...and so it begins... <popcorn>
Max Schrems is back: Facebook, Google hit with GDPR complaint
Max Schrems, the thorn in Facebook’s side, has returned to launch the first challenges under the EU’s new data protection laws. The complaints, filed on the day Europe's General Data Protection Regulation (GDPR) comes into force, take aim at what he describes as Google and Facebook’s “forced consent”. Under the GDPR, when …
COMMENTS
Friday 25th May 2018 17:41 GMT Anonymous Coward
One interesting move would be for Google and Facebook to withdraw access for all users subject to GDPR.
The public outcry would be so vehement the only way a government that continued supporting GDPR could survive for more than 24 hours would be if the protestors couldn't use Facebook and Google to press home their grievance......
-
Saturday 26th May 2018 12:31 GMT Anonymous Coward
One interesting move would be for Google and Facebook to withdraw access for all users subject to GDPR. The public outcry would be so vehement the only way a government that continued supporting GDPR could survive for more than 24 hours would be if the protestors couldn't use Facebook and Google to press home their grievance......
Could be, but how would the Americans then get their intelligence on Europe*? The UK is about to step out, and ECHELON is becoming less and less relevant with the advance of secure message apps that carry voice. I rather think that Google will cough up whatever fine gets lobbed at them, and then knock on the door of the NSA for a nice chunk of the gazillions annually sunk into the US espionage engine - after all, they're one of the major data providers.
But it's nice to be proven right :).
* Well, OK, apart from Google Home and Amazon Alexa intercept - if you didn't see that one coming you must be new here :)
-
Monday 28th May 2018 20:00 GMT Anonymous Coward
Not quite so fast....
Yes we are a net contributor to the EU, but as with most businesses you have to look carefully at what you get back, because with EU membership we don't get charged for some things, e.g. border taxes and crossings, as well as intangibles such as consistent and standardised regulations, so if you are a manufacturer and distributor of, say chemicals, then you know that your business doesn't have to worry about a different regulatory regime for different countries.
As we have been in the EU for so long, people have forgotten what non-frictionless trading is like, we forget about the paperwork and the lorries held up in customs because some plonker back at head office has not done the right form. HMRC hasn't forgotten and is talking about £20B per year of additional costs due to borders.
Now I know that the swivel eyed loonies exiteers think that this is nonsense, but if it comes to trusting the head of HMRC over Gove (no time for experts), Johnson (somebody who would sell his children for high office) or Rees-Mogg (who is still living sometime in the last century) I know who I would trust. Even if the HMRC estimates are 50% too high, that's still £10BN there.
So all this talk of £350M/week or £163M/week to the EU that we can claw back is simply pie in the sky.
The arguments of the Brexiteers remind me of the Climate Change Deniers, they find a single fact to hold onto and worry it to death. There's not a single credible piece of analysis that says we will be better off outside of the EU. Note the word credible, a pile of right wing junk from the ERA is not credible.
I have a feeling that this govt will fall before the end of the year and then all bets are off, mind you Corbyn distrusts the EU more than Gove does, but he might be a little more pragmatic and shouldn't be in the pocket of the NI Taliban, aka the DUP.
-
Monday 28th May 2018 23:19 GMT Alan Brown
Re: Not quite so fast....
"The arguments of the Brexiteers remind me of the Climate Change Deniers, they find a single fact to hold onto and worry it to death. "
The climate change deniers are so loud and have so much political clout that they've forced pretty much all climate change estimates to be extremely conservative.
The reality of climate change is looking to be far _far_ worse than science has been predicting since the naysayers started their campaigns and virtually exactly on track of the near-worst case scenarios put forward in the 1990s before the vested interests started funding the naysayers to shout the science down.
Sea level rise is the least of the worries in things to come. Ocean food chain collapse and reduction in oxygen levels are likely to happen sooner.
-
Tuesday 29th May 2018 04:08 GMT Cederic
Re: Not quite so fast....
people have forgotten what non-frictionless trading is like, we forget about the paperwork
That's weird. You mean the UK doesn't trade outside of the EU at the moment?
I must be getting old, I could have sworn we have global trading relationships. Maybe the new EU one could work like the ones we have with China, or America, or Canada, or Australia, or Papua New Guinea.
There's not a single credible piece of analysis that says we will be better off outside of the EU.
What makes you think I care about whether we're better off? The economy wasn't the primary factor in my preference to leave the EU.
-
Tuesday 29th May 2018 13:13 GMT tiggity
Re: Not quite so fast....
@ Cederic "What makes you think I care about whether we're better off? The economy wasn't the primary factor in my preference to leave the EU."
Makes a refreshing change from the usual person who voted brexit for racist reasons but claimed it was for economy reasons
-
Tuesday 29th May 2018 13:45 GMT Alan Brown
Re: Not quite so fast....
"You mean the UK doesn't trade outside of the EU at the moment?"
