
Facebook ordered to delete illegally collected data by Belgian court - 317070
https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court
======
jacquesm
That's still pretty mild compared to what will be possible past May 15th. FB
better count its blessings that this happened now.

[https://www.gdpreu.org/compliance/fines-and-penalties/](https://www.gdpreu.org/compliance/fines-and-penalties/)

No cap, up to 4% of worldwide annual revenues for this kind of transgression
of the law.

~~~
ryanwaggoner
I really think that all of you who are salivating at the prospect of the GDPR
destroying FB should prepare yourself for disappointment. The intent behind
the law might be good, but it's unlikely to accomplish what you want it to.

1\. It's a bad law, because it's so overly broad and vague that it's going to
be impossible to be fully compliant. For example, an EU resident hits your
server while they're on vacation in Australia. You've stored analytics, IP
addresses, etc. Congrats, you're now in violation. That's the tip of the
iceberg. The law also broadly contradicts loads of other laws about how data
must be _retained_ for legal and compliance purposes. So now that everyone is
breaking this law, regulators are free to just decide who they want to punish
and how much. That's incredibly damaging to the fundamental idea of the rule
of law.

2\. It sets a really bad precedent regarding jurisdiction and the internet. So
now any jurisdiction in the world can declare that if you do something they
don't like that even remotely affects them, you owe them whatever they want.
What if some oppressive regime passes a law that if your website is shown to
one of their citizens and doesn't have a message praising their leader, you
owe them 100% of your global revenue in perpetuity. Why not? You've violated
their laws regarding behavior towards their citizens!

3\. As item #2 gets at, countries can pass whatever laws they want, but
they're limited by their ability to enforce those laws. If the EU gets overly
broad and punitive here (as I'd argue they have), then companies will either
just leave, or shift their digital operations to jurisdictions where courts
can't enforce those laws.

Ultimately, I think that the realistic path here is that Google and Facebook
will fundamentally change almost nothing. The user experience will just get
worse, because we'll have to constantly be agreeing to a long list of terms
about how our data will be used, etc, etc. And people _will_ just agree and
move on. Look at the cookie thing. Yes, I know you think it's different this
time because of X, Y, and Z, but I'm skeptical. We'll see.

Regardless, the idea that we're suddenly going to live in a new golden age of
digital privacy because the GDPR has good intentions is laughable.

~~~
lucian1900
You shouldn't be storing anything without first obtaining consent. Why are you
using analytics indiscriminately?

The GDPR does actually have exceptions for cases where local law requires you
to store data.

Any jurisdiction can already enforce their laws upon you if you affect their
citizens. There's nothing new here.

~~~
ryanwaggoner
_You shouldn't be storing anything without first obtaining consent. Why are
you using analytics indiscriminately?_

Sorry, I find this ludicrous. Using analytics "indiscriminately"? What does
that even mean? The most basic use case for analytics is to use them
indiscriminately to see how visitors are using your site.

Not to mention that this is basically impossible, since storing IP addresses
in Apache log files is also probably a breach. Someone in the EU sends you an
email, now you're in violation because the header info is PII. A German walks
into your hospital in Miami and signs in; if you don't have a special
snowflake data management process for them that runs alongside your standard
HIPAA-compliant one, you're probably in violation.

 _Any jurisdiction can already enforce their laws upon you if you affect their
citizens._

No, they can't. They can _declare_ any law, but that doesn't mean they can
enforce it.

I really think that basically every business around the world who doesn't have
a direct EU presence in terms of office, employees should (and probably will)
just ignore the GDPR. It's a huge violation of sovereignty, the freedom and
ideals of the internet, and a great example of how people will be pleased to
let their governments enact policies no matter how harmful or dangerous as
long as they're against an "enemy" that they hate.

~~~
sveme
> Any jurisdiction can already enforce their laws upon you if you affect their
> citizens.

Isn't that already done by the US? The case against Kim Dotcom comes to my
mind.

~~~
adventured
Kim Dotcom made the mistake of operating servers in the US jurisdiction. New
Zealand made the mistake of complying with the US requests to extradite him.
The US could not have effectively enforced its laws upon Kim Dotcom without
New Zealand's assistance.

If China comes after me for something terrible I say about Mao (stray absurd
example), and the US turns me over to China because they're influenced and or
intimidated by China, that would be a similar premise: the US would bear
immense, near total responsibility for capitulating, showing no backbone.

------
blackrock
I think it is now time for society to regulate Facebook, Google, and whatever
other company out there, that seeks to collect information on people.

Facebook and Google, are now collecting and tracking users across the
Internet, just so that they can make a few extra dollars per person, but on
aggregate, they will make billions.

They have essentially removed the right for us to browse the Internet
anonymously.

This is what the libraries tried to protect for so long: your privacy on what
books you check out. But now, with the Internet, there is no anonymous
browsing anymore. It's all recorded.

It is already terrible enough that the government is doing it. But at least we
know that the government is doing it.

But for a commercial enterprise to do it, without proper regard for consumer
information, privacy, and protection. Then, this is a step too far. In fact,
we don't even know what these private companies are doing. And the people that
they employ don't have any special training, or any security clearances to
handle such private information.

When Facebook goes bankrupt, like Yahoo did, then what is the first thing that
they will do? They will immediately sell off all that valuable data that they
have collected on the population for nearly 20 years.

What they have taken from us, is the right to be forgotten. The right to
control the privacy of our lives, after we die. Sure, some people may not mind
having all of their private digital history published, for all the world to
see. But for some other people, we want to maintain that privacy, and take it
to our grave.

~~~
jaredklewis
> It is already terrible enough that the government is doing it. But at least
> we know that the government is doing it.

This argument feels so weird to me. We have a group of self-interested
companies that will sell your privacy for a nickel (Google, Facebook,
etc...) and then we have a government that values your privacy at nothing. The
government views even trying to keep your matters private (like encrypting
your phone, as advocated by the big, self-interested companies) as being
inherently linked with crime and terrorism. And now we want the government
(you know, the “if you have nothing to hide you have nothing to fear” guys),
to be in charge of regulating internet privacy? Thanks, but no thanks.

Given how much the majority US congress cares about privacy (almost 0) and how
little they understand technology, I am quite sure whatever they create would
be a giant cluster fuck.

In Germany or some other place with enlightened politicians? Yes, please, go
ahead. But dear god if the FCC or some such is put in charge of regulating
privacy it’s going to make the TSA look like geniuses.

------
newscracker
How can I pretend to be from the EU so that I get better protection from
Facebook? Are there any cheap and trustable VPNs (I don't use Facebook a lot,
and certainly not to watch bandwidth/traffic intensive videos) that would help
for this? Any other solutions? How can such solutions be spread around so that
more users get these protections, regardless of where they physically live?

~~~
craftyguy
> How can I pretend to be from the EU so that I get better protection from
> Facebook

You don't have to. You can start today by not giving facebook any more
information (stop using their service). If facebook bleeds enough users, maybe
they'll become motivated to change. I seriously doubt, at least in the US,
that we'll see any legislation that forces them to change here.

~~~
Sylos
Facebook will still have a lot of data on you, even if you don't use their
services.

Their Like-Buttons that are spread on a lot of the web, allow them to track
your IP-address and what webpage you're on (thanks to the HTTP referrer). They
also have an analytics library that some webpages use, giving them the same
data and more.

And your friends probably have you in their contacts on their phones, which is
uploaded to WhatsApp's server (unless none of them uses WhatsApp).

~~~
craftyguy
> Facebook will still have a lot of data on you, even if you don't use their
> services.

That doesn't mean you should not stop giving them even more information by you
directly using their services.

There are various mechanisms for preventing tracking, like using an ad blocker
to prevent loading tracking elements, preventing 3rd party cookies from being
set, using something like noscript to block javascript from
facebook/google/etc, and using Tor. Many of these don't take long at all to
configure.

~~~
Sylos
Which is definitely not what I was trying to argue here.

You implied that one does not need governmental help to protect against
Facebook. That's what I argued against. No matter how informed you are about
Facebook's practices and no matter how technologically skilled you are, you
cannot be sure that Facebook doesn't have your data.

~~~
craftyguy
It's not that I don't agree you don't need governmental help to protect
against facebook, but rather that it's very unlikely to come from the US
government any time soon. You'd be better off taking active steps to protect
yourself as much as possible (admittedly won't be complete protection) than
sitting around hoping someone in DC will care enough to protect you. The
current trend is that things will get worse before they get better (if ever).
Write your congress folks, etc etc, I guess.

------
zimbatm
How is this different than Google Analytics?

Both companies are tracking users and Google is doing this even more than
Facebook.

~~~
hjnilsson
As long as tracking is not connected to personal information (name, IP, email)
it is OK by GDPR. So Google Analytics is not affected (as long as you specify
the anonymizeIps option) as it does not associate a user with their actual
identity.

~~~
Radim
Actually, the law is defined quite broadly, not restricting itself to "name,
IP, email".

Have you considered how a combination of innocuous data points, such as
"browser + city + top 3 popular sites" can make a person uniquely
identifiable?

Or any other of the billions of combinations of your browsing patterns or
seemingly random daily activities. Your entropy fingerprint, if you will.

Check out "differential privacy" to learn more [0].

We've built a product to help companies identify the more obvious "private
data" cases ([https://pii-tools.com](https://pii-tools.com)), but we're not
fooling ourselves that we've solved "personal data". Or that the task is even
solvable. A dedicated person or algorithm can identify people from
surprisingly little information (in the extreme, think Sherlock Holmes).
Identification is a matter of degree, rather than a binary "name, IP, email"
thing.

[0]
[https://en.wikipedia.org/wiki/Differential_privacy](https://en.wikipedia.org/wiki/Differential_privacy)
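
The point about combined data points, as an added example that is not part of the original comment: a k-anonymity style audit (a simpler measure than the differential privacy linked above) showing that fields which each look harmless can single out most rows once combined. The field names and the eight rows are constructed for illustration.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed sample: eight analytics rows holding no name, IP or email.
FIELDS = ("browser", "city", "top_sites")
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("Firefox", "Brussels", "news,mail,video"),
    ("Firefox", "Brussels", "news,maps,video"),
    ("Firefox", "Ghent",    "news,mail,video"),
    ("Firefox", "Ghent",    "news,maps,video"),
    ("Chrome",  "Brussels", "news,mail,video"),
    ("Chrome",  "Brussels", "news,maps,video"),
    ("Chrome",  "Ghent",    "news,mail,video"),
    ("Chrome",  "Ghent",    "news,mail,video"),
]]


def anonymity_sets(rows, fields):
    """Count how many rows share each combination of values for `fields`."""
    return Counter(tuple(row[f] for f in fields) for row in rows)


def k_anonymity(rows, fields):
    """Smallest group size; k == 1 means at least one row is unique."""
    return min(anonymity_sets(rows, fields).values())


def unique_fraction(rows, fields):
    """Share of rows that no other row matches on `fields`."""
    sets = anonymity_sets(rows, fields)
    return sum(1 for count in sets.values() if count == 1) / len(rows)


def surprisal_bits(rows, fields, row):
    """Identifying information, in bits, carried by this row's values."""
    sets = anonymity_sets(rows, fields)
    return -math.log2(sets[tuple(row[f] for f in fields)] / len(rows))


def risky_combinations(rows, fields, k_min):
    """Every subset of `fields` whose k-anonymity falls below `k_min`."""
    return [combo
            for size in range(1, len(fields) + 1)
            for combo in combinations(fields, size)
            if k_anonymity(rows, combo) < k_min]


if __name__ == "__main__":
    for field in FIELDS:
        print(field, "alone: k =", k_anonymity(ROWS, (field,)))
    print("all fields: k =", k_anonymity(ROWS, FIELDS),
          "unique share =", unique_fraction(ROWS, FIELDS))
    print("below k=2:", risky_combinations(ROWS, FIELDS, 2))
```
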

~~~
hjnilsson
> Have you considered how a combination of innocuous data points, such as
> "browser + city + top 3 popular sites" can make a person uniquely
> identifiable?

While this is certainly the case, as long as you do not use the data in that
way it is not illegal to collect it. Intent and actions are very important in
GDPR.

Standard law: Purchasing a knife is not illegal, but using it to kill is.

GDPR: Collecting browser, behaviour and city is not illegal, but correlating
it in order to connect collected data to a single person is.

------
allthenews
Regardless of whether this is a good idea or not, how will it possibly be
enforced against a multinational giant like Facebook, with private source code
and machines to store data all over the world?

~~~
mseebach
_Generally_ by leveraging the fact that Facebook probably wants to remain on
reasonable terms with most governments. Modulo appeals etc, once they've
finally lost (provided that's the final decision), they'll probably just
comply.

If they refuse, the government can seize any assets Facebook might hold in
Belgium, possibly other EU countries, they could block or fine Belgian
companies and individuals that do business with Facebook and such things, and
escalate all the way to issuing warrants for Facebook executives' arrests,
which with the European Arrest Warrant could be effectuated across the EU.

[https://www.bloomberg.com/news/articles/2017-01-09/volkswage...](https://www.bloomberg.com/news/articles/2017-01-09/volkswagen-executive-arrested-in-miami-in-u-s-emission-probe)

------
mtgx
Is the Court of First Instance like a district court/appeals court? Because I
remember Facebook winning here:

[https://www.reuters.com/article/us-facebook-belgium/facebook...](https://www.reuters.com/article/us-facebook-belgium/facebook-wins-privacy-case-against-belgian-data-protection-authority-idUSKCN0ZF1VV)

Or is this a different case?

~~~
ctx
Not a lawyer and I had to translate from Dutch, but the first legal encounter
involved the Privacy Commission looking for interim measures. Facebook first
lost, then won the appeal. This is (sort of?) the same case, but now they're
looking for a final judgment on the merits of the case.

The current process started a couple of months ago:
[https://deredactie.be/cm/vrtnieuws.english/News/1.3080677](https://deredactie.be/cm/vrtnieuws.english/News/1.3080677)

------
meddlepal
I'm not sure why any mega-companies bother with running EU business units.
Just put your offices and data centers outside EU jurisdiction (Hello
Switzerland, Turkey, Morocco and now England) and pay your engineers enough to
compensate for being in a less desirable location (in some cases) and you're
still way ahead of the game.

~~~
smallbigfish
1-2k€ vs $10k salaries?

At least that's what they do in my EU country.

------
halukakin
Recently facebook pixel started collecting information on pretty much
everything a user does on the website naming them "microdata". Those users
have no clue they are being tracked in that manner.

------
zenhack
I'm looking at this on mobile, and the cookie policy footer is taking up more
than half the screen. Oh the irony.

------
ansh0l
I'm curious - if I have a clean browser history(no Facebook login ever), and
Facebook still tracks me, how does that information benefit Facebook?

Alternatively, how does it affect me?

~~~
rockinghigh
Their official stance is that these cookies are used for fraud detection:
[https://www.facebook.com/notes/alex-stamos/preserving-securi...](https://www.facebook.com/notes/alex-stamos/preserving-security-in-belgium/10153678944202929)
In theory, Facebook could also sell these ghost
profiles to web sites that have the Facebook like button or Facebook comments
and want to show personalized ads.

------
squarefoot
just wondering here, but what would stop them -or any other multinational big
corp- from say redirecting any web connection from a country A where X is
illegal to one of their servers in country B,C,D etc. where it is legal, do
all number crunching there and send unrecognizable results back to A?

~~~
detaro
The relevant laws generally don't care about server locations, or only in a
negative sense (data processing in jurisdictions with weaker protections
requires additional steps to be acceptable)

Since in general evidence for these things is not collected by grabbing local
servers and searching them, this doesn't really give them any benefit.

------
argimenes
Why was the Belgian court illegally collecting data in the first place? ;-)

------
hokus
Ethnic cleansing was so much easier with the church records.

------
larrysalibra
Best part about this article is that the Guardian has Facebook tracking code
that collects user data on it.
[https://imgur.com/a/UrSyt](https://imgur.com/a/UrSyt)

~~~
kenning
Why is that the best part?

~~~
avs733
because we are being socialized to over-react to even the hint of hypocrisy as
invalidating rather than engaging in meaningful evaluation of information
sources quality.

~~~
larrysalibra
It doesn’t invalidate the article at all. Quite the opposite.

------
sctb
If someone can suggest a non-translated article we can update the link here.

~~~
matt4077
[https://www.theguardian.com/technology/2018/feb/16/facebook-...](https://www.theguardian.com/technology/2018/feb/16/facebook-ordered-stop-collecting-user-data-fines-belgian-court)

~~~
sctb
Thanks! Updated from
[https://translate.google.co.uk/translate?sl=auto&tl=en&js=y&...](https://translate.google.co.uk/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=https%3A%2F%2Fwww.demorgen.be%2Ftechnologie%2Fbrusselse-rechtbank-veroordeelt-facebook-voor-schending-privacy-b460a887%2F&edit-text=&act=url).

