How to effectively evade the GDPR and the reach of the DPA

We&#x27;ve actually been threatened with a lawsuit because RocketReach displayed some obviously inflated revenue for one of our customers. Luckily, we were able to prove that the numbers were changed recently and threatened to report them for fraud, which ended this pretty quickly.<p>Seriously shady company.

Currently there&#x27;s not much the data protection authorities in the EU can do about foreign companies abusing the data of users.<p>I assume that in the coming years (or decade?) there will be more efforts to ensure the enforcement of EU law for foreign companies that offer services to EU citizens as part of trade deals.<p>Right now there&#x27;s e.g. a flourishing industry of data brokers in Israel that illegally collects data from EU (and US) citizens and sells it, a practice which is hard to stop as well since most of these companies don&#x27;t have offices in the EU.<p>I think another possible strategy would be to go after the clients of these companies. If they can&#x27;t legally sell their data to companies in the EU or US their business model would falter. The GDPR actually mandates that you as a data controller validate that companies which process data for you adhere to GDPR principles. Right now it seems this isn&#x27;t being enforced much yet but I think it will be soon, which hopefully will have an effect on data brokers outside the EU as well.

I&#x27;m not sure how I feel about the screenshot at the end, showing that various policy makers also have their personal information being sold.<p>I guess the information is out there, and doing so also makes it definitively personal for the policy makers &#x2F; enforcers involved.<p>That said, the policy makers &#x2F; enforcers may be genuinely hamstrung. The US imposes its laws globally because of it&#x27;s status as a global reserve currency (trading in USD requires the transaction to route via the US, thus making the entity subject to US law).<p>The EU doesn&#x27;t have such status or power over US companies. The most it can do is try to prevent them from operating in the region.<p>As a person who almost certainly has his personal information being sold on this platform, I&#x27;m not pleased, and would love to see something done to prevent this kind of activity. Unfortunately, that depends on the US government to take action, and the last 12 years haven&#x27;t been a flying endorsement of the effectiveness of the current government system. (This is not meant as an statement regarding the effectiveness of either President, but rather a regarding the low output from the system as a whole)

This same BS is perpetuated by YC backed Apollo.io by simply scraping public LinkedIn profiles &amp; then masking asterisked emails &amp; numbers(usually your company public numbers) &amp; asking people to sign up.<p>And when you do request them to remove the same, they ask you to provide ID proof. As if one would provide the same to a company which didn&#x27;t take your consent for the initial profile data either.<p>I somehow managed to get hold of the CEO&#x27;s mail ID got mine removed. But I can only imagine what everyone else would have to do when they want to control their web-presence.

Data sharing seems so prevalent, and I would dare say even with EU companies, the chances of getting caught (let alone fined) by the GDPR are pretty slim.<p>An interesting exercise: If you have a Facebook account, go to this page[0] or this one[1] and see if you even <i>recognize</i> some of the companies that shared data about you. Not to mention gave explicit consent to sharing your data ...<p>My list includes companies I never gave consent to (e.g. Amazon, Uber), never signed up for or gave any details to (e.g. Robinhood, Triplebyte) and some I have zero clue about, but the name alone sounds dodgy (Opteo, Mindshare Biddable Digital ...).<p>[0] <a href="https:&#x2F;&#x2F;www.facebook.com&#x2F;ads&#x2F;preferences&#x2F;?entry_product=information_about_you&amp;section_id=interacted#" rel="nofollow">https:&#x2F;&#x2F;www.facebook.com&#x2F;ads&#x2F;preferences&#x2F;?entry_product=info...</a><p>[1] <a href="https:&#x2F;&#x2F;www.facebook.com&#x2F;off_facebook_activity&#x2F;activity_list" rel="nofollow">https:&#x2F;&#x2F;www.facebook.com&#x2F;off_facebook_activity&#x2F;activity_list</a>

I had a very similar experience with Apollo.io. Somehow my professional data (business email, personal phone number, name, job title and my LinkedIn network and connections) ended up on this website without my consent. I’m assuming it was collected from several sources such as LinkedIn (Even though I had my privacy settings tight) and some conferences I attended in the past year. Either way I contacted them and they sent me a document to confirm my identity and then proceeded to remove my data from their website after I sent it back. I was a bit shocked as it’s basically asking to confirm my identity and give them more information about me when I haven’t even granted them permission in the first place. Such “data brokers” need to be regulated. The most annoying thing is that they only remove data under GDPR, CCPA if I am a resident of California, UK or EEA. Well what if I’m from a country that doesn’t fall under one of those 2 regulations?

