> It also found that the “family pairing” scheme, which gives an adult control over a child’s account settings, did not check whether the adult “paired” with the child user was a parent or guardian.
How exactly are TikTok meant to verify parents? Are other tech companies expected to verify parents? It seems like no one else is being fined for this?
Use one of the many companies in this space to verify the users ID? Or push some development in this space to find a better way?
Or like, basically anything except pretending it’s not an issue and externalising the cost + issues onto everyone else while you reap fantastic profits?
I would imagine most social media platforms have already aggregated enough data to suss out familial relationships pretty confidently. That’s kinda central to their business model.
In fact, it’s probably more likely these platforms don’t want anyone to know how much they already do know about familial relationships.
Indeed. I mean, on the one hand, all that tech is indeed different - but on the other hand, it's not the law of physics that it has to exist in a form that makes compliance difficult. A service not existing, or existing in a vastly different form, are options too - options the tech industry doesn't want to talk about.
And FWIW, it's third-generation mobile-first social media platforms we're talking about. It's hard to make a case they're not a huge net negative for society. In any other thread, people would happily agree they shouldn't exist in the current form in the first place.
We're going to have state I.D to use any popular website alongside remote attestation and you guys are cheering us along the path there with cases like this
At this point, maybe we should reduce anonymization? We've had this idea since the 90s that an anonymous internet with signal amplification is a net good, but that's been turning out to be less and less true. If you want to self publish anonymously, you are not entitled to use of one of the big 5 platforms.
Maybe this causes fragmentation of large platforms, that'd also be a net good imo.
You can't really conclude that de-anonymization is good just by asserting that the status quo is bad. One has to make the positive case for de-anonymization on privately owned platforms. What are the trade-offs?
Society certainly didn't anticipate a lot of the drawbacks of anonymous presence.
I dunno, I was pretty careful not to assume that in my comment.
The town square metaphor is really not a great one for the internet. You don't run nearly as high a risk of getting doxxed or swatted for speaking your mind in a physical public place.
And if the unspoken suggestion is that anonymous doxxing would be impossible or too costly/risky in a hypothetical de-anonymized world, I'd call BS. Even if it worked, that would require some kind of "panopticon internet". Sounds bad...
Also, the town square is ephemeral. Sure, maybe it's written down somewhere, heck maybe the local scribe even publishes it in the next day's paper. But it won't show up 7 years later as the third Google search result when someone searches your name.
You either need the right to be forgotten, or the right to be anonymous.
This is the crux of the social good of anonymization in modern times.
Historically, it wasn't current-moment anonymization that was good, but ephemerality.
Sadly, I think the right/ability-to-record is a genie that can't be put back in the bottle (no one can scrape anything?), so we may need to switch from identifiable-but-ephemeral (historical state) to anonymous-but-recordable (future state) to preserve the same freedoms.
IMHO, we'd be better off working to curb the worst consequences of broad anonymity (e.g. astroturfing / artificial amplification).
It’s all just that internet is neither a game to be hunted nor a fire to be started. No one knows how to deal with it. Because there isn’t any proper way to deal with it. It should not exist in the first place, says our minds, for which it is all unintelligible.
I guess in theory a government could strongly guarantee freedom of speech while not guaranteeing anonymity — you could say whatever you want, but you couldn't do so anonymously. I suppose until recently in history there was a limited number of methods of making public messages anonymously.
I think Internet anonymity has some benefits though: it's certainly helpful for whistleblowers revealing crimes committed by a company, government or other organization. While you could in theory still drop folders containing documents or a USB drive to different news organizations, with how widespread CCTVs are, I think that path may become more difficult. In countries with oppressive regimes, that's even less of an option.
I'm also not sure that the lack of anonymity is a sure-fire way to improve public discourse: just look at Facebook comments (which are rarely anonymous.)
As you mention, perhaps anonymity could be allowed on the Internet, but not on the big 5 platforms — that could be a balancing act between chaos and oppression.
Though, while a policy like that might be a net good for someplace like the EU, the precedent of requiring government IDs for Facebook etc. could set a dangerous precedent for places that are less free. Not every country is a full-on liberal democracy OR an authoritarian state where Facebook etc. is outright banned — there are places in-between, where the government oppresses people but still has elections and some degree of dissent is permitted. It's in those places that I see government IDs being required to post on major platforms being a major issue. Being able to share instances of government oppression on major platforms is crucial for those places, but if the identity of those sharing it is revealed, then fewer people may speak up and share such instances.
I see this angle a lot; "Greater Internet Fuckwad Theory [1]" it's often called. However, Facebook -- the single largest social website in the world -- stands as stark evidence that anonymity doesn't really factor in all that much. I'm not saying it isn't a contributing factor, but it's not the boogeyman it is so very often made out to be.
I was wondering, I've recently picked up Tiktok and on the live streams, despite it saying that you need 1000 followers and be 18 years old, I saw so many kids, live streaming.
I was wondering why they didn't enforce their own rules.
I'm guessing, too large amount of streamers, but even if you had only one dedicated person, you'd certainly find enough teens or children live streaming.
So this is quite the timely ruling.
However why would people between 13 and 18 be prohibited from streaming?
If you say "the lurking perverts", that argument doesn't work for chat control, so why should it work here? It's a moot point. Sexual content is not allowed on Tiktok. You can see women in bikinis, but you can see them, even topless, in real life on public beaches too.
So what other reason would there be?
Instagram reels are even worse in this regard. Really, TikTok seems to actually be doing the best to keep kids safe in this space, despite constant criticism to the contrary.
This is a good start, but I'm going to be very curious to see if EU data law ever starts getting enforced against european companies at scale, as opposed to international companies.
It does get enforced against European companies, they just don't make HN headlines because they're not big-tech so nobody here would have heard of them.