1: Not markets that can be accessed via lorry
2: Have you had to deal with customs delays due to paperwork when your goods are on the docks? The parking fee structures for containers ensure it gets very expensive very quickly, so there's strong incentive to get it right before the ship arrives.
-
Wednesday 30th May 2018 15:25 GMT Anonymous Coward
Re: Not quite so fast....
"Yes we are a net contributor to the EU"
So as stated, it costs us £160 million a week net in cash terms. The Brexit bus rather misleadingly said that "we send Brussels £350M a week" which is true, but rather naughtily didn't mention that we get about £190M a week back in net benefits.
"As with most businesses you have to look carefully at what you get back, because with EU membership we don't get charged for some things, e.g. border taxes and crossings, as well as intangibles such as consistent and standardised regulations, so if you are a manufacturer and distributor of, say chemicals, then you know that your business doesn't have to worry about a different regulatory regime for different countries."
We will be free to negotiate similar agreements with the rest of the planet. And we can retain / adopt regulations that make sense and ditch those that have a greater cost than benefit to us.
-
Friday 25th May 2018 12:44 GMT Voland's right hand
he is missing the lowest hanging fruit
F**book and G00G still have 13 years cut-n-paste from COPPA in their T&Cs.
That is invalid in Europe. A minor cannot consent to their data being processed without written parental consent of at least one parent, usually both parents/guardians until they have reached the age of full legal responsibility - between 16 and 18 depending on which country.
He should add that one too. Just for laughs if not for any other reasons. If he does not have a suitable offspring to file the complaint, I am sure the el-reg readership can give their kids some interesting ideas who to talk to on this one.
-
Friday 25th May 2018 16:38 GMT israel_hands
Re: he is missing the lowest hanging fruit
I'm planning on hitting Whatsapp and Facebook myself for shadow profiles. I've never used their services but I know they've slurped my e-mail address and other details from my other half's phone (she uses Whatsapp unfortunately) and friends' Facebook accounts.
So I'm going to ask them to delete my data. And then refuse to provide any identifying data (because what would be the point of providing them data I explicitly don't want them to have?). Then asking them to just delete all data they don't have explicit opt-in consent to hold, on the grounds that my data will be in there somewhere and that's the only way to ensure that they successfully delete it without being able to personally identify me.
I'm strongly considering investing in metaphorical popcorn futures. Seems like a booming market.
-
Friday 25th May 2018 17:07 GMT Ken Hagan
Re: he is missing the lowest hanging fruit
"So I'm going to ask them to delete my data. And then refuse to provide any identifying data (because what would be the point of providing them data I explicitly don't want them to have?). "
Dear israel_hands,
We have deleted all our data on you. (This email was generated before we did that, sent on successful completion of the task, and has not been copied to our "Sent" folder.)
Obviously there is no way for us or you to prove that this is the case, because all the evidence is gone, but we've done it. Happy?
Love, Facebook.
-
Monday 28th May 2018 23:30 GMT Alan Brown
Re: he is missing the lowest hanging fruit
"Exactly! If a user does not want his data stored, how do you ensure that???"
Easy: Under GDPR you only store the data of those who have given explicit consent for their data to be stored.
Consent is not fungible (meaning someone else cannot consent on your behalf), so all of those contract terms in the T&C where "you confirm you have permission to share someone else's details" have zero legal validity.
The next step along the GDPR path will be for someone to challenge those clauses and attempt to get the T&C declared void.
-
Saturday 26th May 2018 02:29 GMT jdoe.700101
Re: he is missing the lowest hanging fruit
He may also wish to ask WhatsApp why they are not enforcing their terms and services. Because I suspect that the majority of their users are in violation of the following:
Address Book. You provide us the phone numbers of WhatsApp users and your other contacts in your mobile phone address book on a regular basis. You confirm you are authorized to provide us such numbers to allow us to provide our Services.
-
Friday 25th May 2018 14:39 GMT Bob Magoo
Re: he is missing the lowest hanging fruit
There is a digital age of consent provided for in the GDPR which has nothing to do with the age of full legal maturity as you put it. It is up to each country to set their own age of consent, between 13 & 16, but it's 16 by default.
They are mapped out here - https://www.betterinternetforkids.eu/web/portal/practice/awareness/detail?articleId=3017751
-
Friday 25th May 2018 15:52 GMT Voland's right hand
Re: he is missing the lowest hanging fruit
There is a digital age of consent provided for in the GDPR
Thanks for pointing it out - I overlooked it when scanning through GDPR a while back.
However, this makes things even more interesting. Prior to GDPR it was the legal major age which is 16-18 in most countries so there is a good case for historic enforcement.
With GDPR setting it to 16 unless specifically lowered, the cut-n-paste from COPPA in USAsian company terms is still illegal everywhere except Estonia which is the only one to both go for 13 years and actually enact them.
-
Friday 25th May 2018 12:50 GMT Anonymous Coward
This will go nowhere in court...
Because nobody is forcing you to use these services...
If you don't agree to their terms and conditions then don't use them...
If you DO want to use them then part of the deal is that you have to agree to their terms...