The achilles heel of the GDPR is that you must act through a DPA. In the case of the Shrems he had to basically sue the Irish GPA in order for them to do their job. And instead of actually doing their job, the Irish DPA instead fought Shrems on behalf of Facebook.<p>As an EU citizen and resident, it&#x27;s abundantly clear to me that getting a DPA to act in my best interest is mostly hopeless. I&#x27;m reminded of the CANSPAM Act where a US citizen can send their spam to the FTC and have them investigate it. Only they never will. All spam sent to the FTC just goes into blackhole, and next to no one is ever prosecuted. Even when it&#x27;s clear who the spammer is.<p>I don&#x27;t think many people realize this fact. That a politically motivated entity controls European&#x27;s access to privacy restitution, and they&#x27;re rarely motivated to actually do anything. This makes the GDPR is my eyes primarily a joke. It certainly isn&#x27;t about securing my rights as an EU citizen. It seems more written to benefit lawyers and others who make money because things are complicated.<p>If the EU actually cared about my privacy rights they would allow all Europeans access to restitution without mediating it through national agencies. I want to be able to hire a lawyer and directly take abusive firms to court over GDPR violations. I shouldn&#x27;t have to act via some pre-court mediator who gets to arbitrarily determine if my claims have merit.

Lusha in NY does this too except they claim the deletion magically happened automatically because of &quot;algorithms&quot;.<p>I&#x27;d made a subject access request because they&#x27;d sold my personal email address linked to my business position to random spammers. That association didn&#x27;t exist in any legitimately accessible data, only in the linkedin data breach.

Looks like rocketreach is aggregating information that is public on fb,linkedin etc. He forgot to mention that the google search result he got is already selling those, but maybe we ve become blind to that? Rocketreach is packaging and selling it directly, google does it indirectly. Same thing though, are those illegal?

Fundamentally the thing which everyone is missing is that the regulatory authorities can simply say that the data can not be used within the European Union by Rocket Reach. They may not be in the European Union but they can make their product useless in the European Union.

Now watch the entire currently-EU based adtech industry relocate out of the EU...

Yes, it&#x27;s hard for EU authorities to enforce its laws on a company that has no EU presence or revenues to threaten. At least the Luxembourg DPA is doing something about it, unlike the Irish DPA that deliberately does nothing (or worse, colludes with Facebook to help them skirt GDPR with highly dubious and most likely legally invalid semantic contortions).

In this particular case, GDPR can get enforced for the <i>buyers</i> of data.<p>Rocket Reach and similar companies may be outside the reach of GDPR, however, all the advertisers and global platforms who actually want to target EU customers <i>are</i> within the reach of GDPR so it&#x27;s illegal for them to buy data from Rocket Reach.

Another company collecting and selling your personal data right there in Silicon Valley: <a href="https:&#x2F;&#x2F;eightfold.ai" rel="nofollow">https:&#x2F;&#x2F;eightfold.ai</a>

I don&#x27;t know if there&#x27;s another good example, but Poland fined an EU company under the GDPR for scraping profile data without giving proper notification: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=19530087" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=19530087</a><p>You shouldn&#x27;t have to guess where your personal data is going, and how it&#x27;s being used. When the GDPR was first coming into force, I remember getting bombarded with all these notification emails from all these companies coming out of the woodwork that I didn&#x27;t recognize. But I don&#x27;t think I&#x27;ve ever been notified by email, SMS, phone or smoke signal since then.<p>The biggest flaw of the GDPR in my opinion is that it leaves the definition of what&#x27;s considered personal identifying information with too much wiggle-room for creative interpretation. Maybe it&#x27;s hard to pin down exactly, but there&#x27;s often too much emphasis on the word &quot;identifying&quot;, as if it&#x27;s otherwise OK to gather every intimate online detail and build a profile that is a unique identity in and of itself. It&#x27;s even worse when real-world decisions can be based on it without your knowledge.<p>I recently had my own rude awakening learning about these data brokers and risk analysis services. The matter itself was relatively trivial, but I didn&#x27;t realize the extent of this before and the scope of what personal information they&#x27;re gathering. And it doesn&#x27;t matter if you think it won&#x27;t affect you, since you&#x27;ve done nothing wrong. From what I read elsewhere, even exercising fundamental consumer rights may be held against you. <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21440526" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=21440526</a>

&gt; Instead of pursuing Rocketreach locally on that basis alone, the CNPD just gives up arguing it has no jurisdiction in the US.<p>Which is true and obvious. Why anybody ever thought the GDPR would have teeth outside the EU is beyond me. It was always laughable to me that anybody believed that the EU had made a law that applied to every company in every country in the world.

I had a similar experience with a company called RateSetter.<p>- They email me some marketing<p>- I respond with DSAR<p>- They acknowledge receipt of DSAR<p>- 6 months pass<p>- I bump the email thread<p>- They respond saying they have deleted my data as per my request (I requested access, not deletion)<p>- I point this out<p>- They apologise and offer £100 to drop the complaint<p>- I refuse and complain to ICO<p>- Obviously nothing happens<p>GDPR is toothless.

