Ask HN: Had anyone already had to deal with the GDPR fines / abuse?

50 pointsforthispurpose7y ago27 comments

Recently there was a fair amount of concerns about GDPR being a harbinger of doom for smaller companies and fears of user abusing GDPR requests or other companies using GDPR as a tool for taking down competitors.

Had anyone on HN had experience with people / companies / institutions abusing GDPR?

50 pointsforthispurpose7y ago27 comments

Had anyone on HN had experience with people / companies / institutions abusing GDPR?

27 comments

18 comments · 5 top-level

jarnix7y ago· 7 in thread

Well, in France yes already (and the links are in French, basically the first one is about a basic hack where you could change the id of the user in the URL of the current page to get others users' invoices -no comment-, and the second one because the users could not decide what cookies could be stored on their computers, they did not offer any choice eg through a CMP or something else)

Optical Center : 250 k€

https://www.clubic.com/rgpd/actualite-844065-sanction-rgpd-p...

Challenges.fr : 25 k€

https://www.legalis.net/actualite/le-conseil-detat-confirme-...

donthavekeepass7y ago

These links are misleading as neither of those fines was imposed based on GDPR: The first article says that the fine was imposed based on a national law due to a data breach in 2017 (and says that the fine could’ve been higher now under GDPR), the fine in the second article was handed out based ePrivacy / Cookie legislation. Neither of those are directly related to GDPR, although the first case would also be punishable under it (but wasn’t when it happened).

I would’ve been surprised if the authorities had handed out fines that fast, as they usually need to give companies a reasonable amount of time to fix problems after they are revealed.

IdontRememberIt7y ago

Will the interpretation depend on the country until someone raises the case to the highest court? Do we have to check the precedent of all European countries?

scoom7y ago

Users always can decide what cookies can be stored on their computers - Europe is braindead on this issue.

shabble7y ago

How do I allow this site to set the 'user' cookie, but not the '_cfuid' one? Since Cloudflare is proxying, both cookies are first-party.

FF61 on Mac. Solutions for Chrome would also be interesting.

Note that I specifically don't want 'self destructing cookies' or session- or time-limited ones. I just want to white/blacklist by site, cookie name, and perhaps cookie content.

I've briefly looked for suitable extensions, but not yet found anything.

genericid7y ago

They can't. It may be technically possible, but users can't. Even for power users it's a pain in the ass.

1 more reply

0x4f3759df7y ago

The first one frames it as lucky because the fine could have been 20mil€...

jiveturkey7y ago

magnifique!

buro97y ago· 4 in thread

I've had trolls whom I had banned from online forums attempting to use GDPR as a tool for trolling me (with the chore of gathering all data, but I already had an API that did this). And then attempting to use it to gut forums by claiming several identities and requesting deletion of all comments (try and imagine HN if comments by patio11 were deleted throughout).

On the forums I run email is the only identifying property and in my case the trolls (2 of them I think) were unable to sign in as the users in question, so I have refused to recognise the request (and then had the threats of legal action... but what else can one do if someone cannot prove their identity?).

duxup7y ago

I was wondering about a catch 22 where someone misbehaves, then gets banned, cites GDPR and demands their data be deleted (they can do that right?) ....and signs up again later with the same data.... wash rinse repeat....

phiresky7y ago

You can keep storing an identifier (like email address) without any problems if you have a reason (like to blacklist them)

1 more reply

RaleyField7y ago

Does signing in really prove identity? What happens if I share accounts with someone else (against TOS potentially) and one person then abuses GDPR to dox the other person? GDPR seems so poorly thought out.

jarfil7y ago

Right now most forums are pseudonynous, which has its own considerations in the GDPR. They also don't require personal data other than the email, which is required to log in, so if someone logs in, it means they already had access to that data by some other means. And data that's made public by the user, which they could ask you to remove, but can't claim that you made it available without their consent.

