Google Fined $57 Million By French Data Privacy Body For Failing To Comply With EU's GDPR Regulations (venturebeat.com)

← Back to Stories (view on slashdot.org)

Google Fined $57 Million By French Data Privacy Body For Failing To Comply With EU's GDPR Regulations (venturebeat.com)

Posted by BeauHD on Monday January 21, 2019 @11:40AM from the drop-in-the-bucket dept.

schwit1 shares a report from VentureBeat: Google has been hit by a $57 million fine by French data privacy body CNIL (National Data Protection Commission) for failure to comply with the EU's General Data Protection Regulation (GDPR) regulations. The CNIL said that it was fining Google for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization," according to a press release issued by the organization. The news was first reported by the AFP. What the CNIL is effectively referencing here is dark pattern design, which attempts to encourage users into accepting terms by guiding their choices through the design and layout of the interface. This is something that Facebook has often done too, as it has sought to garner user consent for new features or T&Cs.

It's worth noting here that Google has faced considerable pressure from the EU on a number of fronts over the way it carries out business. Back in July, it was hit with a record $5 billion fine in an Android antitrust case, though it is currently appealing that. A few months back, Google overhauled its Android business model in Europe, electing to charge Android device makers a licensing fee to preinstall its apps in Europe. Google hasn't confirmed what its next steps will be, but it will likely appeal the decision as it has done with other fines. "People expect high standards of transparency and control from us," a Google spokesperson told VentureBeat. "We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We're studying the decision to determine our next steps."

109 comments

Min score:

Reason:

Sort:

Thank you may I have another! by Anonymous Coward · 2019-01-21 11:50 · Score: 0

Soon, the French can pay their people!
1. Re:Thank you may I have another! by olsmeister · 2019-01-21 11:57 · Score: 1
  
  I'm guessing Google will send some low level admin person to check between the cushions of the couches in the office to pay this.
2. Re:Thank you may I have another! by Anonymous Coward · 2019-01-21 14:18 · Score: 0
  
  So, they'll be stealing from their employees? How typical.
Speeding fine by Anonymous Coward · 2019-01-21 11:53 · Score: 4, Insightful

Based on that, my next speeding fine should be about $0.27
Corporate fines MUST be based on International turnover (they hide profits too well), or better year a minimum of 12 months in federal prison for all of the Management.
1. Re:Speeding fine by Anonymous Coward · 2019-01-21 12:26 · Score: 0
  
  Make that 12 years...or better yet 120 years!!
2. Re: Speeding fine by Anonymous Coward · 2019-01-21 12:42 · Score: 0
  
  Come on, we're the EU. People, even corporate criminals, have some rights here. You can't be executed, or thrown in jail for life for stealing two candy bars and downloading a movie.
3. Re: Speeding fine by Anonymous Coward · 2019-01-21 12:47 · Score: 0
  
  Well, if you are a EU citizen that is. Anyone else... who cares.
  The GDPR's sole reason to exist is to go after US companies, because the law is so difficult to comply with (a Mom and Pop shop cannot afford a full time DPO because they might have a visitor from the EU, or ship a package across the pond). If you look at europa.eu, you never see it used to clean house domestically.
  Jingoism at its best.
4. Re:Speeding fine by Opportunist · 2019-01-21 12:52 · Score: 1
  
  Lifetime + 70 years sounds good.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
5. Re:Speeding fine by Anonymous Coward · 2019-01-21 12:57 · Score: 2, Funny
  
  So, Google was fined the amount of money they make in 8 hours.
  That will teach them a lesson.
6. Re: Speeding fine by Mr.+Dollar+Ton · 2019-01-21 13:11 · Score: 5, Insightful
  
  GDPR's sole reason to exist is to give me a legal option to force the likes of Facebook and Google to store and process my private information in a more responsible manner.
  It is not difficult to comply with. A Mom and Pop shop does't need "a full time DPO" if they have a visitor from the EU or ship a package occasionally.
  I looked at europa.eu, and I don't understand what you mean at all by "cleaning house domestically". The GDPR applies with the same strength everywhere in the EU, and to all companies that operate there. I've had personal data removed by EU companies after a GDPR request.
  Take a breather, nobody's buying your sad FUD.
7. Re: Speeding fine by Anonymous Coward · 2019-01-21 13:15 · Score: 0
  
  EU is a sham organization made of a small bunch of millionaire bureaucrats doing the US' bidding. If this law kills mom and pop sites and legalizes data rape under condition of putting up a small popup with an X and OK button that's probably a feature.
8. Re: Speeding fine by Anonymous Coward · 2019-01-21 13:35 · Score: 0
  
  "Data rape" is what the fined US company from TFA is doing to you just now. Are you relaxed and enjoying it? Or are you specifically waiting for the time when "data rape" might be legalized in the EU?
9. Re: Speeding fine by davecb · 2019-01-21 13:35 · Score: 1
  
  Stealing loaves of bread used to be pretty serious in France (;-))
  
  --
  davecb@spamcop.net
10. Re: Speeding fine by Anonymous Coward · 2019-01-21 13:42 · Score: 0
  
  Yes, but France has moved forward. In the US they still murder innocent people by death sentence and call it "justice".
11. Re:Speeding fine by fluffernutter · 2019-01-21 14:26 · Score: 1
  
  It's not really punishing the corporation unless it affects stock prices.
  
