there's a background amount of radiation. it's everywhere, even in higher amounts than you'd expect, like bananas and airplanes. no amount is safe, but the risks are negligibly small when exposure is minimized. concentrated amounts can be safe when exposure is controlled and managed with oversight programs in place. disasters can be managed with disaster programs, but it's still possible that unforeseen problems can cause big issues. unregulated handling can poison local populations. corporate influence on government can be a problem.
what a comparison! there should be an award for this.
Most companies have zero data controls and it ends up getting passed around everywhere and saved off by employees for their own personal use.
It's like waving money in front of people when you have no way to determine if it gets stolen or by whom.
I was raised in a family bookkeeping business that handled all of the vital business data for hundreds of clients. Data protection and privacy (respect for clients) were always job #1.
This came to be my philosophy for all user data in any context. A philosophy that very few people share--and the rise of the web seems to have reversed any possibility of such a philosophy taking hold as user data became a form of currency.
I've thought of it this way in a broader sense.
If you have any data, from user data to internal data from various LOBs, it should be: Data is the new uranium.
Grindr surely made much more from data sales than the 6.something million Euros it was fined. The paltry fines under GDPR do nothing to dissuade this behavior. That's been a recurring theme in previous HN discussions on this topic.
Right now, I would posit that these low penalties are for show. Governments don't want to lose the economic benefit of having these companies operate in the EU and the general public can be satisfied that their governments are on top of the issue.
Imagine you're a government who doesn't like homosexuals. Pay a fee - $5-$10m and you'll get a list of users globally. Probably with travel patterns. Next time they enter the country, arrest or block visas before they enter.
Nah, this fine (which I don’t even know if they’ll pay) is the cost of doing business.
It's the users themselves who actively register on Grindr to announce their services and picture on the platform.
If this activity is illegal in the country of the user, the best Grindr can do is to prevent users from these countries from registering on the platform based on their national ID, but that's basically it.
That way users would have an incentive to sue companies (i.e get rich quick). That way personal data would really have to be considered a liability if companies don't want to start giving millions to their users left and right.
When we have products that we produce that are required to keep customer data, we figure out what the _minimum_ amount of data required is to deliver the value required _to the end customer_ and do our best not to expose any more data than that.
For everything else, the goal is for our systems to hold _zero_ end customer data and _minimal_ employee data. We don’t want the liability. We do a lot of security engineering around what we do, but we want to make sure that we aren’t the source of a data breach on behalf of our customers because we aren’t holding the data in the first place.
Disclosure: I'm one of the founders of YourDigitalRights.org, a free service that makes it easy to send these sort of requests.
But if you suspect that a company is abusing your data, selling it, enriching it with data that they shouldn't have: fire away.
That this doesn't align with the free-for-all that was the WWW for the first two and a half decades doesn't change that, morality isn't all that hard and each and every company that crosses those lines is very much aware of it. These are not accidental misinterpretations of the law by any stretch of the imagination, they are wilful abuse.
- Tell people up front what you will do with their data
- Let them opt out
- Track what services your own service uses (Ex: your website -> google analytics)
- If people want to know what data you have about them tell them
- If people want you to delete their data (and there is no legal obligation to keep it) delete their data
- Take reasonable steps to keep user data safe
In this case Grindr was passing (per the article): advertising ID, IP address, GPS, location, gender, age, device information and app name to a bunch of Ad Services with "no control".
So beyond just "handling data" Grindr was getting paid (ads) for sharing your data to companies that could then also turn around and do whatever they wanted with that data.
EU member states and representatives decided that not having certain business models is preferable. Them leaving the single market is a welcome result.
Yes, operating in the EU is a liability; operating anywhere that has laws is a liability. And the risks of operating somewhere that doesn't have laws is an even greater liability.
Because 'dont abuse your ownership of personal data' is pretty much what it boils down to.
100x this fine would have been appropriate. Anything less just encourages other companies to treat privacy and data security as a joke.
This way most developers would refuse to write systems that could potentially get them in trouble, until their employer transparently ensures that no laws are broken. Some kind of engineering ethics.
Particularly interesting is that it is not allowed under GDPR to have a free version of an app with the condition that it shares personal data (in this case for targeting and profiling for ads) as the consent of the user is not freely given in this case - in a "Take it or leave it" situation, consent cannot be seen as freely given.
Link to the section "Consent as a condition to access the service ": https://gdprhub.eu/index.php?title=Datatilsynet_(Norway)_-_2...
> Sharing Grindr's users personal data with advertising partners for online behavioural advertising purposes was not necessary for the performance of the Grindr's services.
Charging money for your services is also not necessary for the performance of the said services. Still businesses are luckily still allowed to charge money. Why can't data be considered as a means of payment in this case?
It's a political decision that charging money (or displaying non-personalized ads) is preferable.
So the Norge argument here would go further and I would like to see this challenged to the European Court as this would provide a final verdict.
Currently I feel that different countries see these things quite a bit different.
On the other hand it would only mean that you can't have a free version refinanced through advertising, but would need to find other ways of converting users into paying customers while still providing a stripped down free app for generating reach.
Not sarcasm - I think that while it's obviously a different scale, the reasons are similar and boil down to "we don't want that as a society" and "the environment this creates is not conducive to a free and informed rational decision". Many people don't understand the value of their data and the risk it poses, there is an information imbalance, there is a power imbalance (the company sets the terms, and you only get to take it or leave it).
The pre-GDPR situation also showed that the market doesn't really work, because everyone was collecting your data, and people have limited energy and incentive to care because it doesn't cause immediately visible pain. It's similar to workplace safety - we don't allow employers to create easily avoidable dangerous situations in exchange for extra pay either, for similar reasons.
