
Leave Facebook if you don't want to be spied on, warns EU - czottmann
http://www.theguardian.com/technology/2015/mar/26/leave-facebook-snooped-on-warns-eu-safe-harbour-privacy-us
======
junto
Unfortunately that doesn't stop my friends and family from uploading my name,
various home, work and mobile numbers, email addresses and photos of me to
Facebook when they install any of their apps or choose to let Facebook "Find
your friends". Ideally that feature should be renamed "Fuck your friends
privacy".

~~~
Silhouette
I still don't understand how that kind of feature is even remotely legal under
the data protection laws in most if not all EU countries. I suspect that it
isn't, but the under-staffed and under-budgeted privacy regulators don't want
to pick that fight with an organisation as powerful as Facebook, even though
it is exactly the kind of fight they should be picking.

~~~
Zenst
I believe the real crux is that if any data protection law is voilated by
passing on your details via a friend that the whole onus of responsibility is
laid soley at your friend via some EULA and the like they never even bothered
to read.

So in short it is your privacy laws and rights being violated, though by your
friends on behalf of Facebook and the like. Morally wrong on Facebooks part as
they know what they are getting but legally, they are covered more than your
friends who have facebook who grassed you up to Facebook. Could call it viral
peer micro marketing list scraping. I call it bad form.

~~~
Silhouette
_I believe the real crux is that if any data protection law is voilated by
passing on your details via a friend that the whole onus of responsibility is
laid soley at your friend via some EULA and the like they never even bothered
to read._

It doesn't work that way. The usual EU legal position, absent any special
case, is that any entity acting as a data controller is subject to data
protection rules.

Given explicit consent by the subject of the personal data, Facebook might
have a way around this. I could believe they escaped with legalese in their
terms and conditions for anyone who has a Facebook account themselves, for
example, whether or not we might agree with legislation that allowed them to
do so.

That would not cover data about anyone else who had not given such consent,
however. I suspect they'd also have trouble arguing that position for any
subject who had previously had a Facebook account but had ceased using it and
effectively withdrawn their consent.

(Just to be clear, I'm not any sort of lawyer. I'm just a guy who runs
businesses that sometimes deal with these issues in Europe, so I'm broadly
familiar with the rules and I've taken advice from real lawyers about some
aspects of them.)

Edit: It's possibly also worth noting that the EU doesn't have a general rule
prohibiting all collection of personal data without consent, nor a general
rule compelling a data controller to delete data on request. The situation is
more nuanced than that, and has all kinds of legal wriggle room.[1] The
question is whether Facebook's lawyers are somehow using that room in this
sort of situation, or whether they're just hoping they'll get away with the
behaviour even if they aren't sure it's legal.

[1] For example, in the UK, see [https://ico.org.uk/for-organisations/guide-
to-data-protectio...](https://ico.org.uk/for-organisations/guide-to-data-
protection/conditions-for-processing/)

~~~
voxic11
Wait do in the EU you cannot disclose things like phone numbers without
permission of the numbers owner? So if I told my brother the phone number of
my mother without her permission I could be charged by thee state?

~~~
Silhouette
The rules about registering as a data controller and restricting the use of
personal data usually apply to organisations rather than private individuals,
so as far as I know, the kind of situation you describe isn't illegal anywhere
in Europe. Similarly there are different rules for things like non-profit
community groups and the like.

A company doing the same thing, however, might need either the consent of the
data subject or a good reason to process or disclose that data without
consent. The actual laws cover this in much more detail. But again, this is a
tricky issue, because on the one hand there are supposed to be rules about
when an organisation is allowed to process personal data in the first place,
but on the other hand, the legally enforceable rights of individuals to
prevent processing can be quite weak in practice.

In any event, if you were processing data outside the rules, it's highly
unlikely you'd wind up with the state coming to arrest you for it. Normally if
an individual did object it would be handled via the regulator and you'd have
to be a very long way down the path before any sort of police action was
involved. I suppose if you completely ignored the regulator's decisions and
any resulting fines for long enough, eventually someone would probably see
handcuffs.

------
tedunangst
Is this an official warning from the Commission, or a statement by somebody on
the commission? It sounds like the hearing/case/whatever is still ongoing, so
it's kind of premature to announce that they've said anything, no? You'd think
the EU itself would post some kind of notice.

~~~
detaro
It was a statement by the person representing the Commission in Court. I'm
really curious how this will play out. (Safe Harbor is more or less the
justification for using US cloud services for anything having to do with
personal information. If it gets killed, a lot of people on both sides of the
pond are going to have a very fun time figuring out what to do next.)

