HackerTrans
TopNewTrendsCommentsPastAskShowJobs

buzer

1,137 karmajoined 10 lat temu
Staff Software Engineer at 8x8

Especially interested in systems scaling & IAM and also general interest in most of thing on backend side.

You can reach me via <username>@<username>.net

Submissions

Noyb launches class action over CRIF's scoring system in Austria

noyb.eu
2 points·by buzer·w zeszłym miesiącu·0 comments

Digital Omnibus Report V2: Analysis of Select GDPR and EPrivacy Proposals by EC

noyb.eu
1 points·by buzer·6 miesięcy temu·0 comments

Austrian Supreme Court: Meta must give users full access to their data

noyb.eu
5 points·by buzer·7 miesięcy temu·0 comments

Digital Omnibus: Analysis of GDPR and EPrivacy Proposals by the Commission

noyb.eu
3 points·by buzer·7 miesięcy temu·0 comments

comments

buzer
·15 godzin temu·discuss
It's unfortunately somewhat common these days and personally I actively avoid any place which does this. At least it's only somewhat common rather than the standard so it's still possible. Couple of examples:

https://sushiconfidential.com/wp-content/uploads/2024/07/sc_... "3.5% Living Wage Surcharge added to each bill which allows us to provide the service you have always enjoyed!"

https://www.pacificcatch.com/menu/ "NorCal - A 3% surcharge (5% in San Francisco) will be added to all Guest checks to help offset the rising cost of wages and benefits. This is not gratuity."
buzer
·5 dni temu·discuss
Personally I do agree, but enforcement is unfortunately behind DPAs and it's pretty clear that they are trying to avoid ruling on it.

In theory someone could directly sue some company which engages on this via Article 79, but this can be expensive and depending on jurisdiction the plaintiff can end up with personal liability on defendant's legal costs if court ends up finding that this is actually legal (e.g. Finland has "loser pays" rule in civil suits).

Additionally this does also touch ePD and in some countries there might be different agency which handles ePD complaints compared to GDPR, like in Finland Data Protection Ombudsman handles GDPR, but Transport and Communications Agency (Traficom) handles ePD. If there is something that touches both the Ombudsman usually lets Traficom take care of ePD aspects before they give any GDPR ruling. Both of these can take years.
buzer
·6 dni temu·discuss
Not quite.

> This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

This is the reason why these are usually separated to "strictly necessary" and "functional" cookies. Functional cookies are things which enhance the functionality, but are not strictly necessary. These would generally include things like persistent cookie for language choice rather than just session one.
buzer
·6 dni temu·discuss
It's called "pay-or-okay" (or "consent-or-pay") and there hasn't been many decisions on it yet which has led noyb to sue German DPAs: https://noyb.eu/en/years-inactivity-pay-or-ok-cases-noyb-sue...

There is one case where DPA ruled in favor of the company, but it's currently being appealed: https://noyb.eu/en/pay-or-ok-der-spiegel-noyb-sues-hamburg-d...

Another one ruled against company and court agreed: https://noyb.eu/en/court-decides-pay-or-okay-derstandardat-i...
buzer
·11 dni temu·discuss
In 2022 I got physical mail about leaving a review for something I bought from Amazon (sold by company X, shipped by Amazon) in exchange for Amazon Gift Card. It contained the name of the product I bought. When I tried to report it to Amazon:

* there was no obvious way to do it. Closest thing was by reporting issue on product.

* there was no way to show the customer service agent a picture of the mail. Chat did not support sending pictures & they were unable to open imgur link.

* agent recommended me to leave a report it by leaving review to the seller page. I did that and next day review was deleted.

So it's pretty clear that Amazon didn't care and I doubt it has changed (unless the law you are talking about is recent one).
buzer
·11 dni temu·discuss
2 weeks ago it was $60 billion apparently. https://news.ycombinator.com/item?id=48553224

It might be higher now.
buzer
·11 dni temu·discuss
You are somewhat confusing two distinct concepts. IP addresses are considered to be personal data because they can be linked to single individual and controller is allowed to give this personal data to someone who can do the linking (e.g. police who can then request logs from ISP or NAT connection logs from the company).

Now it doesn't mean it will always link to single individual, but unless controller can be sure that there are always at least 2 people behind the IP and the devices on that side do not keep enough information to ever link IP+timestamp+destination service to single individual, the controller essentially must assume that IP address is personal data.

This is different from civil liabilities. National courts determine what is the threshold for that. For example in Finland the court has ruled that if the owner of the car cannot name the person who parked the then the presumption is that they did it and are responsible for parking contract breach (KKO 2026:24). National courts could end up with similar ruling for civil liability for sharing content, i.e. assumption that the IP owner either is the person who shared it or knows who they did it & if they refuse to name the person then presumption is that they did it.
buzer
·11 dni temu·discuss
> nor are there any major EU software services and there never will be

SAP and Spotify come to my mind first. Some ex-EU services include Skype and Booking.com (latter might still be counted as EU service depending on definition).
buzer
·12 dni temu·discuss
Mostly yes.

Note the chance to object must be given before decision is made, i.e. not to give option for human review after the fact. Human must also be able to actually have meaningful chance to affect the decision.