Also EU companies tend to be more mindful and take data protection very seriously, even before GDPR was a thing, so finding gross offenders is a rare occurrence anyway.
If you are aware of SAP breaking the GDPR and it's being swept under the carpet or if enforcement is lackluster given the scope of the problem then please supply some evidence. That SAP is large doesn't matter, what matters is if they are breaking the law.
The GDPR applies to all companies, social network platforms or not. It's not even about the internet in particular, it's about how companies can store and process private information of EU citizens.
SAP is B2B, the vast majority of personal data is professional (supplier and customer business contacts) and employee data (payroll and such). Not much to fine here. Also, since SAP as a company isn't handling any of that data, SAP isn't really affected.
If they're deemed a data processor then yes in fact they do need to care about the application of the laws. SAP has user management at least in terms of companies' own users which will likely have PII.
The personal data handled by SAP, the ERP system not the company, is very well compartmentalized and accessible only need-to-know. Assuming proper user rights policies and roles are in place, but that is on SAP's client, and not SAP themselves.
Sure, but SAP's business model doesn't depend on doing as much privacy violation as they can get away with (this is basically the business model of all adtech) so they're far less likely to fall afoul of the GDPR. The main risk to a company like SAP would be _accidentally_ falling afoul of the law; this tends to happen where companies are grossly negligent in their handling of personal data, and this is then exposed in a major leak.
I'm absolutely in favor of making it impossible for adtech to make any profit at all as long as they build their business on monetizing user data and exposing their users to all kinds of hazards.
I find it funny that so few people here see a problem with that kind of behavior. It's as if they expect society to serve the market, instead of the other way around.
SAP is the company you go to to help you with potentially GDPR-affected processing. It would be quite a thing if they were doing any kind of non-accidental violation of GDPR.
The Netherlands DPA has fined CP&A, an unnamed orthodontic clinic, Transavia, a local political party, the municipality of Enschede, Booking.com B.V. (yes, Booking.com is Dutch), OLVG (a hospital), a redacted data trader, the Dutch national tennis association, an insurance company, another hospital, a semi-governmental organisation and 7 governmental bodies.
Some of these do business in foreign countries, but all of them are unmistakably Dutch.
I've left out the largest news organisation in the Netherlands, the Belgian company BPG Media, but they have bought up a bunch of local news organisations.
Non-EU-originating companies on the list:
- Tiktok
- locatefamily.com
Tiktok got fined by the Dutch DPA for not providing their privacy statement in Dutch while still doing business in the Netherlands. Further research into Tiktok was transferred to the Irish DPA (this fine). I suppose the Dutch DPA could've lodged a complaint with the Irish DPA for not providing the necessary documents in Dutch, but that seems rather silly to me.
locatefamily.com did not have EU representation at all so there was no need to process the complaint anywhere else. I doubt the fine will ever be collected, but who knows, maybe the owners are stupid enough to open a business in Europe somewhere down the line.
France against French companies: 40M€ for Criteo, 1M€ for Total, 1M+€ for AG2R, 2M€ and 800000€ for Carrefour, 600000€ for EDF, same for Accor, two 300000€ fines for Free, 125000€ for CityScoot, 500000€ for Brico Privé, 400000€ for the RATP. Perhaps others, didn't bother to check any further.
So you haven't researched the actual fines and warnings the EU gave out to EU and non-EU companies, but you just feel like the vibes are totally off?
I was really expecting better comments from hackernews. If we're talking about vibes you should acknowledge that it makes sense for the EU to protect their people and their personal information from really large foreign companies. Even more so from companies that are aligned with the state that has one of the largest military powers in the world.
> I was really expecting better comments from hackernews.
You really shouldn't on topics related to the EU. There is an incredible amount of misinformation peddled, and asking for sources or actual analysis beyond simple statements that keep being repeated is usually met with either silence or insults.
No. All I did was open the enforcement tracker, click on France, and look for familiar names. It was faster than writing my previous comment. I knew about one of the Carrefour cases, and the Criteo case though.
>The authoritarianism and the insanity of the laws in the first place is/are a far bigger problem
What is authoritarian or insane in GDPR? Or its previous iteration, the DPD (from 1995)? Oh no, we expect companies to handle personal data with care, the horror.
They kinda are but most EU companies just avoid it by not really collecting your data to begin with beyond what they need for service operation.
At least in my experience, when I deal with a service in the EU, their privacy policy fits on a few A4s, with the important bits frontloaded and written in an easily understandable way. Even most banks don't really hide what they collect on you and they explain why they collect it.
It's only foreign companies that tend to insist on massive privacy policies that border on being incomprehensible and use them to skirt the law. Seriously, just look at Google's privacy page for example - it's a single giant page that mostly just restates over and over "Google may collect info about you". It's unclear what the data is being used for, it's extremely reliant on other pages to detail what's being used and your average person has probably lost the plot by now.
It's difficult to put it in any other way, but foreign companies are the ones who think they can get away with breaking the law and make it as difficult as possible to trace what they're doing with your data. European companies just tend to actually follow the law. That's why all the landmark cases are against foreign tech giants.
And every organization in the EU has had to deal with the fact that this is now law, and had to think what they needed to change to comply with it. All companies, but also e.g. tiny volunteer run organisations (my local scouts group asks for health insurance, medical information, allergies etc of the kids again and again for every camp they go on because they don't keep the forms around anymore for the next one like they used to).
It's probably different for organisations coming from outside the EU who get EU customers over the Internet.
> (my local scouts group asks for health insurance, medical information, allergies etc of the kids again and again for every camp they go on because they don't keep the forms around anymore for the next one like they used to).
A lot of people were wrongly influenced by DPD consulting wannabes on their first gig. I have seen small orgs burn years of contacts they could have kept or easily managed in respect with the provisions of the law.
