Stories with Tag GDPR

• Apple and Meta fined millions for breaching EU law

  permalink

  Posted: 2025-04-23 10:01:04

  Verbose tl;dr

  France's data protection watchdog, CNIL, fined Apple €8 million and Meta (Facebook's parent company) €60 million for violating EU privacy law. The fines stem from how the companies implemented targeted advertising on iOS and Android respectively. CNIL found that users were not given a simple enough mechanism to opt out of personalized ads; while both companies offered some control, users had to navigate multiple settings. Specifically, Apple defaulted to personalized ads requiring users to actively disable them, while Meta made ad personalization integral to its terms of service, requiring active consent to activate non-personalized ads. The CNIL considered both approaches violations of EU regulations that require clear and straightforward consent for personalized advertising.

  In a significant development concerning data privacy regulations within the European Union, two technological behemoths, Apple and Meta Platforms (formerly known as Facebook), have been subjected to substantial financial penalties for contravening the General Data Protection Regulation (GDPR). The French data protection watchdog, the Commission nationale de l'informatique et des libertés (CNIL), levied these fines following thorough investigations into the companies' practices related to personalized advertising on mobile devices.

  Specifically, Apple was fined €8 million (approximately $8.5 million USD) for failing to adequately obtain user consent prior to the utilization of identifiers for personalized advertising within the App Store on iOS 14.4. The CNIL contended that while Apple solicited consent for personalized advertising within its own applications, it did not extend this same practice to advertising displayed within the App Store itself, thereby violating the stipulations of the GDPR, which mandates explicit and informed consent for such activities.

  Meta, on the other hand, faced a considerably larger penalty of €60 million (approximately $64 million USD) for its practices on Facebook and Instagram. The CNIL determined that Meta made it exceedingly difficult for users to decline personalized advertising, effectively nudging them towards acceptance. The regulator asserted that this design, which presented users with a complex and cumbersome process to opt-out of personalized ads while offering a simple one-click acceptance, did not meet the GDPR’s requirements for free, specific, informed, and unambiguous consent. The CNIL emphasized the importance of providing users with an equivalent level of ease for both accepting and rejecting personalized advertising, ensuring genuine user autonomy in this matter. This ruling underscores the continuing scrutiny of large technology companies and their advertising practices under the GDPR, signifying a firm stance by European regulators in upholding user privacy rights in the digital sphere. Furthermore, it highlights the complexities of implementing personalized advertising in a manner that fully conforms to the stringent requirements of data protection regulations, posing a significant challenge to companies operating within the EU.

  • Apple
  • Meta
  • EU
  • European Union
  • Fine
  • Penalty
  • privacy
  • Data Privacy
  • GDPR
  • General Data Protection Regulation
  • Law
  • legal
  • Technology
  • Big Tech
  • Antitrust
  • Competition
  • Ireland
  • France
  • CNIL
  • DPC

  Summary of Comments ( 174 )
  https://news.ycombinator.com/item?id=43770337

  Verbose tl;dr

  Hacker News commenters generally agree that the fines levied against Apple and Meta (formerly Facebook) are insignificant relative to their revenue, suggesting the penalties are more symbolic than impactful. Some point out the absurdity of the situation, with Apple being fined for giving users more privacy controls, while Meta is fined for essentially ignoring them. The discussion also questions the effectiveness of GDPR and similar regulations, arguing that they haven't significantly changed data collection practices and mostly serve to generate revenue for governments. Several commenters expressed skepticism about the EU's motives, suggesting the fines are driven by a desire to bolster European tech companies rather than genuinely protecting user privacy. A few commenters note the contrast between the EU's approach and that of the US, where similar regulations are seemingly less enforced.

  The Hacker News post "Apple and Meta fined millions for breaching EU law" generated a modest number of comments, primarily focusing on the perceived absurdity of the fines and the EU's regulatory approach.

  Several commenters expressed skepticism about the effectiveness and rationale behind the fines. One user questioned the logic of fining companies for allegedly violating user privacy while simultaneously mandating features (like ATT, App Tracking Transparency) that purportedly aim to protect user privacy. They highlighted the seemingly contradictory nature of being penalized for not adhering to a standard while also being forced to implement a mechanism that seemingly leads to that penalty.

  Another commenter pointed out the relatively small amount of the fines compared to the companies' vast revenues, suggesting that such penalties are unlikely to deter future behavior. They argued that these fines essentially amount to a "cost of doing business" rather than a genuine deterrent.

  The discussion also touched on the complexities of obtaining user consent and the practical challenges of adhering to regulations like GDPR. A commenter sarcastically remarked on the expectation that users should meaningfully engage with complex consent pop-ups, noting the impracticality of expecting users to carefully consider and understand the implications of every consent request.

  One comment questioned the actual impact on user privacy, suggesting that the fines might be more about generating revenue for the EU than genuinely protecting users. They also suggested the possibility of regulatory capture, implying that regulators might be influenced by larger tech companies.

  Finally, a comment highlighted the seeming disparity in the application of GDPR regulations, observing that smaller companies face stricter enforcement while larger companies often seem to escape significant consequences. They used the analogy of enforcing traffic laws strictly on bicycles while ignoring violations by large trucks.

  In essence, the comments reflect a general sentiment of skepticism and cynicism towards the EU's approach to regulating tech giants, questioning the effectiveness and motivations behind the fines, and highlighting the practical difficulties and perceived inconsistencies in their application.