This guy seems to want his cake and eat it too !
-
Friday 25th May 2018 19:54 GMT Anonymous Coward
'The only sort-a optional is Facebook.'
Even if Facebook was optional don't forget the deeply unhealthy ties to WhatsApp. In Latam for example, it's used universally in Govt, Commercial firms, plus schools and education / colleges.
Anything you can think of, all the way up to exchanging patient records between Doctors / Clinics / Hospitals etc. With both WhatsApp founders now ousted, it's Game-On - 'Slurp-Time'...
-
Friday 25th May 2018 12:55 GMT Remy Redert
Re: This will go nowhere in court...
And under GDPR, making that consent to process PI for reasons other than providing the service itself mandatory to use the service is specifically on the shitlist. Facebook has consent to process data required for the service itself by your use of the service, but to process data for any other purpose they have to get informed consent and it has to be possible to use Facebook without giving consent.
The same for Google, Whatsapp, etc.
-
Friday 25th May 2018 13:00 GMT Voland's right hand
Re: This will go nowhere in court...
Because nobody is forcing you to use these services...
1. My kids have to use both Google and Office 365 in school. No account - no ability to do and submit homework or sit an exam (if a computer is required).
2. 30-40% of SMEs around Europe have moved to either Google or Office 365 too.
The only sort-a optional is Facebook. Google unfortunately is not.
-
Saturday 26th May 2018 08:31 GMT Nick Kew
Re: This will go nowhere in court...
My kids have to use both Google and Office 365 in school.
Then they should use entirely a school-provided facility for access (VPN for homework), making the school responsible for all PII and for anonymising access. If the school requires access to a service, they should be responsible for providing it in a legal manner.
30-40% of SMEs around Europe have moved to either Google or Office 365 too.
Then those SMEs need to do the same. Or pay for a premium service. Hmm, I wonder if the provision of just such a premium service might be a business opportunity?
-
Friday 25th May 2018 13:01 GMT Anonymous Coward
Re: This will go nowhere in court...
"Because nobody is forcing you to use these services"
Now that there are a billion or so people using the Facebook platform, and more and more businesses are providing info/services inside the walled garden, 'choice' of whether or not to use the services is less free than it once was.
-
Saturday 26th May 2018 01:55 GMT Anonymous Coward
Re: This will go nowhere in court...
"Because nobody is forcing you to use these services"
Applying for a new UK passport online in 2016 did force me to use Google's Captcha service and there was no way around that short of travelling to the UK and applying in person.
There was a link to "Google's Terms and Conditions" but it only applied to those with a Google account. As such, I deemed that any box accepting their apparently non-existent T&Cs I might have ticked was illegal.
Certainly so under the new rules.
-
Saturday 26th May 2018 06:38 GMT Chris Fox
Google Captchas = slavery
Those pervasive and invasive Google Captchas are even more annoying when you realise that you are providing Google with unpaid labour and intellectual property. Websites and CDNs that use them are essentially compelling users to supply Google with training data for their image classifiers, while also implicitly "consenting" to them using your personal data, both for corporate profit. There should be a law against such indentured servitude... for some reason Article 4 of the Universal Declaration of Human Rights springs to mind. There is more to all this than just the GDPR. How about some enforcement?
-
Saturday 26th May 2018 08:42 GMT Nick Kew
Re: This will go nowhere in court...
Now that there are a billion or so people using the Facebook platform, and more and more businesses are providing info/services inside the walled garden, 'choice' of whether or not to use the services is less free than it once was.
Up to a point, Lord Copper.
I've always resisted facebook. Not because of privacy concerns, but because I have ethical issues with their Enclosure of the Commons. I have come under pressure to join over the years, but it's never been harder to resist than some of the other social pressures, like knowing enough about celebrities (e.g. footballers, pop stars) to follow a mindnumbingly boring conversation on the latest telly nonsense.
-
Tuesday 29th May 2018 13:49 GMT Alan Brown
Re: This will go nowhere in court...
" but because I have ethical issues with their Enclosure of the Commons"
One example of this which is starting to show up is where communities moved to Facebook from various sites because it was easier to use. The coordinators of those communities are starting to find that FB is demanding they pay a fee to access the audience (their community).
TANSTAAFL
-
Friday 25th May 2018 13:04 GMT Jon 37
Re: This will go nowhere in court...
That's wrong. There have always been some things that can't legally be put in terms & conditions.
E.g. under long-standing UK law, a shop can't usually say "I'm selling you this stuff, but you have to agree there are no refunds, and if you don't agree then you can't buy it". That's because all consumers have the legal right to a refund if the product is not "of merchantable quality" or not "fit for purpose" or not "as described". If a shop tried that, and the product was faulty, the shop could still be sued for a refund and the shop would lose in court. The consumer's "agreement" not to get a refund was illegal and will not help the shop in court - in fact the shop may get punished for that illegal practice.
GDPR says that consumers can't be compelled to consent to unrelated uses of their data. So any consent purportedly gathered that way is invalid, and they can be sued for using the data without consent.