  --
  Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
12. Re: Speeding fine by Anonymous Coward · 2019-01-21 18:43 · Score: 0
  
  "A Mom and Pop shop does't need "a full time DPO" if they have a visitor from the EU or ship a package occasionally."
  They have HOW many hours to react to a breach? A mom and pop store that might make one shipment a week? HOW MANY HOURS? They DO need a DPO if they are to comply with the "GDPR". If you read the GDPR it entirely talks about the member state it is based in or agent is based in. Which doesn't exactly work for mom and pop stores in non-EU countries..
  Also, for non-EU countries, my country's law may mandate recording information in 'breach' of the GDPR (because the GDPR doesn't allow for compliance with local legislation as an excuse...)
  does raise the question, what right does any EU court have over me? I guarantee that Chinese firms simply ignore European court nonsense.
13. Re: Speeding fine by gravewax · 2019-01-21 19:02 · Score: 4, Informative
  
  NO THEY FUCKING DON'T need a DPO. The regulations are quite clear on that, only organisations that process large scale data processing and collecting. You don't have any "hours to react to a breach", you have to act in a timely and responsible manner. NO your country DOES NOT mandate recording information in breach of the GDPR, The GDPR excludes government requirements for data storage, what it mandates is that you must store and process data in a responsible manner.
14. Re: Speeding fine by Anonymous Coward · 2019-01-21 19:58 · Score: 0
  
  A Mom and Pop shop that isn't situated in the EU can just ignore the GDPR. The EU doesn't have a way to force the EU in outside companies that don't have a legal presence in their territory.
15. Re: Speeding fine by thegarbz · 2019-01-21 20:41 · Score: 1
  
  They DO need a DPO if they are to comply with the "GDPR".
  Since you're so sure about that, show us the line saying that every company needs a DPO from the regulation. Otherwise you're just making stupid assumptions based on your own ignorance.
16. Re:Speeding fine by ayesnymous · 2019-01-21 21:06 · Score: 1
  
  It's a rounding error for Google.
17. Re: Speeding fine by Anonymous Coward · 2019-01-21 21:16 · Score: 0
  
  Let me guess, you're an EU sycophant.
18. Re: Speeding fine by Anonymous Coward · 2019-01-21 21:57 · Score: 0
  
  Wrong guess, I don't even reside there. The only time I use my EU passport is when I go in and out of the place, because I don't want to stay in the same line with the loud and obnoxious US citizens. "All Passports" for you.
19. Re: Speeding fine by Anonymous Coward · 2019-01-21 22:35 · Score: 0
  
  So what would you folks in the EU do it Google decided rather than continue to be extorted on multiple fronts by various European Governments, instead they just shut off their services to anyone with an EU based IP address. No Google, no Gmail, all android phones cease to work. Sure there are other services but can they step into the void quickly enough? Or would the EU be in a world of hurt if Google were to take it's ball and go home? And if Amazon, Apple, Facebook and Microsoft were to decide to join the No EU party? How long would the GDPR last?
  
  Yes oversight is needed but if the EU sets a rule, then the EU needs to be the entity to prosecute and apply any fine, not France here, Germany there, and Latvia over there.
20. Re: Speeding fine by Anonymous Coward · 2019-01-21 22:38 · Score: 0
  
  As opposed to the police shooting unarmed yellow jacket protestors in the streets? France has nothing to say on killing innocent people.
21. Re: Speeding fine by Cederic · 2019-01-22 01:23 · Score: 3, Insightful
  
  The EU hasn't set a rule on companies. The EU has agreed collectively that its member states must pass rules on company behaviour.
  The benefit of the EU is that complying with one country's rules means you're (broadly) automatically complying with all of the other countries' rules. You still have to obey the law in each country in which you operate.
  Is that so hard to comprehend?
22. Re: Speeding fine by kaur · 2019-01-22 01:39 · Score: 3, Insightful
  
  GDPR is very simple to comply with:
  - know how your business uses personal data
  - be open about it - inform your customers
  - secure the use of personal data by access control & logging
  - check your contracts with third parties, and try not to share personal data unless necessary
  - educate your employees
  That's about it.
  The real effect of GDPR is implementing reasonable data management practices across the board.
  Say I want to save the hair colour of customers. Shall I create a new database? Or should I put it into an existing one? New database is easier, I don't need to discuss with anyone, I'l just spin up a new mongo instance, done. But I'll lack all security that the old database already has. Now GDPR forces me to implement security, which means it will be easier to put the data into the existing DB, even if this has management overhead for me - I need to get my change into DB team's backlog, etc. However, in the long run I am better off with all data being in one place, not split across multiple platforms.
  Or say I need to email / message / call my customers. GDPR incentivizes using service providers that have been already set up, with contracts and security and compliance in place. This is a price to pay, you won't be as flexible as you could, and you will pay extra for the compliance. However, this is a reasonable tradeoff.
  Mom & Pop should thus know what personal data they have, know how they handle it, and say it out in a public statement.
  Not much to ask.
23. Re:Speeding fine by AmiMoJo · 2019-01-22 03:08 · Score: 1
  
  Unfortunately this predates GDPR so the fine is relatively small. If they don't fix the problem there could be a GDPR fine of 4% of annual world-wide turnover, which is over $5 billion.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
24. Re: Speeding fine by Anonymous Coward · 2019-01-22 05:03 · Score: 0
  
  The GDPR's sole reason to exist is to go after US companies, because the law is so difficult to comply with (a Mom and Pop shop cannot afford a full time DPO
  Bull. There are Mom and Pop shops inside the EU too, and they have no problem complying. The "easy way" is to collect no more information than strictly needed for doing business (such as name, address, money paid/owed, the product purchased and date of transaction.) And then you don't share this info with others. A business like this already complies with the GDPR.
  Now, if you want to "monetize" the information and sell it to an agency - then you need to read the law very carefully! Especially if you also collect as much information as possible. But this is not what a typical Mom and Pop shop does - they mostly sell products and chat with customers.
25. Re: Speeding fine by houghi · 2019-01-22 05:23 · Score: 1
  
  The thing about the haircolor: if you do not need it for the workprocess, you should not have it. E.g. a bank should not. It can operate without it. A hairdresser could need it .
  The question a company should ask is "do we need this information to be able to do our jib?" If yes, then there is no issue, if no: problems. What are you doimg with that data?
  