• It is no longer safe to move our governments and societies to US clouds

  permalink

  Posted: 2025-02-23 15:48:19

  Verbose tl;dr

  The author argues that relying on US-based cloud providers is no longer safe for governments and societies, particularly in Europe. The CLOUD Act grants US authorities access to data stored by US companies regardless of location, undermining data sovereignty and exposing sensitive information to potential surveillance. This risk is compounded by increasing geopolitical tensions and the weaponization of data, making dependence on US cloud infrastructure a strategic vulnerability. The author advocates for shifting towards European-owned and operated cloud solutions that prioritize data protection and adhere to stricter regulatory frameworks like GDPR, ensuring digital sovereignty and reducing reliance on potentially adversarial nations.

  The blog post "It is no longer safe to move our governments and societies to US clouds," argues vehemently against the reliance of governmental bodies and societal infrastructure on cloud services offered by United States-based companies. The author posits that this dependence represents a significant and escalating security risk, jeopardizing national sovereignty and citizen privacy. The central premise rests on the assertion that the CLOUD Act, a piece of US legislation, effectively grants American law enforcement agencies access to data stored on these servers, regardless of the physical location of the data or the nationality of the data's owner. This extraterritorial reach of US legal authority, the author contends, essentially renders any data stored within these cloud environments susceptible to surveillance and seizure by the US government.

  The author meticulously elaborates on the potential ramifications of this vulnerability, painting a picture of governments rendered powerless to protect sensitive citizen data from foreign access. This loss of control, the argument continues, undermines national autonomy and democratic processes, creating a situation where critical infrastructure and societal functions are exposed to potential disruption or manipulation. The post underscores the inherent conflict between the interests of nation-states and the global reach of US cloud providers, emphasizing that these companies are ultimately subject to US law, potentially placing them at odds with the legal and regulatory frameworks of other countries.

  Furthermore, the post asserts that relying on US-based cloud infrastructure introduces a single point of failure, creating systemic vulnerabilities in essential societal services. This dependence, it argues, exposes governments and societies to the risks associated with US domestic policies, political instability, and even natural disasters occurring within the US. The author argues for a shift away from this reliance on US cloud providers and advocates for the development and adoption of sovereign cloud solutions – infrastructure controlled and operated within national borders – to ensure data security and protect national sovereignty. The author contends that this approach offers a more robust and secure foundation for government operations and societal functions, insulating them from the potential overreach of foreign legal frameworks and ensuring the protection of sensitive national data. The underlying message is a clarion call for governments to prioritize digital sovereignty and data security by reclaiming control over their critical digital infrastructure.

  • Cloud Computing
  • data sovereignty
  • National Security
  • government technology
  • Cybersecurity
  • US CLOUD Act
  • GDPR
  • privacy
  • digital infrastructure
  • geopolitics
  • European Union
  • Cloud Security
  • technology policy
  • data privacy regulations
  • digital autonomy

  Summary of Comments ( 553 )
  https://news.ycombinator.com/item?id=43150085

  Verbose tl;dr

  Hacker News users largely agreed with the article's premise, expressing concerns about US government overreach and data access. Several commenters highlighted the lack of legal recourse for non-US entities against US government actions. Some suggested the EU's data protection regulations are insufficient against such power. The discussion also touched on the geopolitical implications, with commenters noting the US's history of using its technological dominance for political gain. A few commenters questioned the feasibility of entirely avoiding US cloud providers, acknowledging their advanced technology and market share. Others mentioned open-source alternatives and the importance of developing sovereign cloud infrastructure within the EU. A recurring theme was the need for greater digital sovereignty and reducing reliance on US-based services.

  The Hacker News post "It is no longer safe to move our governments and societies to US clouds" sparked a discussion with several insightful comments. Many commenters agreed with the premise of the linked article, expressing concerns about the influence of the US government on cloud providers and the potential for data access or service disruption.

  One commenter highlighted the CLOUD Act, suggesting it gives the US government broad access to data stored by US cloud providers, regardless of where the data resides physically. They argued that this makes US-based cloud services unsuitable for governments or organizations handling sensitive data. This point was echoed by others who expressed concern about potential legal and political pressure on US companies.

  Another compelling comment focused on the risk of extraterritorial jurisdiction, suggesting that the US government could compel US cloud providers to hand over data related to foreign governments or citizens, potentially bypassing local laws and regulations. This raised concerns about national sovereignty and data security.

  Several commenters discussed the need for alternative cloud solutions, including developing sovereign cloud infrastructure within individual countries or regions, or exploring open-source cloud technologies. One user specifically mentioned GAIA-X as a European initiative aimed at creating a federated data infrastructure, offering greater control and data sovereignty.

  The discussion also touched on the broader geopolitical implications of relying on US cloud infrastructure. One comment argued that it creates a dependence on the US, which could be exploited for political or economic leverage. Another user pointed out the potential for service disruptions due to political disputes or sanctions, emphasizing the importance of digital autonomy.

  Some commenters offered a more nuanced perspective, acknowledging the security concerns but also pointing out the benefits of US cloud providers, such as their advanced technology, scalability, and reliability. They suggested that a balanced approach is needed, involving careful risk assessment and potentially using a hybrid cloud strategy that combines US-based and other cloud services.

  A few commenters expressed skepticism about the feasibility of completely avoiding US cloud providers, given their dominance in the market. They suggested that focusing on strong encryption and data governance policies might be a more practical approach to mitigating risks.

  Overall, the comments on Hacker News reflect a growing awareness of the potential risks associated with relying on US cloud providers for government and societal functions. The discussion highlights the need for careful consideration of data sovereignty, security, and geopolitical implications when choosing cloud solutions.