The Privacy Shield framework that was just declared invalid by the EU included a requirement that US companies make themselves available for arbitration of disputes brought by EU data subjects. GDPR by itself doesn&#x27;t include that concept. But if GDPR is going to be enforceable, the negotiation around a successor to Privacy Shield should probably include it.

I&#x27;ve always wondered about the practical side of how GDPR is supposed to work for companies outside the EU.<p>If you&#x27;ve got actual <i>stuff</i> in the EU, it&#x27;s easy. You get fined under GDPR and if you never show up to argue your side in court or an administrative hearing or whatever, they seize your real estate or bank accounts or physical servers or whatever, and sell it to pay your fines.<p>If you&#x27;re US-based, how does it work? Hmm, if you&#x27;re a modern shop you probably have stuff hosted by big companies, like servers on Amazon&#x27;s AWS or code on Microsoft&#x27;s Github. Then the EU could presumably tell those companies to stop hosting your stuff, or they&#x27;ll become liable for fines as an accessory to the violation. Microsoft and Amazon probably have a lot of bank accounts and physical stuff in the EU that could be seized and sold, so they couldn&#x27;t simply ignore the fine. They&#x27;ll probably drop you as a customer immediately once Europe starts making them pay fines, and maybe try to sue you in the US court system to try to recover those costs.<p>I&#x27;ve never heard of this happening though. So maybe this isn&#x27;t actually a thing.<p>If all your stuff is on US soil, and you&#x27;re careful not to use providers with any European presence, how would they do it? Does the EU have some way to order all European ISP&#x27;s to blackhole traffic from your company&#x27;s IP ranges? When your executives come to Europe for vacation or conferences or whatever, could they get hauled off the plane in handcuffs and taken to a European jail over your company&#x27;s GDPR violations?<p>Again, I haven&#x27;t heard of this actually happening. But it seems to me that would be how they&#x27;d do it, if they really wanted to prevent overseas companies from simply ignoring GDPR.<p>If there&#x27;s no threat of enforcement, why bother with GDPR at all, unless you&#x27;re planning on having seizable <i>stuff</i> like real estate or bank accounts or physical servers in Europe someday?

Is crunchbase&#x2F;owler&#x2F;cb insights and every other public data aggregator&#x2F;lead generator service also illegal by the same logic?

I figured that the European Union would simply act to block such a website from being resolved in Europe by DNS resolvers?

This constitutes denial of justus and you can sue them either in your country or in the European Court of Justus.

For most, you can simply ignore it since it doesn&#x27;t apply anyways

It&#x27;s always nice to not find yourself in one of those databases.<p>Data frugality ftw.

GDPR compliance would be trivial if web browsers used a stateless request-response hypertext transfer protocol.<p><i>O Tempora O Mores</i>

Does GDPR apply here? They might not be selling to the EU, and they aren’t monitoring EU persons but just selling historic information. I don’t read GDPR as applying globally to any and all trade in EU personal data. <a href="https:&#x2F;&#x2F;gdpr.eu&#x2F;companies-outside-of-europe&#x2F;" rel="nofollow">https:&#x2F;&#x2F;gdpr.eu&#x2F;companies-outside-of-europe&#x2F;</a>

Typical of this kind of regulation: the real purpose is less about ensuring individual rights and more about giving bureaucrats more power. The GDPR is great in the latter sense. It’s impossible to predict the outcome of a legal process even if you do your very best to comply, and you can be slapped with incredible fines... Cross the wrong bureaucrat and your days are numbered (in an economic sense).

&quot;Rocketreach has not met the requirement of the GDPR to name an EU representative (Art27) to account for the processing of European Personal Data. In their answer, the CNPD makes it sound like it is optional, it isn&#x27;t. Instead of pursuing Rocketreach locally on that basis alone&quot;<p>LOL, yes.<p>I&#x27;m sure they also do not meet the legal requirements of North Korea, Saudi Arabia, and many others.<p>Likewise, various EU corporations do not meet the legal requirements of non-EU places like those. Would he prefer that they did?<p>Even more interesting, since he expects the US to follow EU law, how does he feel about the EU following US law? The US has that Patriot Act, and lots of EU companies are not compliant. Maybe he should report a few EU companies to the FBI.

When are we going to admit that GDPR is a failure?<p>Asserting a bunch of rights around personal privacy is great, but I&#x27;ve yet to see any compelling evidence that the relevant courts and bureocracies are capable of enforcing the law effectively. EVERYBODY is cheating.<p>Every time this is brought up on HN, the response is to wait for when the big fines start coming.<p>It&#x27;s been two years. They&#x27;re not coming.