Brussels Sets Out To Fix the GDPR (politico.eu)
The European Union is (finally) coming to grips with the dysfunctionalities of its most famous tech law of all: the General Data Protection Regulation. From a report: The European Commission will propose a new law before the summer that's aimed at improving how EU countries' privacy regulators enforce the GDPR, a newly published page on its website showed. Adopted in 2016, the privacy rulebook was a watershed moment in global tech regulation, forcing companies to abide by new standards such as asking for consent to collect people's data online against threats of hefty fines of up to 4 percent of global annual turnover. The law effectively became European officials' poster child of powerful legislation coming out of Brussels. But five years after EU data protection authorities started their job, as GDPR entered into force, activists, experts and some national privacy watchdogs have become frustrated at what they see as an inefficient system to tackle major cases, especially from Big Tech companies.
Most notably, critics have lamented the powerful role that the Irish Data Protection Commission has under the so-called one-stop shop rule, which directs most major investigations to run through the Irish system because tech companies like Meta, Google, Apple and others have set up their European homes there. Under the GDPR, tech companies are overseen by the national regulator in the EU country where they are headquartered. Ireland and, to a lesser extent, Luxembourg, where Amazon's EU headquarters is based, have faced mounting criticism in recent years for lax enforcement, which they deny. The Irish data authority in recent months imposed some major multimillion-euro fines to sanction GDPR infringements from Meta, the parent company of Instagram and Facebook. Now, a new EU regulation that is expected in the second quarter of 2023 wants to set clear procedural rules for national data protection authorities dealing with cross-border investigations and infringements. The law "will harmonize some aspects of the administrative procedure" in cross-border cases and "support a smooth functioning of the GDPR cooperation and dispute resolution mechanisms," the Commission wrote.
That "one stop shop" rule... (Score:1, Informative)
... is older than the GDPR, it's Steelie Neelie's legacy.
Probably not a popular opinion here, but... (Score:3, Insightful)
can we please get rid of the damn cookie popups? Or have a global way to accept them? I seriously don't give a damn, and they are just a nuisance. I wish there was a flag I could set in my browser that just accepts all of them... so I can get back to using the web.
Re: (Score:3, Insightful)
can we please get rid of the damn cookie popups?
Then contact the web masters: those web sites do not have to use cookie popups, it is just their strategy to annoy you and make you hate the GDPR.
Re:Probably not a popular opinion here, but... (Score:5, Informative)
GDPR rules require obtaining consent before writing cookies
No, only tracking, analytics and marketing cookies need explicit permission, functional session cookies do not:
"Strictly necessary cookies — These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. Cookies that allow web shops to hold your items in your cart while you are shopping online are an example of strictly necessary cookies. These cookies will generally be first-party session cookies. While it is not required to obtain consent for these cookies, what they do and why they are necessary should be explained to the user." (source [gdpr.eu])
thus the popups.
Non sequitur. They can just inform you by, for example, a non-intrusive text on the bottom of the screen.
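Added example (not part of the thread or of gdpr.eu): a small Python audit that classifies `Set-Cookie` headers captured before any consent click by the two properties the quoted passage names, first-party and session, and flags everything else for review. The host names, sample headers and the short tracker-name list are constructed assumptions, and the host matching is a simplification that ignores the public suffix list.

```python
from dataclasses import dataclass

# Assumption: a short, illustrative list of analytics/marketing cookie-name prefixes.
TRACKER_PREFIXES = ("_ga", "_gid", "_fbp")

# Constructed capture: (responding host, Set-Cookie value) seen before any consent click.
SAMPLE = [
    ("shop.example", "cart=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("shop.example", "_ga=GA1.2.111.222; Max-Age=63072000; Path=/"),
    ("ads.tracker.example", "uid=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure; SameSite=None"),
    ("shop.example", "theme=dark; Max-Age=31536000; Path=/"),
]


@dataclass
class Finding:
    name: str
    first_party: bool
    session: bool
    tracker: bool

    @property
    def needs_review(self) -> bool:
        # Only a first-party session cookie with no known tracker name passes unflagged.
        return self.tracker or not self.first_party or not self.session


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def is_first_party(site_host, response_host):
    """True when the responding host is the visited site or one of its subdomains."""
    site, resp = site_host.lower(), response_host.lower()
    return resp == site or resp.endswith("." + site)


def audit(site_host, observed):
    """Classify every cookie set before consent was given."""
    findings = []
    for response_host, value in observed:
        name, attrs = parse_set_cookie(value)
        findings.append(Finding(
            name=name,
            first_party=is_first_party(site_host, response_host),
            # A session cookie carries neither Expires nor Max-Age.
            session="expires" not in attrs and "max-age" not in attrs,
            tracker=name.startswith(TRACKER_PREFIXES),
        ))
    return findings


if __name__ == "__main__":
    for f in audit("shop.example", SAMPLE):
        print(f"{f.name:6} first_party={f.first_party} session={f.session} review={f.needs_review}")
```

A flagged cookie is a prompt to check its purpose, not a verdict: the persistent `theme` preference cookie is flagged only because it is not a session cookie.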
Re: (Score:2)
So do we get a nag screen with those or not?
Re: (Score:2, Informative)
Web sites do not have to use a nag screen because of GDPR, you get them because the web devs chose to. They do this because in the above scenario nobody would click on the link to allow those tracking cookies. They hope you click "allow all" by making the alternatives more annoying, while giving GDPR the bad rep at the same time.
Re: (Score:2)
Mostly yes. The client committing the website to the web-developer has usually no idea about the necessity of cookies, the GDPR or technical possibilities to implement a shopcart. It's the developer who suggests one solution or the other. A lazy developer resorts to libraries and tools from different sources (often from or hosted by Google, like jQuery, Fonts or Analytics) which allow Google or others to track visitors, thus making a nag-screen necessary.
Many lazy developers even rely on external vendors to
Re: (Score:2)
Re: (Score:2)
Nope. That's a lie.
To provide any sort of session based service cookies are the only reasonable technology.
You do not need a cookie banner for technically necessary cookies.
You only need a cookie banner if you want to spy on your users.
Re: (Score:2)
Hmm.. well, if I ever get back into working on my web projects I'll have to look that up. I really thought it was ALL cookies. I was considering just blocking all EU countries because I really HATE those popups and don't want to contribute any of them myself.
Re: Probably not a popular opinion here, but... (Score:2)
Re: (Score:3)
Re: (Score:2)
Not really. I may set some preferences (dark theme) for a website even without creating an account there. Cookies are also necessary for keeping permanent items in a shopping cart between browser sessions etc.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
YES. Anyone who doesn't want cookies can just not accept or save them or can save them just until the browser is closed or whatever. I trust my browser more than some never-ending blurb you would never be able to enforce (most likely against some site from a different continent), fuzzy regulations and so on.
Re: (Score:2)
Likewise. I've been managing my own cookies in my own browsers on my own computers not just since before GDPR, but since long before its "safe harbor" predecessor. I don't need or want some unaccountable pinhead bureaucrat on some other continent making those decisions for me. And I definitely don't need or want that bureaucrat's annoying-AF popups either.
Re: (Score:3)
Re: (Score:2)
No one cares about advertisers. That's a solved problem. The only popup I ever see is the cookie popup. Everything else is under control, managed or otherwise blocked by the browser.
The exception being mobile. The stupid popups that appear after you scroll a few pages on mobile are f-ing stupid.
Re: (Score:2)
Try AdGuard. It's not a perfect solution but so far the best one I have found to block ads on mobile websites.
Re: (Score:3)
Try the browser add on "I don't care about cookies" https://www.i-dont-care-about-... [i-dont-car...cookies.eu]
Re: (Score:1)
Why is that not a popular opinion?
I am almost 100% sure **everybody** here doesn't want the pop-up either.
If only there was a protocol [kde.org] which could be used to tell websites one doesn't want to be tracked and, thus, there is no need for any pop-up...
If only...
Re: (Score:2)
I apologize! Wrong link! Copy&paste... yikes
Do not track [wikipedia.org]
Malicious compliance (Score:2)
can we please get rid of the damn cookie popups? Or have a global way to accept them? I seriously don't give a damn, and they are just a nuisance.
Those popups were MADE TO BE A NUISANCE, designed to make more people hate GDPR and hence gain political pressure to neuter it.
You should be angry at the website operators for these popups.
Re: (Score:1)
Global accept OR deny. Cookie popups are a plague on humanity.
Better yet, don't even answer. Even clicking "Deny all" indicates you read and accepted their cookie terms and conditions. Don't give them that power. Just hide all the cookie banners and consent form bullshit and proceed with your browsing.
Fortunately you can bypass almost all of them with a bit of simple css rules and the stylus extension. It helps that more and more websites lazily use cookie cutter crap. Block any elements with "
Re: (Score:2)
can we please get rid of the damn cookie popups? Or have a global way to accept them?
They are working on it, albeit at the usual speed of EU politics. There was a draft leaked a few years ago which among other things would have repealed Directive 2002/58/EC, and while the replacement directive still required cookie popups it basically said you only need to show it if the browser hasn't set a Do Not Track flag.
Re: (Score:3)
Yes, that's simple. I'm in the EU and I do webdesign and -programming for a living. My websites need no cookie-warning or consent-popup. I simply host all data on my server and do not link resources (jQuery, Fonts or whatever) from servers outside the EU. I also do not track users. I only use session-cookies to hold shopcart-contents, user-settings or the likes. No consent is needed for that under the GDPR. Even Google Analytics can be used, if the IP-masking function is used and data will not be crossed wi
Re:Probably not a popular opinion here, but... (Score:4, Informative)
Complain. Those pop ups are mostly illegal.
Read Recital 32 of GDPR. It says that agreement can't be coerced. A big banner that makes it easier to agree than to reject all is clearly coercing the user.
None Of Your Business (NOYB) has been working on this for a while. You can complain and escalate to your local data protection authority if they refuse to fix it.
Re: (Score:3)
Re: (Score:2)
Here: https://www.i-dont-care-about-... [i-dont-car...cookies.eu]
However, I suggest also using https://github.com/Cookie-Auto... [github.com]
Re: (Score:1)
There was a flag you could set in your browser to automatically block (not accept) tracking cookies, called Do Not Track ( https://en.wikipedia.org/wiki/... [wikipedia.org] )
Unfortunately websites didn't honor it and it was ultimately abandoned as being another attempt at creating the "Evil Bit".
However we CAN automatically remove a large number of cookie popups, using browser addons.
The most popular is consent-o-matic, which detects popups with heuristics. This can be configured to allow tracking cookies if you want, but
Really? Get serious... (Score:5, Insightful)
The Irish data authority in recent months imposed some major multimillion-euro fines to sanction GDPR infringements from Meta, the parent company of Instagram and Facebook.
When they start routinely levying fines in the multi-hundred-million-euro range they may possibly get the attention of the tech giants. Until then, it's just a pocket-change cost of doing business that's probably dwarfed by what these companies are already spending to purchase legislation in various other areas of the world.
Re: (Score:2)
[I]t's just a pocket-change cost of doing business[...]
This is intentional. The Irish regulators do not want to dissuade the mega-corporations from headquartering in Ireland, as that would reduce the amount of tax money that Ireland earns, as well as reducing employment in Ireland.
Whosoever regulates lightest gets to host.
Re: (Score:2)
Fines from the EU are to drive change. Fines are never given in isolation, it is always a fine + a notice that they need to correct the behaviour which led to it. If the behaviour isn't corrected the fines increase heavily for non-compliance.
They *have* the attention of the tech giants, giants who very much make changes at the whim of the EU regulator or sometimes produce special products for the EU only. Precisely because they are afraid of a second fine, the first is just a warning shot.
Re: (Score:2)
The way these fines work is to increase if they don't change their ways. The goal is more to do with enforcement than punishment.
Re: (Score:2)
The way these fines work is to increase if they don't change their ways. The goal is more to do with enforcement than punishment.
Thanks to both you and thegarbz for providing information I wasn't aware of - it appears I shot from the lip without realizing it.
Re: (Score:2)
They do. I mean, issue fines in two and three digit million Euro ranges. /. has regular postings about it. This is one of the things the GDPR does right - the fines depend on your global, corporate revenue - it cuts right through the trickery of setting up tiny subsidiaries.
Re: (Score:3)
There's no need to fix the GDPR. The GDPR is an excellent law, well written and easily understandable for anyone with a minimum of technical knowledge. It's the big corporations who should stop ignoring it and respect people's privacy.
Re: Bravo sir! (Score:2)
Re: (Score:2)
I am an EU-citizen, I live and work in the EU and know the GDPR well, as it is part of my daily work. If authorities take stupid decisions, because they ignore the law, it is not the fault of the GDPR. The GDPR explicitly has exemptions for the purposes of carrying out legal obligations and exercising specific rights in the field of employment, social security and social protection law as well as scientific work and even small entities (with less than 250 employees, like a kids football club - as someone e
GDPR: endless clicking on enable cookies (Score:1)
Annoying (Score:5, Interesting)
For me, GDPR meant that for every single site I visit, I can't access the content because I am served a big pop-up with options. If I have to disable the cookies, often I have to navigate a labyrinth of submenus and uncheck a lot of boxes (on desktop; on a small phone screen it is even harder). Most people I know just hit "accept all" to make it disappear fast, making the entire thing useless.
Re: (Score:2)
No it doesn't. GDPR is not the EU directive which led to the cookie popup. That one predates the GDPR by quite a lot.
Re: (Score:2)
Why not provide a link then, you smug cunt?
Directive 2002/58/EC. Next time do your own Google search. I'm not your mother. Also we are not friends, and I'm sure you're not Australian so you don't get to call me cunt. You need to work up to that privileged position mate.
I am smug though. That comes with education.
Re: (Score:2)
The GDPR does not require nag-screens. Session-cookies, that do not track, are perfectly legal and do not require any prior consent - not even a mention somewhere on the page. The GDPR even requires that the content of the websites must be accessible without the visitor being tracked. And also the button to DENY tracking or cookies HAS to be of the same size and visibility as the ACCEPT-button. The DENY has to be the default, so unchecking a lot of boxes to inhibit being tracked is illegal under the GDPR. M
Re: (Score:2)
Most sites by now understood that people actually DO opt out, and that people who want to opt out will leave the site if you make it too complicated. At least most of the sites that I visit give 2-3 easily chosen options, aside from "accept all" there's usually "accept necessary" and often "reject all".
If you have specific sites in mind - complain to them and ask them to make it easier to opt out of at least the not-functionally-required ad networks and trackers.
Re: (Score:2)
What's this "Accept" nonsense? They just set all the cookies from the get-go and give you a nice shiny button that says, "GOT IT!"
God, I absolutely hate "GOT IT!" as an option. As if such an informal phrase makes the exploitation more acceptable.
Please can it be explicit or clear ... (Score:5, Insightful)
that things like the use of Google analytics need user consent. Many web sites use this, very few ask the user or tell them what is going on. No: GA is NOT "strictly necessary" for a web site to work; the owner might like it but that is not strictly necessary. Once this is clear then some high profile prosecutions would be in order.
Clearly something needs to be done (Score:1)
They never get rid of the old broken legislation no matter how much it's warranted. Just pile on more bullshit that sounds good but helps nobody and make it more difficult to navigate. That's the EU way.
Re: (Score:2)
You are misinformed. The GDPR has effectively replaced the old privacy laws in all EU countries. Yes, it is even uniform throughout the EU.
Re: (Score:2)
Can you point me to the last time they actually removed a law in the EU entirely? Any law?
Re: (Score:2)
You wrote that the GDPR was "added on top" of broken legislation - which is not true. And now you are confirming that the EU "replaced" older privacy laws. The older laws (which differed from country to country) are not valid any more. Nothing else did I say.
The "Data Protection Act" from 1998 in the UK was replaced in May 2018 by the General Data Protection Regulations (GDPR).
Same in Italy, where this new law replaces the "legge sulla privacy 675" from 1996 (yes, Italy was a precursor in privacy-laws) an
Re: (Score:2)
If another EU member country were to leave like Brexit in the UK, their prior laws would go back into effect. They were not replaced, just superseded.
So has the EU itself ever removed one of the terrible laws they came up with, or did they just modify and build on top of it adding to the mess?
Re: (Score:2)
I do not like to repeat myself. ;-)
Those who can read have a clear advantage.
dysfunctional ? (Score:3)
Especially compared to most recent legislation, the GDPR is actually a pretty solid piece of work. Imperfect? Certainly. But all in all, it ticks off most of the boxes, had the intended effect, and has enough bite that even the multinationals are taking it seriously.
A couple initial confusions were cleared up by the courts, and now it's become a standard across Europe that small and big companies alike follow. Does it have some silly consequences, like the cookie banners? Sure, but that's mostly because of all the ad networks and external trackers everyone wants to run.
It's good that they work to improve it. But "dysfunctional" isn't a fair description. There are a lot of other laws that fit that wording more.