-
Friday 25th May 2018 13:41 GMT Anonymous Coward
Re: This will go nowhere in court...
"in fact the shop may get punished for that illegal practice."
Given that it's explicitly an offence under The Consumer Protection from Unfair Trading Regulations 2008, they stand to be prosecuted simply for saying it (assuming the relevant enforcement authority actually has any money).
-
Monday 28th May 2018 13:16 GMT bombastic bob
Re: This will go nowhere in court...
actually, offering services using illegal policies is, by definition, illegal as well.
If Google and Faece-b[itch,ook] want to offer these services to people in the EU, then they must abide by EU laws and regulations. That's pretty much an international agreement, as far as I understand it.
And what I'd like to see is a *BIT* more privacy protection everywhere else BESIDES the EU, too. A "global opt out" might be a good start.
I suspect this 'MYOB' charity is a bit like "EFF meets the ACLU"
-
Monday 28th May 2018 23:34 GMT Alan Brown
Re: This will go nowhere in court...
"Because nobody is forcing you to use these services..."
Even if I don't use these services, they've been busy hoovering up data on/about me.
Which by definition is without consent, unnecessary for the operation of the service, etc and then to compound the damage, that data is then sold to advertisers.
I've served DPA section 11 notices on a number of advertising companies, but it's clear that they're still gathering data on me for targeting purposes. When the sharks get amongst this school of goldfish it's going to be "interesting"
-
Friday 25th May 2018 13:42 GMT Anonymous Coward
that isn’t free choice
while I generally agree that google and pals are evil and should be (...), I don't see why they shouldn't engage in exchange of FREE!!! services for user data. I mean, there is no law that the only way to trade is by means of currencies, no? If you want to whore away your data, etc., you should be able to do so. I mean, it's not pretty, but it's the same as consensual sex. Sex services.
...
oh, I see. Yeah, well, I hope I'm not getting logged for ILLEGAL SOLICITING OF SEX... :/
p.s. ARE CAPS ILLEGAL YET?!
-
Friday 25th May 2018 15:02 GMT Killfalcon
Re: that isn’t free choice
That's the core problem here, really.
Google makes money by processing your PII in ways that the GDPR says it needs consent for.
If Google can't make money, the service will fail.
Therefore, one of the two things must follow:
1) Google's business model doesn't work under the EU regulatory environment [akin to "no, you can't write mortgages to people you know cannot afford it", or at the extreme "no, you can't break people's legs for not repaying their loans"]
2) Google processing of your PII to provide adverts etc *is* essential, and thus doesn't need consent anyway.
Google clearly don't actually agree with option 2, as they requested permission. So it falls back to option 1 - the law says that Google can't rely on people giving up all their data to access their services. They may need to find alternate revenue streams, or provide additional benefits to make the service itself more valuable, such that people willingly turn the trackers back on.
I mean, in all seriousness, if Google managed to block malverts reliably, and ensured they only display adverts that run well on the hardware I'm using, I'd feel a damn sight more indebted to them than I do right now, hunkered behind a wall of script blocking tools because the industry they control is incapable of basic QC, let alone cleaning up its own messes.
-
Saturday 26th May 2018 17:01 GMT John Brown (no body)
Re: that isn’t free choice
"Google's business model doesn't require slurping to fling adverts."
Exactly that. But targeted ads pay more, so it hits them in the wallet. This means they either suck it up or find a better/different business model or go back to the lower incomes of random or contextual adverts.
-
Friday 25th May 2018 15:45 GMT Voland's right hand
Re: that isn’t free choice
Google processing of your PII to provide adverts etc *is* essential
Clearly not. You can and should provide advertisements based on the context which is being viewed. It can and should provide adverts based on that. Same as it did before Doubleclick acquired it.
-
Friday 25th May 2018 17:12 GMT Orv
Re: that isn’t free choice
The business problem here is companies will pay extra to micro-target ads to, say, male 28-35 year olds with college degrees who make between $80,000 and $120,000/year and own a dog. They believe, often without evidence, that this will result in more effective ads than just scattershot context advertising.
-
Saturday 26th May 2018 06:00 GMT Jamie Jones
Re: that isn’t free choice
The business problem here is companies will pay extra to micro-target ads to, say, male 28-35 year olds with college degrees who make between $80,000 and $120,000/year and own a dog. They believe, often without evidence, that this will result in more effective ads than just scattershot context advertising.
From: https://gdpr-info.eu/recitals/no-26/:
Recital 26 Not applicable to anonymous data*
(1) The principles of data protection should apply to any information concerning an identified or identifiable natural person. (2) Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. (3) To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.......
.......(6) This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.
* This title is an unofficial description.
(More...)
But anyway, even if this wasn't the case, I'd say TOUGH!.
I'm sure the TV advertisers would like more information on their audience.. It doesn't mean if it was practical to do so, they could send people to spy through our curtains.