If the decision is based on purely objective facts that are actually necessary (like you must have certain license) then human and computer always coming to same decision is likely correct and compliant, but as soon as you start putting in subjective criteria and human agrees with 100% of computer denials it becomes a lot harder to demonstrate that human is actually able to affect the decision as required by Article 5. Note that demonstration burden is on controller, not on data subject/DPA.

Objective criteria also isn't always enough by itself. If both human and computer calculate the same credit score and you must score X points to get a loan then human isn't actually able to affect the decision. Essentially the credit score calculation itself ends up being the automated decision rather than the formal rejection that is later given to data subject.
buzer
·12 dni temu·discuss
That's why I said consent usually cannot be used in employment context. I wouldn't rule it out 100% for everything employment related, but application screening is unlikely to qualify for those rare cases.
buzer
·12 dni temu·discuss
> this is most likely highly illegal to use in the EU due to violating anti discrimination laws in multiple ways.

It's generally illegal under GDPR Article 22.

> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Exceptions in 22(2) are unlikely to apply. It's hard to argue that it's truly necessary (a) and consent (c) is almost always unavailable in employment context. (b) might apply, but it requires specific law in EU or Member State to authorize it.
buzer
·14 dni temu·discuss
Finnish case happened after DVD-Jon. To my knowledge there also hasn't been any new cases which went other way (or any way) in Finland & law hasn't changed so it's technically still illegal. Of course it's up to prosecutor to determine if they want to actually go ahead with prosecution & it's also not a crime which gets discovered often so the risks are quite low, especially if you are just ripping DVDs for personal use.
buzer
·14 dni temu·discuss
In Finland DVD's CSS was ruled to be strong technical copy protection system (tehokas tekninen toimenpide). In that exact case a person had made a program which bypassed it and published it. He was found to be criminally liable though he didn't get any fine/prison time from what I remember.

In Finnish criminal law the threshold is "significant harm", but given that there were already multitude of ways to get around DVD copy protection the "significant harm" clearly isn't very high bar. Also both distribution the method and actually using the method are both criminalized.

Finnish Copyright Act does individual to bypass copy protection to view the content, but it notably does say that you are not allowed to copy the work.

Unfortunately I cannot find the exact page right now, but I found one of the appeal documents from from https://www.yumpu.com/fi/document/view/38482300/1-helsingin-.... It's probably under https://www.cs.helsinki.fi/u/nikki/, but it's no longer available and Internet Archive is currently giving 503 when trying to access the old pages.
buzer
·16 dni temu·discuss
Assuming you are in EU you could report them to local DPA. Objection (i.e. unsubscribing. Original automatic subscription may or or may not have been legal) to direct marketing is pretty much absolute due to GDPR Article 21(2), I'm not aware of any "workaround" companies have successfully managed to argue.

In the US you can report it to FTC for CAN-SPAM violations, but don't hold your breath on any enforcement.
buzer
·17 dni temu·discuss
Worth noting is that there was 2500 € capital requirement until 1st of July 2019 and it was reduced to 0 €.

Public limited liability company (Oyj) still has 80 000€ capital requirement.
buzer
·18 dni temu·discuss
Not 3 month period, but looking at e.g. capacity factor over 5 day period can be under 3% and even 10 day period can be under 5%. Capacity factor for whole year is around 30% (22TWh produced with 9433MW in 2025, rounded it up since some capacity came online during 2025). That's a lot of extra power or storage.
buzer
·18 dni temu·discuss
> Near the arctic circle Wind fill the same niche.

What do you mean? Long periods of calm weather during cold temperatures is not unheard of in Finland and does cause issues at times due to amount of wind energy that has been built in recent times.
buzer
·22 dni temu·discuss
I would like to see that thread if possible just out of curiosity.

I looked a bit into EUDPR and the earlier 45/2001 regulation (EUDPR came in effect in December 2018 so a bit later than GDPR). EUDPR explicitly imports Article 5(3) of ePD (via Article 37) and thus whatever case law there is around it. The earlier regulation seems to do this more indirectly (references in recitals), but EDPS view from 2016 is that it effectively does import Article 5(3) as well.

Personally I haven't dealt with EU institutions so far. On general public sector side I did recently seek some clarifications from Finland's Ministry of Justice regarding one of their websites and their responses weren't exactly reassuring.

I asked for the GDPR Article 15(1) information regarding single visit (i.e. information about processing, not actual copies of data) and it took them almost 3 months to give official response. Even after that time they, for example, failed to identify if they are actually the controller or not for some of the processing (Cloudflare challenge). And their stance is that analytics (Matomo) does not need Article 6 legal basis at all, i.e. they seem to think that anonymization step itself is not processing.
buzer
·22 dni temu·discuss
Official EU website, generally speaking, are not bound by GDPR or ePD. Rather EU bodies are bound by EUDPR. I'm not well-versed on that specific thing, but EDPS and courts have previously found that EC has infringed EUDPR so it wouldn't be weird if their cookie banner was breaking the law as well.
buzer
·22 dni temu·discuss
It's called "pay-or-okay" and there hasn't been many decisions on it yet which has led noyb to sue German DPAs: https://noyb.eu/en/years-inactivity-pay-or-ok-cases-noyb-sue...

There is one case where DPA ruled in favor of the company, but it's currently being appealed: https://noyb.eu/en/pay-or-ok-der-spiegel-noyb-sues-hamburg-d...

Another one ruled against company and court agreed: https://noyb.eu/en/court-decides-pay-or-okay-derstandardat-i...