
Facebook: We don’t need your consent - Findus23
https://noyb.eu/facebook-we-dont-need-your-consent/
======
hellofunk
Time and time we are proven again and again that Facebook has become the
emblem of how far technology can go to support pure malicious intention with
widespread support.

~~~
hugi
This thread was removed from the front page of HN real fast, as in—one second
it's at the top of the site, the next minute it's gone. Despite being very,
very relevant news and lots of discussion going on.

It's disappointing, although not surprising, to know where HN's allegiences
lie in this particular fight.

~~~
hellofunk
It's still on page 2 so it's not like it vanished. Who knows how the scoring
algo works.

~~~
usr1106
It's on page 2 but in grey font. What does that mean? 164 points after 2
hours.

Many downvotes by GDPR haters???

Edit: s/at the moment/after 2 hours/

~~~
hellofunk
I think the grey text is something else -- like if it was already visited
before or you upvoted it or something. I checked on two different browsers and
it was gray on one but not on the other, so who knows.

~~~
usr1106
You are correct. It's the rendering applied by my Firefox, because I had
visited the page before. (Outside of hn, someone sent me the link earlier)

------
Havoc
Congrats on finding a way to circumvent the letter of the law.

Think they're about to have an harsh encounter with spirit of the law &
European thinking about privacy & consent though.

~~~
buboard
facebook is probably laughing harder at this. A few billion in fines, combined
with low irish taxation is still not big enough to justify pulling out of the
EU market. The EU decided a bit too late to build a chinese-style 'firewall'
around european tech and it's not really working. Instead they are playing cat
and mouse with big corp, which really shows that these laws were mainly meant
to have an apotropaeic effect

~~~
Havoc
>The EU decided a bit too late to

Probably. They're the only big guys making a credible effort though.
Russia/China won't be doing anything. US & associated lobbying basically IS
big tech now.

...leaving just the EU.

~~~
buboard
china already has her own internet ecosystem. Russia has VK,yandex,mail.ru
etc. EU has nothing

[https://www.alexa.com/topsites/countries/CN](https://www.alexa.com/topsites/countries/CN)

[https://www.alexa.com/topsites/countries/RU](https://www.alexa.com/topsites/countries/RU)

[https://www.alexa.com/topsites/countries/DE](https://www.alexa.com/topsites/countries/DE)

------
thepangolino
Hasn’t there already been rulings against those kind of clauses being
shoehorned in terms and conditions?

I can’t make you sell your soul for subscribing to a service.

~~~
dagav
I don't think that's enforceable. You'd need some kind of soul extracting
machine, or a soul-over-IP transfer mechanism. Maybe a soul mail-in option.
You'd also need to implement some kind of soul storage warehouse. What would
you do with all those souls anyway?

~~~
jagged-chisel
The technical feasibility of soul extraction and storage isn't really the
problem. It's the act of selling it that's the problem. I mean, we don't
'extract' and 'store' land/real estate, but we do buy and sell it. You can
have a claim to land and not need to move it to your warehouse.

Just a title/deed system for souls would suffice. Since there's not a legal
framework around the ownership of souls, I'm sure we could encourage its
creation by starting a marketplace. Ultimately, however, I suspect 'soul' will
finally be defined as "existing, being, with current human perceptions of free
will" or somesuch and we will no longer have the ability to sell our souls for
the licensing benefits of a product or service.

~~~
dagav
What rights does owning someone's soul give me over that person? If I sold my
soul to the devil, he would have me for an eternity in Hell after I die.
However the devil is an eternal being, and human law only applies to mortals.
I have to assume that ownership of a soul is revoked after the death of that
soul, since human authority is transcended by a higher body of power. If I
sold my soul to Mark Zuckerberg, what would he do with that power over my
mortal life?