-
Monday 28th May 2018 23:43 GMT Alan Brown
Re: that isn’t free choice
"It can and should provide adverts based on that. Same as it did before Doubleclick acquired it."
What you're forgetting is that Doubleclick was the poison pill that acquired Google.
If you don't understand what that means:
Doubleclick was on the verge of bankruptcy and one of the most hated companies on the Internet when Google acquired them. In the time since that happened, Doubleclick's CEOs have become Google's CEOs and Google's policies have become closely allied to Doubleclick's reviled policies.
-
Saturday 26th May 2018 08:39 GMT Mage
Re: processing of your PII to provide adverts etc *is* essential
I doubt it. Do personalised adverts really work better? Trying to sell you stuff you just bought?
They make money from Advertising. Make them do it the same as TV, Radio, newspapers, magazines, buses and billboards.
I think it's just a marketing scam perpetrated on the companies they sell advert space to.
Also Adverts should have NO scripts, only a static image and a regular link.
-
Monday 28th May 2018 23:48 GMT Alan Brown
Re: processing of your PII to provide adverts etc *is* essential
"Do personalised adverts really work better? Trying to sell you stuff you just bought?"
The kind of mentality that tries to sell you another car or washing machine misses the point that you'll need washing powder and tyres.
Companies selling this stuff know that. The problem is that they have to go via marketing/advertising outfits who universally seem to be full of pushy twats with low IQs and poor reasoning skills, aided and abetted by marketing departments in the abovementioned companies full of the same kinds of people.
-
Friday 25th May 2018 13:58 GMT demonwarcat
Having both Facebook and Twitter accounts my layman's impression is that Facebook's new privacy controls do not meet the requirements of GDPR and Twitter's do. Though I would have preferred that Twitter giving me a 3rd party processing yes / no option I would have liked the option to choose who could and couldn't. Since the option was all or nothing I naturally chose nothing. I wait to see Facebook's next attempt to get valid consent.
-
Saturday 26th May 2018 08:20 GMT Mr Han
Re: A Living Legend
I tried to send him a 6-pack of San Miguel but WHOIS came up blank, Facebook too. I can't seem to find his email address either.
The man must be paranoid or something. It's as if he can't deal with a little SPAM, targeted advertising, hidden trackers, invasions of privacy, identity theft, mass data collection and sharing, impossible to find opt-outs, almost non-existent opt-ins, and a general 'couldn't don't give a toss about your privacy' attitude.
I will have to drink it myself by way of celebration.
-
Friday 25th May 2018 15:34 GMT nematoad
Re: I sincerely hope...
"I wonder if the eventual outcome will be a paid-for (with money) service?"
That would indeed be interesting. Then, perhaps, we will see just how much people value the services provided by Facebook for "free" as opposed to the punter having to pay real money to use FB's stuff. Another benefit would be that the user would become a customer and not the product.
Interesting times!
-
Monday 28th May 2018 23:52 GMT Alan Brown
Re: I sincerely hope...
" we will see just how much people value the services provided by Facebook for "free""
I block FB's tracking cookies and their tracking shit on other sites. Just about everything I post on their site is simply reposts intended to gum up their tracking and I use FB purity to block all adverts when on FB.
If everyone did the same thing, they'd have a hard job selling anything.
There are two ways of responding to the slurpers - one is to try and hide from them, but if it's impossible to do so, then choke the bastards with a never ending stream of irrelevant content.
-
Friday 25th May 2018 16:09 GMT Donchik
How can just a new privacy policy be compliant
I'm fascinated by the steady stream of GDPR emails rolling through my inbox.
A lot appear to have done the right thing, and are asking for us, the data providers, to provide a clear permission through links to preference pages on their sites. No problem as I'm happy to tell them what I'd like them to do with their service and my data etc.
Many just like Facebook, Google, and many smaller fry have simply sent an email advising that GDPR has caused them to revise their privacy policy, and provide a link to this. Several have even said continued use of our service constitutes acceptance of these new privacy rules! I think we all know this is not legal in the eyes of GDPR.
I understand some confusion, but this is being deliberately obtuse and I hope the ICOs in all these countries crack down across the board. Consent must mean consent (I know I hate the Brexit analogy).
-
Friday 25th May 2018 18:06 GMT Yet Another Anonymous coward
Re: How can just a new privacy policy be compliant
Anyone else feel this plays straight into Facebook / google's hands ?
Like big car companies demanding ever stricter safety regs that only their newest cars meet.
Like everyone else I have got a bunch of emails from everyone I have dealt with asking for permission to keep contacting me. Like everyone else I ignored them.
But vital social media services I use everyday (ie el'reg) I am going to agree to their terms - so soon only those must-use-everyday services are going to have permission to contact me and so will control 100% of online advertising.
-
Monday 28th May 2018 23:56 GMT Alan Brown
Re: How can just a new privacy policy be compliant
"Like everyone else I have got a bunch of emails from everyone I have dealt with asking for permission to keep contacting me. "
If you signed into a mailing list, then you already gave permission and they can carry on.
