back to article Spanish media sues Meta for ignoring GDPR and harvesting data

A group representing some of Spain's largest media outlets have sued Meta, demanding €550 million ($596 million) in recompense for Zuckercorp's "systemic and massive" disregard for EU privacy regulations that have left them at risk of collapse. The lawsuit, filed by the Information Media Association (AMI) on behalf of 83 …

  1. Anonymous Coward
    Anonymous Coward

    I hope Spain goes all in on META

    Comfy chair, the lot!

    1. Anonymous Coward
      Anonymous Coward

      Re: I hope Spain goes all in on META

      I hope that Meta pulls out of the EU and the UK and goes back to 'merkkkka.'

      We don't need your highly addictive drug aka FecalFartBook.

      Or...

      Lock Him Up, Lock Zuck up

  2. xyz Silver badge

    Mmmm.....

    I was wondering about the AMI ads on the telly here in Spain; the main message of which is "trust no one but us to tell you the truth".

    Now I wouldn't touch anything to do with Mr Z but I also get the smell that the Spanish Media has decided that only the Spanish Media tells the truth and everyone else is a liar, whereas the Spanish Media generally tend to be slightly right of fascist in its views.

    So we seem to have an old fashioned turf war kicking off between a lumbering data elephant and a Franco era data fly. I wonder if the elephant will notice?

    1. alain williams Silver badge

      Re: Mmmm.....

      the main message of which is "trust no one but us to tell you the truth".

      You might want to check how truthful your favourite media is by looking at https://mediabiasfactcheck.com/

      1. A Non e-mouse Silver badge

        Re: Mmmm.....

        And they claim El Reg isn't biased and scores highly on factual accuracy: mediabiasfactcheck.com/the-register-uk/

        1. Doctor Syntax Silver badge

          Re: Mmmm.....

          "could also fit into the pro-science category."

          Could? Could? Almost actionable I'd have thought.

          1. A Non e-mouse Silver badge

            Re: Mmmm.....

            How dare they tarnish El Reg with this sciency mumbo-jumbo. Clearly they've never read BOFH, Moderatrix, etc. Definitely no science there!

        2. Strahd Ivarius Silver badge
          Trollface

          Re: Mmmm.....

          You'll note it is referring to El Reg as "UK", so it is for the previous version obviously.

          Now that it is "US", it is either providing woke or far-right disinformation...

      2. Pascal Monett Silver badge
        Thumb Up

        Interesting. Thanks for the link.

    2. Vincent Ballard

      Re: Mmmm.....

      El Mundo and La Vanguardia maybe, but El País is at most about as far right as Tony Blair.

      1. Greybearded old scrote Silver badge

        Re: Mmmm.....

        Far enough then. He's about as far left as a '70s tory.

  3. Anonymous Coward
    Anonymous Coward

    For a mere €550 million? I doubt it, they've probably given the case to a legal intern on work experience and forgotten about it already.

  4. HuBo
    Facepalm

    Should be a worldwide regulation

    GPDR should be international law in my opinion. Data harvesting through smartphone apps, web page cookies, and other surveillance tech goes against too much of privacy and freedom in my view. Why should perverted voyeurism be an acceptable business model?

    1. Anonymous Coward
      Anonymous Coward

      Re: Should be a worldwide regulation

      It is. It applies globally to EU and UK citizens.

      1. Phil O'Sophical Silver badge

        Re: Should be a worldwide regulation

        No, citizenship (and residence) is irrelevant. It applies to any persons present in the UK and EU, irrespective of their citizenship.

        1. Anonymous Coward
          Anonymous Coward

          Re: Should be a worldwide regulation

          No. It applies to THEIR PII DATA. Wherever that is stored on the planet.

      2. Anonymous Coward
        Anonymous Coward

        Re: Should be a worldwide regulation

        That should read citizens AND residents above.

        1. Phil O'Sophical Silver badge

          Re: Should be a worldwide regulation

          There is not a single reference to citizens or citizenship in the 88 pages of GDPR. It is defined in terms of "data subjects", and clearly states:

          "The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence [my emphasis], in relation to the processing of their personal data." and refers to personal data of "data subjects who are in the Union".

          For example, the personal data of a US citizen on holiday in Paris is still covered by GDPR, if it is being handled by a data controller or data processor who is established in the Union, or if their "processing activities are related to offering goods or services to such data subject". Citizenship and Residence are not relevant.

          1. TheVogon

            Re: Should be a worldwide regulation

            GDPR legal guidance states citizens and residents. As per your holiday example it would be ridiculous to expect companies to identify if a US citizen took a day trip to the EU and suddenly have to wipe all non compliant data.