The boardroom can’t argue about whether or not to steal from the cookie jar when there is no cookie jar to begin with.
These are the moments I’m grateful to be living in the EU. GDPR was a huge circus of blame on EU bureaucracy back when it was introduced. A lot of hate poured out that every single paper you sign now needs to have a second separate GDPR thing for you to sign. Stupid Brussels making your life more complicated! But now everyone seems to be used to it.
But also, primarily European companies did generally take it a lot more seriously than multinationals. (Sometimes too seriously; while this has calmed down a bit, you'll sometimes see companies enforcing absolutely absurd policies around data on the basis that they incorrectly think they're required for compliance).
In my experience, this is absolutely not true. Sometimes mind-bogglingly so.
For example, it was US companies that stopped serving ads until they had GDPR infrastructure in place, while some very bad actors in the UK were not collecting consent at all.
Is there any reason to do that? European companies are more likely to follow the laws already, and taking less liberty in bending or even ignoring them. Mostly because the people working there have a better understanding and focus of them.
On the other side, European companies are usually smaller, so they get lower fines, which won't make the headlines. Which is why you might not hear so often about the fines against European companies, which still happen. And if we are honest, we usually only hear about the super-penalties anyway.
There's plenty of EU companies getting fined: on top of the fact HN will naturally bias toward reportage on well-known US unicorns, there's also a language barrier: most reportage of fines outside of Ireland won't be in the English language.
The Irish DPC is also reportedly quite busy, by virtue of shouldering a disproportionate amount of the enforcement work for non-EU companies (due to tax-driven HQing there). They have taken cases against European entities as well however: notably they have even taken cases against the Irish government for violations around mandating biometric public service ID cards.
If you ignore Ireland and Luxembourg there (most of the big multinationals are subject to one or the other), then you'll get a much more balanced picture. For most of the countries, most of the top offenders are European.
You keep throwing around the "unbelievable" and "unreasonable" fines.
Why do you think that these fines are "unbelievable" and "unreasonable"? Because for me they are rather on the low side, given the business practices, the reach and the potential for abuse that these companies have.
1) They stopped it 3 years ago when there was an inquiry.
2) 2.6% of revenue for a company that isn't even profitable.
3) 2.6% of revenue for a global company, how much of this then is only EU revenue?? Are they supposed to get their legs cut off just for breaking one law of the 5 million that they're supposed to comply with?
4) This was a first offense for this company.
5) They're not doing anything harmful with the data. It's a social media platform. We need to relax. The burden should be on the parents.
1) GDPR has been in effect since 2018. It doesn't matter that they were in violation of the law "only" two years - they broke the law.
2) Just because they are incompetent doesn't mean they get to break the law. Why should incompetent businesses be absolved from any wrongdoing?
3) If they want to do business in the EU they have to play by the EU's laws. If they cannot abide by the EU's rules, they probably should not try to make business in the EU.
4) That's why they only have to pay 2.6%.
5) There were multiple breaches that exposed users' data. You might think that exposing users' data is not that serious, the EU has decided otherwise. The burden by law is with the company, not the parents.
I understand the tool of hyperbole, but this is a very flawed hyperbole.
We do have to keep people around if they behave in ways that harm society, but society is not morally bound to keep companies existing despite them misbehaving. They are not living conscious entities. They are organizations created for the purpose of accumulating money. And if they cannot do that without violating the laws, then they should be dissolved.
That's not an "authoritarian mindset". That's just the mindset "the law applies to everyone".
They wouldn't even notice 100'000 Euros and so the fine would be useless as a tool of discouragement. The laws have been specified so that they scale with the size of a company. Tiktok is a big company. They make a lot of money. They can afford the 345 million. They will notice that.
The article says the Irish agency is enforcing this for the entire EU. I think this is called the "one stop shop" solution which a lot of large foreign companies and Twitter use to avoid being fined by each member state individually. It also involves some closer oversight I think.
I'm explicitly saying Twitter not X Corp because Musk in his infamous wisdom fired everyone at Twitter Ireland who was involved in ensuring they remained compliant. I think part of the requirement was also that every feature launch is run past the Ireland team to make sure it doesn't violate EU data laws. Musk has not done that for any of the changes he introduced since the leveraged buyout.
You've repeatedly claimed this fine is unbelievable, but that seems like a skill issue on your part. I have no trouble believing the reality of this fine. And tech corps should have no trouble believing it either. They better wisen up and respect the EU's laws if they think these fines are too large to bear (in reality, the worst violators can bear these fines just fine, and the EU should be issuing arrest warrants for the executives to make a real impact.)
The fines are escalatory. If Tiktok doesn’t wise up, the next one will _absolutely_ be bigger.
The reason you don’t hear about a lot of fines this size, is because most companies aren’t egregiously out of compliance and also correct things when first poked. TikTok did neither.
I suspect it's "unbelievable" because we are so used to fines being tiny "slaps on the wrist" that companies just treat as minor costs of doing business. Finally a real fine! When a company that makes $10B a year gets a fine of $100K, it's proportional to me getting a fine of $1. How is that effective?
Massive fines are the only deterrent for large corporations, it affects their bottom line, it can't be taken just as a cost to do business and ignored. When a corporation is on the hook for paying up to 4% of global revenue then the shareholders will care about not breaking the law.
>What next, we'll legislate away selling drugs to kids?
And that worked out great; drug use among kids nowadays is way higher than it was in past, the drug industry is larger than ever, and cartel violence is killing countless more kids in the third world than drugs ever killed.
That's not exactly true. China has a firewall which restricts access to the internet at large so you can't use Tiktok or Instagram for that matter in China. Tiktok and Douyin (Tiktok in China) are essentially the same app. Douyin has more features and of course since it's in China, more content control.