  --
  Don't fight for your country, if your country does not fight for you.
26. Re: Speeding fine by IamTheRealMike · 2019-01-22 08:02 · Score: 2
  
  Why are you so angry? GDPR is clear about exactly nothing, I've read it. If you broadly agree with strong executive power you'll think GDPR is peachy and wonderful and people arguing with it are just stupid or malicious. If you think law should clearly enumerate in exacting detail what it forbids or allows you will think GDPR is incompetent and probably intended for political advantage.
  The DPO issue is exactly like every other part of the GDPR - so vague as to be entirely open to interpretation. "Only organisations that do large scale data processing and collecting"? Yeah? What's large scale? What's processing, exactly? What is the precise definition of collecting? What does the term 'responsible manner' mean? None of these things are obvious and all can be argued with without limit.
  Do you seriously believe Google hasn't invested huge sums of money in trying to be GDPR compliant? Do you seriously believe CNIL has precise and detailed guidance they followed when reaching this decision? If you do I wonder how much you've really dealt with regulators. Because I have and this is playing out exactly as I predicted - nothing these companies can do, no matter what, will ever be deemed in compliance. GDPR is a fine factory.
27. Re: Speeding fine by Anonymous Coward · 2019-01-22 08:27 · Score: 0
  
  I am a GDPR DPO for a large organisation. The GDPR is actually very clear on the DPO issue for mom and pop stores and small businesses. They are completely unnecessary, no ifs buts or maybes.
28. Re: Speeding fine by Anonymous Coward · 2019-01-22 08:54 · Score: 0
  
  I'd actually like it if my bank kept some biometric data on me to reduce fraud. It would be nice if they had a picture of me, etc. Maybe something fancy like facial recognition or fingerprint. Hair color can change over time; dye or graying .
29. Re: Speeding fine by Anonymous Coward · 2019-01-22 10:18 · Score: 0
  
  He is probably so angry as like many of us he is sick of the FUD around GDPR generated by poorly informed individuals that have no clue screaming about how it affects A of B when it has absolutely no affect at all on said items (e.g. mom and pop stores). GDPR is squarely aimed at the top end of town and is all about putting accountability on them for safe handling of privacy data.
30. Re: Speeding fine by Anonymous Coward · 2019-01-22 14:34 · Score: 0
  
  You enjoyed the loud and obnoxious sounds of our aircraft, cannons, and bombs during WW2, ya ingrateful bitch. We, the US, should definitely sit out the next war there.
31. Re: Speeding fine by Anonymous Coward · 2019-01-22 15:54 · Score: 0
  
  LOL. The US sat out the WW2. It sent a token force into Europe late in 1944 just so that it could save some Nazi war criminals from justice and plunder some German tech for its military. But keep retelling yourself the fake history you learned from "Captain Murricah" about you "fighting Nazis" when the only fighting about Nazis was how to avoid bombing US factories in Germany.
  The largest Nazi collaborator and investor in Germany's was the US, buddy.
  Half of your post-war political elite sat out the war in Geneva getting rich on the stolen shit the Germans sold there. And before the war, they were working hard on starting it - in Europe and in the Pacific.
  Criminal fucktards.
32. Re: Speeding fine by Guybrush_T · 2019-01-23 05:12 · Score: 1
  
  I think that's exactly the point of GDPR. Keep Google/Facebook/Amazon in check so that they don't know exactly how far they can go and refrain from playing the odds. If you write the law too precisely, then you can be sure those precisions will create loopholes, playing with words. If you don't, then it's up to the interpretation of a court (some say this is what democracy is about) i.e. have the People determine whether what you are doing is OK or not.
  Now, if you don't want to worry about GDPR, stay away from the line, which is fairly easy for all business not related to data management.
  The only intrusive part of GDPR for all businesses is the enforcement of sane computer security practice. Agreed, this may have a cost, but really, that's a good thing. Unfortunately, in a world where anyone on earth can hack you computer and sell information, if you don't want to properly manage your computer, don't use it to store customer information. Write your database in a book. I know it was easier in the 80's, but that's just how things turned out to be.
If it's an EU rule then why... by Anonymous Coward · 2019-01-21 12:04 · Score: 0

Is a specific country fining Google?
I know it's in to hate google and all tech companies blah blah blah.
But looking at this froma generic point of view, doesn't this open up the door for a company to be destroyed by a partnering of a few countries that want to see the dominating company in a particular field be brought down?
Figured there should be one fine from one single governing board.
1. Re:If it's an EU rule then why... by AHuxley · 2019-01-21 12:28 · Score: 0
  
  The different EU governments are spending in new and unexpected ways.
  Their expected patterns of spending on their own populations in the 1970-2000's no longer adds up.
  Vast amounts of new wealth has to be taxed in new ways to cover changes in population size and to cover demands on gov services.
  
  --
  Domestic spying is now "Benign Information Gathering"
2. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-21 12:46 · Score: 3, Informative
  
  Vast amounts of new wealth has to be taxed
  A fine for violating a law with a 2-year grace period is not a tax, stupid.
3. Re: If it's an EU rule then why... by AHuxley · 2019-01-21 12:56 · Score: 0
  
  When a gov gets to spend the money, its a tax AC.
  
