"The Commission said previously that the simplification plan will focus on reporting requirements for organizations with less than 500 people, but will not touch the “underlying core objective of [the] GDPR regime.”
Adjustments could include limiting requirements to keep records of data processing activities, or reforming how businesses provide data protection impact statements — two rules seen as overly cumbersome to smaller firms."
At the minimum I'd hope they a) do away with the worthless cookie banners requirement b) cut some generous but reasonable slack to small organizations.
Interesting timing with the digital sovereignty movement.
The cookie banners aren't worthless. The websites presenting cookie banners either don't know the law, or are engaged in spyware shit. You don't need a cookie banner if you need it to provide a service that the user expects (e.g., saving settings, login).
As an EU citizen, I'm not concerned about your need to observe my behaviour or to prevent ad-click fraud. What I care about is websites sharing my navigation history with Google or the rest of the advertising industry, so yes, I'd like to be informed of it.
Personally, instead of having banners, I'd just ban the practices altogether (e.g., targeted advertising, 3rd party analytics), which would certainly simplify business.
I don't see why small organizations should get to be more careless with my personal data than anybody else. The value of my privacy doesn't change just because of the size of the company.
Cookie banners are not a requirement in the first place. They are a convention set by giant risk-averse consequence-free tech companies, and followed by everyone else.
> At the minimum I'd hope they a) do away with the worthless cookie banners requirement b) cut some generous but reasonable slack to small organizations.
Cookie banners aren't a requirement unless you wish to store cookies that aren't strictly necessary (statistics, marketing, etc)[0]. Cookies that are essential for the user to browse the site (login tokens) don't require consent.
It doesn't help the situation that a large number of sites seem to maliciously comply with these regulations.
The cookie banners are largely a cargo cult and don't have to be nearly as annoying as they are.
Websites just love to say "we have to do this" rather than improve their UX because the latter just means more work while the former gets people to be wrongfully upset at GDPR.
>> a) do away with the worthless cookie banners requirement
My understanding is that if your site doesn't use cookies, you don't even need that. Don't use cookies, don't collect or share personal data, and GDPR is complied with. Apparently from TFA it sounds like even then you have a lot of proving it to the government, and that's a hassle.
Nope and nope, same rules are for all. You want to steal private data, you will be labeled. If it comes from libs, maybe don't use shitty private data stealing libs?
Move fast and break things - fuck that, anybody smart enough can project to what sort of society it leads down the road.
> do away with the worthless cookie banners requirement
There is no such requirement. You're free to make a website that doesn't require cookies.
This very website on which we're discussing doesn't have a cookie banner, and isn't required to have one.
(I'm not saying HN is GDPR compliant though, it's missing a DPO mail address to allow edit/deletion of older PII messages and a privacy policy even though said policy would probably be max 10 lines)
> cut some generous but reasonable slack to small organizations.
I can't say for other countries, but in France there is already a lot of slack even for bigger organizations. We have mainstream websites that are obviously violating the GDPR (most visited cooking site, most visited TV content provider, not allowing free choice of refusing tracking)
> do away with the worthless cookie banners requirement
Not a GDPR thing, and the reason you see the banner is because companies refuse to understand the regulation correctly.
> cut some generous but reasonable slack to small organizations
Some more slack you mean, since they already have a lot of slack compared to larger organizations?
What exactly is so cumbersome for a small business to comply with? They're generally "common sense" requirements, and most organizations who already take care of their data basically had to do nothing to be compliant. What are you doing that is so complicated or essential that it's hard to comply, as an SME?
The GDPR does not enforce the use of cookie banners. Cookie banners are an IAB idea. My suspicion is that they were created to make people angry at GDPR, but they have nothing to do with GDPR.
On most websites that I've analyzed (and it's quite a lot - into the hundreds), you can remove the cookie banner and the website would be just as GDPR (in)compliant as with the cookie banner.
GDPR is not complex because it is hard to comply with but because seemingly no one wants to.
EU-US data transfers have been declared illegal numerous times [1], but instead of supporting European cloud providers those decisions are barely enforced and quickly circumvented by a new data transfer act.
Cookie banners are not hard to implement if you don't try to share user data with your "864 most trusted partners", there are clear guidelines [2] now on how they need to be designed, but instead of criticising these not being properly enforced, the requirement for them itself is criticised.
How is it that Meta can regularly break the law, with 7 of the 10 highest fines (or probably around a third of all fines) going against them [3] with seemingly no action taken to prevent this from continuing onwards.
noyb has managed to achieve more than a billion euro in fines with only 6 million euros in funding, we could be focusing on supporting NGOs doing incredible work for their budget and getting our DPAs to properly enforce the law.
The issue with GDPR is not the law but the seeming unwillingness to enforce it, leading to a lack of clarity about what is expected and what is not. [4]
> How is it that Meta can regularly break the law, with 7 of the 10 highest fines (or probably around a third of all fines) going against them [3] with seemingly no action taken to prevent this from continuing onwards.
Because until now we've been treating American companies very leniently, with an occasional slap on the wrist. For example, when Poland wanted to regulate Uber, the American ambassador warned the Polish government that if they do that, they will regret it.[0] And because at that time the USA was in the business of protecting the East NATO flank, the Polish government turned a blind eye on Uber.