I would like the EU to focus on making laws that actually help us and move us forward. The EU can by the way introduce all sorts of ways to encourage parents to not buy their kids smartphones if they're too young to go on TikTok!
It's the *internet*. You can't regulate everything, it's not going to happen. If they have a smartphone, the kids will get out and explore it if they want to. No amount of GDPR laws and unbelievable penalties are going to stop that.
We need to get back to paper and pencil and the value of social skills. Or use a Chromebook in a sandbox if you must use tech.
I think that number is their revenue rather than their profit, which is probably closer to $3 billion. So, this fine would be (very roughly) 10% of their profits for the year.
I think they should be based on guidelines that take into consideration the damage the company did, irrespective of the amount of money they make or have in the bank. That's how it works for the likes of you and me.
Does this comment in any material way relate to either my comment or the comment to which I was responding? I'd love to know more about how it works in Finland, but I can't figure out why you left this message.
I think the point was that, in some countries, fines are scaled to wealth level. The typical example case is traffic violation: a $100 speeding ticket can be life-destroying for a poor person, and a pocket change for a wealthy person. The intent of the law is neither, so by scaling the fine by wealth of the offender, you can achieve the designed level of pain/annoyance regardless of one's material status.
An alternative to that, used e.g. in my country - Poland - is to create a "secondary currency" of penalty points. Rich or poor, you only have 24 of them, and if you lose them all, kiss your driving license goodbye.
One would think that penalty points could work here too, instead of scaling revenue, but the problem is, companies can rapidly split, merge, or otherwise shed their legal identity, so there's nothing to pin those penalty points to.
This is a good start as a starting fine as I said and have been calling for instead of a ban.
Increase the fines into the billions of dollars if they repeatedly continue to violate the privacy of their users. This has happened with Facebook before.
There is no defense in large companies getting away with this and all social media companies with over hundreds of millions of users that violate their users' privacy should be fined, as found with TikTok. No more exceptions or excuses.
So that concludes that TikTok is no different to Meta when they screw over their own users' privacy.
God damnit. You presented a simple question, and at this time 3 different people have answered your question with contradictory answers "General government budget", "The country issuing the fine", and "Into the EU budget".
If you don't know the answer, don't just make up fictions and present it as fact.
It generally stays in the country issuing the fine, and it's up to that country what to do with it:
>“While the GDPR determines which infringements can lead to the imposition of a fine and which DPA [data protection administration] in the EU/EEA has the power to impose a fine for infringements, the GDPR does not determine what happens to administrative fines [my emphasis]. This is determined by national law and differs between member states. For all aspects of enforcement not governed by the GDPR, national law applies.”
This is pretty interesting time with the social media / data companies. Will this be the new normal? Where, like clock work, another fine gets announced? Or will we transition through this period into one where they know how to, and also do, comply and the regulations don't change a ton?
These are serious, proportionate fines that meaningfully affect the bottom line. These companies are demonstrably making big changes in order to comply. They have been testing out the boundaries and seeing how close to the wind they can sail, but I think that's coming to an end now that they're seeing the impact of the new approach to enforcement.
The clearest sign for me was Meta's decision to delay the launch of Threads in the EU. Even for a company with the financial might of Meta, two billion euros in fines in the past two years has put the brakes on the "move fast and break stuff" mentality. Of course that creates the possibility of a two-tier internet where EU customers simply don't get access to products that are inherently intrusive, but I think that's a feature rather than a bug - either respect the privacy of our citizens, or take your seedy surveillance business elsewhere.
> Of course that creates the possibility of a two-tier internet where EU customers simply don't get access to products
this has already happened. google’s bard took its time to launch in europe.
the young kid in me that always thought we finally have a piece of tech that is beyond what politicians can control, that transcend borders and nationalities is saddened. but it is what it is, and without some breakthroughs (a system that cannot be controlled, censored etc by design) i don’t think there’s going back.
It's very naive to think that the Internet can transcend in any way law enforcement. You may have distributed protocols and crypto, but the state has a monopoly on violence, it controls all infrastructure, and therefore can control all inputs and outputs.
You can't change the world just with technology, as society is a "social construct". And if people want regulation, that's what they are going to get.
Speaking of EU's data protection regulations, it's funny because many people here claim that it doesn't work, and then are shocked to see that it does.
For what is worth, I think EU's data protections are a good thing. Big Tech acted irresponsibly for too long.
Oh, huh, I actually didn't realise Bard _had_ launched here.
> without some breakthroughs (a system that cannot be controlled, censored etc by design)
This isn't really a technical issue; some small criminal entity could run an AI bot on Tor (or even, realistically, on the open internet) which forwarded all your personal data directly to the North Korean government and the Mafia or whatever, and realistically they'd get away with that. But if there's a large company behind the service, then that company is going to have to _obey the law_, and no amount of technology will change that.
> But if there's a large company behind the service, then that company is going to have to _obey the law_, and no amount of technology will change that.
i agree on the first part. but that second part could probably also be reinvented by new tech, futuristically speaking.
Interesting, right? It's like they can make so much money from tracking people in other countries/jurisdictions that paying a fine to the EU once in a while is just part of the payroll.
You'd be correct. Anyone that actually has to deal with regulators quickly understands how easy it is to game the regulations if you're someone of Meta's stature.
Or people will think twice about opening companies in your jurisdiction. There's a reason pretty much all the new fortune 500 companies created in the last few decades are not from the EU.
Why exactly is it that the quality of a society is measured by how many big companies they have? Does Philip Morris contribute to society or detract from it? Can we dispense with the notion that big companies inherently improve society? Letting go of this does not imply you are a communist, regardless of how many seem to think so. You can believe that society achieves better outcomes by having tighter rules of play, rather than an anything goes mentality. Yes it makes it harder to create megacorps with billions upon billions of revenue. And so what?
