
Upcoming EU data law will make Europe tricky for Facebook - jacquesm
http://www.theregister.co.uk/2011/11/08/eu_new_data_protection_proposals/
======
law
It's wonderful to see the EU upgrade its 1995 Directive to give users even
more control over how data they voluntarily contribute is used. From the
source, "This is why in our view, EU law should require that consumers give
their explicit consent before their data are used. And consumers generally
should have the right to delete their data at any time, especially the data
they post on the Internet themselves."[1]

I _hope_ that this language portends a paradigm shift where users are no
longer kept in the dark concerning the inferences made by analyzing and
correlating data that they, and others, submit. By incorporating language that
protects users from unauthorized "use" of their data, I hope that this
Directive will encourage industry self-regulation to the extent that
unforeseeable inferences become a relic of the Internet's "wild west" days.

By unforeseeable inferences, I'm specifically referring to situations where a
company like Amazon might tacitly suggest to your girlfriend to open a wedding
gift registry. Its algorithm might do this based on information gleaned
from chat transcripts it licensed from Facebook. While certain laws might
protect the actual transcripts from being transmitted to Amazon, nothing to my
knowledge prevents Facebook from unforeseeably inferring that you intend to
get married, based on complex natural language processing algorithms that it
most certainly already employs. The EU's proposed Directive would, I hope,
protect people from just that.

[1]:
[http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO...](http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&format=HTML&aged=0&language=EN&guiLanguage=en)

~~~
buro9
> And consumers generally should have the right to delete their data at any
> time, especially the data they post on the Internet themselves

I'm all for that, but where does it leave community collaborated work when one
author wishes to delete their contribution totally?

i.e. Wikipedia

One way around this might be to disassociate contributions from the public, to
anonymise those contributions. But then... how do you stop spammers and
trolls?

If a person has made a contribution under a perpetual licence, then that
licence should trump. But if that were the case then everyone would just
sidestep this law such that all user contributions were under a
for-commercial, shared-forever licence.

Does the law win? Yes.

How would it apply to collaborative works in which data contributed is clearly
identified as coming from an author who wants to delete their data? Unknown.

~~~
DasIch
This is about personal information not about creative works.

Besides if you contribute to Wikipedia you have to agree to a license which
would obviously trump any privacy measures.

~~~
buro9
Not obvious.

The data protection laws in Europe are enforcement laws and provide detailed
instruction on the enforcement of the treaties that make up the "European
Convention for the Protection of Human Rights and Fundamental Freedoms"...
basically what is referred to as just "Human Rights".

As governments and companies in Europe keep finding, no laws trump that EU
treaty.

A Wikipedia licence won't cut it.

Further the 1995 data protection laws already stated that any data which could
identify the person is covered. That definitely includes meta data, hence my
comment about needing to disassociate the data to anonymise it. A person can
request any identifying information be deleted, including pseudonyms as it's
conceivable that a pseudonym used on multiple services _is_ identifying.

Which leaves anonymous contributions to a project... then how can you continue
to enforce anti-spam/troll policies when most of the existing methods rely on
spotting the spammers/trolls based on signals from IP, user-agent, emails,
usage... if you can identify a spammer, then you can identify a person (given
access to enough data), and therefore it's identifying.

These new proposals strengthen the existing laws, which are actually already
pretty good. I'm basically saying that there is an edge case here, and it
could lead to problems. The law being black and white needs exceptions
clarified in writing and not left to assumption.

------
danmaz74
Wow, this is really terrible. The EU-ro-crats think that EU citizens, while
using a service in the EU, should be protected by European laws. How dare
they?

~~~
mooism2
_"We both believe that companies who direct their services to European
consumers should be subject to EU data protection laws. Otherwise, they should
not be able to do business on our internal market. This also applies to social
networks with users in the EU."_

 _EU law will be enforced even if the company is based in a third country and
has its data centres outside the EU, the statement reaffirmed._

I'm reading this as suggesting they'll set up a firewall to block non-EU
websites that don't adhere to EU data protection law. That would be a cure
worse than the disease.

