This is the original article (linked from The Verge one) and is much clearer:
> Bluesky, the rapidly growing social media platform, is violating EU regulations by failing to disclose important details, a European Commission spokesperson told reporters during a daily briefing on Monday.
> “All platforms in the EU even the smallest ones which are below the threshold, which is the case for Bluesky, have to have a dedicated page on their website where it says how many user numbers they have in the EU and where they are legally established. This is not the case for Bluesky as of today,” the spokesperson said.
I'm not saying this doesn't happen, but I also think it's genuinely difficult to write policies that apply to technical systems that don't exist at the time of writing and which are also clear enough that regulators, courts, and the relevant parties within tech companies all understand what they mean, what they imply about technical systems, etc.
With respect to much older law, e.g. copyright, I think we still haven't fully interpreted what constitutes "copying" or "distributing" in a digital context.
With respect to data privacy, though I was part of a team that was responsible for ensuring my company met GDPR obligations, it's still not clear to me what really constitutes deletion or erasure for these purposes. What if my DB doesn't delete stuff on disk immediately but marks some records with an in-memory tombstone, so normal DB queries will no longer return the record but files containing the record do still exist? Am I obliged to delete all DB backups when any individual exercises their deletion rights? If my datalake uses columnar files that record events (e.g. clickstream data) from many users, every time any user exercises their deletion rights, do I have to re-write all the files that included any event from them? To find all files containing a user efficiently, I'd probably need to start indexing by user, which if anything puts my team on the path to using user-specific data more intensively going forward. Or is it sufficient to mark their ID in a "forgotten" file and ensure that datalake results do not include information from their records, though the records are in principle still readable? If you didn't have a good systems/data engineer participating in the drafting of the policy, it's easy for a regulator to just write "delete" without thinking through what the actual definition should be, and what the implications are.
> But since Bluesky isn’t yet big enough to be considered a “very large online platform” under the DSA, the regulator says it can’t regulate Bluesky the way it does X or Threads.
So are they breaking the law or aren't they? Sounds like they aren't but the EU wants to be on their back anyway.
I thought the article was pretty clear: they are breaking rules (not laws, FWIW) but are not yet big enough for the EU to do anything about it. At their current growth trajectory they will soon. The EU statement seems to just be an anticipation of the inevitable.
> Sounds like they aren't but the EU wants to be on their back anyway.
> The regulator hasn’t reached out to Bluesky directly, yet, The Financial Times writes.
I think no on is on anyones back, they just follow standard procedure more or less.
There is a new "growing" platforms which might be affected by such regulations and they just want to make sure what their state is and under which legal aspects they operate (e.g. if they have any EU offices onto which they should base official communication).
The things pointed out by the article are also non issues:
- a missing statistic about EU users which you need once you have a certain size but practically kinda should have before _to show you have not quite yet that size_. But that is somewhat of a nothing burger, you add it when needed and as long as there is no reason to believe you acted with malicious intend it's unlikely to involve any penalties.
- regulation related to moderation, non issue as Bsky enforces their AGB and that already fulfills more or less all moderation requirements (maybe not some increased reporting requirements for larger companies, but like said they don't count as such yet)
So IMHO a nothing burger.
My guess is various news paper made "official" information/press requests to some EU institutes asking if Bsky complies with this or that and stuff like that and then created a issue from atm. more or less nothing. Wonder if it was with malicious intend.
> 1. It puts Bluesky on notice that they need to watch their numbers
can't be as they haven't reached out to Bluesky, can't put someone on notice without communicating with them
this articles seems to be based on newpapers doing "press requests" not any EU institution initiating actions, some parts can outright be read as "what is Bsky, we should find out if it is relevant if we get press requests about it, where is their office again?"
> 2. It preempts accusations of unfair application of the rules
I'm not sure where such accusations should come from. I don't thing any related EU regulatory organizations care about what people in the US thing about supposedly unfair treatment of X compared to Bsky.
> 3. It reminds Blusky that if they trade internationally they need to "do as Romans do".
which only makes sense if they communicate with them but the only communication flow seem to have been the Financial Times asking some regulators. So I don't think so.
So… EU regulations are about "protecting users privacy"… but requires you to know how many of your users are EU-based, and publicly report it ?