Except it didn’t. My daughter in the US created an account and it didn’t require any family pairing or verification that the adult paired with her was her parent
Consider that GDPR has been in effect since 2016, with a grace period until 2018 before the EU started to hand out fines.
It's been 7 years that every company operating in the EU knows about these rules, 3 years ago it was already 4 years into effect. There's no excuse, they broke the law, pay the fine.
It's pretty normal for these things to take a while; most fines (and for that matter most prosecutions) would relate to historic offences, not ongoing ones.
Obviously. That doesn't mean it's good to drive our companies into the dirt, just because they're not people. People depend on them. People work for these companies. Their significance is perhaps far greater than actually ruining just the lives of one person.
Our companies? TikTok is Chinese... That being said, I do not consider jobs or companies benefits a valid argument when it comes to anti trust and regulations.
But you sure know capitalism, and corporations, abuse the goodwill of governments, local and national, and communities. You just want to be ultra edgy for some reason.
If it is a single McD employee, fine said restaurant (which is already the case, but you know that don't you?). If it is a general issue with a franchise chain (McD is running a franchise, so the company to go bankrupt is most likely a franchise in your example), fine them. And yes, that can lead to bankruptcy, as happened a couple of years ago with a Burger King franchise chain in Munich.
If McD is knowingly selling carcinogenic burgers world wide and refuses to stop, sure, bankrupt McD.
Data privacy violations are certainly minor. Until we get that through, our companies are going to suffer. We have far, far, far greater problems in the world than privacy issues of usually meaningless data.
I think if that's the case, the fines will have to be increased until we reach a point where they succeed at their task of disincentivizing this behavior.
This was one occurrence, and TikTok stopped it 3 years ago. The laws are getting tighter and tighter (and vaguer and vaguer), that's why "it keeps happening".
I always picture companies seeing regulatory bodies as a slalom course with regulations representing the slalom poles.
The course changes occasionally, but companies adapt quickly and learn to handle the course changes efficiently on the next run, skimming by the poles on the way to the finish line.
Every once in a while a new pole smacks them in the face, but by the next fiscal year, they’ve learned to navigate past it as if it weren’t there.
Lawyers are usually damn fine slalom racers, but occasionally you do need to donate money to the course to encourage the owner to move the poles.
Look, those apps can work without collecting any PII whatsoever. But if they make collecting PII part of their main revenue, then they should take the laws in their respective markets (countries) seriously.
Since TikTok implemented the required changes and also (apparently) did not complain about the policies themselves (e.g. being too complicated/ambiguous to implement) it really looks like it is solely on them. They violated the law so they are to be punished accordingly.
It's like doing tax fraud in a year and then complaining that you were compliant in the following years. Penalties for this can be way beyond 2.6% of someone's personal revenue. What would you say if someone complains here? Would you agree with them?
It's a social media platform, of course they need PII.
We need to relax all laws. Our laws are unbelievably cruel. Businesses are expected to follow so so so many bureaucratic laws. To fine them 2.6% every time they break one is insane. Imagine how many countries there are out there, how many business laws there are, how much they have to comply with.
A lot of these companies already operate on extremely thin margins. This can destroy companies. It doesn't make sense.
No, because, realistically, jaywalking is not a serious problem (it's not even an offence in some places). However, this sort of thing _is_ a serious problem.
You don't have to do anything if they change, and they did. Written and formal notification to change their policy. Then if it still happens one small fine of IDK 100,000 EUR would be enough.
This is a false analogy. Corporations are not people, corporations have massive legal teams to go through every single piece of legislation that might affect them, if they break the law you should consider it's willingly given their resources.
They break the law once, get a small fine, they break it again and the fine increases, and keeps increasing until they follow the laws. What is the other option? You can't jail a corporation.
Yes, not being small fines is the whole point. If this was a 5 Million Euro fine, TikTok wouldn't care at all and factor it into their cost of doing business.
Large companies have repeatedly shown that they don't care about small fines. As we're speaking Meta is paying to the tune of 100k a day in Norway.
Meta knew this was an ongoing issue because the Irish DPC has ruled against them in December, yet they did nothing.
> Large companies have repeatedly shown that they don't care about small fines. As we're speaking Meta is paying to the tune of 100k a day in Norway. Meta knew this was an ongoing issue because the Irish DPC has ruled against them in December, yet they did nothing.
One case doesn't mirror the entirety of all of them. Also, that Meta case I'm pretty sure was about something else completely that is questionable in its own right if it should be enforced!
> This company changed it and stopped it, and they still imposed a 2.5% revenue fine for a first offense!!
Knowingly an offense at the time they did it. The company was aware of GDPR, was aware of the consequences of breaking it and still decided to break the law, a large fine is a pretty good and fair punishment given the egregious behaviour.
Are you really defending that just because it was a first time offense a slap on the wrist would be ok to a massive corporation? It's a rules-based system, where the law matters, and the law is to apply a proportional fine to the infringement, no special treatment. I won't be sorry for TikTok, it's criminal behaviour.
TikTok knowingly allowed children to get their personal data harvested against the law, they deserve the punishment.
> These fines are insane. Especially for a company who stopped it then a few years.
GDPR has been around since 2016, 5 years is a long enough period to comply to regulations (as you're complaining about 2021), even more given the size of these companies. They didn't comply, they get fined, as an EU citizen I appreciate that they have teeth to subjugate even behemoth corporations.
> But GDPR, Digital Markets Act, etc are f** insane and causing huge problems.
Why do you think they are fucking insane and causing huge problems? As an individual I'm very, very glad these regulations exist and are being enforced, corporations won't change behaviour without massive penalties to these practices, so punish them until they behave decently, that's the only way.
