
The counterargument to this is that you are knowingly using a piece of software that has, and has always had, the default behaviour of autoloading remote resource links it finds in HTML.

This ruling could easily get overturned.



> you are knowingly using a piece of software that has, and has always had, the default behaviour of autoloading remote resource links it finds in HTML

Actually, most people don’t actually know that. And why would they? Why should they get bogged down in such technical minutiae? Why require users to play tedious uBlock whack-a-mole of enabling resources from external domains until the website starts working in order to have any semblance of privacy?

Just because something is common doesn’t make it right.


The vast majority of people don't know what the last half of your message means. They cannot, and should not, be expected to make fully informed decisions. Industry (as always) has demonstrated they're not interested in educating or helping the user in any way about this. So they need to be regulated.


By the same token, if you run a binary executable, you are knowingly using a piece of software that has, and has always had, the default behavior of autoloading any dynamic libraries, running any unprivileged machine instructions, making any unprivileged system calls, and having access to all the appropriately mapped memory it might find or obtain.

So you could conclude that my program can do whatever it wants within those constraints, and it's your problem as a user if it does something you don't like.

But I don't think it is fair to expect normal people to analyze a program for malicious behavior before running it. And I don't see how it is relevant whether that program is a compiled binary or a spaghetti blob of HTML, CSS, JavaScript, and WebAssembly. Also it is not clear that such analysis is permitted by the draconian copyright laws.


> you are knowingly using a piece of software that has, and has always had, the default behaviour of autoloading remote resource links it finds in HTML

Am I? Maybe I am, because I have worked as a web developer, but most people don't really have this knowledge.

And even if they suddenly start having the knowledge, what is their choice? Stop using the web for good?


The point of GDPR is to bring the responsibility back into the provider’s side.

Instead of blaming the user for not having technical means and personal rules to apply privacy best practices, the site creator has to offer options to review the situation _before_ letting loose all the trackers and third party carnival.

And it makes sense to me. If tomorrow a site decides to get their favicon from Microsoft's new marketing service, it would be unreasonable to expect the users to know to block that.


Could be but I would not expect it.

If the user visits foo.de they obviously expect that some data is transmitted to foo.de.

They also might know that companies use service providers and therefore necessary data might be shared with 3rd party companies (which is fine according to the GDPR).

However the user can also expect that a) foo.de minimizes data transmissions and b) 3rd parties conform to the GDPR rules (which Google can't).

If the user is logged in to Google (e.g. for Gmail) Google would be able to connect the user with foo.de with a high likelihood. This in turn might expose the user's behaviour to automatic analysis by foreign government agencies without any legal oversight (since the user most likely isn't a US citizen).