The ones asking for permission to keep contacting are admitting they weren't holding your permission and have been breaching the ASA's rules for the last decade. This time the law has teeth and they're worried.
-
Saturday 26th May 2018 05:20 GMT diadomraz
Re: How can just a new privacy policy be compliant
The thing is most services do not need your consent if they are using your data for legitimate purposes. For example an online store needs your address and is allowed to share it with a delivery company in order to ship you the goods you have ordered.
If they do not plan to share it with anybody else and you are able to request that your data is removed after the order is complete, they are GDPR compliant.
-
Saturday 26th May 2018 09:47 GMT Charles 9
Re: How can just a new privacy policy be compliant
But they're not supposed to REMEMBER it, lest the information leak out. Seems every customer in every store going forward will be a stranger: no history or nothing unless they're not customers but clients, implying a different level of relationship.
-
Monday 28th May 2018 23:59 GMT Alan Brown
Re: How can just a new privacy policy be compliant
"But they're not supposed to REMEMBER it, lest the information leak out. "
Yup.
So the store needs to ask permission to remember you for future transactions, BUT it also needs to ask separate permission if they want to send you marketing mail AND a separate set of permission if they want to pass your data to an outsourced marketer.
What they're actually doing is rolling it into a 3-in-1 permission and refusing to deal with you if you don't give them permission to retain your data past the transaction. I can't see this lasting long once regulators catch on.
-
Saturday 26th May 2018 13:44 GMT TheVogon
Re: How can just a new privacy policy be compliant
"If they do not plan to share it with anybody else and you are able to request that your data is removed after the order is complete, they are GDPR compliant"
There is a lot more to GDPR than if they are entitled to the data itself. To be compliant there are many other requirements they must meet.
-
Monday 28th May 2018 23:54 GMT Alan Brown
Re: How can just a new privacy policy be compliant
"I'm fascinated by the steady stream of GDPR emails rolling through my inbox."
I'm fascinated by the fact that just about every entity out there waited until deadline day to attempt to update permissions instead of asking in good time. It's not as if they haven't had 2 years' notice.
Perhaps they were all hoping that it was a bad dream?
-
Friday 25th May 2018 16:14 GMT GrapeBunch
Somebody will give it to us.
That's how it worked from the beginning, isn't it? The initial pale settlers would have starved if the people who were already living there hadn't taken pity on them. That's Thanksgiving. No agri-fortunes would have been made if it weren't for slavery. When that suddenly ended, Jim Crow laws somewhat turned back the clock. When the Injuns and buffalo weren't useful anymore, they were killed and shunted aside. Slavery is still gone, but the whole [illegal] immigrant migrant farmworker thing is a convenient framework for similar results. Even the current crackdown and export of farm workers with crops rotting in the fields, that's a coup by the preëminent agri-businesses to even more completely dominate the market. Once the producers have gone bust or sold for pennies on the dollar, the bigger businesses will move to complete the picture. Unharvested crops, meh, somebody will get to them.
Sometimes others were willing to die, and pay for the privilege. They waited. Someone else would do it.
Intellectual property has a shelf life, but us has cornered the cupboard and altered the labels. Free money.
So, yeah, this is a chapter in an old story.
-
Friday 25th May 2018 16:21 GMT Phil Endecott
Micropayments
Please can someone implement a proper micropayments system for the web so that we can pay for things using money, rather than by exposing our privates?
Seriously, Prestel could do this 40 years ago and WWW still hasn’t caught up. I thought cryptocurrencies might help but apparently they solve a slightly different problem. Conventional-style online payments (credit cards, Paypal) are fine for larger payments but don’t scale down to £0.001 for a web search.
-
Friday 25th May 2018 17:10 GMT Anonymous Coward
Oath Hell too please
Past 3 days, every time I open the browser (Firefox) it nags me to give my consent (or otherwise) before I can go to my homepage (Yahoo).
I deselect all advertising from Oath and its partners and save/OK till I land on my page.
After closing and reopening the browser, back to the same routine. Means it does not save my preferences at all and insists I accept cookies from their advertisers, in which I am least interested.
WTF? Is this what GDPR is supposed to do? Thought it would protect us, instead it's started to nag, accept or else!
-
Saturday 26th May 2018 06:11 GMT Chris Fox
Re: Oath Hell too please ... and worse
"I'm not sure how they would store your preference if they can't store cookies or include any sort of personal identifier."
If you don't have a cookie, e.g. because you block or delete cookies to prevent tracking, and for that reason they cannot link you to any record of consent, then the default assumption should be that you have not consented. To do what Oath, Facebook, Google et al do, and assume you have consented by default, and then require you to jump through hoops, and enable tracking in order to "withdraw" this "consent" that was never given is hardly in the spirit of what is meant by "freely given consent". And in some cases you are not even given an opportunity to withdraw consent for some non-essential-but-profitable uses of your data. Of course changing the defaults to make them comply with the law may have implications for some business models, but that is hardly news.
