business Amazon has in
| the EU it will be easy to enforce the collection. The other
| option is to confiscate the warehouses and data centers and
| sell those to pay the fine.
|
| Also I'm not sure how Luxembourg laws work but here in Finland
| the government would just declare that company bankrupt and
| take all of their stuff to pay the fine. (Company not paying
| their bills in time is grounds for bankruptcy).
|
| This is also the easiest way to get a company to pay what they
| owe you. Just send a notice of wanting to declare the company
| bankrupt to the courts for not paying usually leads to the bill
| getting paid in a day or two. This has actually happened to
| some really large companies (mainly insurance companies that
| did not want to pay after losing in court when disputing their
| insurance decisions)
|
| Twitter in Russia is very different as they do not have any
| physical assets there.
| eitland wrote:
| > (Company not paying their bills in time is grounds for
| bankruptcy).
|
| Same here in Norway from what I hear:
|
| Even if you can prove that you have the money tomorrow if
| your taxes are due today and you don't pay they make you
| bankrupt.
|
| Simple as that, they rather take the loss and know that no
| one "forgets".
| whoknowswhat11 wrote:
| These cases are often ridiculous political statements - so they
| get appealed and the fines knocked way down.
| sproketboy wrote:
| Pocket change.
| neals wrote:
| That's one way of paying taxes ...
| yourenotsmart wrote:
| While from purely monetary perspective this seems like it tips
| the scales more to a balance, from systematic perspective, this
| is more corruption on top of corruption.
|
| You have politicians colluding with businesses to save them a
| billion in taxes, contrary to the intent of the law. Then you
| have the same politicians colluding to basically go pirate and
| surprise fine the same business a billion for some semi-
| arbitrary violation out of nowhere.
|
| There's no system here, no law, just both sides one-upping
| themselves in being absolute fucking assholes.
|
| The result is instability and an environment not conducive to
| businesses or the people that make them up.
|
| Think about it, how come everything is fine, and then out of
| the blue you get sued for a billion? Was there a warning? Was
| there a grace period, a chance to rectify things? No.
|
| This is not law enforcement, this is law abuse. It's like the
| US cops that stop random cars, and if the driver carries cash,
| they just take it under bullshit pretense.
|
| We're moving towards an anarchy, under the guise of justice.
| p_j_w wrote:
| >you have the same politicians colluding to basically go
| pirate and surprise fine the same business a billion for some
| semi-arbitrary violation out of nowhere.
|
| Your wording here implies that you think this fine is not
| justified and is nothing more than a shakedown against
| Amazon. Am I misunderstanding here or is that really what
| you're saying?
| himinlomax wrote:
| > n you have the same politicians colluding to basically go
| pirate and surprise fine the same business a billion for some
| semi-arbitrary violation out of nowhere.
|
| I work for an online retailer that's not Amazon, we took GDPR
| very seriously and have as a result stopped collecting a lot
| of data and spent months implementing compliance. It seems
| Amazon has done next to nothing compared to what we did and
| chose instead to ignore the issue. It's absolutely no
| surprise what's happening to them, it's precisely what our
| legal department warned us about. Are you saying that Amazon
| should be above the law?
| einpoklum wrote:
| > how come everything is fine
|
| I doubt everything was considered to be "fine".
|
| Also, the assumption that a grace period is due assumes that
| such behavior is only marginally inappropriate. Suppose
| Amazon was reading its customer's email; would you also argue
| that it needs a "grace period" after a demand to stop doing
| that before it actually stopped?
| james_in_the_uk wrote:
| It wasn't out of the blue. This complaint has been ongoing
| for a long time. Regulators have been vocal about these
| concerns for a while. Discussion of these issues, such as how
| the ad industry is at odds with privacy activists and
| increasingly regulators too, are common across various
| academic and industry forums. Amazon will have taken expert
| legal advice and likely have been involved in lobbying at all
| levels. Regulators typically have carefully constructed
| action policies which cover a range of measures, including
| warnings, which may well be delivered privately. Not
| everything that happens in the world makes the front page of
| Hacker News :)
| ectopod wrote:
| Do you think Amazon wasn't using personal data contrary to
| European data protection law?
| saddlerustle wrote:
| Do you think European data protection law actually prevents
| much tangible consumer harm?
| denton-scratch wrote:
| Do you answer straight questions, or do you just keep
| changing the subject?
| chopin wrote:
| The law presumably would if it was properly enforced.
| yourenotsmart wrote:
| Do you know what the phrase "throw the book at them"
| means.
|
| It means you have a rich set of laws, which punish
| various offenses which look fine on paper, but in
| practice everyone violates just to do their regular job,
| so they're widely not enforced.
|
| But if you want to fuck someone in particular, you can
| easily find them in violation of a dozen or two of them,
| and put them in jail for a long time or fine them
| substantial amounts.
|
| You threw the book at them.
|
| This is basically what most of EU's data privacy, cookie
| and so on laws are about, in practice.
|
| It's interesting how you can take a collection of
| seemingly or genuinely good-intentioned rules and use
| them to basically rule as a king, but there you go.
|
| And it's not a good thing.
| mrweasel wrote:
| That's not really how, at least some, European countries
| work. Laws are written and companies are generally
| expected to follow them. We're trying to catch up, going
| from a society where rules are followed, without the
| need for actual enforcement, to one where companies don't
| follow the law unless the court makes it unprofitable.
| yourenotsmart wrote:
| Are companies expected to follow laws the day they get
| signed, even if it might take over a year to implement
| compliance? Think about it. Because here's what happened:
|
| > The penalty is the result of a 2018 complaint by French
| privacy rights group La Quadrature du Net, which filed
| numerous lawsuits against Big Tech companies on the
| behalf of 12,000 people shortly after the GDPR was
| established that year.
|
| This privacy group waited for the law to get signed, and
| promptly sued every big company that clearly handles user
| data.
|
| Do you think fining everyone a billion or two would help
| them come up with a time machine and go back in time to
| implement a law before it exists so they're compliant by
| the time it's signed? Curious.
| denton-scratch wrote:
| The GDPR was enacted two years before it came into force.
| Companies trading in the EU had _plenty_ of time to come
| into compliance.
|
| LQDN didn't "wait for the law to get signed" - it was
| signed ages ago. They waited until it was enforceable.
|
| It's worth pointing out that the GDPR is an EU
| "regulation". It doesn't have to be ratified by member
| states, and they don't have to implement some kind of
| compliant national legislation. This is very different
| from the previous EU privacy legislation, which required
| member states to enact suitable laws, which many of them
| were apparently reluctant to do.
|
| The GDPR came into force the day the regulation was
| issued. It's just that "came into force" means that the
| 2-year breathing-space provided for in the regulation
| began at that time.
|
| [Edit: changed 3 years to 2 years]
| Symbiote wrote:
| "The GDPR was adopted on 14 April 2016 and became
| enforceable beginning 25 May 2018."
|
| They had two years from when the law was made.
| input_sh wrote:
| If we're talking about GDPR, it came into effect on 25
| May 2018, after being adopted by the European Parliament
| on 14 April 2016.
|
| That's two years, one month, and 11 days for
| implementation. Those additional days are days after it
| was published in the EU's Official Journal. It's not EU's
| fault that companies waited until 2018 to give a fuck
| about it.
| ithinkso wrote:
| You'd think that if this was a legit defense they would
| use it in court, instead of "There has been no data
| breach, and no customer data has been exposed to any
| third party" clinging to anything irrelevant, as I'm sure
| they don't hire incompetent lawyers waiting for an online
| poster to come up with a solution
|
| I think GDPR discussions are always heated on the 'EU vs
| US' line because of different approach to trust in the
| govt. In the EU people tend to (surprisingly maybe) trust
| politicians more because they at least want to be re-
| elected and distrust corporations/billionaires because
| they want to increase profit. In the US, I think, it's
| different, there is a distrust in the government because
| they are here to get us and more trust (surprisingly
| maybe) in corporations/billionaires because they are just
| like me working hard to earn money
| [deleted]
| himinlomax wrote:
| > Do you know what the phrase "throw the book at them"
| means.
|
| It's perfectly reasonable to throw the book at them,
| because unlike their competitors they don't seem to have
| made even a token effort to begin compliance.
