
First complaints under the GDPR lodged within hours - raleighm
https://privacylawblog.fieldfisher.com/2018/first-complaints-under-the-gdpr-lodged-within-hours
======
hanoz
Has anyone actually come across any sites that have gone properly GDPR
compliant yet? 90% of the conversions I've seen have gone with: we
use cookies, click here to be fine with that (almost always after the cookies
are already set), or click here to embark on some convoluted process to
disable some in our spuriously derived non-essential categories.

It appears the positive opt in requirement of GDPR is being universally
ignored by the industry.

~~~
scaryclam
I've seen various sites in compliance, mostly smaller companies TBH. It seems
to be mostly US companies who seem to be getting it completely wrong (maybe
that's biased by the sites I frequent), which has perplexed me a little as it
would have been cheaper to just do nothing about it at all.

I'm also wondering if the cookies thing is actually just the other law, but
now we're all having to look at the old "we use cookies" notifications in a
GDPR light.

~~~
Silhouette
The irony is that the rules about annoying cookie notifications were supposed
to be fixed by some additional changes that came into effect with the GDPR,
but those changes weren't ready in time.

~~~
kristofferR
Interesting, do you have a link where I can learn more about the fix?

~~~
ma2rten
[https://en.wikipedia.org/wiki/EPrivacy_Regulation_(European_Union)](https://en.wikipedia.org/wiki/EPrivacy_Regulation_\(European_Union\))

~~~
Fnoord
That Wikipedia page seems out of date, and there's only that one and a Dutch
version of it, it seems. ePR should get in effect in 2019, correct?

~~~
Silhouette
_ePR should get in effect in 2019, correct?_

Yes, that seems to be what they're aiming for now. It was originally supposed
to come into effect alongside the GDPR last month, repealing the analogous
ePrivacy Directive that was (and for now remains) in force, and therefore
allowing member states to update their national laws to remove the annoying
cookie notification requirements. Sadly, it wasn't ready in time.

------
alfredallan1
I’m not sure I entirely follow the point of the complaints. The complainants
seem to have a problem with the fact that they’re asked to either agree with
the ToS or not use the product/service. How’s that illegal/unfair? No business
is obliged to allow all and sundry to use their product/service - regardless
of whether they abide by the rules. GDPR doesn’t mandate that, does it?

While I of course fully support the protection of consumer data/privacy, the
companies also have a right to decide whether they want non-compliant users
using their service. They’re not running something like public transport,
which must, by rights, be available to all.

Are these complaints in fact valid under GDPR?

~~~
zajd
> No business is obliged to allow all and sundry to use their product/service
> - regardless of whether they abide by the rules.

If they are operating in the EU? They do actually. You can't just put whatever
you want in your ToS/EULA and throw your hands up.

~~~
soneil
We should already be used to this. We're used to seeing the phrase "Your
statutory rights remain unaffected". A site's ToS, a store's policies, etc do
not override your rights available by law.

If a shop says "no returns", what they actually mean is "changing your mind or
deciding you don't like it isn't a valid reason". But you can still return
something if it's faulty, isn't as described, or isn't fit for purpose -
because they're your legal rights, phooey to the store's return policies.

It's my understanding (which could be wrong, is constantly evolving, and
desperately needs test cases) that being able to opt out of unnecessary PII
collection or processing is a legal right, and phooey to the ToS that claims
otherwise.

~~~
alfredallan1
> It's my understanding (which could be wrong, is constantly evolving, and
> desperately needs test cases) that being able to opt out of unnecessary PII
> collection or processing is a legal right, and phooey to the ToS that claims
> otherwise.

That’s actually a great point. Collecting PII is NOT illegal, as far as I can
see. Nor can it be illegal. Same for personalized ads.

Consider a real estate agent. To show you the right kinds of houses to buy and
finally make the contract, they have to have enough PII about you. If they
know nothing about you, they’ll end up showing 1-bedroom studios for a family
of five and a three bedroom suite for a bachelor living alone. Similar
arguments can be made for all kinds of service providers.

Now onto the issue of FB, the only service they offer is “communication tools
with built in personalized ads”. PII is necessary to provide that service.

~~~
zucan
> Collecting PII is NOT illegal, as far as I can see. Nor can it be illegal.

Article 6 [0] is phrased negatively, making collecting PII illegal unless x or
y. These points cover all the use cases the lawmakers deemed valid; a real-
estate agent may collect PII because of 6.1b (taking steps to enter a contract
at the request of the data subject). Should a new, possibly valid reason to
collect PII come up it would first need to be checked and then added to the
list.

Since most websites and online services do not aim to form a contract nor fit
points c-f, they have to obtain consent by the data subject (6.1a) to make
collecting PII legal.

[0] [https://gdpr-info.eu/art-6-gdpr/](https://gdpr-info.eu/art-6-gdpr/)

~~~
alfredallan1
Doesn’t “consent” (point a) supersede all the rest? Looking at how people have
been conditioned to so easily click on "I agree", that will be the most
obvious thing to pursue for most companies.