Other US-centric companies operating in the EU seem to have been very poorly advised, even when compliance should be trivial. Some have "opt-ins" for non-essential sharing with third-parties being written into new, supposedly "GDPR-compliant" contracts, which have to be "agreed" to in order to continue using a service, and terms concerning jurisdiction that seem intended to prevent prosecution under GDPR legislation, despite having a physical presence in the EU. This would have been dodgy even under the pre-GDPR regime.
I'm having to deal with one hosting company that has required me to accept a new contract with terms that allow sharing of personal data with third-party marketing organisations, and "Modal Contract Clauses", in order to continue using an existing UK-based service. The only nod in the general direction of "freely given consent" in this case consists of the opportunity to write to their head office requesting that they do not share personal data with third-party marketing companies. And this for a company for whom GDPR compliance is actually in their interests if they want EU companies to continue using their EU-based hosting services without themselves falling foul of the regulations.
-
Tuesday 29th May 2018 00:04 GMT Alan Brown
Re: Oath Hell too please ... and worse
"I'm having to deal with one hosting company that has required me to accept a new contract with terms that allow sharing of personal data with third-party marketing organisations, and "Modal Contract Clauses", in order to continue using an existing UK-based service. "
Send a heads-up to the ICO.
-
Friday 25th May 2018 17:40 GMT Mephistro
Re: Oath Hell too please (@ AC)
"Past 3 days, every time I open the browser (Firefox) it nags me to give my consent (or otherwise) before I can go to my homepage (Yahoo)"
I've suffered similar symptoms after Firefox upgrades. My workaround is to restart the computer. I guess the certificates store gets messed somehow in the update, perhaps with the help of Ghostery or a similar tool that, for some reason, I never remember to shut down before updating the browser. 8^)
-
Saturday 26th May 2018 06:06 GMT Jamie Jones
Re: Oath Hell too please
WTF? Is this what GDPR is supposed to do? Thought it would protect us, instead it's started to nag, accept or else!
Um no. It's not GDPR doing that.
"That damn law making it a crime to rob... I thought it would protect us, instead it's making people use guns"
(OK, crap analogy, but it's only just gone 7.00am!)
-
Friday 25th May 2018 18:10 GMT Anonymous Coward
Re: I have but ONE wish...
Get a VPN with an exit in Europe and use it to browse the web. As far as Google, Facebook or anyone else knows you are an EU user. You might need a clean install of your OS, to create email accounts from scratch, use an EU based VOIP phone number, etc. to avoid leaking information that would let them know you are an American.
And whatever you do, don't use Android! Apple would know you aren't an EU citizen if you use an iPhone, but since borders of their walled garden are quite clearly defined and far smaller than Google's tentacles reaching across the entire internet, that's an obvious choice - just don't let any of the services you are fooling into thinking you are EU-based have your US based mobile number!
Of course since you wouldn't be a citizen of the EU you wouldn't have any recourse if companies don't obey the GDPR, but if they don't know you aren't an EU citizen they'll be forced to treat you as such.
Wouldn't help with services like Amazon where they need to know your real address so you can receive shipments, but for everything that is exclusively electronic you can maintain your secret identity as a resident of some English speaking locale in the EU. You would want to shop off a separate PC or a VM that doesn't exit via your Euro VPN.
-
Saturday 26th May 2018 14:46 GMT Anonymous Coward
Re: I have but ONE wish...
But if the price to enter that market's too high, they may throw up their hands and just settle for what they've got as "good enough". It's not like accessing the European market is essential to staying in business, is it? Skimming off a lot and squeezing a few dry can be a wash, depending on the circumstances, which is why boutiques can still exist alongside big boxes.
-
Saturday 26th May 2018 18:04 GMT John Brown (no body)
Re: I have but ONE wish...
"It's not like accessing the European market is essential to staying in business, is it?"
Depends on if they are a publicly listed company. As far as the stock market is concerned, it's grow or die. Just making a profit is not enough. It has to be more profits than last year and at least as much more as the analysts predict or the stock price tumbles.
Having said that, most companies don't have much, if any, dealings outside their own borders (I include trade borders such as the EU where the effective border is the EU and EEA rather than simply the national borders).
-
Sunday 27th May 2018 05:04 GMT Danny 14
Re: I have but ONE wish...
Let the US companies (that farm, scrape and ignore your rights to your data) shut down in the EU. An EU one will take its place and export to the US. That way the US can then decide if it wants to use a product that suggests to abusing your data or one that doesn't.
-
Tuesday 29th May 2018 20:31 GMT Charles 9
Re: I have but ONE wish...
"Let the US companies (that farm, scrape and ignore your rights to your data) shut down in the EU. An EU one will take its place and export to the US. That way the US can then decide if it wants to use a product that suggests to abusing your data or one that doesn't."