|
| If they didn't have the book thrown at them, people would
| complain that the law is toothless.
|
| I've worked for two companies that had to implement GDPR,
| in both cases the legal departments were extremely
| serious about it and we had to do a lot of work to
| comply. Why should Amazon get a pass?
| shuntress wrote:
| I think the parent's point is that in a more well-
| functioning system Amazon would be given notice and time to
| rectify their presumably mistaken wrong-doing which they
| would then appropriately rectify in good faith or to avoid
| penalties.
|
| The parent is pointing out how the current system
| incentivizes "surprise" fines as an alternative to up-front
| tax and how this dynamic trends towards fines being seen as
| a simple cost-of-business rather than a true
| penalty/punishment.
| abeppu wrote:
| Why are they '"surprise" fines'?
|
| GDPR was published and companies had time to get ahead of
| it before it went into effect. There were special recital
| sessions where guidance was given for what parts of it
| meant. Many companies put into place a lot of changes to
| comply. Yes, parts of GDPR could be a little ambiguous,
| but as with every law, a company can be more or less
| conservative in making sure they're above reproach.
|
| Why should violations be "presumably mistaken" if a
| company has a legal department and the resources to
| comply with the law? If the speed limit is posted, I
| don't expect a cop to give me a warning when I've
| exceeded it under the assumption that it was inadvertent,
| and give me a reasonable period to come into compliance.
| himinlomax wrote:
| Yeah that's not how GDPR is written, there's no provision
| for notices, that's the law and it's available to
| everyone to read.
|
| All of Amazon's competitors, including my employer, have
| spent a lot of money and energy to comply. Why Amazon
| decided to just ignore what everyone else knew was a big
| deal is beyond me.
| shuntress wrote:
| > this dynamic trends towards fines being seen as a
| simple cost-of-business rather than a true
| penalty/punishment
|
| I'm sure they ignored it because they thought they would
| make more money that way.
|
| Edit: Also, to be clear, by "system" here I mean the
| overall environment not specifically the EU or the GDPR.
| cblconfederate wrote:
| We could broaden the conversation and also ask who are the
| people who got harmed to the tune of $1B, and how they will
| be redressed for that harm
|
| The point is not the legal matter at hand but the nature of
| the law itself and how it came to be. As much as i like
| that we don't get spam calls anymore in the EU, the problem
| was pushed under the rug, not solved (all the spam calls
| are now from UK numbers). The bigger problem is that while
| the legislators legislate for putting restrictions on eu
| businesses, they have not legislated an equal amount that
| would be conducive to business in the eu.
| AmericanChopper wrote:
| In reality, it's one way of implementing a tariff.
| ithinkso wrote:
| As long as fines are priced into the cost of doing shady
| business they'll be paid. Hopefully they will rise enough so
| that it's no longer profitable to risk them - we'll see then
| if the 'tariffs' as you call them will continue or will they
| stop
| AmericanChopper wrote:
| They will never stop, because the regulations are written
| so broadly that essentially any business could be found in
| breach of them.
|
| The EU's service sector is massively uncompetitive, and
| most of its regulation of this sector has been designed as
| either a tariff or just a general barrier to trade. In
| every GDPR related thread people complain that the law is
| not achieving its objectives (which you're almost doing
| here also, with your "maybe it will eventually work"
| comment), but the law is doing exactly what it's designed
| to do. It's implementing trade barriers (a generally
| unpopular type of policy), and generating popular support
| for them (by dressing them up as privacy regulations).
| frockington1 wrote:
| The EU's service sector will continue its downward spiral
| as these regulations increase. They are building an ever
| widening moat for US Tech giants and calling it a win for
| the people
| ithinkso wrote:
| > In every GDPR related thread people complain that the
| law is not achieving its objectives (which you're almost
| doing here also, with your "maybe it will eventually
| work" comment), but the law is doing exactly what it's
| designed to do.
|
| I think you might be misinterpreting those comments. It's
| not that hard to follow GDPR, what's hard is to work
| around it. If you want to do exactly what you did before
| but you want to weasel your way around GDPR it's not
| impossible, unfortunately, but harder.
|
| And people are complaining about it not achieving its
| objectives precisely because you can weasel your way
| around and that's why we have those stupid 'Accept all
| cookies' huge buttons and 'Change settings' small ones,
| that later change to another big 'Accept all' and even
| smaller 'reject'.
|
| Stop selling user's data without their consent and GDPR
| is a breeze to be compliant with. Try still selling it,
| eliciting the consent via dark patterns, and complain how
| hard and complicated it is.
| AmericanChopper wrote:
| > Stop selling user's data without their consent and GDPR
| is a breeze to be compliant with. Try to still sell that,
| eliciting the consent via dark patterns, and complain how
| hard and complicated it is.
|
| So it should be safe to entirely dismiss your comment on
| the basis that Amazon in this case hasn't even been
| accused of providing data to a 3rd party, let alone
| selling it?
| ithinkso wrote:
| Selling/collecting - I'm glad that GDPR seems to treat
| them at almost equal footing, even harder to prosecute if
| you leave a huge backdoor
|
| It's my data - fuck off, I'm interested in the business
| you're offering, not increasing your bottom-line at the
| expense of my privacy and especially I don't want to have
| a profile of me created just because you can. If I
| haven't consented to it, you won't do that - simple as
| that
| AmericanChopper wrote:
| It hasn't been accused of the wrongful collection of data
| either. Not that hard to follow for sure...
| amelius wrote:
| > That's one way of paying taxes ...
|
| But the EU hasn't figured out how to apply this technique to
| Apple yet ...
| frankfrankfrank wrote:
| Ironically, you may not realize how accurate that is because
| the amount that will end up being paid is far far less after
| all the bribing and court cases and buying off/buttering up
| politicians and judges, etc.
|
| It would be worth it for some government accountability group
| to track just how much the difference is between the fine
| levied and the amount paid. It's literally never the amount
| published so the people are assuaged.
| ithinkso wrote:
| > you may not realize how accurate that is because the amount
| that will end up being paid is far far less after all the
| bribing
|
| Sources? (Actually curious if there is some published
| statistics)
|
| Bureaucracy with all its faults still has quite a lot of
| checks and balances that have to add up so I wonder how many
| appeal results are there that are not as interesting as the
| first fines reported
| high_byte wrote:
| as stock owner I can still safely lol at this.
| wutwutwutwut wrote:
| At what? Amazon having to pay a large fine for illegal
| activities?
| high_byte wrote:
| large for once but insignificant at the same time.
| qwertox wrote:
| >large for once but insignificant at the same time.
|
| This is beside the point.
| wutwutwutwut wrote:
| Laughing because the company you invested in has committed
| illegal activities and has to pay $888M seems strange to
| me. Not a high standard to set for your investments.
| high_byte wrote:
| amazon is a good investment and remains so. it does not
| derogate from the two facts, 1. karma and 2. the world
| isn't fair, as in this is a few days profits. comparable
| to you getting few thousand dollars fine for breaking the
| law.
| dcow wrote:
| That doesn't matter. As a shareholder there is absolutely
| no way this helps your stock price. While you may not be
| crying it doesn't make any sense to "lol" at it either.
| bildung wrote:
| Are you aware that the fines continue to grow until Amazon
| complies?
| afrcnc wrote:
| Non-paywalled report: https://www.politico.eu/article/amazon-
| fined-e746m-for-viola...
| EthOptimist wrote:
| Interesting to compare this to the $3B anti monopoly fine against
| Alibaba recently
| cpufry wrote:
| eh, tips scales towards balance and onwards we go.
| BurningFrog wrote:
| To me, these fines feel really arbitrary, and like the EU taxing
| US tech giants "through other means".
|
| What's the clearest evidence I am wrong?
| PedroBatista wrote:
| The evidence that you're wrong starts by the fact you already
| started from the "We" are the winners and "They" are the
| losers, so "They" are playing dirty and "We" are the real
| victims here.
|
| If you haven't read the investigation documents and ruling (as
| I didn't), the most we can do is having a hunch and googling
| Amazon's past and track record in everything from business
| tactics to employee policies, I think no one is surprised they
| have problems with the law.
|
| And speaking of law, each place has their own laws, customs and
| views on how society should look.