~~~
Silhouette
You can do more or less anything with the subject's consent, but one of the
big changes under the GDPR is that subjects can always withdraw that consent
later and then exercise their right to erasure if there is no other lawful
basis for that processing.

------
IshKebab
I want to know if all the "semi-forced consent" options that most news
websites have adopted are legal.

If you go to [https://www.independent.co.uk/](https://www.independent.co.uk/)
for example on mobile, most of the screen is filled with a consent message.
But it isn't "yes / no" like the GDPR would like, it's "yes / visit a
difficult-to-navigate consent manager to not give your consent".

Surely not allowed.

~~~
alfredallan1
Why not?

It is perfectly reasonable to have two versions of a service - one with
ads/cookies and one without. The user uses the one they want.

If one considers personal information as a currency, it is something one can
choose to or not to pay. If the user's privacy is important enough to them,
they won’t give the company the right to track them or do whatever else with
their data. The user decides whether access to that service is worth paying
the price in terms of privacy. I think Facebook is too expensive (in terms of
my personal data they get) so I don’t use the service. But I cannot complain
that FB doesn’t service me for nothing. It is a for-profit company. The
company is not obligated to service everyone - it is not public transport or
the electricity company.

~~~
Tomte
We're not discussing what you think would be right and fair, we're discussing
what the legislature decided to enact into law.

You may argue against the GDPR, but it doesn't change the law as it stands
today.

~~~
alfredallan1
Where do you get the impression I am arguing against the GDPR? I quite support
it in fact. The discussion was about whether the complaints of the type
mentioned in the article are valid under the GDPR.

~~~
Tomte
You argue about what you think is "perfectly reasonable". But that's not the
question to ask when that is obviously illegal. You cannot counter "that's not
allowed by the GDPR" with "I think it should be", unless you want to talk
about a hypothetical alternative.

~~~
alfredallan1
Consider a company which offers two services - 1. Latest news stories with
personalized ads on the side. 2. Just news stories.

There is nothing illegal about having the above two lines of services. But
when a user wants service no. 1, their personal data becomes necessary to
show personalized ads. If the user chooses to not “pay” in the currency of
personal data, it is perfectly fine, they can use service no. 2.

Why is this illegal? Please, be specific with which part of the law prohibits
this.

Morally, ethically, I agree with you. 100%. I was in fact involved in a
spread-the-word about GDPR campaign a few months back. This discussion is about
the legality and the technicality.

------
caffeine5150
Here is a great article by one of the top EU privacy attorneys out there
explaining the interplay of the ePrivacy Directive (which governs use of
cookies) and the GDPR, which often get confused.
[https://privacylawblog.fieldfisher.com/2018/gdpr-plus-e-privacy](https://privacylawblog.fieldfisher.com/2018/gdpr-plus-e-privacy)

------
alter_eco123
Pestering GooAmaBookSoft through GDPR complaints is fine, but won't actually
accomplish anything in terms of privacy improvements - they're all in bed with
governments anyway.

The only real solution is to stop letting these companies invade your privacy,
by ceasing to use their services.

That doesn't mean _"THIS.. IS.. STALLMAN!"_, but it will be less convenient
than letting them continue.

~~~
Angostura
> they're all in bed with governments anyway

How do you explain the GDPR then?

~~~
alter_eco123
> _How do you explain the GDPR then?_

I'm not sure what you mean.

Is it not obvious that politicians don't want to bust their biggest
(potential) campaign contributors for GDPR violations?

Isn't it obvious that we don't have any more privacy now than before GDPR,
because governments are still spying the shit out of us all?

In light of that, is it not obvious that GDPR's real goal is something other
than improving our privacy?

Do you genuinely think governments (or EU bureaucrats) actually care about us
or our privacy? If not, why would you think GDPR was devised for _our_
benefit?

And gosh, it sure makes it more difficult for small businesses to stay viable,
and wouldn't it be nice for big corporations to have fewer potential
competitors/disruptors around?

~~~
distances
> Do you genuinely think governments (or EU bureaucrats) actually care about
> us or our privacy?

Yes

> And gosh, it sure makes it more difficult for small businesses to stay
> viable, and wouldn't it be nice for big corporations to have fewer potential
> competitors/disruptors around?

This is just ridiculous. Politics is still driven by the will to improve
societies instead of just a cold grab of money and power. Your level of
cynicism is just over the charts.

~~~
hnisgroupthink
Politics is about expanding power of the political elite while using
"improving societies" and other Orwellian language to justify it.

Maybe you should be a little more cynical.

~~~
Angostura
> Maybe you should be a little more cynical

Or maybe you should consider that good government and regulation, of which
there is still much, is actually the most effective protection against
uncontrolled corporate interest.

~~~
hnisgroupthink
Government and corporation are one and the same these days. They graft onto
each other and feed one another, like unions and other collectivist
organizations.

Why do you think tax money goes to ship Amazon packages?