  --
  Domestic spying is now "Benign Information Gathering"
4. Re: If it's an EU rule then why... by guruevi · 2019-01-21 13:05 · Score: 0
  
  A law that is designed so literally nobody understands or can comply with. Virtually any collection of data is liable under GDPR -worldwide-, logging IP's on your server anywhere, you're liable, any website reachable from the EU with an online form, liable. Employ anyone from the EU - you're liable; travel through the EU - you're liable, serve an EU citizen in your hotel, liable.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
5. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-21 13:32 · Score: 1
  
  What a load of crock. Logging IPs is not even covered by the GDPR, only collecting personal information is. A website has to comply only if it serves EU residents. If you employ people "from the EU" that are legal residents of a non-EU country, GDPR does not apply to them. If you apply EU residents, you obviously employ them in the EU, so you have to comply with all of the EU legislation, not just GDPR. If you operate a hotel, you're liable only if you sell your offers within the EU.
6. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-21 13:39 · Score: 2
  
  No, when a government gets to spend money it is a disbursement from the government budget. A tax is an amount collected from a group of citizens that support the operation of their government. A fine is a measure to discourage criminal behavior, by a person or a corporation.
  Get the reasons for the different definitions, just being loud and ignorant doesn't strengthen your argument.
7. Re:If it's an EU rule then why... by Anonymous Coward · 2019-01-21 13:48 · Score: 0
  
  You are making too much sense. Expect to be systematically flamed and torn apart by the "EU good, China good, Russia good, US bad" people.
  The EU has been doing kangaroo courts on Google and Microsoft for decades now. If you look at europa.eu and court verdicts, they never clean their own house. If Google were a German company, it could sell what it felt like, and never see the scrutiny of officials.
  The EU is just doing a very simple tactic. Xenophobia. Anti-Americanism sells, and it keeps their jobs, similar to how another leader of another country points at "immigrants" and demonizes then (who, ironically, are leaving more than entering.)
  The GDPR is just a trade war tool, because few European companies deal in data control, so it is crafted explicitly as a bill of attainder, which in more civilized countries is illegal.
8. Re:If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-21 13:55 · Score: 4, Informative
  
  If it's an EU rule then why... Is a specific country fining Google?
  Because the EU is a confederation, in which the EP and EC draft the rules, and then each member is tasked with enforcing them on their territory, which is an obligation they have accepted by ratifying the EU treaties.
  it is really simple and straightforward.
9. Re: If it's an EU rule then why... by guruevi · 2019-01-21 14:57 · Score: 3, Informative
  
  You obviously have no idea. IP's are "personal information": https://www.alstonprivacy.com/... ; A website by definition serves anyone on the internet ; The rest of your post is likewise red herrings, GDPR is not concerned with whether or not an individual is an EU citizen, anyone located in an EU country is protected by GDPR and can apply for the protections under it. According to one law firm that tries to explain it: "it is likely that EU citizens residing in the US will be given the same protections as those living in an EU country". If you operate a hotel, how would you limit your offers, the goal is to sell yourself to as much visitors as possible, not serving people from the EU would be discrimination in many countries.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
10. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-21 15:38 · Score: 4, Informative
  
  You obviously have no idea. IP's are "personal information": https:
  Wrong, it is you who has no idea. And let me quote the relevant part of the decision for you:
  However, the ECJ did not state that in all cases, IP addresses in the hands of a website operator should be considered personal data. Instead, it required an evaluation of “whether the possibility to combine a dynamic IP address with the additional data held by the [ISP] constitutes a means likely reasonably to be used to identify the data subject.”
  GDPR is not concerned with whether or not an individual is an EU citizen, anyone located in an EU country is protected by GDPR and can apply for the protections under it.
  Wrong, only legal residents of the EU are protected by GDPR. Clearly stated in the law, which you have not read.
  According to one law firm
  Well, find a competent one, or just read the guides that EU has helpfully posted for more than 2 years now.
  If you operate a hotel, how would you limit your offers
  Well, you just advertise locally, or if you want orders from within the EU, you comply.
11. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-21 19:07 · Score: 0
  
  sorry it is you who has no idea, IP is not considered personal information under GDPR. GDPR requires residency as a minimum. Your law firm is a bunch of incompetents if they are unable to read basic legal text.
12. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-21 20:02 · Score: 0
  
  If you're a hotel outside the EU, you just ignore the GDPR even for EU citizens. You can't be forced to comly with a foreign(to your non-EU country) law.
13. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-21 20:07 · Score: 0
  
  I think most of it is thinly-veiled nationalistic fighting. They hardly have any comparable companies so they're straight-up stealing our money.
14. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-21 20:42 · Score: 0
  
  However, the ECJ did not state that in all cases, IP addresses in the hands of a website operator should be considered personal data. Instead, it required an evaluation of “whether the possibility to combine a dynamic IP address with the additional data held by the [ISP] constitutes a means likely reasonably to be used to identify the data subject.”
  Which means what, exactly? "Possible" is so vague as to be meaningless. It's "possible" for me to look through Apache logs and use the timestamp to link IPs to activity like clicking on a payment button, which links to things like a delivery address. It's also "possible" that no one in my company knows how to do that because the person that set the system up left. Who knows? The same action, with the same data, might be trivial or nearly impossible depending on the company staff.
  And why is this down to what the ECJ say? It should be in the law itself. The ECJ is just a bunch of people and will change over time. In 2030, will the ECJ STILL think that this is the interpretation that applies?
  The GDPR is a crock of badly written shit constructed by people who neither know nor care about what they're doing.
15. Re: If it's an EU rule then why... by thegarbz · 2019-01-21 20:44 · Score: 2
  
  *THIS*. People lose sight of the fact that EU law doesn't apply outside the EU. Outside the EU includes companies that have no presence in the EU.
  That hysteria from some random mom and pop shop having their website visited by someone in the EU was just that: dumb hysteria. If you want to do actual business in the EU then comply with EU law. If you don't then you rightly have nothing to fear.
16. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-21 21:45 · Score: 2
  