| igorkraw wrote:
| Usually the burden of proof is with those making the
| accusations
| richwater wrote:
| Why do you think EU tech companies are nonexistent?
| laurent92 wrote:
| Because they have mild success only. DailyMotion is great as
| #2, but Youtube is about 1000x bigger. Other startups exist,
| but are far from Apple-style success. Who would let any
| company own a campus anyway.
| bildung wrote:
| If "tech giant" equals "web advertising platform", then
| sure. But there are quite a few big physical tech companies
| within the EU. Bosch and Facebook have about the same
| revenue, for example. ZF Friedrichshafen, a company no one
| has heard of, has double the revenue of Youtube.
| frockington1 wrote:
| I wouldn't call making dishwashers tech. I'm not
| disparaging, I love how quiet my Bosch is, but I would
| classify it as an industrial company not a technology
| company
| borodi wrote:
| You should probably read more about the other things
| Bosch does, i.e. the entire automotive part of it.
| valenceelectron wrote:
| They do more than that, e.g. IoT and PaaS stuff:
| https://developer.bosch-iot-suite.com/ Also, when
| googling I found this: https://tpl.informatik.uni-
| stuttgart.de/wp-content/uploads/2...
|
| Don't know how successful these endeavors are.
| bildung wrote:
| Bosch is quite big, they are also a major supplier of the
| things e.g. a Tesla is made of, e.g. of the hardware
| behind the self driving functionality. And health tech
| like germ detection.
| denton-scratch wrote:
| ARM Holdings.
| mritun wrote:
| ARM holdings is owned by a Japanese fund and being sold to
| a US corporation.
|
| European salaries are paltry in comparison to US and the
| businesses are either stagnant (Bosch) or dying off except
| for a few successful ones that are being sold off to either
| Chinese conglomerates (Volvo) or USA/Japan (ARM holdings)
| mpweiher wrote:
| The EU's focus on data protection, particularly the German
| view, which is to a large extent that which now prevails at the
| EU level (though the others were very similar), predates the
| existence of these tech companies. By a huge amount.
|
| In Germany, it is considered a "Grundrecht", a "basic right" of
| constitutional rank.
|
| https://de.wikipedia.org/wiki/Datenschutz#Deutschland
| bildung wrote:
| It's actually pretty easy to see the pattern, isn't it? The US
| tech giants' business models most often are based on data usage
| that is inherently incompatible with GDPR (Most are
| essentially advertisers). And apparently most of these
| companies continued that practice despite the GDPR.
|
| Most EU tech giants are B2B and mostly don't have this problem
| in the first place.
| mpweiher wrote:
| Yes, in the EU a company whose business model is violating
| its users' privacy rights (and those existed pre GDPR) would
| never have gotten off the ground.
| jefftk wrote:
| https://en.wikipedia.org/wiki/Criteo ?
| whitepaint wrote:
| How are the size of these fines determined?
| mhitza wrote:
| > How much can an organization be fined for a GDPR violation?
| The GDPR allows the EU's Data Protection Authorities to issue
| fines of up to EUR20 million ($24.1 million) or 4% of annual
| global turnover (whichever is higher).
| eitland wrote:
| Importantly however they'll often first contact the company
| to ask them to fix the problem first instead of going
| straight to fines.
| theshrike79 wrote:
| And the best part is that the fine is calculated according to
| the parent company, so you can't create a subsidiary to
| handle all the iffy GDPR stuff and have it work with 0
| turnover.
|
| So if any of Google's properties F's up, the fine is
| calculated from Alphabet's annual turnover.
| vdfs wrote:
| Usually in a way that doesn't hurt the company or make it change
| its behavior
| mpweiher wrote:
| Begun the GDPR wars have.
|
| Popcorn ready.
|
| But seriously, the industry has largely been in a Wil-E-Coyote
| moment ever since GDPR came into force, because most of the
| "standard practices", and for companies like Facebook and Google
| their business model, became illegal at that moment.
|
| The industry reaction has been to mostly ignore it and carry on
| as always, running on air and making sure not to look down. Oh,
| and trying their best to annoy users by running nasty and also
| mostly illegal "consent popups", in an attempt to do a repeat of
| the very successful campaign against the cookie directive.
|
| I don't think it will work this time around, because the EU
| learned from their earlier mistake, and specifically came up with
| fines that will really, really sting.
|
| As far as I know, cases against Facebook are currently making
| their way through the system (not sure about Google, but they are
| also guilty as can be), but haven't resulted in a ruling and fine
| yet.
|
| Immovable business model, meet irresistible regulation.
|
| Popcorn ready.
| singlow wrote:
| The EU is not going to get into a war because it doesn't have
| any countries capable of fighting a war. The GDPR is not
| powerful because as much as they think they can extract revenue
| from a multinational company, the pacifist EU countries don't
| have the power to enforce it at scale. China, Russia and the
| U.S. aren't going to help them enforce the GDPR. If the
| companies don't like it they will just ignore it and exclude
| the EU from the world economy.
|
| The EU will moderate its enforcement to a degree that is
| tolerable by the companies to avoid any major conflicts.
| denton-scratch wrote:
| What's this about war? Who mentioned war? The EU is not
| fining a nation-state with an army; it's fining a corporation
| with EU subsidiaries and assets.
|
| If you want to trade in a place, you either obey the laws of
| that place, or you shut down operations there, or you get
| fined.
|
| Are you suggesting the USA might use armed force to prevent
| the EU fining Faceache? I don't think I've heard even
| nativist nuts suggesting anything remotely like that.
| singlow wrote:
| The post I replied to:
|
| > Begun the GDPR wars have.
| denton-scratch wrote:
| Oh, OK - I read the OP as referring to _HN_ , so I didn't
| get your satire!
| winrid wrote:
| I guess they are Stanley Parable fans.
|
| https://youtu.be/oV-nDRkhgvk
| grumblenum wrote:
| >$ _888_ M
|
| Google, is that you?
| hu3 wrote:
| Haha. Is that a reference to Google's DNS 8.8.8.8?
|
| https://developers.google.com/speed/public-dns
| grumblenum wrote:
| Exactly!
| talentedcoin wrote:
| As long as GDPR exists, a European tech company that can
| challenge FANG dominance will never emerge.
| pyrale wrote:
| There are many other reasons why large tech companies have a
| hard time emerging in Europe. One could argue that none of the
| really big tech companies that emerged in the US is recent
| either.
|
| So it makes sense, if companies can't be helped, for EU to at
| least try to protect the consumers.
| adventured wrote:
| > One could argue that none of the really big tech companies
| that emerged in the US is recent either.
|
| That can't be reasonably argued. The US has dozens of large
| tech companies that have emerged more recently than the
| classic big tech giants. The EU, or Europe more broadly, has
| exceptionally few.
|
| More recently, for large tech companies, is the past ~20
| years. It typically takes a long time to become worth $20
| billion or $50b or $100b. That time frame _excludes_
| Microsoft, Apple, Google, Amazon, Netflix, Adobe, Cisco,
| Intel, Oracle, Nvidia, AMD, Dell/Emc, Vmware, Salesforce,
| PayPal, Applied Materials, Texas Instruments, Qualcomm,
| Broadcom, Verisign, Intuit, IBM, HP, Autodesk, eBay, Booking,
| Expedia, Cadence, Marvell, Micron, Lam, KLA, Western Digital,
| Seagate, among many others.
|
| So what exists from the past 20 years for the US?
|
| Facebook, Zoom, Tesla, SpaceX, Workday, Twilio, DataDog,
| Cloudflare, Splunk, DocuSign, ServiceNow, Snowflake, Square,
| Coinbase, Stripe, Airbnb, Uber, Lyft, Roku, MongoDB,
| Pinterest, Twitter, Snapchat, CrowdStrike, Palo Alto
| Networks, Zscaler, Okta, The Trade Desk, Teladoc, Veeva
| Systems, Dropbox, DoorDash, Unity Software, Etsy, DraftKings,
| Palantir, Proofpoint, Zillow, Qualtrics, Roblox, Robinhood,
| HubSpot, Five9, Zendesk, Coupa Software, Sofi, AppLovin (and
| I've probably missed a few)
|
| Most of these companies have solid growth profiles and will
| be far larger in ten years than they are today. Beyond that
| are dozens of single digit billion dollar tech companies born
| in the past 20 years that will join that list.