Now that the USA turned away from Europe, nobody cares about the interest of American companies. When Trump's ambassador (Tom Rose) threatened the current government in the same way recently regarding the planned "digital tax", the minister answered "We're nobody's fief".
Let’s roll back the stupid cookie notification. Replace it with “sites must respect the user setting in the browser” so we can set it once and be done with all that nonsense.
> "the simplification plan will focus on reporting requirements for organizations with less than 500 people"
I consider this extremely bad! It should be based on revenue, not people.
I can imagine extremely big data trading companies with less than 500 people. I can even imagine Meta/Facebook doing various employee redistribution shenanigans and managing to fit inside that limit.
So cookie banners go first? As an obsolete "requirement" when all that tracking will be finally banned? Right? Just like paper journals - they don't do any identify-your-page-flipper...
And the employer will be finally allowed to know his employee's name and address?? Without additional paper trail? No, they won't allow that, it will be too sane.
> The GDPR is seen as one of Europe's most complex pieces of legislation by the technology sector
Really? Now I'm no bureaucrat, merely an engineer, but GDPR was relatively easy to read through, even the official document (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...) is only 88 pages long, this cannot realistically be "one of Europe's most complex pieces of legislation". A lot of privacy-conscious SMEs basically had to do nothing to be compliant, telling me it seems to hit the mark of being not too complicated.
Most of the cases I've heard people complaining about GDPR being "complicated" or "impossible to implement correctly" have been from people/organizations who are breaking GDPR, and have no way of reaching compliance without removing things they ultimately earn money from, which in my mind is the exact purpose of GDPR. Most orgs don't seem to be introspective enough to understand why they are having such a hard time with GDPR though.
I hope that their proposed "simplification package" doesn't actually remove what makes GDPR useful and good, but since they seem to be making a bunch of bad-faith arguments for this simplification, I'm not super optimistic.
I see lots of comments supporting it but I can see they are mostly from the business side. What does "simplification" mean for users? I'm expecting companies to be given way more room for exploiting user consent for shady data collection practices.
If the GDPR is simplified, the fines should be drastically raised. (At least for companies) E.g. to minimum 20% of last year's global revenue, for bigger companies (FAANG-scale) to minimum 70% of the revenue. The GDPR must make companies afraid of breaking the law.
Cookie consent banners might be one of the most frustrating aspects of modern web browsing. A better solution could have been a thoughtful extension or fork of HTTP, specifically for EU implementations, something that handles consent through HTTP headers instead. That would allow users to easily opt in or out, either globally or per tab, without the clutter. Ideally, technical regulations like these should be designed by people with a strong understanding of technology, to ensure practical and user-friendly solutions.
It would have been easy to write in generic wording that the "do not track" header must be respected by websites. I've been wondering for ages why this wasn't implemented.
Cookie consent banners are a workaround for GDPR, not a requirement from GDPR. If companies just stopped trying to track people by default, then we'd have the best of both worlds.
But as we see with Apple and DMA, they will instead do their best to drag it out.
As a big GDPR fanboy, one thing I would be happy for them to remove is the portability between providers requirement: it was essentially dead on arrival, is not implemented, and could be done away with.
The other EU-level regulation that needs to be either removed or completely rethought (since it will clearly not be enforced in a way that makes sense) is the cookie regulation. It was well-intentioned, badly implemented, and the GDPR addresses more of the core problems, it is time to do away with it.
But as a whole, I push back against the idea that deregulation is the primary way in which the EU can or should become competitive with the US on technology. Lack of public investment, worse ability for companies to offer equity incentives, and timid private investment are all much bigger problems than consumer protection regulations.
> I would be happy for them to remove is the portability between providers requirement: it was essentially dead on arrival, is not implemented, and could be done away with.
Well, they actually shouldn't. There are non-EU email providers that show exactly what would happen - customers wouldn't be able to transfer out their email from that service provider. Unlucky if they won't notice that limitation in time.
> The other EU-level regulation that needs to be either removed or completely rethought (since it will clearly not be enforced in a way that makes sense) is the cookie regulation. It was well-intentioned, badly implemented, and the GDPR addresses more of the core problems, it is time to do away with it.
Or simply start handing out fines for malicious compliance.
I don't live in Europe. I still believe GDPR is a godsend. I just send a ChatGPT-generated e-mail to the company to forget me citing GDPR and voila, it just works.
Just have to lie a bit that I am a resident of the EU though.
Uh oh. I'm all for cutting the red tape, but (in my opinion) the GDPR is: 1) easy to comply with if you're not doing nasty stuff with people's data, 2) actually needed.
You're on a forum supported by a startup accelerator for entrepreneurs who want to get stuff up and running with as little friction as possible. It's fairly obvious that Sinclair's quote would ring true here.
Smaller entities should still be required to fix/delete your personal data on request, imho.