------
mercurial
> European Commission admits Safe Harbour framework cannot ensure privacy of
> EU citizens’ data when sent to the US by American internet firms

Press 1 if you would like to send your data to the US to be processed by the
NSA. Press 2 if you would prefer your EU country's intelligence services to
take care of it instead.

~~~
fweespeech
Tbh, I'm less worried about the damage the EU intelligence agencies do than
the NSA.

Outside of the UK, the EU at least pretends to be outraged. The majority of
the US political class thinks its a good thing and says so publicly.

~~~
borgia
>Outside of the UK, the EU at least pretends to be outraged.

And in a glaring act of hypocrisy, David Cameron came out yesterday to extoll
how upset he was over the ruling that the lobbying letters Prince Charles sent
government members had to be published. What a breach of privacy it was. Can
nobody communicate privately anymore?!

~~~
Silhouette
Correct situation if you are on the civil liberties and accountable
representation side:

Government has no privacy by default. Government is required to defend any
need to keep secrets from individual citizens (and other parties such as the
media or businesses).

Individuals have privacy by default. Government (and other parties) are
required by law to justify any invasion of that privacy.

Practical situation today:

Government keeps secrets by default. Individual citizens (or other parties
such as the media) may need to make considerable efforts to force disclosure,
which may be denied repeatedly even where there is no basis in law for doing
so.

Individuals have little privacy by default. Government (and other parties)
routinely collect and process whatever data they feel like with little
consequence, with the notable exception of some explicitly enumerated
sensitive areas such as religious beliefs or health information.

------
throwaway7767
While it's certainly no surprise, it's fascinating to see the discussion focus
so candidly on the root of the issue: whether economical and political
expediency trumps justice (as set out in the law).

At least we can stop pretending that our court systems are impartial arbiters
of truth.

------
batou
There goes the EU safe harbour scheme.

Did anyone trust it to start with?

~~~
Silhouette
Trust isn't really the point. The Safe Harbour scheme is what makes it lawful
for European businesses to use US services to process personal data about
their customers. Without Safe Harbour, any European business that did this
without explicit consent from users would be at risk of legal action under the
usual data protection legislation. A few activist lawsuits and/or formal
action by national data protection regulators would make things like using US-
based SaaS or processing payments with services like Stripe a complete no-no.
It would also put multinationals with any US element, such as Google and
Microsoft, in a difficult position, because even if their formal in-house
policy is to keep all such data exclusively within the EEA, EU data protection
laws can then conflict with US disclosure requirements.

The article makes it seem like this is a new concern, but in reality this has
been on the radar of European businesses concerned about privacy and personal
data since _at least_ the initial Snowden revelations that rendered the polite
assumption that US companies could actually meet their obligations under Safe
Harbour no longer credible. Everyone is just hoping that the obvious economic
damage from preventing this kind of trade will be so dangerous that either the
US government will back down (highly unlikely) or the European authorities
will cave and pragmatically overlook obviously illegal (and rightly so, if
you're on the privacy side of the debate) data sharing.

Note that there is no general exception to the European data protection rules
permitting disclosure of personal data outside the EEA upon request by foreign
authorities under their own laws[1]. Specific international agreements have
been created to cover specific cases like PNRs for people travelling abroad.
So arguing that the US Safe Harbour scheme is still OK because it's only the
US government breaking the rules for its own official purposes has no weight
in EU law.

[1] [https://ico.org.uk/for-organisations/guide-to-data-
protectio...](https://ico.org.uk/for-organisations/guide-to-data-
protection/principle-8-international/)

------
Already__Taken
Would this mean every school in the EU can no longer partake in Microsoft's
office 365 programmes?

------
koonsolo
Who cares about the info you post on Facebook? Aren't services like gmail a
bigger threat?

~~~
simon_vetter
I'd argue that facebook is as big a threat as gmail, especially when you see
how younger generations use it to communicate. Also, keep in mind that
facebook tracks and collects your moves all over the internet (hint: look for
the little 'like' button on every newspaper/forum/random website and take a
look at your cookies from time to time) even if you don't have an account with
them. De-anonymization and identification with so-called metadata (cookies, ip
addresses, phone numbers, etc) is extremely easy to perform these days.

You can't trust users to make sane choices when it comes to privacy in the
exact same way that you can't expect drivers to decide if a car is safe to
drive or not. Joe Sixpack isn't going to use browser privacy extensions, clear
their cookies, use tor, etc.

Some entity (probably a government/administration of some kind, but I can see
NGOs doing that too) needs to be tasked with enforcing privacy laws in the
same way that (at least in most of Europe) you are required to have your car
inspected for safety and maintenance every few years.

EDIT: Across the EU, the Commission for the Protection of Privacy [1] would be
that entity. There are additional government instances in various member
states, like CNIL [2] in France.

[1] [http://www.privacycommission.be/en/european-
union](http://www.privacycommission.be/en/european-union) [2]
[http://www.cnil.fr/](http://www.cnil.fr/) \-
[http://www.cnil.fr/english/](http://www.cnil.fr/english/)