|
| The EU should also be asking itself why Atlassian and Shopify
| didn't originate there instead of Australia and Canada. Why
| didn't UiPath move its HQ to Berlin or Paris instead of NY?
| Why didn't Elon Musk start SpaceX or Tesla in the EU? Why did
| the Collisons build Stripe in California? Why is the EU
| competition for AWS companies like Hetzner, OVH and Scaleway
| (which are actually DigitalOcean peers)? One may not like
| Bezos, however he's going to push tens of billions of dollars
| into attempting to build up Blue Origin, where's the EU
| comparable by one of their zillionaires? All the biggest US
| fortunes are first generation and in technology, except for
| Buffett. The biggest EU fortunes are in fashion, cosmetics,
| retail. That's representative of the EU being left behind,
| stagnant.
|
| The US badly beat Europe in the IBM-HP-Fairchild era. The US
| badly beat Europe in the Apple-Microsoft-Intel era. The US
| badly beat Europe in the early Internet & Web era (Google,
| Amazon, Netflix, Nvidia, Cisco). The US is badly beating
| Europe in the cloud era.
|
| And that's understating things. It's not a race. The EU isn't
| even participating, they're stretching on the sidelines,
| watching the US and China compete to see who can build the
| largest tech companies (China's tech companies are largely
| locked inside of China, and that's about to get worse, so the
| US will win that contest). There's no indication that the
| Europeans have figured out how to compete, how to scale
| quickly through their own markets and then rapidly push
| globally to win markets before the US companies do. So far
| all they've come up with is top down command schemes whereby
| countries like France think they can will an AWS competitor
| into existence magically, or alternatively they scheme to use
| regulatory capture to entirely avoid having to compete.
| 908B64B197 wrote:
| It seems to be popular for European bureaucrats to bash on "evil
| foreign tech giants".
|
| I suppose if you can't grow tech at home, the next best thing is
| to regulate and tax it as much as possible.
| nolok wrote:
| There is a law. You respect it, otherwise there is a fine.
|
| Are you saying european companies that are leaders in their
| fields should not be fined by the US if they disregard its law
| when doing business there ? If yes, you should inform the US.
| If not, then you're being a hypocrite.
| boudin wrote:
| So, according to you, european countries should not be able to
| have laws and apply those? Companies like Amazon, Apple,
| Facebook and Google should not be regulated? They should be
| able to do whatever they want to do? Still seeing people in
| support of such imperialism is quite sad to be honest..
| stacker8888 wrote:
| Just forwarded this news to my executive team who held up my
| attempts at getting us GDPR and CCPA compliant for 8 months last
| year. They said the laws were 'toothless'. Happy to be proven
| correct!
| londons_explore wrote:
| Unpopular opinion: It should be illegal to _not_ use purchase
| history to make better ad placements.
|
| Forcing companies to not use all the information at their
| disposal to make business decisions leads to worse decisions. It
| would be like a superstore not being allowed to see the
| demographics of the area the store is located when deciding if
| they should stock more types of toys or false teeth. Clearly the
| families will likely be interested in toys, while the retirees
| want false teeth. Forcing families to hunt through aisles of
| false teeth is wasting their time, reducing the businesses
| revenue, and is bad all round.
|
| "We're just taking money from the megacorps" isn't true - you're
| also forcing every user of a website to get a worse experience,
| sometimes severely to their detriment.
| simion314 wrote:
| You are clearly uninformed. These companies need to ask
| permission.
|
| So a few Google, Ms, Amazon devs could put their brains to
| work, create a standard for people like you to get a beautiful
| experience, you could give them permissions to watch your
| browsing, access your health data, listen to your microphone,
| scan your files, data mine your images and social posts. You
| could even help these nice companies by filling a form where you
| tell them what kind of ads you want to see, what things you
| like, what you hate.
|
| The only problem is that either there are few people like you
| that want to give permissions, the giants don't want to share
| the profits and for sure don't care about your experience, or
| these giant devs are incompetent or are focusing on easy
| projects like throwing some npm modules to some source
| code/social posts/images and pretend they made an AI
| developer/writer/artist etc.
|
| TLDR GDPR asks for permissions, you can just click Accept ALL,
| after you clicked Accept All and the ads are still garbage then
| it is not the EU's fault that Amazon devs that work on ads are
| incompetent or are optimizing for the thing you don't care.
| inetknght wrote:
| > _Unpopular opinion_
|
| Very.
|
| > _It should be illegal to not use purchase history to make
| better ad placements._
|
| I'm not sure about legality but I think your argument should be
| made to stock regulators. I don't agree with it but I can
| certainly see your argument, on the face of it, has merit. I
| also think it's distasteful and wrong and I don't care to
| elaborate on that.
|
| > _Forcing companies to not use all the information at their
| disposal to make business decisions_
|
| There are plenty of laws which force companies to not use all
| of the information at their disposal. Privacy laws, for
| example, are set to help _people_ (not necessarily _customers_)
| have a better life. Corporations don't have a right to profit
| from people who don't wish to be profited from.
|
| > _you're also forcing every user of a website to get a worse
| experience, sometimes severely to their detriment._
|
| I fully disagree. I don't believe that using customers'
| purchase history guarantees in any way that the customer's
| experience will be better. The only thing it's likely to
| guarantee is a more profitable company. The two metrics may be
| correlated but they're not causal.
| eitland wrote:
| Seeing how unreasonably bad Google's ad quality was the first
| decade after buying DoubleClick I don't buy this.
|
| For a decade Google threw away information about what I
| searched for or what website I visited and presented generic
| "dumb male age 20 - 40" ads to me. They still do sometimes if I
| browse without adblocking enabled.
| pjc50 wrote:
| Well, that's not chicken feed, even for Amazon. Still a bit light
| on detail?
|
| The original complaint is linked from
| https://www.laquadrature.net/en/personnal-data/ - it's in French
| https://gafam.laquadrature.net/wp-content/uploads/sites/9/20...
|
| The lack of publicity or even publicly available copy of the
| ruling is odd. I guess the choice of Amazon to reside in one of
| the secretive tax haven jurisdictions of Europe has the side
| effect that it also has a really secretive information
| commissioner.
| thepangolino wrote:
| In most European countries court rulings are quite hard to get
| a hold of.
| doikor wrote:
| No, they are not. They are public records in most. Luxembourg
| is one of the few exceptions.
|
| They might not be available online but can be ordered from
| the court clerk (which is the case here in Finland for
| example) but the 2 largest EU countries (Germany and France)
| have them online for free.
|
| Though as most European countries are not using a case law
| system the actual value of getting these is not that
| important for lawyers etc.
| corty wrote:
| In Germany you do not get all the cases, just the ones the
| courts deem important enough. E.g. if the ruling is
| different from earlier ones in some aspect, if it is a
| higher court or if the case was of particular public
| interest.
| xxpor wrote:
| Is this a them being lazy thing or a German privacy
| thing?
| isbvhodnvemrwvn wrote:
| It's not just a _German_ privacy thing. There is little
| reason for the vast majority of lawsuits to be public.
| starik36 wrote:
| > can be ordered from the court clerk
|
| I would classify that as hard to get.
| Anthony-G wrote:
| Thanks for providing relevant details. I first came across this
| story on local media (syndicated from Reuters) and they were
| similarly light on detail. I then checked the News page for the
| Luxembourg National Data Protection Commission [1] but there was
| no mention of this case.
|
| [1] https://cnpd.public.lu/en/actualites.html
| throwawinsider wrote:
| The EU is doing politics, trying to capture population
| resentment at big tech, with a disproportionate fine for
| breaking rule 29.6.4.23.iv, while European companies have
| gotten away for decades with national monopolies.
|
| EU has many problems of acceptance among the population, so
| they will play dirty as a marketing campaign (see case against
| AstraZeneca and anything british)
| ElKrist wrote:
| Summarized conclusions of the original complaint [1]:
|
| 2.2.3.1 claims that Amazon does not disclose anything proving
| they intend to get consent from their users to process their
| behavioural data for ad targeting purposes
|
| 2.2.3.2 is a rebuttal against one potential line of defense
| from Amazon. This defense is "We have to collect/use data
| because this is precised in our contract with our users and so
| we need to respect this contract". The rebuttal is that the
| main goal of the contract is a marketplace to buy/sell goods.
