I hope Spain goes all in on META
Comfy chair, the lot!
A group representing some of Spain's largest media outlets have sued Meta, demanding €550 million ($596 million) in recompense for Zuckercorp's "systemic and massive" disregard for EU privacy regulations that have left them at risk of collapse. The lawsuit, filed by the Information Media Association (AMI) on behalf of 83 …
I was wondering about the AMI ads on the telly here in Spain; the main message of which is "trust no one but us to tell you the truth".
Now I wouldn't touch anything to do with Mr Z but I also get the smell that the Spanish Media has decided that only the Spanish Media tells the truth and everyone else is a liar, whereas the Spanish Media generally tends to be slightly right of fascist in its views.
So we seem to have an old-fashioned turf war kicking off between a lumbering data elephant and a Franco-era data fly. I wonder if the elephant will notice?
the main message of which is "trust no one but us to tell you the truth".
You might want to check how truthful your favourite media is by looking at https://mediabiasfactcheck.com/
And they claim El Reg isn't biased and scores highly on factual accuracy: mediabiasfactcheck.com/the-register-uk/
There is not a single reference to citizens or citizenship in the 88 pages of GDPR. It is defined in terms of "data subjects", and clearly states:
"The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence [my emphasis], in relation to the processing of their personal data." and refers to personal data of "data subjects who are in the Union".
For example, the personal data of a US citizen on holiday in Paris is still covered by GDPR, if it is being handled by a data controller or data processor who is established in the Union, or if their "processing activities are related to offering goods or services to such data subject". Citizenship and Residence are not relevant.
NO. a) Yes they do. See GDPR guidance from your legal dept or your DCO who will know what they are talking about - otherwise how would you possibly know who GDPR applied to? b) Where the data is processed is not relevant. This applies globally to the data of EU (and UK) citizens and residents. Where the entity is doesn't matter.
how would you possibly know who GDPR applied to
It's quite specific in the text of the Regulation. It applies to: "natural persons, whatever their nationality or place of residence" who are in the Union. It could not be more clear that citizenship and residence are not relevant. A visitor in a hotel in London, or a shop in Berlin, is covered by GDPR if that business processes their personal data. Doesn't matter if that person is British, German, American, nor where they live.
Where the data is processed is not relevant.
That's the more complex area. If it's processed in the EU/UK, or by an entity established in the EU/UK, GDPR applies. If it's processed outside the EU/UK by a non-EU/UK entity but concerns a data subject who is in the EU or UK, it probably applies (but that's not simple to enforce). There are all sorts of corner cases, for example insurance policies for people who move between EU/UK and outside it.
As above, see actual guidance on the law. How can you, say, identify if your non-EU customer visits the EU for a weekend and according to you suddenly comes under the GDPR? And then have to take action on that? Of course you can't. That would be ridiculous and not surprisingly it doesn't work like that.
Where the data is is not relevant if GDPR applies to the person. This is not in any doubt. Enforcement is another matter but if they have an EU entity or funds passing through the EU it can be enforced.
For the insurance situation this is simple - what is the policy holder's stated address and citizenship? If either are in the EU (or UK) then GDPR applies.
How can you, say, identify if your non-EU customer visits the EU for a weekend and according to you suddenly comes under the GDPR? And then have to take action on that? Of course you can't.
You can, and you must. GDPR applies to the data processor and data controller. If you're an EU entity, and are processing personal data concerning someone who is present in the EU, GDPR applies. You don't need to know where they live, or what nationality they are, they're in the EU so any data you process about them at that time comes under GDPR.
For the insurance situation this is simple - what is the policy holder's stated address and citizenship? If either are in the EU (or UK) then GDPR applies.
No, it isn't that simple. Consider the situation of an American who has a life assurance policy with a US company. One day, they decide to move to live in the EU. Is the personal data collected by the company at the time the policy was taken out now covered by GDPR?
Clearly you are not thinking this through. No you don't and therefore no one does. Indeed how would you without knowing they were taking a holiday?
Yes if they move (and notify the insurance company of an EU address - the GDPR doesn't expect telepathy.) then they are an EU resident and it is covered. As to if they would actually do anything is another question. Probably not. This situation is exceptional and therefore pretty low on the enforcement RADAR obviously.
... the CJEU supposedly "expressly recognized that a subscription model, like the one we are announcing, is a valid form of consent for an ads funded service."
But of course it didn't. A passing comment without significant force of law was made to the effect that "an appropriate fee" might be considered as an alternative to adverts. This is not the same as refusing to subscribe implying consent to adverts.
Yup, that sounds like Meta, all right.
El Zuck will never give a flying fig about user privacy because his entire empire (and fortune) is based on pilfering that privacy.
To teach him the error of his ways will require liberal and enthusiastic percussive maintenance with bats (corked or not). Given that that is legally frowned upon, the only other option is pathetically small fines which will be royally ignored until the EU in its globality decides to fine META a year's worth of its global revenue.
Then El Zuck will start listening.
But since that won't happen . . .