TikTok is not stabbing anyone just for being a social media platform for kids older than 12. These "kids" are teenagers and young adults. That's nothing even close to stabbing someone. If social media is so bad, that these "kids" shouldn't be using it, then either social media should be banned, or "kids" shouldn't have a smartphone!
keep (someone) in subjection and hardship, especially by the unjust exercise of authority.
I can't agree that TikTok or other recipients of such fines could yet be considered to be in "subjection and hardship". Nor would I consider the fines so far issued to be particularly unjust.
Large corporations are definitely being subject to *unjust* exercise of authority. "Hardship" on a corporation doesn't really apply at the scale of very large corporations because the "hardship" is spread out among the many, many shareholders and stakeholders of the successful company; of course, it's not to be seen - it's a relatively successful company being attacked, in comparison to non-successful companies not being attacked, so hardship isn't to be seen - but the injustice is still completely there.
The relevant regulatory authorities at national and European level decided that the company had breached the law of the land and applied the appropriate fine based on that law. Would you agree with that?
It's fair to take issue with the GDPR itself, or how e.g. the people working at the Irish DPC are selected or something like that. While I have sympathy for criticisms of the system, these are free democratic entities which rule by consent (rather than tyranny) and they're applying law that was written by a great many people across many legitimate institutions. That looks like "justice" to me, unless you feel it contravenes some natural law. If you think it does this, please explain the relevant principle under which you find the fine unjust.
"It found that the “family pairing” scheme, which gives an adult control over a child’s account settings, did not check whether the adult “paired” with the child user was a parent or guardian."
Chapter 8, Article 1 of the GDPR[1] states:
"Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child."
The law is from 2018. And described exactly what was forbidden for underage children's privacy. The fact that TikTok didn't comply until 2021 is their own fault.
Small correction: GDPR was passed in May 2016, but only came into effect in Apr 2018, precisely so that companies had two years to make the necessary changes.
In other words, GDPR is literally older than TikTok by 3-4 months (initial release: September 2016).
The oppressor is the lawmaker, who has infinite power over the corporations. "oppressed corporations" is a phenomenon that can and does exist in this context.
One angle that makes it interesting is that the very existence of the corporation is determined by the decision of the lawmakers. The sovereign state is the full authority on that matter, and by its right, through the legal process, can change any aspect of it.
Can a sculptor oppress his sculpture?
This feels like musing about the nature of property- Like how many people think property is some sort of natural phenomenon, when it's actually a legal concept defined by the state.
Any breaking of the law in regards to children needs to absolutely incinerate the offending party, this fine seems like a drop in the bucket. Kids these days are bombarded by terrible industry practices because companies know if they can get a child hooked, they could be a customer for life (or at least a period of time in their adulthood). In the US, kids are advertised to at literally every corner of their life...in their apps, when they go to school, TV, etc...it is actually WILD that this kind of stuff is legal.
This would require all TikTok users to submit selfie + ID for verification and all those who don't would need to be assumed to be children and have their accounts deleted, right?
That's the end goal, so anonymity is basically destroyed on the internet, and people are condemned to digital dystopia and inescapable surveillance under the guise of "protecting the children".
If you make $100k in a year in wages, and after all your expenses you net $16k in savings, 1/8 of that is $2k. Imagine violating some law that harms children and your fine is $2k.
>Imagine violating some law that harms children and your fine is $2k.
"Harms children". To make the analogy fair, imagine you're keeping a diary, and recording the observable information of every child that walks past your house. $2k seems like a reasonable fine.
I've seen people walk past news reporters with children. They even asked them questions about Santa Claus. Then they sold advertising to display before and after that event. Then they showed it to the public. What fine should we impose? 10%
They'll just write bigger golden parachutes into their contracts to offset the risk. That or suddenly everyone is an EVP and the C levels all are just paid fall guys.
This is an EXCELLENT proposal. They would fight just as hard to ensure they never receive the second strike to avoid the forever-doom that will loom over investors.
When a CxO gets their 2nd or 3rd company broken up they'll find it very hard to find a ship willing to let them on board.
If you let the company get away with crimes over and over and only punish a CxO the company will simply hire a guy to take the fall for them. There's an endless number of people working minimum wage who would happily take a CxO title and salary for years knowing full well that there's a chance they might get fired eventually.
#1: If a guy breaks the rules so much he gets a 3rd strike, I think it is perfectly reasonable he should never have a CxO job again. It is too easy getting away with serial white-collar crimes.
#2: It is not the company to decide who to take the fall. It is the court/judge.
Assigning blame to the CxOs can be tricky. In this case the actual violations were from 2020, well before the EU even began its investigation, and some of the C-suite staff has changed.
Should it be the current C-suite that’s fired or the ones in charge when the violation occurred? Or maybe the ones in charge when the original policy at TikTok was created? Or what if the current C-suite was in charge, briefly, for the violating period but they’re also the ones that changed things to be in compliance before the investigation began, should they still be fired?
The diffuse responsibility makes this stuff tricky to implement.
Make such large fines you end up with even fewer companies and the European Union gets even poorer, people keep wondering why their standards of living keep getting worse and GDP hasn't increased in over a decade. There's a reason European companies have such low tech salaries; even places like Singapore, Shanghai and the gulf countries have higher average tech salaries now than e.g. France or Germany.
Let's be real, the actual money paid out will be much less, and over a long period of time most likely. The number needs to be big enough to make other companies do everything they can to not let this kind of stuff happen. In current state these kinds of fine are probably just line items to account for if these companies get caught.
How about 100% of TikTok's profit in 2022, and go from there.
The frame of reference is a revenue of $13.2 billion dollars. What is 2.6% of your annual revenue? Does that seem like a fair fine for illegally violating the privacy of children?