| Ad targeting is not essential to fulfill this goal and it is
| not something that can be considered as reasonable user
| expectations
|
| 2.2.3.3 It says that Amazon does not explicitly state that
| it's in its legitimate interest to process data and do ad
| targeting. It then refers to section 2.1.3 which shows that
| Amazon could not claim legitimate interest anyway. Section
| 2.1.3 is too complicated for me as it quotes a lot of precedent
| rulings in European law to prove it can't be legitimate
| interest
|
| Please keep in mind that it is the complaint, I don't have
| details on the ruling of today
|
| [1] https://gafam.laquadrature.net/wp-content/uploads/sites/9/20...
| [deleted]
| fmajid wrote:
| At least the Luxembourg DPA is doing its job, unlike the Irish
| DPA that seems to think it is a division of the Irish
| Industrial Development Agency charged with shielding
| multinationals from accountability.
| ElKrist wrote:
| That's also the reaction [1] of "La Quadrature du Net", the
| association that brought the complaint
|
| "(...) this historical fine shows even more blatantly the
| complete resignation of the Irish authority for data
| protection, which in 3 years hasn't been able to process any
| of the 4 other claims we made against Facebook, Apple,
| Microsoft and Google."
|
| It also goes after the French authority for data protection
| (CNIL) to say basically: you used to be one of the best in
| Europe, now you're a mere shadow of your former self
|
| [1] https://www.laquadrature.net/2021/07/30/amende-de-746-millio...
| [deleted]
| za3baec wrote:
| TL;DR: LQDN claims Amazon used their users' data for targeted
| advertising without their consent
|
| The interesting bit is section 2.3 page 17 and is very short.
| whoknowswhat11 wrote:
| Which is an absolute joke because everyone using amazon to
| actually purchase anything signs their terms and data
| collection is clearly part of those terms (as one would
| expect for an online retailer).
|
| In addition, they run Amazon Marketplace and a well known
| recommendation engine and clearly allow sellers to advertise.
|
| This always seems to be more about posturing than anything
| else. Or rely on weird logic loops.
| freeone3000 wrote:
| The ruling states their EULA doesn't actually say that they
| are using the data they're collecting in order to
| advertise. Collecting data doesn't mean you're allowed to
| use that data for advertising without explicit, revocable
| consent.
| isbvhodnvemrwvn wrote:
| Consent is only valid if it's informed and specific. More
| than that the data minimization applies - you can't require
| using personal data if it's not necessary.
|
| https://gdpr.eu/article-4-definitions/
|
| https://ico.org.uk/for-organisations/guide-to-data-protectio...
| whoknowswhat11 wrote:
| They run a marketplace and make $20 billion in ad revenue
| (or more) per year.
|
| Obviously - targeting ads helps them make this money -
| how is this not a legit business purpose?
| isbvhodnvemrwvn wrote:
| Legitimate business purpose is another basis for
| processing personal data, but it can't override interests
| of the data subject:
|
| https://gdpr-info.eu/art-6-gdpr/
|
| It's like asking why a doctor can't sedate you and
| transplant your kidney, you have another one so you don't
| need it and they'll make a ton of money.
| HelloMcFly wrote:
| If the statement "collecting this data without consent so
| we can more effectively sell ads helps us make money, so
| it's a legitimate business interest" was considered a
| valid argument, would that make much of GDPR toothless?
| einpoklum wrote:
| In many jurisdictions, even if consent is informed and
| specific, a contract which is not the result of actual
| negotiations but is standard - e.g. between a client and a
| large company - can often have clauses nullified by the
| courts, either for being unfair/detrimental to the client,
| or for their presence being detrimental to public interest.
| bosie wrote:
| Is it reasonable to assume I can agree (as a non-lawyer) to
| terms and conditions that are 50 pages (wild guess) long?
| Especially since they are written in legalese?
| whoknowswhat11 wrote:
| They are very long because of things like the GDPR.
|
| That said, Amazon's are pretty darn clear.
|
| "We receive and store any information you provide in
| relation to Amazon Services. "
|
| "We use your personal information to display interest-based
| ads for features, products, and services that might be of
| interest to you"
| bosie wrote:
| TC have always been long and legalese and it wasn't
| because of GDPR. I can't find your examples in the T&C,
| it seems to be about 'privacy notice'.
|
| Am I supposed to read that too and keep up to date? I
| signed up in 2003, do you mind showing me what I agreed
| to?
|
| And out of genuine curiosity, 'any information' seems to
| be a superset of 'personal information', isn't it? What
| is "any information"? And are you saying Amazon is only
| using personal information (which is what, exactly?) to
| display ads?
| saddlerustle wrote:
| It's sad this article makes absolutely no attempt to describe
| what, exactly, Amazon did wrong.
| shakeitlikea wrote:
| Maybe it is the fact that their pseudonymisation is simply a
| sha256 hash with the same salt for every user, which is "salt"?
| fmajid wrote:
| Essentially using your Amazon purchase and browsing history to
| target you on its ad network.
| londons_explore wrote:
| I am reasonably certain that they earned more than $1B by
| using this targeting information... Their ad network is quite
| small as just $28 billion annually, but it seems unlikely
| that purchase history wouldn't uplift value more than 4%.
| saddlerustle wrote:
| It's impossible they _earned_ more than $1B _from
| Europeans_, since Amazon's entire international retail
| business still hasn't turned a profit overall.
| high_byte wrote:
| just because the profits are deferred to some time in the
| future does not mean these actions did not help the
| company expand, establish monopoly and devour other
| businesses in the meantime.
| saddlerustle wrote:
| To me it doesn't make much sense for a fine to be based
| on money a company _might_ make in the future.
| MikeUt wrote:
| They're not being fined for making too much money, but
| for the harm they've caused the market or consumers
| through anti-competitive practices.
| saddlerustle wrote:
| This is entirely tangential, but I'm interested to hear
| how, exactly, you think consumers have been harmed?
| CogitoCogito wrote:
| You seem to be changing the subject. In your post here
| you seem to be arguing that the fines should somehow be
| related to profits:
|
| https://news.ycombinator.com/item?id=28007958
|
| Frankly that argument doesn't really make sense. If I ran
| a car stealing gang and didn't turn a profit (say due to
| costs related to my underlings), then my punishment
| wouldn't just go away because I made no profits. The
| punishment would be related to the total value of the
| cars that were stolen.
|
| A similar line of reasoning here would show that Amazon's
| profits are irrelevant. It doesn't matter if they have
| zero profits today due to magic accounting or due to
| future strategy or due to monopoly building or anything
| else because the profits don't matter at all.
|
| Of course you're correct that if there's no damage
| caused by Amazon (equivalently that Amazon did nothing
| illegal), then they wouldn't have to pay any fines, but
| in that case you're changing the subject and arguing
| something other than your original point. The EU however
| seems to believe the actions to have been illegal which
| makes profit irrelevant to the discussion.
| MikeUt wrote:
| I was stating what was probably the court's opinion, not
| necessarily my own.
|
| But to answer your question, consumers can be harmed
| through loss of choice, as Amazon forces out other
| businesses.
|
| I'd also caution against focusing exclusively on harm to
| consumers. The harm to businesses is just as real, and
| something governments are justified in trying to prevent.
| Their citizens, business-owner and consumer alike, will
| not thrive in an environment where a handful of companies
| dominate, crushing or absorbing any competitors through
| underhanded means. Businesses and consumers do not live
| in separate worlds.
| james_in_the_uk wrote:
| Privacy is a fundamental right in the EU. Data protection
| law is not consumer protection law, and thf. "consumer
| harm" is the wrong lens.
|
| I don't read French and so haven't read the complaint,
| but I am a data lawyer, so I can make a fair guess. The
| harm alleged to have been suffered is likely to be that
| persons have been tracked and profiled without their
| consent, in breach of their legal right not to be, and so
| have suffered an unwarranted intrusion into their private
| life.