  It means exactly what is says - that an IP address is not "personally identifiable information" (which, incidentally, is what the law says, too) except in very rare circumstances.
  What you describe (linking an IP address and the data that come from it) is nonsense, because even if you have some data that you can connect to a dynamic IP, you cannot be certain that a second connection over that IP will be by the same person based on the IP number only.
  Complaining about the GDPR without haven't even read the law produces a crock of badly written shit constructed by people who neither know nor care about what they're doing.
17. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-21 22:00 · Score: 2
  
  Theoretically, the EU can ask a foreign court to apply the fines if there are relevant treaties in place (the US does this quite often, sending extradition requests left and right, for example). In practice, yeah, it is irrelevant for practically everyone operating outside of the EU.
18. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-21 22:03 · Score: 0
  
  We're also luring your womens with our big dicks and body hair.
19. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-21 22:14 · Score: 0
  
  What you describe (linking an IP address and the data that come from it) is nonsense, because even if you have some data that you can connect to a dynamic IP, you cannot be certain that a second connection over that IP will be by the same person based on the IP number only.
  More ambiguity - you say I can't be "certain". Well, that's technically true. I can generally be 99.99% certain but not (usually) 100%. Of course, courts don't work on "certainty" in that sense, it's usually "balance of probability" or "beyond reasonable doubt" depending on various factors and jurisdictions. So, how do I know what level of certainty is safe for me?
  An IP address is frequently "personally identifiable information" in combination with other logged data. It's not "except in very rare circumstances" at all. I can't imagine anyone who deals with website backends ever thinking that.
20. Re: If it's an EU rule then why... by Cederic · 2019-01-22 01:28 · Score: 1
  
  A law that is designed so literally nobody understands or can comply with.
  So like every other law then.
  Still, it's amazing how many companies are managing to comply with this one. It's also amazing how much leeway regulators will give you if they feel you're in breach of it, especially inadvertently.
  
  Virtually any collection of data is liable under GDPR -worldwide-
  Only if you're operating or interacting with someone in the EU.
  
  serve an EU citizen in your hotel, liable
  Oh please. I'm typing this from a hotel in Florida that under EU law I could put out of business in a week, their management practices are so scummy. Luckily for them they're in Florida where consumer protections are fuck all.
  Yeah, I'm leaving them some seriously abusive reviews on online sites. No, I'm not going to try and make them comply with EU law because - unlike you - I know it doesn't apply here.
21. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-22 01:34 · Score: 0
  
  How about the lawmakers themselves?
  From "What is personal data?" we get an answer. It clearly states in "Examples of personal data" that it includes "an Internet Protocol (IP) address" as personal data.
  As to whom it applies, it does include companies outside the EU.
  A web server sending static pages with no cookies, JavaScript, or other active content from a server in the Brazil and owned by a company in Brazil is still subject to GPDR according to the EU. If any EU citizen ever visits because the IP Address is needed technically to service any access of those pages, then that triggers data protection requirements. Brazil may differ on this interpretation and it might be difficult to prosecute someone in this scenario, but the words from the EU are specific and clear.
22. Re:If it's an EU rule then why... by Cederic · 2019-01-22 01:39 · Score: 2
  
  It's always ACs posting bulllshit about GDPR and claiming its protectionism.
  This stinks of a disinformation campaign.
  GDPR applies to everybody. It does not target foreign countries.
  EU based companies are required to comply with data protection.
  EU based companies are prosecuted for failing to comply with data protection.
  US and other companies are also prosecuted for failing to comply with data protection.
  To avoid prosecution under this law stop fucking break it.
  To avoid prosecution for misusing consumer data, stop fucking abusing consumers.
  
  The EU has been doing kangaroo courts
  Where? When? Show us all where there's a fucking EU court that hasn't followed due process and has ruled against EU law.
  
  If you look at europa.eu and court verdicts, they never clean their own house.
  Nobody ever looks at europa.eu. As for court verdicts, most cases never even get to court. In the UK for instance, the ICO issues legally binding fines without needing to use courts, because the law is pretty fucking clear.
  
  If Google were a German company, it could sell what it felt like, and never see the scrutiny of officials.
  Given that Germany's first fine issued under GDPR was against a German company you're looking pretty fucking stupid.
  
  The EU is just doing a very simple tactic. Xenophobia.
  
  Consumer protection applied consistently across companies from anywhere on the planet - including the EU - is now xenophobia? Someone buy this cunt a dictionary.
  
  The GDPR is just a trade war tool, because few European companies deal in data control
  Almost every fucking European company deals in data control. Most businesses these days are IT companies with a sideline in manufacturing, retail or something less tangible.
  
  it is crafted explicitly as a bill of attainder, which in more civilized countries is illegal
  Just because your shitty business practices are made illegal by the law doesn't make it a bill of attainder. It only criminalises people that refuse to respect and protect the data they hold on others.
  Stop being a cunt and you wont be breaking the law. Simples.
23. Re: If it's an EU rule then why... by thegarbz · 2019-01-22 02:29 · Score: 2
  
  Theoretically, the EU can ask a foreign court to apply the fines
  
  They can ask foreign courts a lot of things. In practice the only time this works is if courts determine if the fine is legitimate. In practice even the GDPR legislation recognises the difference between doing business in the EU and just having some random person visiting your site incidentally. I can directly buy something from someone outside the EU just fine and they still wouldn't necessarily need to comply with the GDPR.
24. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-22 04:13 · Score: 1
  