Most importantly, data grabbing is not necessary for advertising, it's just slightly more profitable and thus everyone does it, eventually pushing the "good" (privacy-friendly) players out of the market. If we want to change that, we need a de-facto ban (which a properly implemented GDPR would be, because so many people will click "No" if given a truly free choice that showing the popup won't be worth it).
One of the biggest reasons would be that using data as payment has been demonstrated to push out companies that don't want to collect data. Data as a means of payment is less clear to the consumer about the costs, and there is no really good way to inform the public outside of a massive investment into general education that focuses on privacy, data laws, how data is gathered, why it is gathered, how it gets traded and used, and what the outcomes are. The value added through data is also not taxed, which creates an unfair advantage compared to other payment methods.
Screenshot of the "consent as a condition to access the service" https://imgur.com/a/neJya1e
Yes this is limiting the free market but it's a conscious decision.
It's still allowed to process data for your own analytics (e.g. to improve your offer) and make use of third party services. What the GDPR aims to prevent is your data being shared with the whole world way beyond the entity with which you originally interacted.
If that means services cannot finance themselves through advertising anymore then so be it.
I can imagine an oppressive government buying dating app data to blackmail their users. I noticed in the Tinder TOS thread people complaining about how impossible it is to meet folks in real life.
You can still have friends, friends have friends you can go out with. I'd say from a mental health POV you should be doing social things anyway.
Clearly people use the app because the app answers a user need. So what’s your answer to the user need?
But more to the point, Grindr got in trouble specifically for selling data to advertising networks presumably so they could also be targeted outside Grindr. Knowing someone's sex, sexual orientation, location, age and hobbies is great targeting data.
Edit: top of the article had an incorrect amount.
> As such, it considered that a fine of €6,500,000 (NOK 65,000,000) was appropriate and dissuasive.
The HN headline is also "wrong" (or at least imprecise) - the fine amount is in NOK, so the euro figure is ~6.418 million depending on exchange rates.
I'm sure it's more complicated but the general idea is economic coercion.
Now given that, the class of proximity based apps are all regional (such as dating, dog walking, delivery, etc).
I have no idea if Grindr has a market penetration in Europe to make it worthwhile. Companies have been known to completely vacate markets instead of honor fines or fees.
If they won’t leave or pay, the EU could possibly force app stores to remove the app from their region or something similar.
You put the company on a black list, then banks or other companies in the EU, or that have business in the EU, can't send them money or work with them. I am assuming they offer some subscriptions and other paid features, so the banks not working with them will hurt.
Even though Norway is not an EU country, it's part of the EEA and various other treaties with the EU and hence they ended up implementing GDPR, so it seems possible that they end up having authority to enact EU/EEA wide enforcement actions.
https://www.lexology.com/library/detail.aspx?g=34dfb199-c9ab...
In particular, the revenue limit seems problematic. For a "normal" company whose profit margin is a relatively small fraction of revenue, 4% of revenue is huge. But for highly profitable large tech companies that make money primarily from ads, it may not be possible to issue a dissuasive fine if it is capped to 4% of revenue. Maybe "4% of revenue, or 200% of profit, whichever is higher" would be a better limit.
And after that I expect compliance will be a much easier subject. So far the whole roll-out has been exactly as I expected it to be.
Grindr made a profit of $31M and a revenue of "well over $100M". The maximum fine is 20M EUR or 4% of revenue (whichever is higher). So assuming under 500M EUR in revenue, the maximum fine is lower than Grindr's 2019 profit. So if Grindr is the lucky one that serves as an example, I don't see how even the absolute worst case fine would put them out of business.
Although the max fine is probably higher than the 2019 profit from the EU, I could totally see that changing, and someone deciding that getting slapped with the maximum fine is cheaper than the loss of revenue from complying, especially if it is a business that is entirely in ads.
In fact, anecdotally, it’s often the vocal critics of data-funded tech companies who post an archive.is version of every paywalled article.
https://docs.microsoft.com/en-us/aspnet/core/security/gdpr?v...
The first step in being GDPR compliant is not installing a tracking library in your project. Web frameworks have no control over that.
These built-in templates for cookie popups are a joke, IMO.
> In light of all the relevant criteria of Article 83 described above in sections 6.3-6.4, we consider that the imposition of a fine of NOK 65 000 000 is effective, proportionate and dissuasive in the present case.
https://www.datatilsynet.no/contentassets/8ad827efefcb489ab1...
This is approximately 6.49M EUR.
>The NO DPA reviewed the fine announced in its draft decision (10,000,000 €) on the basis that the revenue of Grindr (seems to-this part is redacted) seems different and that Grindr has made with the aim to remedy the deficiencies in their previous CMP.
Draft decision: https://gdprhub.eu/index.php?title=Datatilsynet_-_DT-20/0213...
I was on Tinder for about a week. I was receiving dating spam for a year - not "a phishing email". Hopefully Tinder will be the next up against the wall. They're shameless.
In 2018 researchers found that Grindr was sharing users' HIV status and location with marketing companies: https://www.buzzfeednews.com/article/azeenghorayshi/grindr-h...
Just this year there was a scandal where an anti-gay church fired one of its officials because a homophobic publication somehow got access to his Grindr account and his location data. The details on how the data got out are not clear. https://www.vice.com/en/article/pkbxp8/grindr-location-data-...
In My Own Opinion - this "surveillance capitalism" is a huge, stinking cancer on free society and is only getting started.. history will show this is absolutely true. "I have nothing to hide" people can get a free Grindr subscription for all I care.. this is a rotten situation.