|
| To those from countries whose legal systems treat privacy
| as a consumer or constitutional right, this may seem
| anti-intuitive. Even within the EU, there is plenty of
| controversy around some of the legal points at issue in
| these types of cases/complaints. Regulators are not
| always immune from doctrinal thinking.
|
| It will be interesting to read the full findings of this
| specific regulator when available.
| corty wrote:
| It actually isn't.
|
| The fine is based on last annual turnover, not profit and
| certainly not future profit. Even if Amazon were taking a
| loss, they still would be fined this amount.
| mytherin wrote:
| So because Amazon is taking their immense revenue and
| expanding they should be immune from fines/consequences
| for their actions? Clearly they are receiving tons of
| revenue from their European operations.
| kube-system wrote:
| No but it does make sense to fine them based on how big
| their operations are
| CogitoCogito wrote:
| Aren't these sorts of fines usually based on revenue and
| not profit? The revenue is the money taken from Europeans
| and not the profit. Basing the fines directly on profit
| doesn't really make much sense.
| dybber wrote:
| It's based on their global revenue.
| CogitoCogito wrote:
| Thanks for the clarification. This makes a lot of sense.
| jjcon wrote:
| I'm pretty tired of this line - the way Amazon is
| choosing to use their revenues for tax purposes means
| they aren't turning profits but they are certainly
| profitable
| saddlerustle wrote:
| It isn't a tax dodge, it's a simple matter of Amazon's
| international retail business still growing quickly and
| so needs a lot of capital. Happy to look at any evidence
| otherwise.
| [deleted]
| whazor wrote:
| But they also have to fix it otherwise they will risk more
| fines.
| Bjartr wrote:
| Isn't that the point though? That violating the
| restrictions has negative return taking the fine into
| account?
| doytch wrote:
| I believe they're saying that it _doesn't_ have negative
| returns. The fine is under 1 billion dollars, and the
| poster you replied to is saying they're "reasonably
| certain that [Amazon] earned more than $1B by using this
| targeting information."
|
| So the poster is saying that they believe it was worth it
| for Amazon to break the law and pay an $888 million fine.
| benjaminjosephw wrote:
| But, of course, the fine isn't a price point for unlawful
| behaviour but a penalty levied in judgement of the fact
| that the company violated the social contract. Seeing
| fines simply as a business cost would be a serious
| distortion of the way society should function. Could
| people in boardrooms actually entertain that kind of
| reasoning in good conscience? I really hope not.
| threatofrain wrote:
| It's a principle in western law that punishments be
| specified ahead of time so that a person could choose to
| break the law if they felt it was worthy. In such a
| framework punishments cannot be so extreme that you would
| never consider breaking the law.
|
| IMO the dismay at this idea is coming from those who
| consider law as part of morality, in which case, it may
| be immoral to even develop a calculus for ignoring
| morality when the material returns are good enough.
| hobs wrote:
| Genuinely - are you being sarcastic or just a rube?
|
| People in boardrooms don't entertain reasoning in good
| conscience because conscience doesn't come into it - just
| "Does this make us more money?"
| benjaminjosephw wrote:
| Boardroom greed might follow a logical rationale but this
| behaviour isn't reasonable in the long run. Disregard of
| fairness and civil conduct won't be worth the eventual
| cost of a society that becomes increasingly opposed to
| the system itself.
|
| Break the law once, shame on you - pay a fine. Break it
| twice, well, we might rewrite the law so the fine is
| enough to actually deter you. Break it three times and
| shame on us for letting you trade at all.
| hobs wrote:
| There's no long term strategic plan - people are mortal
| and time out of boardrooms just in time for their golden
| parachutes to open.
| adventured wrote:
| With Amazon there has been a long-term strategic plan.
| Bezos had been operating Amazon at a high level for a
| quarter of a century and most of his personal wealth is
| tied up in the stock. Your golden parachute premise
| doesn't apply in this case. There was a strategic plan,
| Bezos wasn't counting the seconds waiting on a golden
| parachute. Amazon is largely commanded by long-serving
| execs that notoriously take a long-term strategic view,
| not executives looking to bail out at any moment. Jassy
| for example has been there since 1997.
|
| Amazon's ad business has extraordinary margins and is
| growing fast. They knew they could afford speed bumps
| between the starting block and where they plan to end up
| (one of the world's largest ad networks, reliably
| printing $30 billion per year in operating income).
| hobs wrote:
| That's one company, and the long term you are discussing
| is for their own benefit, not to the long term benefit
| the poster was discussing, so you prove my point.
|
| Long term view is something like 1,000 years TO START. A
| 20-50 year viewpoint is a baby.
| thereare5lights wrote:
| > Boardroom greed might follow a logical rationale but
| this behaviour isn't reasonable in the long run.
|
| We already see that boards don't care about the long run
| in the US. Companies chase short term gains at the
| expense of everything else all the time.
|
| > Disregard of fairness and civil conduct won't be worth
| the eventual cost of a society that becomes increasingly
| opposed to the system itself.
|
| This is true but it doesn't matter if the people running
| things are short sighted and selfish.
| miohtama wrote:
| It is not public yet. Amazon had to disclose ongoing
| investigation to the shareholders.
| markus_zhang wrote:
| I wonder whether these mega fines ever get paid in full?
| pdimitar wrote:
| Was always wondering the same. How much weight does "you have
| been fined $10M" have? Do they pay them in like 100
| installments over the course of 5-10 years?
| isbvhodnvemrwvn wrote:
| I don't know about other countries, but in Poland the fine
| has interest - no less than 8%, it's tied to the economic
| indicators. It's at the minimum of 8% right now due to covid.
| wongarsu wrote:
| > the Luxembourg data protection authority slapped Amazon with
| the record fine in a July 16 decision that accused the online
| retailer of processing personal data in violation of the EU's
| General Data Protection Regulation, or GDPR. Amazon disclosed the
| findings in a regulatory filing on Friday, saying the decision is
| "without merit."
|
| > "There has been no data breach, and no customer data has been
| exposed to any third party," Amazon said in a statement, adding
| that it plans to appeal. "These facts are undisputed. We strongly
| disagree with the CNPD's ruling."
|
| That sounds like Amazon saying "as long as we don't expose data
| we can do whatever we want with it", which isn't how the GDPR
| works at all.
| Jyaif wrote:
| When a company uses unrelated facts to try to steer the
| opinion, it means they have nothing else to defend themselves
| with.
|
| It still makes financial sense for them to fight this ruling
| even if they have 0 basis for it: simply delaying the payment
| of a 800M euro fine covers the lawyers' fees.
|
| There should be interest on fines to account for this.
| whoknowswhat11 wrote:
| Dude, there has been no data breach.
|
| When you sign up with amazon you agree to their terms. These
| are pretty darn clear.
|
| The decision rests on a whole complicated series of make
| believe facts. That users were not told their data would be
| collected (false) or that they weren't told or aware that
| amazon used ads or targeting (despite amazon recommends stuff
| on literally every page or similar customers bought xxx).
|
| The idea that this is a data leak is crazy - amazon is doing
| stuff in-house there is no sale to third parties here.
| shawabawa3 wrote:
| Nobody is saying it's a data leak
|
| The fine is for not getting explicit consent to use data in
| targeted ads. Maybe they ruled that something buried in a
| huge T&C document doesn't count as consent
| whoknowswhat11 wrote:
| God, this is why these terms and conditions are so long.
|
| 1) Yes - they say they will use your data in this and other
| ways.
|
| 2) The T&C's and the presence or absence of this statement
| in them is NOT meaningful to any ordinary users - these
| things have had to get so long they are not useful anymore.
|
| 3) The ads and suggestions targeting you are obvious on
| these sites. There is no secret.
|
| Note - their T&C says the following:
|
| "We receive and store any information you provide in
| relation to Amazon Services. "
|
| "We use your personal information to display interest-based
| ads for features, products, and services that might be of
| interest to you"
|
| This is as clear as can be.
| robin_reala wrote:
| All the information you need to read and understand to sign
| up to Amazon (in English) is 12k words, or an hour and a half
| of average reading time. What percentage of users do you
| think spend an hour and a half to read and comprehend the
| terms? 1%? 0.1%? 0.01%?