  Like many other GDPR "critics" on /., you don't understand the basic ideas of GDPR because you have not read the law.
  So, let me explain it to you in simple terms.
  GDPR regulates *personally identifiable information* that someone who is a legal resident of the EU has shared with you. If someone just visits your website and does not leave any personally identifiable information with you, then you cannot identify them, and you have no obligations under GDPR, even if you collect their IP address. This is all there is to say about IP addresses as a GDPR issue.
  If you have collected and processed information from a legal resident of the EU, information that you can identify them with, things like national ID, name, address, credit card or bank info, whatever, you have obligations under GDPR. They are very simple and straightforward.
  You must keep the information safe, keep only what you need to deliver the service you're providing, explain what you are keeping and why in a simple language, explain how it is used with specifics, and let the person edit it if it is no longer relevant and remove it if it is no longer necessary, or if the user asks you to do so and you don't have a good reason to refuse.
  That's all.
25. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-22 04:27 · Score: 1
  
  How about you read the law text itself for a change?
  Here, let me post the relevant parts for you:
  "‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
  "The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. 6This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes."
  The only time when an IP address is a *personally identifiable information* is when "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."
  So, just an IP address by itself is definitely not personally identifiable information, and that is what the law says on the matter.
26. Re: If it's an EU rule then why... by guruevi · 2019-01-22 06:36 · Score: 1
  
  GDPR states that you are liable even if you are a foreign entity. Kind of like the US laws apply abroad to US citizens.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
27. Re: If it's an EU rule then why... by guruevi · 2019-01-22 06:55 · Score: 1
  
  The GDPR law together with various treaties like the ones on copyright, make sure that those laws in the EU apply to US companies... like Google and Facebook too.
  There is a reason so many US companies are worried about GDPR compliance - it applies to anyone interacting with any EU resident or presence, through the Internet, this means worldwide.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
28. Re: If it's an EU rule then why... by Cederic · 2019-01-22 09:55 · Score: 1
  
  those laws in the EU apply to US companies... like Google and Facebook too
  Of course they fucking do. Google and Facebook (and other US companies) do business in Europe. It's not fucking unreasonable to expect them to obey the same laws applied to other companies doing business in Europe, including the ones based there.
  The alternative is that you only ever hold a company accountable to the laws in the country in which it is registered, in which case watch every fucking company on the planet get registered in some African shithole that eliminates all controls and regulations on corporations.
  You might not have a problem with that but I fucking promise you the US government would.
29. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · 2019-01-22 18:46 · Score: 1
  
  Stop lying, GDPR is nothing like that. GDPR states that you have obligations under it if you serve EU residents within the EU. That is, you do business within the EU. If I go to Japan, and pick a hotel there to stay, GDPR does not apply at all and has nothing to say about it.
30. Re: If it's an EU rule then why... by Anonymous Coward · 2019-01-23 08:37 · Score: 0
  
  Actually, what is clearly stated is that the GDPR âprotects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.â (article 1(2))
Good. by Anonymous Coward · 2019-01-21 12:29 · Score: 0

You want to do business in a democratic capitalist country? Well, you do your best to comply with its laws, and if your best isn't good enough, you face the consequences of your own behavior.
1. Re:Good. by guruevi · 2019-01-21 13:20 · Score: 0
  
  Do you say the same when it comes to China or North Korea? Oppressive, protectionist laws are equally oppressive regardless of the current regime.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
2. Re:Good. by Anonymous Coward · 2019-01-21 13:23 · Score: 0
  
  North Korea has it right. If you use Google without authorization, you're putting the security of your country in danger and thus all its service personnel and inhabitants therefore you should be tried and sent to a concentration camp.
3. Re:Good. by Mr.+Dollar+Ton · 2019-01-21 13:48 · Score: 1
  
  You don't know much about GDPR (proof: https://slashdot.org/comments....) so your opinion as to whether it is oppressive or protectionist is completely irrelevant.
4. Re:Good. by gravewax · 2019-01-21 17:07 · Score: 2
  
  Do you say the same when it comes to China or North Korea? Oppressive, protectionist laws are equally oppressive regardless of the current regime.
  I certainly do, if the regime is Oppressive and you disagree then don't do business there. Businesses do not and should not EVER get to select which laws they will and will not obey.
5. Re:Good. by Anonymous Coward · 2019-01-21 17:14 · Score: 0
  
  yes the guy is completely clueless idiot when it comes to GDPR, but sinking to ad hominem attacks makes you little better.
6. Re:Good. by Malc · 2019-01-21 20:21 · Score: 2
  
  As an EU citizen, albeit for another two and bit months, I don't find these laws oppressive in any kind of way and I'm glad that a level government that represents me is doing something to protect my interests and privacy. Somebody's had to reign these corporations in and the US government has shown no leadership in this area. Put it down to a failed experiment with a new business model and expect companies to adapt or fail. I won't cry if Google and Facebook fail and go the way of the likes of Yahoo Search and My Space.
7. Re:Good. by Anonymous Coward · 2019-01-21 20:38 · Score: 0
  
  He didn't call him anything.
8. Re: Good. by Anonymous Coward · 2019-01-21 21:20 · Score: 0
  
  If American companies are so terrible and Europeans know it then why aren't they making better ones in Europe?
9. Re:Good. by Anonymous Coward · 2019-01-22 21:44 · Score: 0
  
  An Ad Hominin attack doesn't require you to call him anything, it just means he is attacking the person rather than what they said.
Re: How France understands computer use by Anonymous Coward · 2019-01-21 12:39 · Score: 0

France needs more money to cope with the fallout of US Middle East wars.
But that has nothing to do with Google violating privacy laws and getting fined for it.
You don't do the crime if you can't pay the fine.
It's a fine, not a tax by Anonymous Coward · 2019-01-21 12:53 · Score: 1

A product or service from the USA to be taxed.