I don’t know about you, but "country of residence" is the kind of private information but I’d rather not be collected unless good reasons. Requiring to collect it seems rather antithetical to "protecting user privacy".
Who cares. Everyone should collectively turn their websites off in the EU, so that they can continue to suffer in mediocrity. The EU doesn’t have to deal with their own laws because they don’t innovate or produce anything.
This is like when a non-atheistic person claims that the only way to be kind, ethical, moral etc is to be religious. They are not mutually exclusive. You can be a good steward of your users' data without imbibing yourself with EU regulation.
It's a variation on "Premature Optimization Is the Root of All Evil". Focus on what actually matters for your startup. If for some reason some EU regulator actually comes knocking, you're most likely big enough to mean you've created a successful startup.
Then you just say "Sorry!" and you implement what they want.
This is probably different if your company is in the EU, but this is my North American point of view.
It can go both ways. Just because a company has done something that deserves to be regulated does not mean the regulation itself is a good way of accomplishing that. For what it is worth, I think the EU for the most part is doing alright in some places with some severe missteps as far as encryption and privacy goes.
I've honestly been pretty happy with it. It gives developers the ability to push back on shirt practices with "do you want to lose access to the European market?" Having that in the tool belt is very handy
Counter-point: as a programmer and data engineering working with large and small companies, GDPR has been of massive help to me, as the clients have now the concepts coined and I can back my stances with legal texts when it comes to protecting people data.
Not really. The methods companies use to skirt around the EU regulation has been the actual disaster. Case in point: The EU never mandated the cookie popups that proliferate the web. They simply passed common sense regulation about user tracking. But there's too much money to be made tracking your every move on the internet, so along came the popups that convince you to allow yourself to be tracked. Every time I see one I'm reminded of how relentlessly exploitative the modern web is, not how mistaken the EU are.
I'd say those are unintended consequences and should have been taken into account. The effective result of the regulation appears to be just to have added annoying popups and close to zero change in company behavior.
You have third party data brokers in the US which has everyone's data and sells it to anyone, you don't have that in the EU. I'd say that is a pretty big change.
There’s an open question of who is to blame when poorly written legislation causes companies (with fiduciary responsibility to their shareholders) find ways to follow the letter of the law but not the intent and create end results that are worse for the public.
The American perspective tends to be that if millions of users are suffering because thousands of companies are interpreting the laws created by a single legislature, we should tell that one legislature to fix their shit. (Note: not that they actually do fix their shit, but that’s who we yell at)
The European perspective tends to be that the thousands of companies should each be individually yelled at to fix their shit (Note: not that they actually do fix their shit, but that’s who they yell at)
Neither way is all that effective tbh. But looking at the end results, I must say I prefer using the internet outside of the EU. I always use private browsing, and the implementation of EU rules when browsing the web in Europe makes this an absolutely insufferable experience. Pages and pages of legalese I have to click through to access a single google result - when guess what, none of that applies because I’m browsing in private. The natural response for me would be to then disable private browsing and let google store its “you clicked through our bullshit” cookie to make my life easier — resulting in the exact opposite of the intended effect of the law.
Like I said, neither side is perfect, but using the internet “privately” is actually much easier outside of the EU vs in it. To me, that means we need to yell at the legislature. Opinions may very.
I have forgotten the recent example, but there are sites that don't have a banner at all because they don't track users and others that see the Do-Not-Track header and replace the banner with a discreet acknowledgement.
Good point, a reasonable response to the who debacle would be to get the legislature to mandate that a HTTP headset similar to do-not-track must be configurable on a browser basis and all requests that hold it must be seamlessly executed as if the user had pressed the “do not agree” button previously.
The question who is not breaking EU rules?
The funny thing, when there is penalty let's say $100M, all these funds going to the government to spend more for another regulations. Never ending loop. User doesn't receive anything.
The EU’s own website has the same banner message asking for analytic cookies, it’s just a poorly designed and executed regulation like many in the EU revolving around tech.
Longest period of peace in Europe seems like a pretty big achievement, even if many of us don't even know what it's like to live through wars in Europe. On a smaller scale, having a single currency, no roaming fees, traveling and working everywhere without worrying about tourist or a working Viswa is pretty big too.
Easy to forget about many of these things as we just take these as a given baseline.
