That the GDPR is “all bark and no bite” is factually untrue.
As an example of a service that was forced to change to get in line with GDPR: Facebook.
For user profiling, they first tried to use their Terms of Service, then they tried claiming a legitimate interest, then they tried offering paid subscriptions, and now they are at the point where they somewhat degrade the experience of those refusing to be profiled. I'm not talking about the fines, I'm talking about EU citizens being able to use Facebook while refusing to give their consent for profiling. I'm also talking about the ability to download your data or to delete your data from their servers, which was also the outcome of GDPR.
Facebook has also received multiple GDPR-related fines, maybe it's not enough, but it's only going to get worse, as EU regulators are also eyeing them for the spread of election misinformation. Actually, Zuckerberg has been kissing Trump's ring because he's hoping for some protectionism from the US. He said so in his now infamous Joe Rogan podcast episode.
And for the DMA — well, Apple now allows alternative browser engines within the EU, as just one example.
So I just don't understand why people make this claim. The DPAs may be slow, but that's not a good argument. Law enforcement in general is slow. And the fact is that the GDPR is changing the Internet, which is undeniable.
Not in the EU myself but I don't think so. There's a specific entitlement that has to be granted and last time I looked nobody has ever done it.
I learned one interesting tidbit from the latest Ladybird progress report: apparently, in order for an engine to actually be eligible to get this entitlement, it actually has to have a higher than 90% WPT pass rate. I think it is absolutely fascinating that this is part of the criteria. The era of more-or-less free distribution on desktop platforms couldn't be more different from the totalitarian control of iOS and the slightly less restrictive control of Android. It almost feels like what happened with home computers was an accident, a circumstance that was only temporary and that once it is finally taken away we'll never get it back.
It's weird to think about. The evolving nature of computer security has definitely created some serious challenges for having a more open distribution model, but by and large nobody wants to try to solve that, and there's not much of an incentive to. The problem is, though, that closing down distribution doesn't just magically solve the problem of trust, it centralizes it to a single entity, with all of the many problems that come with that.
People, of course, seem to defend this practice tooth and nail. Like, it's not enough to just have the option of curated walled gardens: it's important to be forced to use them, because your agency could be used against you by other massive corporations, by coercing you to sidestep security measures. (Never mind the fact that the existence of said abusive mega corporations is, in and of itself, a problem that should be dealt with directly...)
Meanwhile, I'm just blown away. I have an iPad with an M1 processor. It has virtualization capabilities. It could run VMs, if Apple would let it. Volunteers have gone to great lengths despite JIT restrictions and sandboxing to make decent virtualization software for iOS, entirely free of charge. But instead, they updated iPadOS to explicitly remove the hypervisor framework in a major OS upgrade, and of course, it being an iPad, you can't even choose to downgrade it. Now I'm not saying running a desktop OS in a VM is an ideal experience for a tablet, but the damn thing has a keyboard cover and all manner of connectivity, it would be extremely useful to allow this, especially given how relatively powerful the device is. Yet, you can't.
And sure. If you don't like it, don't buy it. I largely don't buy Apple products anymore, but I have a few for various reasons. They're very nice pieces of hardware. But the thing is, the market isn't incentivized to offer alternatives to Apple. What Apple has accomplished with the App Store is absolutely unparalleled: 30% of all revenue. Everywhere, in every app. Perpetually. Forever. Holy Shit. And sure, there are technically exceptions, but let's face it: they play fast and loose with their own rules. When even Patreon is forced to pay 30% you know they are just going to push anyone with enough revenue into it with some rationale. So I personally struggle to believe that there will be alternatives if nothing is done. It's not a matter of people not being willing to buy viable alternatives, it's more a matter of nobody being able to sell them, because doing the arguably unfair thing profits hand-over-fist and nobody can fucking compete with that.
So we're here, bargaining with the richest company in the world, for the ability to be able to download a web browser that isn't Safari in a trenchcoat.
I don't like all EU regulation, but it's kind of unreal to watch this unfold and see how people actually defend this status quo. I still struggle to reconcile how people who consider themselves hackers or at least adjacent to hacker culture can see all of this and not feel dead inside.
> It almost feels like what happened with home computers was an accident, a circumstance that was only temporary and that once it is finally taken away we'll never get it back.
Home computers gave full control to the owners because there was no other choice. There was no internet, no way to push updates or hoover up data. Anything that happened on those machines had to be initiated by the user. They have been working on pulling all that back ever since always-on internet has become something that can basically be taken for granted.
And thankfully a lot of people realize that’s utter bullshit and are taking measures to fight off further enshittification. I’m not a nationalist but things like the GDPR and DMA make me proud to be European.
> I'm also talking about the ability to download your data or to delete your data from their servers, which was also the outcome of GDPR.
I’ll admit that I did this years ago so it may be different now. Facebook just gave me a copy of the data that I explicitly uploaded to Facebook: text posts and images. There was no other data about my login history or request history or anything else that (I believe, perhaps mistakenly) the GDPR considers as my personal data (cross-site tracking is the big one). There’s also no way to verify that my deletion request was honored, even for those text posts and images, but that will probably never be false so that’s kind of a weak point, IMO.
Not that I disagree with your overall point, just wanted to offer some words of concern on this particular point.
The GDPR is very clear (despite what those who profit from breaching it would like you to believe): consent for non-essential data collection/processing should be strictly opt-in. You can't opt in by default, you can't use dark patterns to trick people to opt in, and you can't degrade the experience to coerce people to opt in.
Yet by your own comment's admission, Facebook has tried multiple blatant breaches of the regulation, and is still in business and trying their latest iteration of pseudo-compliance, which means whatever enforcement there is, it's clearly not enough.
When it comes to the DMA, Apple is currently on track to receive a (very low) fine for not actually complying by still preventing developers from letting users know they can pay for apps/services outside the App Store for cheaper. So clearly the potential penalties and actual enforcement are low enough that Apple is (rightly) calling their bluff.
I can now use Facebook without being profiled for ads. I can also delete my account.
It took longer than expected, but it happened. The GDPR has forced Facebook and others to change.
People may want huge fines, but then the EU is accused of targeting US companies or suffocating innovation. I don't want fines necessarily, I want results.