Except that France is not taxing them, but is applying a fine for non-compliance with french data protection laws. If you do business in a country, you have to be prepared to comply with local laws or else pay the penalties that arise.
Even Google agrees with that premise, at least in their official statement.
Offer them an alternative by Opportunist · 2019-01-21 12:56 · Score: 4, Interesting

Like, say, they could pay the taxes for the revenue they make in France instead of squirreling it away with some tax evasion tricks.
Then again, paying the fine is probably cheaper.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Offer them an alternative by Mr.+Dollar+Ton · 2019-01-21 13:59 · Score: 4, Insightful
  
  Tax avoidance is something entirely different from non-compliance with the privacy law. Why would you want to mix the two?
2. Re:Offer them an alternative by thegarbz · 2019-01-21 20:45 · Score: 1
  
  Why is the punishment for complying with one law the requirement to comply with another? If Google's tax evasion is legal then why is the punishment for complying with one law *not* complying with the letter of the other?
  Your post makes no sense.
3. Re:Offer them an alternative by Anonymous Coward · 2019-01-21 20:45 · Score: 0
  
  Tax avoidance is something entirely different from non-compliance with the privacy law. Why would you want to mix the two?
  It's all the same thing - is the company fit to be allowed to trade here? Answer: no, but there's nothing anyone can do about it except charge them trivial amounts of money in fines.
  The problem with little fines like this is that they amount to licence fees which the rich can afford. They become barriers to entry for competitors who have to obey the rules while the established players just get on with business as usual.
4. Re:Offer them an alternative by Mr.+Dollar+Ton · 2019-01-21 21:47 · Score: 1
  
  So, if you're very thirsty and instead of water I give you some nice salted pork and tell you, "since you just swallow it, it's the same thing", will you be happy?
5. Re:Offer them an alternative by Opportunist · 2019-01-21 22:27 · Score: 2
  
  It's an unfortunate fact that international corporations pay nowhere in the EU the actual tax they'd owe. By coincidence, the Süddeutsche Zeitung has an article about it today, with the biggest discrepancy in Luxemburg where the tax rate would be 29% while corporations pay closer to 2% due to tax evasion constructs.
  Whether this is actually legal is debatable, so far nobody bothered to drag anyone to court over it. Even if it is legal, it is by no means right, since it makes smaller companies uncompetitive, not because of their inferior production means or processes but simply because they can't abuse the same tax tricks. And changing it is no trivial matter because there are EU members like Ireland that benefit heavily from such practices and will fight tooth and nail to continue being a tax evasion haven.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
6. Re:Offer them an alternative by Anonymous Coward · 2019-01-21 22:40 · Score: 0
  
  So, if you're very thirsty and instead of water I give you some nice salted pork and tell you, "since you just swallow it, it's the same thing", will you be happy?
  No, it's more like
  "You can't come in without a jacket"
  .
  .
  .
  "Okay, I got a jacket."
  "You'll need to be a member too."
  What you're suggesting is that the non-member without a jacket should be able to simply bribe the doorman and that will be an acceptable solution.
  I'm guessing you're a monarchist of some sort.
7. Re:Offer them an alternative by Anonymous Coward · 2019-01-22 01:41 · Score: 0
  
  Whether this is actually legal is debatable, so far nobody bothered to drag anyone to court over it
  Given that the whole evasion structure was set up by the guy who's now President of the EU, it's unlikely to be challenged any day soon.
  Of course, when journalists came after about it, he played the old "ancient history" card - but still didn't actually do anything about it.
  http://www.europarl.europa.eu/news/en/headlines/economy/20170529STO76260/juncker-don-t-measure-my-credibility-on-the-basis-of-my-tax-past
8. Re:Offer them an alternative by thegarbz · 2019-01-22 02:24 · Score: 1
  
  It's an unfortunate fact that international corporations pay nowhere in the EU the actual tax they'd owe.
  So back to my point: Are they acting illegally? Then prosecute them. Are they acting legally? Then close the damn loopholes that allow them to get away with the practice.
9. Re:Offer them an alternative by Opportunist · 2019-01-22 03:24 · Score: 1
  
  Again, closing the loophole isn't that easy. For you US people, imagine the loophole was in the constitution and everyone but Alaska would love to plug it.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
10. Re:Offer them an alternative by thegarbz · 2019-01-22 04:29 · Score: 1
  
  Who is a US person? Are you writing this to involve others who may want to join in the conversation? You still haven't addressed my comment, in what fucked up world is punishment for disobeying a law simply complying with the intent but not the letter of another?
  Also in most cases closing the specific loophole is easy, the loopholes themselves are quite well defined. The problem is doing it without losing an election (corporations have deep pockets) and doing it without affecting the locals as a result (moving your headquarters is not as complicated as it once was as the UK is finding out the hard way right now).
11. Re:Offer them an alternative by Opportunist · 2019-01-22 22:02 · Score: 1
  
  Well, if you're European, you should be used to inventing a new law to counterbalance an old one that can't be changed for some reason...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
12. Re:Offer them an alternative by thegarbz · 2019-01-23 00:55 · Score: 1
  
  ... that's literally how all laws that change existing ones work.
Simple solution by Anonymous Coward · 2019-01-21 14:22 · Score: 0

Just declare war on them and threaten invasion. They'll surrender.
1. Re: Simple solution by Anonymous Coward · 2019-01-21 19:19 · Score: 0
  
  Google doesn't have any territory to invade.
2. Re: Simple solution by Anonymous Coward · 2019-01-21 20:15 · Score: 0
  
  We should put a tariff on France that will raise $57 million over the next year.
Re: How France understands computer use by Maelwryth · 2019-01-21 14:59 · Score: 4, Insightful

It's a fine, not a tax. If Google wishes to operate within the E.U. then they have to obey the laws of the E.U.