>Regnier reportedly went on to say that the commission has asked the EU’s 27 national governments to look for “any trace of Bluesky” like EU-based offices. The regulator hasn’t reached out to Bluesky directly, yet, The Financial Times writes.
>But since Bluesky isn’t yet big enough to be considered a “very large online platform” under the DSA, the regulator says it can’t regulate Bluesky the way it does X or Threads.
So it sounds like they are 'breaking' rules that don't even yet apply to them?
https://www.reuters.com/technology/eu-says-bluesky-is-violat...
This is the original article (linked from The Verge one) and is much clearer:
> Bluesky, the rapidly growing social media platform, is violating EU regulations by failing to disclose important details, a European Commission spokesperson told reporters during a daily briefing on Monday.
> “All platforms in the EU even the smallest ones which are below the threshold, which is the case for Bluesky, have to have a dedicated page on their website where it says how many user numbers they have in the EU and where they are legally established. This is not the case for Bluesky as of today,” the spokesperson said.
These days I think everyone's breaking some rule in the EU
By design, I suspect, so they can prosecute those who they don't like (but not their "friends")
Can you elaborate? Have they in the past used this to "prosecute those who they don't like"?
I'm not saying this doesn't happen, but I also think it's genuinely difficult to write policies that apply to technical systems that don't exist at the time of writing and which are also clear enough that regulators, courts, and the relevant parties within tech companies all understand what they mean, what they imply about technical systems, etc.
With respect to much older law, e.g. copyright, I think we still haven't fully interpreted what constitutes "copying" or "distributing" in a digital context.
With respect to data privacy, though I was part of a team that was responsible for ensuring my company met GDPR obligations, it's still not clear to me what really constitutes deletion or erasure for these purposes. What if my DB doesn't delete stuff on disk immediately but marks some records with an in-memory tombstone, so normal DB queries will no longer return the record but files containing the record do still exist? Am I obliged to delete all DB backups when any individual exercises their deletion rights? If my datalake uses columnar files that record events (e.g. clickstream data) from many users, every time any user exercises their deletion rights, do I have to re-write all the files that included any event from them? To find all files containing a user efficiently, I'd probably need to start indexing by user, which if anything puts my team on the path to using user-specific data more intensively going forward. Or is it sufficient to mark their ID in a "forgotten" file and ensure that datalake results do not include information from their records, though the records are in principle still readable? If you didn't have a good systems/data engineer participating in the drafting of the policy, it's easy for a regulator to just write "delete" without thinking through what the actual definition should be, and what the implications are.
Do you have any evidence to offer for that claim, other than a personal suspicion?
Hey, regulations are among our key export articles. Do not be so dismissive.
> But since Bluesky isn’t yet big enough to be considered a “very large online platform” under the DSA, the regulator says it can’t regulate Bluesky the way it does X or Threads.
So are they breaking the law or aren't they? Sounds like they aren't but the EU wants to be on their back anyway.
I thought the article was pretty clear: they are breaking rules (not laws, FWIW) but are not yet big enough for the EU to do anything about it. At their current growth trajectory they will soon. The EU statement seems to just be an anticipation of the inevitable.
> Sounds like they aren't but the EU wants to be on their back anyway.
> The regulator hasn’t reached out to Bluesky directly, yet, The Financial Times writes.
I think no on is on anyones back, they just follow standard procedure more or less.
There is a new "growing" platforms which might be affected by such regulations and they just want to make sure what their state is and under which legal aspects they operate (e.g. if they have any EU offices onto which they should base official communication).
The things pointed out by the article are also non issues:
- a missing statistic about EU users which you need once you have a certain size but practically kinda should have before _to show you have not quite yet that size_. But that is somewhat of a nothing burger, you add it when needed and as long as there is no reason to believe you acted with malicious intend it's unlikely to involve any penalties.
- regulation related to moderation, non issue as Bsky enforces their AGB and that already fulfills more or less all moderation requirements (maybe not some increased reporting requirements for larger companies, but like said they don't count as such yet)
So IMHO a nothing burger.
My guess is various news paper made "official" information/press requests to some EU institutes asking if Bsky complies with this or that and stuff like that and then created a issue from atm. more or less nothing. Wonder if it was with malicious intend.