Forums which collect other personal data, like maybe date of birth, and allow it to remain hidden... those might have a problem, depending on the sensibility of the data, but still if you shared the account details with someone, it seems to me difficult to claim that the forum and not the user is the one responsible.

1 more reply

codycraven7y ago· 2 in thread

Drone.io nearly immediately received the Nightmare GDPR letter and closed its Discourse forum to avoid the overhead that providing a forum for an open source tool now causes.

It instead moved to a much less useful Reddit subthread.

mr_toad7y ago

Discourse is exactly the kind of thing the GDPR is aimed at.

duxup7y ago

What do you mean?

2 more replies

butz7y ago

Some shady web development agency sent spam emails to several smaller websites, pretending to be local Data Protection Authority. Email mentions complaints received from users and lists some fake fines. They went so far as buying custom domain and redirecting it to actual website of Data Protection Authority. Later, they contact website owners trying to sell their services.

Rjevski7y ago

Given how many sites blatantly ignore or violate GDPR (no opt-out, etc) I'd say there doesn't seem to be any enforcement. At the moment, GDPR is just scare-mongering but in the end is just as useless as the previous privacy directives. I wish this would change but I'm not holding my breath for it.

> Had anyone on HN had experience with people / companies / institutions abusing GDPR?

Any site that gives you a consent box with the bullshit tracking enabled by default, or that lets you know they use cookies with no way to opt-out. Per GDPR tracking should be opt-in so even pre-ticked checkboxes aren't allowed.

The only site that I've seen do this right is Quartz. They have a simple modal "we use tracking for X and Y", do you want to allow or deny?

j / k navigate · click thread line to collapse

27 comments

18 comments · 5 top-level

jarnix7y ago· 7 in thread

Optical Center : 250 k€

https://www.clubic.com/rgpd/actualite-844065-sanction-rgpd-p...

Challenges.fr : 25 k€

https://www.legalis.net/actualite/le-conseil-detat-confirme-...

donthavekeepass7y ago

I would’ve been surprised if the authorities had handed out fines that fast, as they usually need to give companies a reasonable amount of time to fix problems after they are revealed.

IdontRememberIt7y ago

Will the interpretation depend on the country until someone raises the case to the highest court? Do we have to check the precedent of all European countries?

scoom7y ago

Users always can decide what cookies can be stored on their computers - Europe is braindead on this issue.

shabble7y ago

How do I allow this site to set the 'user' cookie, but not the '_cfuid' one? Since Cloudflare is proxying, both cookies are first-party.

FF61 on Mac. Solutions for Chrome would also be interesting.

Note that I specifically don't want 'self destructing cookies' or session- or time-limited ones. I just want to white/blacklist by site, cookie name, and perhaps cookie content.

I've briefly looked for suitable extensions, but not yet found anything.

genericid7y ago

They can't. It may be technically possible, but users can't. Even for power users it's a pain in the ass.

1 more reply

0x4f3759df7y ago

The first one frames it as lucky because the fine could have been 20mil€...

jiveturkey7y ago

magnifique!

buro97y ago· 4 in thread

duxup7y ago

phiresky7y ago

You can keep storing an identifier (like email address) without any problems if you have a reason (like to blacklist them)

1 more reply

RaleyField7y ago

jarfil7y ago

1 more reply

codycraven7y ago· 2 in thread

Drone.io nearly immediately received the Nightmare GDPR letter and closed its Discourse forum to avoid the overhead that providing a forum for an open source tool now causes.

It instead moved to a much less useful Reddit subthread.

mr_toad7y ago

Discourse is exactly the kind of thing the GDPR is aimed at.

duxup7y ago

What do you mean?

2 more replies

butz7y ago

Rjevski7y ago

> Had anyone on HN had experience with people / companies / institutions abusing GDPR?

The only site that I've seen do this right is Quartz. They have a simple modal "we use tracking for X and Y", do you want to allow or deny?

j / k navigate · click thread line to collapse