|
| In addition, under GDPR consent has to be separate from terms
| and conditions, it has to be opt-in, and the explanation of
| what you opt in to has to be clear and concise.
| whoknowswhat11 wrote:
| And this is why folks hate the GDPR. As soon as we have to
| jump through 10 more screens to do anything people are
| going to be even more annoyed at the cookie and now GDPR
| wall you have to fight through to use websites.
| aminozuur wrote:
| Considering Amazon's revenue of $443 billion (last twelve
| months), this fine is less than one day's worth of revenue.
| whitepaint wrote:
| Revenue != net profit; how on earth so many people are
| continuously mistaking it?
| [deleted]
| thrwyoilarticle wrote:
| Not the person you're replying to? They said revenue.
| triactual wrote:
| They said revenue but they don't understand what it means.
| Only a few percent of that revenue is actually profit -
| perhaps there is no profit depending on the market. It's an
| especially tiresome thing to point out since probably more
| than half of HN readers are paid a salary out of these kind
| of revenue figures.
| thrwyoilarticle wrote:
| It's unfair to assume they don't know what revenue is.
| Comparing it to the revenue is perfectly valid. Amazon
| famously didn't make a profit for many years, does that
| mean that they couldn't afford any fine during that
| period? I think it implies that the profit of a company
| is a poor indicator of their wealth and what they can
| afford.
| denton-scratch wrote:
| The law provides for fines to be a percentage of
| _turnover_.
|
| A fine as a proportion of profits just reduces your
| profits by a few percent; as long as your profits are
| still huge, it doesn't matter, and you pay up. If it's a
| percentage of turnover, you might well end up with losses
| for that year, and no profits at all.
|
| The regulation is designed to make your shareholders sit
| up, and put pressure on the board to come into
| compliance. It was targeted at turnover rather than
| profits for obvious reasons - corporate accountants are
| very good at making profits invisible. And turnover is
| relatively easy to measure.
|
| [Edit] Changed "revenue" to "turnover" - "revenue" was an
| alternative fact.
| mewpmewp2 wrote:
| The person seemed to be implying as if they were making the
| money back in 1 day otherwise this comparison would be
| meaningless, as they can have infinite revenue, but 0
| profit.
| thrwyoilarticle wrote:
| Who's better positioned to pay a fine, an individual
| contractor who makes $1mil profit in a year or an
| unspecified company that makes no profit but has a >$1B
| market cap and high revenues?
|
| It feels like the person I replied to first is so eager
| to assume others don't understand the difference between
| profit and revenue that they miss the forest for the
| trees.
| s1artibartfast wrote:
| I think it is unclear because the top level post didn't
| make a conclusion, just threw out a fact.
|
| If the implied conclusion is the fine won't hurt or have
| an impact because revenue >> the fine, they are missing
| the relevance of comparing the fine to profit.
|
| I'm not sure what other conclusion they would want people
| to take from the fact presented
| tpmx wrote:
| Luxembourg's government revenue is approx $33 billion.
|
| This fine is about 10 days worth of Luxembourg government
| revenue.
| 55555 wrote:
| Holy crap, what do they even do with that money? I'd love to
| read more about this. They have 615,000 people living there,
| meaning they get 55,000 USD in gov revenue per person.
|
| For comparison, the US gov got ~8,750 USD in rev per head in
| 2019.
| Anthony-G wrote:
| > Holy crap, what do they even do with that money?
|
| Free public transport for one. [1]
|
| I holidayed there a couple of years ago before they made it
| free and even then, it was still heavily subsidised. It
| cost only EUR4 for a ticket that covered bus, tram or train
| to anywhere in the country for that day. Even in rural
| areas, buses were travelling every half hour from early
| morning until late evening. It was great for long hikes (or
| kayak trips) and returning by bus. I loved the freedom of
| it all.
|
| [1] https://luxembourg.public.lu/en/living/mobility/public-trans...
| the_duke wrote:
| Does that figure combine all federal AND state taxes?
|
| That seems pretty low.
| 55555 wrote:
| I assume it was federal only. My bad.
| jsnell wrote:
| What matters isn't really the government revenue but the
| government spending. The discrepancy is a lot smaller for
| the latter metric. In 2020, the US government collected
| 10.5k/person but spent 20k/person.
| ndr wrote:
| The fines are obviously not intended to bankrupt them. Amazon
| had $7.8 billion in profit this quarter, 10% of that should
| hurt badly enough to course correct, shouldn't it?
| saddlerustle wrote:
| It's worse than that. Almost all of Amazon's profit comes
| from AWS and its US business, but this fine is entirely a
| cost due to its retail business in the EU.
|
| The operating income of Amazon's international retail
| business in 2020 was just $700m, it makes their entire
| European business last year overall unprofitable.
| adwn wrote:
| > _It's worse than that [...] it makes their entire
| European business last year overall unprofitable_
|
| How's that a bad thing under the assumption that they
| behaved in an illegal way? Fines are supposed to hurt, and
| this fine won't bankrupt Amazon.
| denton-scratch wrote:
| Ever heard of transfer pricing?
|
| [Edit] I think I was rightly downvoted for being snarky.
| I'll try to remember not to snark.
| Dylan16807 wrote:
| > a July 16 decision that accused the online retailer of
| processing personal data in violation of the EU's General Data
| Protection Regulation, or GDPR
|
| Well that's sure vague, and the article didn't seem to have
| anything more specific.
|
| > Some lawmakers and regulators have raised concerns that the
| company has used what it knows to give itself an unfair advantage
| in the marketplace.
|
| That kind of thing has been a big concern but it doesn't require
| personal data, just a bunch of sales statistics.
| jstummbillig wrote:
| > Well that's sure vague
|
| I am currently implementing GDPR for a health related startup.
| This half sentence sums up the entire regulation pretty well.
| It's infuriatingly unspecific about what you can do, and full
| of vague hinting on things that you maybe really should not do.
|
| "Can I do this?" "Yeaaaah, not exactly saying that you can't
| but maybe it would REALLY be better if you don't, maybe"
|
| Absolutely disgusting. Lawyers must be thrilled to have it.
|
| Edit: My gripe is not at all with privacy protection laws but
| with laws that are unclear. Apparently I have been unclear.
| denton-scratch wrote:
| > Absolutely disgusting. Lawyers must be thrilled to have it.
|
| Well, if a company's determined not to comply with GDPR, then
| it's going to be on the lookout for loopholes, and ways
| around the legislation. And indeed, if that's its plan, and
| the legislation is vague, it's going to need a _much_ bigger
| legal department. That's not the law's fault; that's because
| the company doesn't want to comply.
|
| If on the other hand a company wants to comply, then that
| very vagueness protects it, on my reading. It's hard to
| imagine being done for GDPR violations, if you've
| familiarised yourself with the provisions; and if you are
| affected, have a concrete plan to ensure you are in
| compliance.
|
| I confess that I don't like the vagueness. It gives greater
| discretion to the judge. I've lived all of my life under UK
| law, which is more specific and prescriptive than the laws of
| most EU states, where judges have much more power.
| joejerryronnie wrote:
| This is by design as most EU data privacy/competition laws
| are thinly veiled attempts to extract bribe money from large
| US tech firms. Sadly, the US gov is also following down this
| road.
| [deleted]
| mhitza wrote:
| I'm actually a proponent of GDPR and not a lawyer.
|
| I'm pro consumer protection so I might be biased. On the
| other hand it's an easy to read legislation
| https://gdpr-info.eu/
| lovemenot wrote:
| To what extent is your startup's business dependent on
| violating users' or others' privacy? Will it be uncompetitive
| if they don't?
|
| It's a broad question, not a legal one.
|
| If the answer is: it's very important, because our
| competitors will violate and win, then EU probably expects to
| apply industry-wide regulation.
|
| If the answer is, not much or we don't know yet, then just
| don't. Please.
|
| Law and money are certainly important, but there's other
| important things too.
|
| Look at it from the regulators' perspective. Regulators will
| always lag nimble startups. But if those companies are
| violating reasonable and widely-held principles (perhaps not
| the law, yet) how should the EU best apply those principles
| into law?
|
| I find the vagueness of the GDPR exactly satisfies this
| dilemma.