(But yes, the Register's tabloid-speak grates.)

~~~
danmaz74
There is no reason why a firewall would be needed to enforce that kind of
law, just as there is no need for one to enforce the stricter European
privacy laws. We're not talking about rogue websites here, but about
established businesses that could be fined, or sued, etc. if they didn't
comply, as is usually the case.

------
DanBC
Link to original press release
([http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO...](http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&format=HTML&aged=0&language=EN&guiLanguage=en))

Quick summary:-

- The existing laws date back to 1995
- They need updating
- Recommendations are going to be made before Jan 2012
- EU law is needed because data travels so easily across borders
- Companies wishing to deliver services to Europeans should obey EU law, or be
  prevented from supplying those services

-- Customers must be in charge of their data
-- Customers must give explicit consent before their data is used

------
jnorthrop
If the recent ICO cookie rule is any indication on where the legislative
proposals are heading then the concluding statement in the article "Expect
sparks to fly when these proposals come out in January" is an understatement.

For those that are unaware the "EU Cookie Law" requires explicit user consent
before setting a cookie that can be used for tracking[1]. That's a pretty high
bar for sites that just want to use something like Google Analytics. Now if
you consider extending out the intent of that law to all data collected from
EU citizens it will make doing business in Europe via the internet much more
cumbersome for those that want to do any sort of marketing.

Personally, I like the idea that the EU is forcing companies to be transparent
about what information they are collecting and what purpose they are
collecting for, but publicly listed policies, such as a privacy policy or
terms of use, should be enough. To force users to have to read a legal
statement and check a box to agree to start doing business makes that step
much more difficult and I'm betting that is exactly where they are heading.

[http://www.privsecblog.com/2011/07/articles/main-topics/mark...](http://www.privsecblog.com/2011/07/articles/main-topics/marketing-consumer-privacy/six-tips-for-compliance-with-europes-new-cookie-rules/)

~~~
Isofarro
"To force users to have to read a legal statement and check a box to agree to
start doing business makes that step much more difficult and I'm betting that
is exactly where they are heading."

The cookie directive specifically excludes those client-side persistence
mechanisms ("cookie-like") that are necessary to deliver the proffered
service.

If the cookie isn't necessary for that core service (e.g. a third party
tracking tool), then it requires an informed consent. Hiding it in legal
wording in that case is not an option, it needs to be clear and
understandable.

Note too, that the ICO cookie rule isn't limited to cookies, it covers all
client-side persistence mechanisms that can be used in third party tracking
and behavioural aggregation tools.

------
pilif
As always about this request for "real" deletion of data, I wonder what
kind of people there are more of:

Those that are concerned that the data they deleted isn't really deleted?

Or those that learn that they can't get their data back which they just now
accidentally deleted?

I'm a techie. I'm part of the first group. But daily I have to deal with the
second group. Telling them that, no, you deleted the data, so now it's gone,
would break their heart.

And. No. I can't have backups of that data because having a backup would be
the same as not really deleting it. Think of retroactively altering the
backups of the days where the data still existed _shudder_.

This is pure theory anyways as there is a huge difficulty in reliably deleting
data once it's replicated all over different machines.

By the way: I wonder how this request for immediate deletion flies with the
more and more strict data retention laws that the EU is issuing. You know:
Either you store the data for the state (and thus don't delete it), or you
delete it, at which point it's gone.

~~~
nextparadigms
Who actually requests their data back from Facebook if they deleted it? And
why would that be Facebook's responsibility if you deleted it? At the very
least it should give you the option to permanently delete it, too.

I think if normal people would really know that Facebook keeps their data even
after they deleted it, they would get pretty freaked out about it, too.

~~~
DanBC
I know a few people who turn their Facebook profile on and off. (Depending on
how mentally stable and well they feel at the time.)

So long as Facebook offers two options and makes it really clear - [this is
our normal 'hide your profile'][This will really delete everything. No,
really, are you sure?]

~~~
hetman
The two option solution is probably a good idea (perhaps naming it something
like "destroy" because "delete" no longer has those kinds of connotation for
many).

However, I would suggest penalising people genuinely concerned about their
privacy and completely leaving out the option of permanent deletion, only
because some people aren't responsible enough to be trusted with that
decision, is not really acceptable.

------
rmc
_Facebook famously stores all its data forever, though that data isn't
available to users._

This isn't true. If a company keeps data on you, then you may request a copy
of that data. It's illegal, _under existing EU data law_ for them to store
data (regardless if the 'delete flag' is set) and not tell you.

Facebook does and has given users copies of the 'deleted data' when people
have made requests under this law. In fact learning that, on Facebook, "when
you press delete, it doesn't really delete it", was a big deal and potentially
in breach of Data Protection law. (cf.
[http://www.guardian.co.uk/technology/2011/oct/20/facebook-fi...](http://www.guardian.co.uk/technology/2011/oct/20/facebook-fine-holding-data-deleted) )

~~~
gurkendoktor
It is true for some users. Like many others, I have requested my data as
suggested here-

<http://europe-v-facebook.org/>

And, like many others, they told me they couldn't handle my request on time,
it may contain intellectual property, whatever- I haven't received my data.
Unless they've really found a legit loophole by calling my data their IP, they
are violating existing EU law right now.

~~~
rmc
Well if they can't abide by the law, then they are breaking the law. Make a
complaint to the Irish Data Protection Commissioner:
<http://dataprotection.ie/>

------
jheriko
We do all realise they already ignore data laws in the UK (for instance) by
not disposing of old data? Why should they make any better effort for this new
EU law if it happens?

Maybe if it gets enough publicity... but even then I have low hopes.

~~~
hetman
The question rather should be, why is nothing being done about those breaches
in the UK. Passing legislation to firewall non-compliant sites shouldn't be
difficult... unless it leads to outrage from the populace I suppose.

------
mhitza
But not for G+, right?

