Eu gdpr

  • Eu gdpr

    Apparently US companies see themselves unable to comply with laws. After all it was only passed two years ago. And became active today.

    [Image: gdpr-ct.jpg]

    (above message applies for at least all newspapers owned by Tronc)
    GDPR: US news sites blocked to EU users over data protection rules

    A number of high-profile US news websites are temporarily unavailable in Europe after new European Union rules on data protection came into effect.

    The Chicago Tribune and LA Times were among those posting messages saying they were currently unavailable in most European countries.

    The General Data Protection Regulation (GDPR) gives EU citizens more rights over how their information is used.

    The measure is an effort by EU lawmakers to limit tech firms' powers.

    Under the rules, companies working in the EU - or any association or club in the bloc - must get express consent to collect personal information, or face hefty fines.

    Which sites are unavailable?

    News sites within the Tronc and Lee Enterprises media publishing groups were affected.

    Tronc's high-profile sites include the New York Daily News, Chicago Tribune, LA Times, Orlando Sentinel and Baltimore Sun.

    Its message read: "Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market."

    Lee Enterprises publishes 46 daily newspapers across 21 states.

    Its statement read: "We're sorry. This site is temporarily unavailable. We recognise you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore cannot grant you access at this time."

    CNN and the New York Times were among those not affected. The Washington Post and Time were among those requiring EU users to agree to new terms.

    What is GDPR?

    Lawmakers in Brussels passed the new legislation in April 2016, and the full text of the regulation has been published online.

    Misusing or carelessly handling personal information will bring fines of up to 20 million euros ($23.4m; £17.5m), or 4% of a company's global turnover.

    In the UK, which is due to leave the EU in 2019, a new Data Protection Act will incorporate the provisions of the GDPR, with some minor changes.

    All EU citizens now have the right to see what information companies have about them, and to have that information deleted.

    Companies must be more active in gaining consent to collect and use data too, in theory spelling an end to simple "I agree with terms and conditions" tick boxes.

    Companies must also tell all affected users about any data breach, and tell the overseeing authority within 72 hours.

    Each EU member state must set up a supervisory authority, and these authorities will work together across borders to ensure companies comply.

    The new chair of the European Data Protection Board, Andrea Jelinek, told the FT they expected cases to be filed "imminently".

    "If the complainants come, we will be ready," she said.

    Ireland's data regulator Helen Dixon also spoke to the newspaper, saying the country was ready to use "the full toolkit" against non-compliant companies.

    Both Facebook and Twitter have their EU headquarters in Ireland.

    The new rules come amid growing scrutiny about how major tech companies like Google and Facebook collect and use people's personal information.

    Facebook founder Mark Zuckerberg faced questions from MEPs earlier this week about his company's collection of data.

  • #2
    Activists Are Already Targeting Google and Facebook Over Europe's New Data Privacy Law That Went Live Today

    By David Meyer 3:53 AM EDT

    Europe’s sweeping new data privacy regime came into effect this morning, and privacy activists are not wasting time in flexing their muscles. One organization has already made official data protection complaints about Google, Facebook, WhatsApp and Instagram, while another is going after the shadowy data brokers that trade people’s information behind the scenes.

    The complaints about Google, Facebook and Facebook’s subsidiaries come from a group called None Of Your Business (NOYB)—a non-profit founded by the very successful serial Facebook litigant Max Schrems. Schrems, the Austrian lawyer who annihilated the U.S.-EU Safe Harbor data-sharing agreement a few years ago, formed the crowdfunded NOYB in order to take on big tech firms that break the EU’s new General Data Protection Regulation (GDPR).

    The new law only lets companies process people’s data if they have a valid legal basis for doing so. Several justifications are acceptable, and consent is one of the most frequently-chosen options. However, users have to be able to freely give their consent—the law says people can’t be forced into consenting to their data being processed, in order to use a service.

    According to Schrems and his NOYB group, Google and Facebook are railroading users in this way.

    “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the ‘agree’ button–that’s not a free choice; it more reminds of a North Korean election process,” said Schrems in a statement. “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”

    So NOYB has lodged complaints with a variety of European privacy regulators, “to enable European coordination.” One complaint, covering the consent requirements of Google’s Android, has been filed in France. The main Facebook complaint has been filed in Austria, while those for Instagram and WhatsApp are in the inboxes of the Belgian and Hamburg regulators respectively.