That probably wouldn't affect a company like Facebook that has the Americas AND Asia in its pocket already (and if you don't believe me, look for Facebook in Asian dumbphones). Their inclusion is their very selling point, and the Americas and Asia combined outpopulate Europe, so they may be willing to wait and see if Facebook-starved Europeans who can't use it to maintain their Facebook-only contacts outside Europe come crawling back or risk walking on the Sun.
Until one of those European companies can convince Asian phone manufacturers to put an app in their dumbphones, I think it's going to be Interesting Times.
-
Saturday 26th May 2018 06:15 GMT Jamie Jones
My address has gone off whois!
I just noticed my name and address has gone off my domains' whois entries for .com, and the address for the .orgs now just say "South Wales".
These results are replicated on domains that were registered with a different company.
Same effect on US owned domains, and with me calling from a US based address.
I hope y'all sold your stock in "domain privacy" companies!
-
Saturday 26th May 2018 08:48 GMT Mage
Re: My address has gone off whois!
Wonderful.
Now how to get all the scammers & spammers (mostly in USA) that scraped that and are sending me "offers" of SEO, videos, content, adverts etc for all my domains?
How to cancel the annual privacy fee on the few that are "anonymous"?
IMO this was always abusive and illegal use of data. It should ALWAYS have needed a court order, like finding out who used an IP on a particular date/time.
-
Saturday 26th May 2018 08:57 GMT Jamie Jones
Re: My address has gone off whois!
Yep, and obviously not a "critical part of the infrastructure"
Of course, originally when only companies and organisations had domain names, it was useful.
My guess is that when it started to get personal, any discussions on making it private were met with "charitable donations".
Either that, or they realised they could make money selling it off directly ("We aren't doing anything wrong, it's all public information")
It was never a technical or legal use, and they were right arseholes to ever try to spin it that way.
-
Saturday 26th May 2018 18:08 GMT John Brown (no body)
Re: My address has gone off whois!
"Either that, or they realised they could make money selling it off directly ("We aren't doing anything wrong, it's all public information")"
I suspect that is the reason. It's only relatively recently that the Ts&Cs that appear when doing a whois specify that bulk scraping of the whois data is not allowed. At one time, all you got sent was the whois data, no "legalese" appended.
-
Sunday 27th May 2018 05:09 GMT Danny 14
Re: microsoft?
However (playing devil's advocate, I don't actually agree with it) the last option can be argued as essential to service as it is for product fault reports and improvement of service. The fact that GDPR has a proviso of keeping your PCs up to date would view this as possibly mandatory!
-
Sunday 27th May 2018 15:30 GMT Andalou
Don't say mail, say
Yahoo! mail presented me with a rather strange and probably non-compliant burden a few days ago. I was expected to spend double figures of minutes marking individual check boxes that were presented only nine at a time - and there were nearly four hundred of them in a single scrolling dialog.
-
Monday 28th May 2018 06:10 GMT Twilight
Given that Facebook and Google both pay for their "free" services by doing things with your personal data, I seriously doubt they will ever comply with GDPR in a way that most people want. If they allow people to opt out of their slurping of data then the alternative will likely be a paid service (instead of "free") - personally, I'd be happy to pay a reasonable amount for Google to have GDPR-compliant data usage (however, I'm in the US so I probably won't have that option).
-
Monday 28th May 2018 10:24 GMT Anonymous Coward
Credit Reference Agencies NO consent.
I would like to see credit reference agencies like Equifax, Experian, Callcredit etc challenged.
The vast majority of us have no contract with these companies to hold our personal and financial data which is given to them by multiple companies who give them this data despite it not being necessary for them to pass on this data to provide us whatever service they provide, Banking, Insurance etc etc. and I haven't seen a box explicitly requesting individual consent for this sharing separate from a blanket accept our T&C in full.
The Credit Reference agencies then SELL this data out to other companies without our permission as we don't even have a contract with them and have never given them informed consent to do so.
-
Tuesday 29th May 2018 00:10 GMT Alan Brown
Re: Credit Reference Agencies NO consent.
"The Credit Reference agencies then SELL this data out to other companies without our permission as we don't even have a contract with them and have never given them informed consent to do so.."
You've always been able to prevent this with a DPA section 11 notice. The CRAs make more money selling your data to advertisers/marketers than actual credit lookups.
Of course, this is now the default position under the law. It's going to be interesting what happens next.
-
Monday 28th May 2018 10:25 GMT Anonymous Coward
Another manifestation of the abhorrent-behaviour-inducing-monetary-system
When are we going to evolve?
It's almost the fucking year 2100
If people's fundamental needs were met, would they still act like cunts?
This cache / cash system is stupid, can theoretically hold more wealth than the world can actually provide for. If this seems offtopic, it's because you're asleep
-
Monday 28th May 2018 12:55 GMT Ken Hagan
"It's almost the fucking year 2100"
Is that a different fucking epoch from "AD", because by my calculations we are closer to 1947 than 2100.
New in 1947:
communist Poland, Polaroid cameras, the Cold War, UFOs, Prince Philip, India and Pakistan, "actual" computer bugs, the AK-47, transistors, Israel, David Bowie.
-