~~~
jagged-chisel
The answers to these questions will be codified into the new law, because they
cannot be determined scientifically (yet.)

~~~
dagav
Due to it's non physical nature I don't think we could ever define "soul"
scientifically, except perhaps as "the aspect of the human being which is not
physical". Is it possible to own something non-physical? There is precedent,
such as patenting an algorithm, or owning shares in a software company.

------
ckastner
Under article 7 GDPR [1], consent has to be given _freely_. Unless Facebook
offered an option to opt-out of this contract, use of the Facebook service was
tied to the agreement, which means it probably won't hold up.

It's great that this is happening in front of an Austrian court, because the
Austrian Data Protection Agency already has ruled on consent issues, and in
those rulings was (IMO) extremely strict on when consent was given freely. In
one ToS challenge, the mere _potential_ for confusion was enough to render it
invalid.

Edit: Here's one such ruling [2]. Co-mingling checkboxes for processing of
data for marketing purposes with actual contractual clauses was ruled as a
violation of the GDPR, even though by default, the checkboxes were
_unchecked_. The Agency ruled that the confusing nature of the form could lead
subjects to believe that they had to check a checkbox to receive the service.

Also, another relevant local case would be with a popular national newspaper,
DerStandard.at. That newspaper offers access in two ways: either (a) you pay
for a subscription and receive the service ad-free, or (b) you access the
service for free, but consent to receiving ads. This was deemed in compliance
with the GDPR, but it was stated that only offering (b) -- ie, exactly what
Facebook does -- would not hold up.

[1] [https://gdpr-info.eu/art-7-gdpr/](https://gdpr-info.eu/art-7-gdpr/)

[2]
[https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180731_DSB_D2...](https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180731_DSB_D213_642_0002_DSB_2018_00/DSBT_20180731_DSB_D213_642_0002_DSB_2018_00.html)

~~~
A_No_Name_Mouse
The trick is that the legal ground is not based on consent but on performance
of a contract, in which case consent, freely given or not, is not required at
all.

~~~
ckastner
I understand the trick, I just don't believe that it can play out.

A contract also needs consent. This contract is clearly entered only because
Facebook is making it a condition of using the service, and this type of
coupling is prohibited.

~~~
kruczek
> This contract is clearly entered only because Facebook is making it a
> condition of using the service

The contract is entered when a user registers at Facebook. However Facebook
seems disagree about what the contract involves. Any sane person (well, 96% of
them, as the article claims) would say that the contract is for delivery of
means to communicate with other people; Facebook seems to argue that the
contract is for delivery of personalized ads.

------
buboard
while they may have a point their arguments are not well articulated

> Europe’s strict privacy laws

actually it's EU's privacy regulation

> Facebook openly admitted that it has been collecting and processing data
> without users’ consent

They said that they ve been collecting WITH consent, at least with their
definition of consent

> To prove that no one ordered advertising from Facebook, we conducted a
> neutral study by the Austrian Gallup Institute. The result is devastating
> for Facebook: Only 4% of users want advertising,

... And i bet only 4% want to pay taxes too. polls are not legal documents.
Also, "wanted advertising" is very different from "accepted advertising as
part of the terms"

> Facebook does not give users a full copy of all their data

I believe facebook does give all their personal data,but maybe they are
looking for derived data that facebook has stored for them? that's not
personal data and it can be particularly tricky if it has been combined with
other people's data , for example to train a neural net

In any case, i don't think facebook cares too much anymore and will just pay
another yearly fine for operating in the EU. Even if FB asks for consent in
every second page, people will click yes.

~~~
thierryzoller
Your are funny, you say their arguments are not well articulated, yet you do
seem not to be up to point.

You argue they are regulations? European Regulations are law. European
Directives and Regulation are the two main legislative

They argue users are using facebook because they want advertising, their
primary usage is advertising and for that advertisement they consent to share
their data. That's so ridiculous it is funny.

And no, FB does not give all the data, the definition of what data is in the
regulation.

Both FB and their Privacy Director are not looking good.

~~~
buboard
don't be insulting

> European Regulations are law.

Regulations have to be implemented and integrated into each country's laws.
Countries may not have yet implemented GDPR

> their primary usage is advertising

I don't see where FB claimed that advertising is primary usage and others are
secondary. i can infer from the text that they parceled as part of the
"service promise"

> FB does not give all the data, the definition of what data

Facebook says they are GDPR compliant and i doubt they 'd say that without the
consultation of at least one EU data authority (perhaps the irish?).
[https://www.facebook.com/business/gdpr](https://www.facebook.com/business/gdpr)

~~~
Hamuko
_> Regulations have to be implemented and integrated into each country's laws.
Countries may not have yet implemented GDPR_

This is 100% wrong.

[https://ec.europa.eu/info/law/law-making-process/types-eu-
la...](https://ec.europa.eu/info/law/law-making-process/types-eu-law_en)

~~~
buboard
Right, that's correct, even though supplemental legislation is passed in each
country following the regulation, including GDPR. IIRC there are 2 EU members
that haven't done it yet.