    In case you’re wondering how a company is supposed to deliver a service without users giving their consent to their personal data being processed, here’s the deal: If the data really has to be processed in order to deliver the company’s services, then that’s a valid legal justification in itself. For example, an email service doesn’t need to get consent in order to send and deliver people’s emails. Consent is only needed when the company is trying to do other things with that data, such as using it to make money from advertisers.

    Schrems and his non-profit argue that, if their complaints are successful, the victory should put an end to all those annoying consent popups that many companies think the GDPR demands.

    “If companies realize that annoying pop-ups usually don’t lead to valid consent, we should also be free from this digital plague soon,” he said. “GDPR is very pragmatic on this point: Whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”

    “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on May 25th,” said Facebook privacy chief Erin Egan in a statement.

    “We build privacy and security into our products from the very earliest stages and are committed to complying with the EU General Data Protection Regulation,” said a Google spokesperson.

    Meanwhile, a separate group in the U.K.—Privacy International—has launched an investigation into the companies that do behind-the-scenes trading of personal data.

    The organization has sent letters to firms like Acxiom, Criteo and Quantcast, asking them how they handle personal data. The GDPR is pretty firm on this stuff—people are supposed to know when a company has their data, and companies are not supposed to be using that data to build profiles of people if that’s not the case.

    “We welcome GDPR taking effect,” said Privacy International legal officer Ailidh Callander. “It’s been a long time coming, and GDPR is an important step in the right direction, providing essential safeguards to our human rights to privacy and data protection, by imposing more stringent obligations on companies, strengthening rights of individuals, and increasing enforcement powers. GDPR is a key tool to empower individuals, civil society, and journalists to fight against data exploitation.”

    The GDPR threatens companies with massive fines for breaking its many terms—up to €20 million ($23.4 million) or 4% of global revenues, whichever is bigger. While these are big, scary figures, though, it is deeply unlikely that fines will be that high in any but the most egregious cases.


    • #3
      Probably comes down to, do these companies derive enough revenue from EU customers to be worth making all the changes required by GDPR? I'm not talking about the Googles and FB's of the digital world, and not so much the LA Times or WaPo, but the smaller operators who aren't so big. How many people from the EU read the Orlando Sentinel? The few dollars a day they derive from ad revenue from EU visitors wouldn't pay for the changes required.

      In my mind, it's sort of amusing what this Schrems guy has to say.

      “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the ‘agree’ button–that’s not a free choice;
      FB is the quintessential waste of time. It's definitely a choice on whether or not to use it. The site is all about giving up your personal thoughts, positions, pictures and anything else that you are willing to click on or post.


      • #4
        As long as Facebook offers its services to European customers it has to offer doing so while providing the option to selectively opt in to the various ways Facebook sells your data to others for advertising. That's what the "choice" has to be about.

        Originally posted by JCT
        Probably comes down to, do these companies derive enough revenue from EU customers to be worth making all the changes required by GDPR?
        Ah, but it's moderately simple to "make that change" - if the ad revenue lost from European customers doesn't bother you either way.

        This is how USA Today does it:

        [Image: usatoday.jpg]


        • #5
          Apparently the Boston Globe on May 23rd already made sure its policy isn't just compliant on May 25th 2018 - but also on March 30th 2019, throughout the policy in every instance mentioned:

          [Image: ukeea.jpg]

          Also see that link for a probably fully GDPR-compliant data policy with a US entity. Or at least an attempt at one - because it doesn't work. In order to set your options on them transferring your data you have to accept the entire privacy policy with default settings first.

          Oddly enough the geographical thing seems to be something particularly challenging to people writing privacy policies. You alternately get in descriptions of where GDPR concepts apply:
          • "in Europe" (wrong)
          • "in certain European countries" (the cop-out variant)
          • "the European Union" (correct as of May 25th)
          • "the EEA" (there was a draft proposal to apply it on June 1st, currently tentatively postponed to July or August 2018)
          • "the EEA and Switzerland" (Switzerland has its own data protection policy that's being overhauled to embed the same principles)
          • "the EEA and the UK" (not until March 30th 2019)