As I understand it, TikTok changed their practices a few years ago. This fine is just for what their practices were before that, and the prosecution just took a few years to resolve.
> TikTok said the investigation looked at the company’s privacy setup between 31 July and 31 December 2020 and said it had addressed the problems raised by the inquiry. All existing and new TikTok accounts for 13- to 15-year-olds have been set to private – meaning only people approved by the user can view their content – by default since 2021.
We have our own issues, including voter apathy, political corruption, unsustainable economic policies, extreme inefficiency and the occasional batshit crazy tech laws being pushed by politicians who probably never touched a device with more than two transistors. But I still love it here.
I would say least evil significant power... I believe their intentions are mostly good but that kind of paternalism in such a powerful entity can be a kind of evil.
The EU's fight against encryption is a good example.
That's the whole point of a democracy, you vote on things like this. The flip side is that anyone can put to a vote all sorts of stupid things they don't understand.
The EU is ridiculously pluralist and consensus-driven. This makes it a sort of small-c conservative; it's not prone to whimsical bad ideas and grandstanding. Its failure mode is in the opposite direction of just gradually over-regulating small business out of existence.
The EU's behavior during the Greek debt crisis was pretty evil.
Imagine if a US state were in serious debt, and the US federal response were to slash Social Security, Medicaid and Medicare benefits to the state. The EU view was that Greece should get out of debt by massively slashing government spending, including on virtually all social services, which sent the country spiralling into a Great-Depression-level economic collapse. That made repaying the debt even more difficult, which necessitated even deeper cuts, which made the economy collapse even further, and so on for years. Greece endured years of 20+% unemployment, and GDP/capita has fallen to the level it was 20 years ago.
I agree that European lenders went overboard, but I can't blame them for requiring strict measures after the corrupt government of one member state threatened the economic stability of the entire EU bloc.
Years of government mismanagement and fraudulent reports had put Greece in a state where nobody reputable would lend them money, in extreme debt, and without an economy to recover by itself any time soon.
Greece could've decided not to take up the bailouts, of course. All austerity packages were passed by the democratically elected Greek parliament.
The EU would've liked Greece to magically go out of debt, but it's not like they were just going to hand the Greek government hundreds of billions of gifts and a pat on the back with a quick "try not to go bankrupt again, OK?". If you lend someone money, you want some kind of guarantee that you're going to get it back. The EU wasn't being evil, it was watching its own back while the worldwide economy took a hit. They weren't alone either; the IMF also demanded reforms to ensure their loans got paid back down the line.
At every step along the way, the Greek government was involved, including causing the instability in the first place. There are plenty of evil things the EU and its many bodies do, but this wasn't a good example.
> Greece could've decided not to take up the bailouts, of course. All austerity packages were passed by the democratically elected Greek parliament.
When the elected Greek government put the Nth austerity package to a popular referendum, the EU began cutting Greece off from the international banking system (one effect was that people were unable to withdraw more than a tiny amount from ATMs), in order to put pressure on the population to vote "yes." The population voted "no" anyways, because Greeks were massively against austerity by that point. The EU then put enormous pressure on the Greek government to ignore the result of the referendum, threatening to intentionally destroy the Greek economy. The Greek government caved and agreed to the new austerity package. This was extremely undemocratic: a popular referendum was simply ignored, and the government - which had been elected specifically to reject austerity - basically had a gun to its head.
> The EU would've liked Greece to magically go out of debt, but it's not like they were just going to hand the Greek government hundreds of billions of gifts and a pat on the back with a quick "try not to go bankrupt again, OK?".
If this were an American state, the citizens of the state would have received massive Federal transfers, in the form of Social Security, Medicare, Medicaid and unemployment payments. Instead, the equivalent of all of those things were massively slashed in Greece. This is the equivalent of throwing debtors in prison. In punishing them, you destroy their ability to pay back their creditors. It's an insane thing to do, even from the point of view of the creditors.
What the newly elected Greek government (not the old, corrupt government) was proposing was for the creditors to take a hit, and for stricter tax enforcement (particularly on the wealthy). It wasn't just saying, "Give us money and we'll do nothing." It was saying, "Don't force us into an artificial economic depression, and give us breathing space to reform the corrupt system we inherited."
The Greek government specifically asked the EU not to keep lending Greece money for the purpose of paying back creditors. The Greek government correctly pointed out that the inherited debt was unsustainable, and that you don't lend a bankrupt person money: you force the creditors to take a hit and create a realistic payment plan.
> There are plenty of evil things the EU and its many bodies do, but this wasn't a good example.
Imposing a completely unnecessary Great-Depression-level event on a member state - while running roughshod over that country's democratic system - was pretty evil. Greece went through years of massive unemployment, people's pensions and healthcare were slashed, and young people left the country in droves as practical economic refugees. The reason why the EU took this hard line was that some of the member states (like Germany and the Netherlands) wanted to send a message to the other financially weak states (like Portugal, Spain and Italy). In Germany, there was also a lot of populist politics involved: bashing "lazy Greeks" was good politics, and plenty of politicians made a lot of hay over being tough on the Greeks.
It's interesting that post-New Deal US is much more redistributive between the states than the EU has yet managed to achieve. Probably due to not having any direct taxation power of its own either.
EU "fiscal discipline" combined with bank bailouts looks so harmful in retrospect.
Greece has not been treated well, but you should also admit that Greece really fucked up. They even falsified their stats to adopt the Euro.
> Imagine if a US state were in serious debt
Except the EU is not responsible for and does not control their member states' finances. The EU has a limited jurisdiction. E.g. taxation, education and defence are not part of it. Being part of the Euro zone does bring certain obligations.
> They even falsified their stats to adopt the Euro.
"They" is ill defined here. The people who falsified the finances were not the people who suffered under austerity.