I suspect this fulfills three objectives:
1. It puts Bluesky on notice that they need to watch their numbers
2. It preempts accusations of unfair application of the rules
3. It reminds Blusky that if they trade internationally they need to "do as Romans do".
> 1. It puts Bluesky on notice that they need to watch their numbers
can't be as they haven't reached out to Bluesky, can't put someone on notice without communicating with them
this articles seems to be based on newpapers doing "press requests" not any EU institution initiating actions, some parts can outright be read as "what is Bsky, we should find out if it is relevant if we get press requests about it, where is their office again?"
> 2. It preempts accusations of unfair application of the rules
I'm not sure where such accusations should come from. I don't thing any related EU regulatory organizations care about what people in the US thing about supposedly unfair treatment of X compared to Bsky.
> 3. It reminds Blusky that if they trade internationally they need to "do as Romans do".
which only makes sense if they communicate with them but the only communication flow seem to have been the Financial Times asking some regulators. So I don't think so.
So… EU regulations are about "protecting users privacy"… but requires you to know how many of your users are EU-based, and publicly report it ?
I don’t know about you, but "country of residence" is the kind of private information but I’d rather not be collected unless good reasons. Requiring to collect it seems rather antithetical to "protecting user privacy".
If you don't collect anything, you don't need to collect the country of residence either.
On the other hand, if you do, you'd better know what local data privacy laws you have to comply with for a given user!
Who cares. Everyone should collectively turn their websites off in the EU, so that they can continue to suffer in mediocrity. The EU doesn’t have to deal with their own laws because they don’t innovate or produce anything.
I get the "Our content is not available in EU" more and more often. 16%-14% of world's GDP and sinking fast.
if I were starting a startup, especially a social one, EU rules are literally the last thing on the earth that I would be caring about.
Come to think of it, I have never and hope to never consider the EU rules ever in my lifetime.
The principle of the EU's rules is treating people's private data with the respect it deserves.
What other expectations of society would your startup ignore?
Yeah, the idea that companies bend over backwards to protect credit card information but not data on the user is mind boggling.
Except when you think of incentives.
So when it comes to data protection, your startups will be user-hostile? Noted.
This is like when a non-atheistic person claims that the only way to be kind, ethical, moral etc is to be religious. They are not mutually exclusive. You can be a good steward of your users' data without imbibing yourself with EU regulation.
Can you elaborate on why you'd have that stance? Genuinely curious
It's a variation on "Premature Optimization Is the Root of All Evil". Focus on what actually matters for your startup. If for some reason some EU regulator actually comes knocking, you're most likely big enough to mean you've created a successful startup.
Then you just say "Sorry!" and you implement what they want.
This is probably different if your company is in the EU, but this is my North American point of view.
It's par for the course with HN libertarian virtue signaling
Wonder how you define "Bluesky" users in the context of ATProto. is it users of the relay? users of bsky provided PDS? users of the bluesky frontend?
number of active registered users
you have a login with bluesky, you register with a email
thats more or less what matters here at the moment
EU regulation has been a disaster for the web.
Only if you are a shady company.
For the rest of the universe, it has been a pretty good deal.
Not the companies that cause the regulation?
It can go both ways. Just because a company has done something that deserves to be regulated does not mean the regulation itself is a good way of accomplishing that. For what it is worth, I think the EU for the most part is doing alright in some places with some severe missteps as far as encryption and privacy goes.
I've honestly been pretty happy with it. It gives developers the ability to push back on shirt practices with "do you want to lose access to the European market?" Having that in the tool belt is very handy
Counter-point: as a programmer and data engineering working with large and small companies, GDPR has been of massive help to me, as the clients have now the concepts coined and I can back my stances with legal texts when it comes to protecting people data.
Cookie dialogs are a medium-size meh.
Browser choice vs Microsoft were a big win.
GDPR is a big win.
I'd say it's 20:1
>Browser choice vs Microsoft were a big win.
that's the US DoJ, not EU
https://en.wikipedia.org/wiki/BrowserChoice.eu
Not really. The methods companies use to skirt around the EU regulation has been the actual disaster. Case in point: The EU never mandated the cookie popups that proliferate the web. They simply passed common sense regulation about user tracking. But there's too much money to be made tracking your every move on the internet, so along came the popups that convince you to allow yourself to be tracked. Every time I see one I'm reminded of how relentlessly exploitative the modern web is, not how mistaken the EU are.