| iamacyborg wrote:
| > It's infuriatingly unspecific about what you can do, and
| full of vague hinting on things that you maybe really should
| not do.
|
| It really isn't that complicated.
|
| You can collect and process data assuming you have a valid
| business reason to do so. You need to collect/process that
| data in a way that complies with the law based on what you're
| collecting/processing.
|
| Want to collect people's health data? Cool, ask them for
| consent and you've got the right to collect it.
|
| Want to process that data to make decisions about their
| insurance premiums? Sure, you can do that, but you'll need
| the user's consent.
| sterwill wrote:
| There's a lot of uncharitable talk in this thread, where
| comments like yours assume bad intent on behalf of
| businesses who find GDPR compliance challenging. It's a
| giant body of regulatory law, of course it's complicated!
| The GDPR probably _isn't_ hard to deal with if you don't
| actually care about privacy; it's easy to just not follow
| the law and hope you don't get caught. But if your company
| respects individual privacy, and collects personal data
| only with a lawful basis, and needs to make assurances to
| its customers that all the regulations are being followed,
| there's a lot of work you have to do to demonstrate
| compliance, and many specifics (for example, with regards
| to personal data erasure in backups and archives) are
| completely unspecified. How uncomplicated is that issue?
| denton-scratch wrote:
| The more collecting and processing you want to do, the
| more complying you're going to have to do, I can see
| that.
|
| With respect to the archives: don't you think that's best
| left to the company and their legal department? - As far
| as I'm concerned, an archive is by definition immutable.
| And if a company can't protect its own archives, it's
| got worse problems than GDPR.
| jstummbillig wrote:
| > The more collecting and processing you want to do, the
| more complying you're going to have to do, I can see
| that.
|
| I am sorry, but this is too hand-wavy considering the
| insane complexity we are touching here.
|
| To illustrate, a super simple example: Someone writes you
| (a business entity, it's harder when it's in health) a
| mail with a random business related request.
|
| If you think, it should be fair enough to a)
| receive/store, b) read and/or c) answer to this very much
| unsolicited mail you are mistaken. If you think, that
| there is a clear/sane/minimal way to handle any of these
| scenarios, you are wrong again.
|
| Depending on your exact situation and request you might
| first have to respond by asking the party to waive their
| right to encrypted communication (which they, of course,
| couldn't even execute, since pgp is obviously not a thing
| with real people in the real world), and/or their
| physical address, to SEND THEM YOUR ANSWER VIA POSTAL OR
| FUCKING FAX, because that is deemed a sane way to get
| around problems with email storage/encryption, even in
| big companies and governmental agencies.
|
| You definitely also have to delete the email after some
| amount of time. All of a sudden you (as in some random
| person who just wants to do business in the modern times)
| have to figure out retention policy and implementation (or
| pay some consultant, who will be happy to be paid to
| figure out how to use email for your business without
| getting sued in 2021)
|
| In case you don't run your own email server on your own
| fucking physical server, you also better get a contract
| with every relevant so called Processor (Art. 28 GDPR) in
| the chain. This however might not suffice if you want
| to use gmail/google workspace (or in any other non-eu
| hosted provider). Depending on the industry it might
| simply be illegal for you to use these services. I say
| might, because, honest to god, there is no clear fucking
| answer on this. Trust me, I looked.
|
| But you know what, this is not my biggest gripe with
| GDPR. It's not the burden that it puts on seemingly
| simple processes, no matter how well intentioned you
| might just want to get your actual job done.
|
| The biggest gripe is that it's full of vague wordings
| like "meet requirements to ensure protection" without
| specifying the exact fucking requirements, or "careful
| handling of sensitive data", as if that explained
| anything. What the fuck? If you are _actually serious
| about creating a law to protect privacy_ you have to at
| least provide very serious specs - and, I would argue, to
| not completely fuck all the normies trying to run a
| business, also easy and cheap implementation.
|
| After having done a very thorough trip through the entire
| thing, I am 99% certain that 99.9% of businesses are
| knowingly and/or unknowingly in violation of GDPR.
| denton-scratch wrote:
| That stuff about mandatory email encryption is nonsense.
| Nothing in GDPR impacts on the way a normal mailserver
| operates.
|
| And if you're running a mailserver, then you've got a
| retention policy. Either it's your policy, or it owns
| you.
| jstummbillig wrote:
| I envy you for your naivete but I sincerely hope you don't
| advise anyone on this topic.
| dekhn wrote:
| I worked on GDPR for a health related startup and at some
| point, I had to start explaining GDPR and HIPAA to the
| lawyers! The lawyers thought the startup was subject to
| HIPAA, but we weren't a health org or a BAA, and I explained
| that. They said "well it's probably better if you just follow
| that law anyway"
| sterwill wrote:
| Having worked in a US health tech start-up (and done some
| compliance work there), and now working with GDPR as a US
| company, I'm similarly frustrated with how imprecisely the
| regulations are worded. US health information privacy laws
| are much easier to interpret and follow. Large, important
| parts of GDPR compliance hinge on wording like "the
| processing is not occasional." "Occasional" is not defined in
| the regulations, and different countries' advisory bodies
| have completely opposite interpretations about what it means.
| wil421 wrote:
| Feel your pain. At my last job I worked with mostly EMEA
| and mainly EU countries. Worked directly with our lawyers
| in the EU to make sense of it all. This was right when the
| GDPR was looming and it was stressful to figure out how to
| comply.
| izacus wrote:
| Well, on the other hand you have American corporations
| stealing data from every orifice because they can get away on
| technicalities of those ultra specific laws.
|
| "Well, actually we DID put an 8pt text on a subpage somewhere,
| the law doesn't define the text size of disclosure, MINE
| AWAY!".
|
| EU seems to have learned the lesson. Heck, even American
| corporations like Google, Apple and Amazon put vague
| descriptors in their terms of service and AppStore rules so
| they avoid rules lawyering.
| speedgoose wrote:
| I work in an IT health care company in Europe. The main
| difficulties are the laws and regulations, not the software
| development. But I think it's a good thing.
|
| Good luck for your work and if you aren't sure if you can do
| it, don't.
| Jyaif wrote:
| Apparently this is due to this French association whose main goal
| is to sue the big tech companies. They've sued Google, Apple,
| Facebook, Amazon, and Microsoft:
|
| https://gafam.laquadrature.net/
| ElKrist wrote:
| This is a misrepresentation of the association. They existed
| way before this campaign and GDPR
|
| The first paragraph [1] of their About section mentions they
| started in 2008 to fight against HADOPI, which is the French
| authority created to enforce copyrights in reaction to
| (illegal) streaming/p2p sharing of music/movies etc.
|
| Recently, they're fighting against new French laws allowing the
| government to collect/process more data on all its citizens for
| supposedly anti-terrorism purposes
|
| [1] https://www.laquadrature.net/nous/
| isbvhodnvemrwvn wrote:
| You can't sue companies under GDPR.
| quonn wrote:
| It would be better to require a license for (any) data processing
| at scale which is easily granted (covering all possible use
| cases) but can be perpetually revoked. That would be taken much
| more seriously than these fines.
| paublyrne wrote:
| If it's already not allowed to use data in this way - thus the
| fine - what purpose would allowing and revoking the right to do
| so serve? It's already prohibited.
| colechristensen wrote:
| Not "in this way" but at all.
|
| in other words if you lose the right to process or possess
| the data at all.
|
| "corporate death penalty" kinds of regulation need to happen
| more often
| laurent92 wrote:
| What if law defined the processes more closely? "Billing
| data must be kept for 2 years numerically and 10 years on
| an offline device or paper. Marketing data can be kept for
| 6 months until renewal of consent by the user. The rest is
| permitted upon license."
| [deleted]
| dahfizz wrote:
| And what is the punishment for operating without a license?
| Seems like a roundabout way to implement a fine.
| chopin wrote:
| The compelling thing with GP's proposal would be that it is
| easier to enforce. If the license is revoked there is no gray
| area for interpretation left.
| dahfizz wrote:
| Both proponents and opponents of GDPR have said that the
| ambiguity of GDPR is an intentional feature. It closes
| loopholes or allows for arbitrary power of politicians,
| depending on who you ask.
___________________________________________________________________
(page generated 2021-07-30 23:01 UTC)