The administrative penalties, which are worth around $335 million at current exchange rates, have been issued by Ireland’s Data Protection Commission (DPC) under the European Union’s General Data Protection Regulation (GDPR). The regulator found a raft of breaches, including beaches to the lawfulness, fairness and transparency of its data processing in this area.

The GDPR requires that uses of people’s information have a proper legal basis. In this case, the justifications LinkedIn had relied upon to run its tracking ads business were found to be invalid. It also did not properly inform users about its uses of their information, per the DPC’s decision.

LinkedIn had sought to claim (variously) “consent”-, “legitimate interests”- and “contractual necessity”-based legal bases for processing people’s information — when obtained directly and/or from third parties — to track and profile its users for behavioral advertising. However, the DPC found none were valid. LinkedIn also failed to comply with the GDPR principles of transparency and fairness.

  • NaibofTabr@infosec.pub
    link
    fedilink
    English
    arrow-up
    34
    ·
    edit-2
    2 months ago

    I always feel like the solution is to make this sort of thing unprofitable. Rather than just having a cost-of-doing-business fine, the company should have to forfeit all revenue generated by the illegal activity. The fine should then be assessed in addition to the revenue forfeiture, making it a real penalty rather than a wrist-slap.

    Businesses operate on cost-benefit analyses and risk assessments. If violating the privacy regulation risks the loss of all revenue for the ad business, they won’t do it.

    • slowcakes@programming.dev
      link
      fedilink
      English
      arrow-up
      16
      ·
      2 months ago

      Sure but when they actively decide to break the law and the rights of millions people, they are criminals or part of a criminal Enterprise and you should be on trail. The people in position of power, choose to break the law because of profit motivation, of course they shouldn’t keep the money because it was made illegally.

      Why would they care about the consequences of fines, when they themselves don’t have to pay it, they can just cash out and not lose a cent, its the company that gets fined.

      Fuck em, they should face several years of prison and lose the right to run a business or having a position of power, for gross violations of human rights and shouldn’t be trusted to hold power.

      What stops Nvidia, intel or whatever to build the same kind of privacy violating technology directly in the hardware. I don’t even know how our phones are even allowed to collect all the data that they do, what are you going to do in the future when every piece of electronics you buy, is collecting data. You wouldn’t even need internet, they’ll just send it to the nearest 5g tower.

      In 5 - 10 years, we’ll live in the era of mass surveillance (for your safety of course). AI combined with all the data available, will make the world a living hell for regular people. 1984 will no longer be science fiction, because we elect self serving clowns, total morons that aren’t capable of doing anything because they are starstruck by rich people and tech bros.

      • NaibofTabr@infosec.pub
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        Why would they care about the consequences of fines, when they themselves don’t have to pay it, they can just cash out and not lose a cent, its the company that gets fined.

        Because if you lose a company a substantial amount of money without generating profit for the shareholders then you won’t get an executive position at any other companies.

        In 5 - 10 years, we’ll live in the era of mass surveillance

        It definitely feels like that. In a lot of ways we’re already there. Stingrays have been around for more than a decade - but of course they’re technically legal.

        Technology will always move faster than government, and unfortunately that means technology companies will always find ways to gather data on people with things that we don’t have laws for. The only way I can think to slow that down would be to kill the demand for tracking data, but it seems like every government and major business is into collecting, buying and selling data on human behavior right now so I don’t even have a theory as to how to actually reduce the demand for it. It’s way out of hand.

        The best option for individuals right now is to live in a place that has some decent legal restrictions, like the EU or California, and of course vote for politicians who favor privacy regulations.

        • ExcessShiv@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          2 months ago

          As I’m reading this, stingrays are pretty ineffective if users are using E2EE messaging (or just a VPN), and can then pretty much only be used for location estimation.

    • kambusha@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      8
      ·
      2 months ago

      Just jail the CEO. Maybe their salary will finally be justified, if they’re willing to take the risk.

      • NaibofTabr@infosec.pub
        link
        fedilink
        English
        arrow-up
        6
        ·
        2 months ago

        Thing is, if the profit is high enough and the golden parachute is good enough then a business could probably find someone to take the fall as the CEO for them. Losing the CEO won’t end the business or their exploitative behavior.

        • P1nkman@lemmy.world
          link
          fedilink
          English
          arrow-up
          7
          ·
          2 months ago

          Board of Directors. Entire C-suite on trial. People with 10% or more ownership of shares. That would change things.

          Oh, emails were deleted and couldn’t be recovered? CTO is at fault. Skip start, go straight to jail.

          • NaibofTabr@infosec.pub
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            2 months ago

            Well… look, I’m all for punishing white collar crime, we should do more of that, but I’d much rather incentivize preventing this kind of thing in the first place than punishing people after the fact.

            Taking away the revenue (remember revenue means all the income, not just the profit) from criminal behavior does that, because it means the business risks financial collapse.

            For instance, in this case if LinkedIn’s EU ad sales department violated EU law, then all revenue from the EU ad sales department should be forfeit, for the entire time period during which the violation occurred.

            This would be a lot more effective than threatening rich people with jail time, because rich people can always make a deal to serve their time in a nice facility or house arrest or something. Instead, we threaten to wipe out the business financially.

            • P1nkman@lemmy.world
              link
              fedilink
              English
              arrow-up
              3
              ·
              2 months ago

              Oh, I totally agree, but if we use the example in the article, how would the EU be able to prove LinkedIn’s revenue? These companies are shifting their money around so they don’t have to pay tax.

              • NaibofTabr@infosec.pub
                link
                fedilink
                English
                arrow-up
                2
                ·
                2 months ago

                Ah, hah, I’m glad you asked, I have thoughts on that too.

                Auditing. The government (every government) should employ a team of auditors. In a case like this, the auditors will be attached to the offending company for the purpose of reviewing their operational and financial records. The auditors will be part of (inside of) the company operations for as long as it takes to untangle the details and assess the total sum of revenue gained from the illegal activity, and if that interferes with running the business well that’s too effing bad.

                While the auditing is ongoing, the company will be responsible for paying the auditors’ salaries and expenses, and providing office space and whatever other resources they need. There will also be a representative of the auditors assigned to the executive board, present at all board meetings, with voting and veto privileges. Effectively, the company is on probation and under observation until their debt is paid. Any other violations discovered during the audit will result in additional prosecutions.

                If the company finds this too burdensome, or if they have tried to obfuscate their records, then they can simply forfeit the revenue of the entire department/operational area in order to expedite the audit.

        • kambusha@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 months ago

          Tbh, you’re probably right. It’s the same reason that solar finally is seeing an uptick, and how cryptography works. Solar makes financial sense now, and cryptography is all just about how much money you would need to spend to crack a password.

          • NaibofTabr@infosec.pub
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            2 months ago

            This is really it. Businesses are about making money. If you want to change the way businesses behave, you have to change the financial incentives. You can condemn the capitalist greed motivation if you want, but that really only amounts to moralistic posturing, it doesn’t accomplish anything practical. It’s more useful to understand how businesses make decisions, and then adjust rules to incentivize the behavior you want and disincentivize the behavior you don’t want.

            An ounce of prevention is worth a pound of cure.