            1. Anonymous Coward
              Anonymous Coward

              Re: Should be a worldwide regulation

              They don't have to identify anyone. If that person is in the EU, any of their personal data that is processed in the EU, or by an EU entity, is covered by GDPR. It _doesn't matter_ what country they are a citizen of.

              1. TheVogon

                Re: Should be a worldwide regulation

                NO. a) Yes they do. See GDPR guidance from your legal dept or your DCO who will know what they are talking about - otherwise how would you possibly know who GDPR applied to? b) Where the data is processed is not relevant. This applies globally to the data of EU (and UK) citizens and residents. Where the entity is doesn't matter.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Should be a worldwide regulation

                  how would you possibly know who GDPR apiplied to

                  It's quite specific in the text of the Regulation. It applies to: "natural persons, whatever their nationality or place of residence" who are in the Union. It could not be more clear than citizenship and residence are not relevant. A visitor in a hotel in London, or a shop in Berlin, is covered by GDPR if that business processes their personal data. Doesn't matter if that person is British, German, American, nor where they live.

                  Where the data is processed is not relevant.

                  That's the more complex area. If it's processed in the EU/UK, or by an entity established in the EU/UK, GDPR applies. If it's processed outside the EU/UK by a non-EU/UK entity but concerns a data subject who is in the EU or UK, it probably applies (but that's not simple to enforce). There are all sorts of corner cases, for example insurance policies for people who move between EU/UK and outside it.

                  1. Anonymous Coward
                    Anonymous Coward

                    Re: Should be a worldwide regulation

                    As above see actual guidance on the law. How can you say identify if your non EU customer visits the EU for a weekend and according to you suddenly comes under the GDPR? And then have to take action on that? Of course you can't. That would be ridiculous and not surprisingly it doesn't work like that.

                    Where the data is is not relevant if GDPR applies to the person. This is not in any doubt. Enforcement is another matter but if they have an EU entity or funds passing through the EU it can be enforced.

                    For the insurance situation this is simple - what is the policy holder's stated address and citizenship? If either are in the EU (or UK) then GDPR applies.

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: Should be a worldwide regulation

                      How can you say identify if your non EU customer visits the EU for a weekend and according to you suddenly comes under the GDPR? And then have to take action on that? Of course you can't.

                      You can, and you must. GDPR applies to the data processor and data controller. If you're an EU entity, and are processing personal data concerning someone who is present in the EU, GDPR applies. You don't need to know where they live, or what nationality they are, they're in the EU so any data you process about them at that time comes under GDPR.

                      For the insurance situation this is simple - what is the policy holder's stated address and citizenship? If either are in the EU (or UK) then GDPR applies.

                      No, it isn't that simple. Consider the situation of an American who has a life assurance policy with a US company. One day, they decide to move to live in the EU. Is the personal data collected by the company at the time the policy was taken out now covered by GDPR?

                      1. Anonymous Coward
                        Anonymous Coward

                        Re: Should be a worldwide regulation

                        Clearly you are not thinking this through. No you don't and therefore no one does. Indeed how would you without knowing they were taking a holiday?

                        Yes if they move (and notify the insurance company of an EU address - the GDPR doesn't expect telepathy.) then they are an EU resident and it is covered. As to if they would actually do anything is another question. Probably not. This situation is exceptional and therefore pretty low on the enforcement RADAR obviously.

  5. Mike 137 Silver badge

    According to meta

    ... the CJEU supposedly "expressly recognized that a subscription model, like the one we are announcing, is a valid form of consent for an ads funded service."

    But of course it didn't. A passing comment without significant force of law was made to the effect that "an appropriate fee" might be considered as an alternative to adverts. This is not the same as refusing to subscribe implying consent. to adverts

    1. entfe001
      FAIL

      Re: According to meta

      Adverts and targeted advertising (which feeds on personal data and is what the GDPR is about) are not the same thing

  6. Pascal Monett Silver badge

    "systemic and massive disregard for privacy laws"

    Yup, that sounds like Meta, all right.

    El Zuck will never give a flying fig about user privacy because his entire empire (and fortune) is based on pilfering that privacy.

    To teach him the error of his ways will require liberal and enthusiastic percussive maintenance with bats (corked or not). Given that that is legally frowned upon, the only other option is pathetically small fines which will be royally ignored until the EU in its globality decides to fine META a year's worth of its global revenue.

    Then El Zuck will start listening.

    But since that won't happen . . .

    1. Knightlie

      Re: "systemic and massive disregard for privacy laws"

      Prevent Meta properties from operating in the EU until they fix the issue. Either a) they fix the issue or b) we'll be without ArseBook and Crapstagram. It's a win either way, although I prefer the latter outcome myself.

  7. Kurgan

    Spanish media does not care abut privacy, actually

    They just care for their money. GDPR is just a tool they are using to stop Meta taking away their money.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like