But if you want to contribute to a privacy-violating network that tracks individual users, then that goes far beyond wanting "just to put up a website somewhere".
They are only trying to keep their monopoly on government oversight which is reasonable for a governing body (our citizens = our control).
... you also have to ask for permission first.
The main difference is that for a data processor in France it seems possible to get all the right contracts in place, while a US based data processor is incapable of doing that thanks to FISA and similar US initiatives.
While that's not the issue being discussed here, you should by default only collect & process the minimum amount of data needed for the product/service to function. Analytics aren't part of that and would need to be opt-in.
Imagine that you run a workplace where floor space is relatively expensive. To avoid increasing the floor space, you determine exactly how wide each hallway must be, exactly how much space is required, and build everything to that specification. Your hiring decisions take the weight of an applicant into account, so that nobody will be too large for those hallways. Then a law comes along saying that your coal mine is dangerous, and your use of child labor is unethical. "But look at the cost!", you cry, "I can't afford to enlarge every tunnel to accommodate full-grown adults!" But there was no reason the tunnels couldn't have been built larger in the first place.
There was no reason why the web and the internet could not have chosen to respect privacy by default, and thereby avoid the current costs of changing their software and business models. If it is true that the default apache configurations violate privacy standards, just as any configuration of Google Analytics violates privacy standards, then that is a sign of just how much the regulation is needed.
https://law.stackexchange.com/questions/42438/do-default-apa...
It would appear public IP addresses are PII. Apache (and most web servers) log those by default.
A case can be made, on a site-by-site basis, that those are necessary for providing the functionality of the site. But that's a hard case to make if the logs are never actually read, and then if they're collected for that purpose, timely deletion is important (and unless your host also configures log rotation and disposal, timely deletion isn't happening).
I'm pretty sure all of this has to be declared in a privacy declaration anyway, even if they are collected for site operations purposes and deleted in a timely fashion. With all these constraints, probably safer to run in a privacy-configured Docker in one of the big Cloud hosts than to stand up one's own apache install.
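An added example, not part of the original comments: one way to address the two points raised above, client IPs in Apache access logs and timely deletion of those logs. It assumes the common/combined log format, where the client address is the first field; the /24 and /48 truncation widths, the `*.log*` file naming and all function names are illustrative assumptions.

```python
import ipaddress
import re
import sys
import time
from pathlib import Path

# In Apache's common/combined formats the first field (%h) is the client address.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)

def mask_ip(text, v4_bits=24, v6_bits=48):
    """Zero the host bits of an IP address; return None if text is not an IP."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.version == 4:
        net = ipaddress.IPv4Network((int(addr), v4_bits), strict=False)
    else:
        net = ipaddress.IPv6Network((int(addr), v6_bits), strict=False)
    return str(net.network_address)

def scrub_line(line):
    """Return the log line with its client-address field truncated."""
    m = _FIRST_FIELD.match(line)
    if not m:
        return line  # blank line: nothing to scrub
    masked = mask_ip(m.group(1))
    # Fail closed: a hostname or malformed value in %h is replaced by "-"
    # rather than written through unchanged.
    return (masked or "-") + m.group(2)

def prune_logs(directory, max_age_days, now=None):
    """Delete log files older than the retention period; return their names."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    for path in sorted(Path(directory).glob("*.log*")):
        if path.is_file() and path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path.name)
    return removed

if __name__ == "__main__":
    # Filter mode: raw log lines in on stdin, scrubbed lines out on stdout.
    for raw in sys.stdin:
        sys.stdout.write(scrub_line(raw))
        sys.stdout.flush()
```

Truncating before the line is written means the full address never reaches disk; the retention function still has to be scheduled (cron or a systemd timer) for deletion to actually happen.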
Collect people's data (and that's what a user analytics system does) and then you're responsible for it, and you have to follow the rules.
Only things like tracking, ads, and sending data to areas without equivalent privacy laws are forbidden. The intent and usage of the collected information is a big part of what is and isn't allowed.
I have a collection of small, US-focused websites.
I'm investigating low-effort ways to geo-fence the EU. At some point it just becomes easier to ban Europeans, rather than keep up with whatever they'll come up with next. I saw in this thread that the Google fonts on my website are now a problem as well!? That's the first I heard of it.
This is the perfect example of why government oversight is needed. You run a bunch of websites and aren’t aware that you are inadvertently involved in violating the privacy of the people who visit your sites. How are non-technical people supposed to deal with this?
A bureaucrat on the other side of the planet comes to a conclusion and I, who never voted for this person or knew about their existence, am legally bound by their decision.
On pain of who knows what fines or penalties. I’m nearly overwhelmed by the amount of work on my core product, I can’t add “keep up with European legal opinion” to my todo list as well.
As I said, it’s simpler to just geofence everything.
I feel for my European brothers and sisters these days. As an American, I hardly ever see these banners. Went to an EU country for work and... Holy cow. Y'all get these banners every site. How do you tolerate it?
Yes, I think we're in a vastly better place, where there is a cost to doing bad things.
Good for Europe, they are just going to law themselves out of the internet. Up to the point where your ISP doing hops to send your TCP packet will be illegal unless you approve them sharing that info with all the shops.
(Also, the GDPR is not responsible for cookie banners)
The market responding to the law with billions of cookie banners was as predictable as prohibition leading to bootlegging.
Do virtually any business that involves user registration at some point, and now you need to be sure that you're compliant with all those rules, spending limited resources on that to avoid ridiculous fines.
It benefits only the big players who have lawyers to know exactly what to do and not, and is a nightmare for anyone who tries to grow a small business or have a small website.
It's exactly the opposite.
It forces technology to be developed in a way that protects human rights (specifically the right to privacy).
Innovation is not automatically good if you're innovating in the wrong direction. Think of it as a vector, not a scalar.
If someone pointed a gun and forced me to go to a website, enter my personal data and give my data to trackers that would be something else (still not website's fault but anyway).
"Hey, Google and Facebook are doing so well, let's make it harder for everyone using their services."
I neither have sympathy for those companies nor have ever been to the US, but after all these GDPR regulations I actually started to sympathize.