I'd say those are unintended consequences and should have been taken into account. The effective result of the regulation appears to be just to have added annoying popups and close to zero change in company behavior.
> and close to zero change in company behavior.
You have third party data brokers in the US which has everyone's data and sells it to anyone, you don't have that in the EU. I'd say that is a pretty big change.
There’s an open question of who is to blame when poorly written legislation causes companies (with fiduciary responsibility to their shareholders) find ways to follow the letter of the law but not the intent and create end results that are worse for the public.
The American perspective tends to be that if millions of users are suffering because thousands of companies are interpreting the laws created by a single legislature, we should tell that one legislature to fix their shit. (Note: not that they actually do fix their shit, but that’s who we yell at)
The European perspective tends to be that the thousands of companies should each be individually yelled at to fix their shit (Note: not that they actually do fix their shit, but that’s who they yell at)
Neither way is all that effective tbh. But looking at the end results, I must say I prefer using the internet outside of the EU. I always use private browsing, and the implementation of EU rules when browsing the web in Europe makes this an absolutely insufferable experience. Pages and pages of legalese I have to click through to access a single google result - when guess what, none of that applies because I’m browsing in private. The natural response for me would be to then disable private browsing and let google store its “you clicked through our bullshit” cookie to make my life easier — resulting in the exact opposite of the intended effect of the law.
Like I said, neither side is perfect, but using the internet “privately” is actually much easier outside of the EU vs in it. To me, that means we need to yell at the legislature. Opinions may very.
I have forgotten the recent example, but there are sites that don't have a banner at all because they don't track users and others that see the Do-Not-Track header and replace the banner with a discreet acknowledgement.
Good point, a reasonable response to the who debacle would be to get the legislature to mandate that a HTTP headset similar to do-not-track must be configurable on a browser basis and all requests that hold it must be seamlessly executed as if the user had pressed the “do not agree” button previously.
The question who is not breaking EU rules? The funny thing, when there is penalty let's say $100M, all these funds going to the government to spend more for another regulations. Never ending loop. User doesn't receive anything.
They just have to fine every tech company lol
EU's greatest contribution to technology has been that annoying pop-up on every website.
No permission is required for cookies that are needed to make a website work.
Cookie dialogs are solely the contribution of those who want to keep tracking you but aren't allowed to do so without your consent.
The EU’s own website has the same banner message asking for analytic cookies, it’s just a poorly designed and executed regulation like many in the EU revolving around tech.
Often repeated, always wrong.
In your estimation what is the EU’s greatest contribution?
Longest period of peace in Europe seems like a pretty big achievement, even if many of us don't even know what it's like to live through wars in Europe. On a smaller scale, having a single currency, no roaming fees, traveling and working everywhere without worrying about tourist or a working Viswa is pretty big too.
Easy to forget about many of these things as we just take these as a given baseline.
https://european-union.europa.eu/achievements_en
It was implied through GP that the topic was “greatest contribution to technology”
Yep it’s been great to see the sites that try and track me vs them just doing it without me knowing.
Those are put there by the websites, not the EU.
They are put there by websites in reaction to the poorly thought out and executed EU regulations, which is par for the course for the EU.
The official EU website has the same popup asking about required or optional (read: tracking) cookies that every website does.
Clearly this isn’t the websites fault if the EU’s own website is displaying the same pointless banner to comply with their poorly executed regulation.
>Regnier reportedly went on to say that the commission has asked the EU’s 27 national governments to look for “any trace of Bluesky” like EU-based offices. The regulator hasn’t reached out to Bluesky directly, yet, The Financial Times writes.
Really?
Tl:dr; they are missing a EU-user counter and a reference to an EU office
>But since Bluesky isn’t yet big enough to be considered a “very large online platform” under the DSA, the regulator says it can’t regulate Bluesky the way it does X or Threads.
So it sounds like they are 'breaking' rules that don't even yet apply to them?
Yeah, this feels like a non-story.
But this gives us an excuse to moan about cookie banners, so up to the front page it goes
This stats link Verge found is nice: https://bsky.jazco.dev/stats
Do EU based bots count?
That'll be 5 trillion dollars per cookie, please