> Except the EU is not responsible for and does not control their member states' finances.
During austerity, the "troika" (which included the European Commission and the European Central Bank) micromanaged Greece's finances. The Greek government was basically held hostage and forced to take very specific measures, down to which tax to change by which amount and which state assets to privatize in which way. The EU publicly aspires to be much more than just some soulless customs and currency union, and throwing a member state under the bus in this way and immiserating its population goes against what the EU supposedly stands for.
You're justifying a policy that heavily punished the Greek population by pointing to the actions of a small layer of elites (i.e., investment banks that aided corrupt politicians in cooking the books). You're doing this by conflating this small group of people with the entire Greek population, as an amorphous "they."
It's a mixed bag, really. They come up with great legislation I wouldn't have thought possible like the GDPR, but then they go and try to ban E2EE messengers. They set up accountability for tech giants, but then add upload filters. They try to ban ICE cars, but extend the deadline for many years because of automotive lobbyists.
Every good EU idea seems to come with a terrible idea. On average things seem to get better, but it's a two-steps-forward-one-step-back kind of progress. It's better than an all-bad government, but they do plenty of shitty things. I'm very happy to live in the EU, but it's certainly not for everyone.
The EU has made a deal, investing massive amounts of money into North African countries to keep refugees from crossing the sea. The EU representatives negotiating the deal knew exactly what was going on, even before the deal was happening.
There's no easy solution to the mass immigration problem, but this "solution" makes things worse for everyone.
We're massively cutting back on our business with Russia over their atrocities in Ukraine, but when it comes to human rights in Tunisia, we're willing to let this stuff slide. Sure, there's no war, but handing a country money to enforce their deadly anti-refugee violence is very bad.
American nerds tend to think of laws as computer code, which is an oversimplification of a field that we don't understand (but arrogantly think we do).
seems dumb. there's nothing stopping a child from lying about their age anyways. how about parents who care about such things just block the TikTok app for their children?
if TikTok simply had an age selection box, and if you choose anything under 18 it said "too bad. wait until you're 18", I'm sure all of those children would say, "gee darn it, guess I'll wait" :eyeroll.
This sort of nonsense is why governments are trying to enforce age verification because god forbid your children go on a website or app.
at the end of the day these fines exist because it's easy money for the EU - there's really no way of stopping children from using TikTok, or any social media for that matter but the EU knows that so they fine the companies and keep the gravy train going.
>at the end of the day these fines exist because it's easy money for the EU - there's really no way of stopping children from using TikTok, or any social media for that matter but the EU knows that so they fine the companies and keep the gravy train going.
Actually, the fines exist to make sure laws are respected. Also, the issue wasn't about users lying about their age, it was about underage users signing up for an account and having access to all content, instead of only child-safe content, as other platforms do.
My point is that there's nothing stopping children from having access to all content to begin with because there's nothing stopping children from signing up as an adult.
The correct thing for the EU to do if they actually cared about this is to enforce true validation of ages on social media. This is exactly what's being proposed in the United States, with a 3rd party verification service being required for all social media to actually verify ages.
The law in its current form, both in the EU or United States, is pointless and trivially circumvented. Charging a third of a billion for something like this is so laughable.
> The correct thing for the EU to do if they actually cared about this is to enforce true validation of ages on social media. This is exactly what's being proposed in the United States, with a 3rd party verification service being required for all social media to actually verify ages.
Sure, this can be done already with KYC on the platform. YouTube and Meta already have this.
Even with those mechanisms, Meta still delayed their release for Threads in the EU after getting fined repeatedly and Google still got fined for privacy violations around user location again.
So fining companies works well. They just need to increase it into the billions of dollars for repeat offenders for them to cave and think again.
> Sure, this can be done already with KYC on the platform. YouTube and Meta already have this.
This is not the case. You can easily create an account on both in the EU as an adult even if you're a child.
You seem to think fining is great, but consider the EU pretty much missed the boat on the internet economy. Consider even the richest country in the EU barely even compares to only California, let alone the entire country of USA. Bolstering their economy and innovation is better than strangling everything with regulation, but to each their own.
this is a naive take. companies will still be formed. they will just http 451 all EU users. like threads does right now. this will also mean losing out, but i guess europeans are used to losing out, and actually prefer it?
If Threads gains traction in the other parts, of course they will launch it EU wide.
The EU is often a too big market to be ignored, see Apple and USB C for example.
They caved and released the iPhone 15 with that connector now for the whole world.
Companies wanting to do business will need to adapt.
I don't think TikTok will close up shop here to be honest.
Sure I'd prefer that. I don't need those companies.
I wouldn't phrase it as "losing out" though. I would put it as "not being in the crosshairs of endless streams of manipulative content whose only purpose is to induce a demand for low-quality consumerism products whose entire existence is a burden for our planet."
Those with FOMO can still use VPNs and pretend to be US citizens.
> but i guess europeans are used to losing out, and actually prefer it?
losing out on companies that are detrimental to our social fabric, democracy, and psychological health of children is a good thing. Mistaking company values on a stock market for population health is the human equivalent of acting like a paperclip AI
What’s funny is that Americans don’t seem to realize Europeans can see the cost of all the shiny things like trillion dollar companies, billionaires, “cool” services and the like all the way from across the ocean.
To most of them, every time someone is trying to yank their chain by talking about “losing out” or lack of big tech companies, it’s the equivalent of someone suffering from the bubonic plague bragging about their fashionable buboes.
No-one is "losing out" by not having their personal data harvested, sold, and used willy-nilly - it might come as a surprise to some, but having one's rights be respected is actually beneficial.
Drop in the bucket. Meaningless if anything a way for the EU regulators to wave the flag that they are maybe doing something but not so much as to take on TikTok