I'd also appreciate if the exception was conditional on not selling any data or using it for external advertising (i.e. "you might also like" suggestions would be okay, as long as they're part of the same service)
It's easy as long as you're a corporation. It's onerous for a human person. Like the EU's excellent Digital Markets Act, GDPR should be altered to only apply to corporations. It'd be better if like the DMA it only applied to very large corporations, but just corporations is still way better than the status quo.
I shut down a couple of my websites that provided a service for free (streetlend.com and cointouch.com) because the GDPR was too ambiguous for me to be 100% sure I complied with it - and in the past online I have encountered vexatious people who have tried to damage my reputation. On one of my other websites, those people used GDPR privileges (eg making vexatious SAR requests) simply to make my life more difficult.
At the end of the day, I create helpful and fun websites for free in my spare time because I enjoy it.
EU regulation created jeopardy and friction that meant I couldn't justify doing this anymore.
Whilst I don't like cookie banners, I personally appreciate the EU GDPR simple style of cookie banners which are simply three options:
- accept all
- necessary only
- reject all
So many websites outside the EU have a mass of dark patterns for which I increasingly reject all or leave the website.
GDPR is really simple.
Only store data that you really need to service the customer’s needs, always permit the customer to correct incorrect data and allow them to delete it unless you have a legal reason to keep it. Report GDPR failures within 72 hours where customer data has been compromised and treat PII carefully.
The politicians cite competitiveness as the motivator for relaxing the GDPR. The real reason for the EU lagging behind the US in "big tech" is of course the lack of venture capital and the red tape in registering corporations.
The GDPR does not prevent US big tech from operating in the EU.
As it stands, this is just another attack on EU citizens' rights. It is also the least of the EU's current problems. De-industrialization due to high energy prices is, but of course von der Leyen will not mention that.
I think simplifying the law for companies smaller than the 500 person cut-off makes sense. The Brussels effect is strong. I was just in a company of approximately ~150 people in America and a significant portion of our time went to GDPR/California law takedown requests. User data was everywhere, it was a nightmare. No one thinks of this stuff when everyone is still in sink or swim mode. We got it done though.
Maybe it's an argument for the other side though as well. The architecture of the system was designed to track people as much as possible so we could do A/B, app design, and marketing more effectively. It felt like it was the company's life blood.
I would say the law should at least make people get their architecture right when small so that when they're big it's not impossible to comply later.
One last thought: our company was small in head count but is getting much bigger right now in revenue. I've heard of small head count, billion dollar companies. What of them?
I spent four years working at a European fintech that serviced millions of end-users, and we had a self-service GDPR portal for users to export or request deletion of the data we had on them. (In some cases we were required to hold onto certain data due to other laws). Any feature that stored new user data had to get integrated into the tool, and then signed off from legal and the team that maintained the tool.
It got very little usage - maybe a few hundred to a thousand requests per year IIRC. I shudder to think what you could have been doing that would attract that volume of requests. Was it Clearview AI?
sega_sai|11 months ago
bambax|11 months ago
"Simplification" consists in adding exceptions, which are in effect additional rules and special cases.
Simplification actually means everything gets more complex.
remus|11 months ago
Sounds pretty sensible to me.
drooopy|11 months ago
terminalbraid|11 months ago
bad_user|11 months ago
Hojojo|11 months ago
ta1243|11 months ago
thomastjeffery|11 months ago
e2le|11 months ago
[0]: https://gdpr.eu/cookies/
DarkWiiPlayer|11 months ago
pabs3|11 months ago
phkahler|11 months ago
jajko|11 months ago
phh|11 months ago
diggan|11 months ago
awiesenhofer|11 months ago
They won't, since they were never "required" nor are they part of the GDPR
> cut some generous but reasonable slack to small organizations
They will, that's the whole reason they are changing it!
kuba-orlik|11 months ago
arrty88|11 months ago
I recommend everyone gets the Chrome plugin that auto-accepts these banners so you never have to see them again
xeonmc|11 months ago
Rygian|11 months ago
Disagree must be as prominent as Agree.
bcye|11 months ago
[1]: https://noyb.eu/en/23-years-illegal-data-transfers-due-inact...
[2]: https://noyb.eu/en/noybs-consent-banner-report-how-authoriti...
[3]: https://www.enforcementtracker.com/?insights
[4]: https://noyb.eu/en/data-protection-day-only-13-cases-eu-dpas...
benterix|11 months ago
[0] https://phys.org/news/2019-04-hundreds-cab-drivers-protest-u...
more_corn|11 months ago
M95D|11 months ago
Woodi|11 months ago
diggan|11 months ago
xinayder|11 months ago
JCWasmx86|11 months ago
Muromec|11 months ago
m00dy|11 months ago
DarkWiiPlayer|11 months ago
johnnyanmac|11 months ago
_petronius|11 months ago
Avamander|11 months ago
boruto|11 months ago
perch56|11 months ago
jdiez17|11 months ago
Any opposing views?
johnnyanmac|11 months ago
DarkWiiPlayer|11 months ago
superkuh|11 months ago
cbeach|11 months ago
unknown|11 months ago
[deleted]
junto|11 months ago
In the US - fuck the customer.
I know which I prefer.
cbmask|11 months ago
djha-skin|11 months ago
xmodem|11 months ago