
From my (admittedly limited) understanding, this is not actually legal under the GDPR. Certainly the alleged (but not demonstrated) behind-the-scenes trading of personal info isn’t, but the shared id is also personally-identifying information, and directly regulated.


It is very not legal, but I think the parent was saying these regulations are more onerous to small dev shops rather than Google and the fine for this will be minuscule. Hopefully companies will find paths to revenue that do not require selling out their users to this level, maybe by just having ad auctions without any identifying information at all.


Like it or not. Currently the internet would not exist without the ad-supported business model. Regular users expect everything on the internet to be free. I know people that categorically refuse to buy a 1-dollar app. It's starting to change now with people getting used to subscription models (Netflix, etc). But it will take a while until we start paying for news again, for example. Apple News+ and Google News Initiative are a step in the right direction. Even if it's just for aggregate sub management.


GDPR does not prohibit ads.


> Currently the internet would not exist without the ad-supported business model.

In its current form, yes. However, I'm not so sure that everybody here would agree that "the web today" is fundamentally better than the web ten years ago, technological advances aside. Everybody smelling gold and starting a blog to mindlessly shill for products in hopes of getting a commission, super low quality texts written/generated/spun entirely for SEO reasons to place ads between the paragraphs etc doesn't come to mind when I ask myself "what could be better on the web?" If those things disappear tomorrow, I don't think a lot of us would miss them. We'd notice them being gone because it might feel like being able to breathe freely after a strong cold, but I don't think many would miss them.

> But it will take a while until we start paying for news again, for example.

Plenty of people pay for news. They won't pay for Gawker or Buzzfeed though. I don't think that's a problem for anybody not invested in or working for those companies.


From gdpr.eu:

"The more serious infringements go against the very principles of the right to privacy and the right to be forgotten that are at the heart of the GDPR. These types of infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher."

For Google that would be 4% of its worldwide annual revenue, I'd assume. Taking into account that it's not one infringement but multiple that could mean a pretty hefty fine.


That is the worst case; no GDPR fines have been near their maximum yet.


The first GDPR fines handed down by the ICO have been hundreds of millions of pounds for negligent breaches - I don't think it would be out of the realm of possibility for breaches by _design_ to result in multi-billion pound fines.


Several billion pounds is still not much! They already broke GDPR once (or twice I think?) and received a 57MM$ fine.

57MM$ is nothing to Google. They've escaped even antitrust cases with minimal injury, it would be a truly shocking event if the EU actually managed to touch them.


This has always been absurd. Large companies have way more code and features in general which need to be checked for compliance, whereas small shops with small sets of data and features will have a far easier time complying with GDPR.


Large companies have the means to pay for the manpower (lawyers/consultants, developers, etc) to certify compliance with GDPR. Small companies often don't.

I paid $2K for my first GDPR consulting session for a $7K MRR app and was quoted ~$25K for consulting while I would personally implement what needed to be done. $25K is nothing for a large company, but it's prohibitively expensive for a lot of small companies. This cost also doesn't include the (probably hundreds of) man hours required to implement and certify GDPR compliance, which are also disproportionately valued when it's being done by 1 person in a <5 person company versus N people in a >5K person company.

Hopefully these costs will fall as more people become lawfully knowledgeable about what GDPR entails and the market of people available to help grows. Unfortunately there's no "feel free to wait if you can't afford it yet" clause in GDPR.


Another issue is that as a small company you generally lack the resources to effectively contest violations. Google can, and will, drag these things out in court for years. And ironically for free. Their legal costs are going to be covered by inflation on the fines themselves. 2% inflation on a $1 billion fine reduces it by $20 million a year. And also factor in the interest Google is earning on that $1 billion on top of the 2% 'principal' reduction per year.

The whole penalty system is quite silly. The fines destroy small companies who are the ones struggling to comply, and do little more than offer extremely gentle pokes on the wrist for megacorps that have relatively unlimited resources available for complete compliance, if they actually wanted to comply.


Even from the basic point of view: People go to Facebook, Amazon and Google daily. They accept the GDPR privacy policy once. Every single other website is bombarding users with popups, so there's a far greater chance users will click off from a startup's website.


It's not legal but there isn't much the EU can really do. It would be shocking if they actually managed to prosecute Google which has so far avoided much hassle in antitrust and the like, taking I think a billion dollar fine which sounds like a lot but is basically a slap on the wrist.

That's why, IMO, GDPR sucks for small businesses that can be outed to the ICO for a minor oversight and not so much for big data abusers that can take on GDPR and come out unscathed.


That sounds like something fairly trivially avoided by having the punishment be proportional to revenue. And I believe this is already the case for GDPR?

A quick search indicates "Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher" https://www.gdpreu.org/compliance/fines-and-penalties/


The EU has shown that it's willing to scale up the fines all the way if the company in question keeps on violating the law. Alphabet global revenue 2018 was $136.8 billion, so the maximum fine is $5.5 billion which is in the vicinity of fines they've already received. It's a separate post in their yearly financial report. The gain must be significant if they continually keep violating the laws.


This is being quoted in every comment but if you have enough lawyers anything is possible.

Google has come out of antitrust cases relatively unscathed. They've even violated GDPR itself once before explicitly, and got out with a 57MM$ fine. This case won't be any different than all the other times that Google has blatantly violated laws and walked away with a slap on the wrist.

I would be very very very shocked if the EU actually managed to touch Google. I welcome and hope to be proved wrong.


I mean, that's an entirely different class of problem.

If the law literally doesn't work because of reasons, then that's just systemic corruption.


I would argue that it's the same problem and the reason GDPR is privacy theater.

It's a lot of regulations that can be worked around and the fines are hard to and rarely enforced. There are a bunch of poster children of GDPR fines that make it seem like it's doing a lot but the principal abusers (i.e. Google) just walk away with a light slap.

It needs the ability to be enforced, and I think this much should be obvious to lawmakers -- a law that can't be enforced well is useless.

That's why I'm calling it privacy theater. It's the EU saying "look what we did!" but in practice it doesn't really do much without enforcement that still does not exist both at a national and global scale.


As far as I know, GDPR fines are purely regulatory and never go to court. So I am not sure how the lawyers are relevant.