--
I reserve the write to mangle english.
Re: How France understands computer use by Anonymous Coward · 2019-01-21 16:02 · Score: 0

Well that's easy then pull out of all EU countries and find out who begs who back first.
Re: How France understands computer use by Anonymous Coward · 2019-01-21 17:04 · Score: 0

pretty sure it will be google begging, They make 10's of billions from doing business there for Ad revenue and don't provide any essential services, others will happily step into the gap should google pull out.
All 'muricans getting their nickers twisted by Anonymous Coward · 2019-01-21 20:38 · Score: 0

You don't even fucking know what this case is about, so stop being such fucking whiners. Do you like to be fooled by corporations?
If Google has broken the rules, they will have to pay the fine. They operate in Europe and so they must comply. Just like any European company needs to comply to US laws, when they operate in USA.
You don't know the half of it what USA taxing etc. actually cause to people. USA is one of the few (only?) country that tax worldwide etc.
Re: How France understands computer use by Freischutz · 2019-01-21 20:44 · Score: 4, Insightful

Well that's easy then pull out of all EU countries and find out who begs who back first.
Yeah, go back to California to sulk and leave a market of 500 million potential customers to your competitors that you have poured considerable efforts and money into making sure remain 3rd rate players with marginal market share so they won't threaten your monopoly. On what level does that seem like an intelligent plan to you? Google is about as likely to abandon the EU market as a pig is likely to voluntarily move out of a field of clover.
When will they fine PayPal? by Anonymous Coward · 2019-01-21 21:04 · Score: 1

I have never seen any company that is so aggressive in denying customers their rights under the GDPR. When is the ban or fine coming? It's been taking too long already.
Re: How France understands computer use by Anonymous Coward · 2019-01-21 22:54 · Score: 0

And if they shut off all that advertising, All those companies they carry ads for suddenly see their revenues plummet. All Android phones cease to function. Anyone using the Google DNS servers can't get any DNS services (until they change servers, not difficult but still will have an impact. No Google Search engine, no gmail and other Google services.

Oh it would hurt Google, but getting hit with a few billion here and a few billion there also tends to hurt. And if Google were to lead the way, what's to say other major players wouldn't follow. Apple phones now cease to work, followed by all MacOS devices. FB is offline in Europe. Major Email services go down, for europe. All Windows PC's shut down, Amazon, Twitter, they all pull their services from the EU. Yes it's a fantasy but a concerted effort would be far more painful for Europe than for the companies involved.
Re: How France understands computer use by houghi · 2019-01-22 05:15 · Score: 1

If that where not the case, AB InBev, the largest brewer in the world, Heineken an Carlsberg would be selling beer to 16 year olds, like they do in their home counties in the US.

--
Don't fight for your country, if your country does not fight for you.
Because nobody's expecting google to pay the fine by rsilvergun · 2019-01-22 06:16 · Score: 1

it's a negotiating tactic. Because at this point when corporations (our defacto Ruling Class) break the law we have to negotiate with them to see how much of the law they will follow. Like a peasant begging it's king for relief.

--
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Re:Because nobody's expecting google to pay the fi by Mr.+Dollar+Ton · 2019-01-22 06:29 · Score: 1

Yeah, kinda sad.
Re: How France understands computer use by IamTheRealMike · 2019-01-22 07:59 · Score: 2

Pulling out doesn't mean blocking access to all EU IP addresses. It means shutting down EU subsidiaries, at most. ISPs would then have to decide whether to block google.com or not, but, good luck with that, given how many third party websites load things from Google servers.
The idea that the EU market is so large the EU can pull whatever nonsense it likes is probably going to be tested severely in the coming years. It looks increasingly like a lawless place - GDPR is a classic example of a law that says nothing and everything simultaneously, in which enforcement is entirely political. But there are many other such laws. The idea that the EU is a fair and predictable place to do business is increasingly stressed, and there are plenty of ways to make money from people in it without needing to follow EU law, no more than everyone in Europe has to follow every aspecft of US law to sell products to it successfully.
Re:How AHuxley understands nothing by Anonymous Coward · 2019-01-22 21:43 · Score: 0

"uhm durp durp USA! USA! USA!"
blah blah blah to bypass filter
Re: How France understands computer use by Freischutz · 2019-01-23 01:06 · Score: 1

Pulling out doesn't mean blocking access to all EU IP addresses. It means shutting down EU subsidiaries, at most. ISPs would then have to decide whether to block google.com or not, but, good luck with that, given how many third party websites load things from Google servers.
The idea that the EU market is so large the EU can pull whatever nonsense it likes is probably going to be tested severely in the coming years. It looks increasingly like a lawless place - GDPR is a classic example of a law that says nothing and everything simultaneously, in which enforcement is entirely political. But there are many other such laws. The idea that the EU is a fair and predictable place to do business is increasingly stressed, and there are plenty of ways to make money from people in it without needing to follow EU law, no more than everyone in Europe has to follow every aspecft of US law to sell products to it successfully.
If Google is willing to bend over and spread'em to stay in the Chinese market then they are not about to pull out of the EU. Also, Google abandoning a market the size of the EU will basically create a protected reservation, a huge market where competitors can grow that one day might threaten Google. Then there is the fact that the EU much like the US is a very wealthy area and consistently delivers high level of profits for Google. The idea that Google will abandon the EU and go back to California to sulk is about as stupid as the idea that Europe will grind to a halt and devolve into a bronze age society because of an absence of Google. The only thing that will happen if Google goes away will be the same thing that happened when the Dinosaurs went away, the little furry critters living in the holes under the tree roots evolved into big critters with long sharp claws and fangs or pointy horns so please read the following and commit it to memory: GOOGLE will never abandon the EU market and go back to California to sulk!!!