------
stiray
I don't think anyone of us has seen consent request by facebook or google in
this form (freely given != 'give consent or you can't use or services,
specific/informed/unambiguous != barried in miles of legal giberish,...):

Recital 32 EU GDPR (32) Consent should be given by a clear affirmative act
establishing a freely given, specific, informed and unambiguous indication of
the data subject's agreement to the processing of personal data relating to
him or her, such as by a written statement, including by electronic means, or
an oral statement.

This could include ticking a box when visiting an internet website, choosing
technical settings for information society services or another statement or
conduct which clearly indicates in this context the data subject's acceptance
of the proposed processing of his or her personal data.

Silence, pre-ticked boxes or inactivity should not therefore constitute
consent.

Consent should cover all processing activities carried out for the same
purpose or purposes.

When the processing has multiple purposes, consent should be given for all of
them.

If the data subject's consent is to be given following a request by electronic
means, the request must be clear, concise and not unnecessarily disruptive to
the use of the service for which it is provided.

------
hgjbhujxgjbv
But this is really strange, news like this with 186 pts atm is on 3rd page.
Before it are news with 2pts. This doesnt make any sense. Is it a coverup by
HN administration?

~~~
usr1106
I would not shout coverup.

But that's the problem of closed source rating algorithms
[https://news.ycombinator.com/item?id=21544537](https://news.ycombinator.com/item?id=21544537)

(not suggesting that HN would use contractors and blacklists, but generally
the discussion about the black magic happening)

------
twobat
As an user I feel that GDPR changed nothing. Google, Facebook and whatever
else tracks you to the bones did not change one bit (for me).

As a sys-admin, GDPR invented all sorts of jobs. Jobs well intended. But these
jobs are filled by people that are neither lawyers nor IT people. Whenever I
interact with them I feel like they just want to check some boxes that makes
the org compliant and go home. They don't enforce or apply GDPR, they enforce
those checkboxes.

* all of the above in my limited experience.

~~~
buboard
plus nobody can be sure whether they 're GDPR compliant. I bet facebook
thought so too.

~~~
Hamuko
Yeah, I bet they're all good boys and girls who couldn't have possibly
imagined that all of the secretive ways they go about collecting data could be
wrong.

------
VBprogrammer
Honestly, if this "loophole" is allowed to exist then the GDPR is not worth
the paper it is written on.

The idea that consent should be freely given is ludicrous if it can be
overridden by simply including it in a term in the terms and conditions.
Facebook could probably write that they can kill or castrate the user at any
time and most of their users wouldn't notice it (until the media picked it
up).

~~~
ComputerGuru
In the United States time and again legal precedent has been set and
reinforced that TOS is not a binding legal agreement but it’s somewhat of a
grey area just what it _actually_ is and what can and can’t be considered
“fair warning” for being there. The American courts don’t really place a
premium on privacy so that’s generally been summarily dispatched with and its
ramifications ignored, but other jurisdictions clearly don’t feel the same.

------
rock_hard
I don’t understand what’s so hard to understand about the fact that ads is
what pays for Facebook to exist?

It’s a key part of the offering! You get free access and get to see ads in
exchange. Others have tried other business models and failed...that’s how the
world works, the better offering wins!

If the problem people have is ads then just make all ads illegal and we can
move on. But trying to use GDPR as a lever is silly...it’s not what its
intended to do, as much as some people would like it to

~~~
xg15
IMO, ads should be made illegal, but that's not the point here. Facebook is
perfectly free to show ads to people, they are just not free to track people.
They are trying to use ads as a justification for tracking here, which is the
contested point.

And before you answer that ads without tracking don't pay the bills, that's
honestly Facebook's problem.

~~~
cmcd
The alternative to ads is subscription services, which already exist. If
people prefered subscription social media to ad based they would flock to
those, but they don't.

~~~
riversflow
“The alternative to indentured servitude is free labor, which already exists.
If people preferred free labor to indentured service, no one would sign a
service contract, but they do.”

-paraphrasing someone 300 years ago, probably.

Sometimes people pick things that are bad; that people choose something
doesn’t make it somehow good.

~~~
cmcd
Pretty extreme to compare FaceBook to indentured servitude, everyone is free
to leave FaceBook at any time and we know up front what their model is.

~~~
riversflow
Seems apt to me. Indentured servitude actually seemed reasonable to a lot of
people looking to move, you got expensive passage on a ship in exchange for
working for a set length of time. Facebook is a platform for social
manipulation, in a few hundred years I wouldn’t be at all surprised if we see
that social manipulation as a morally intolerable evil. The sort of
tracking/aggregating they do is a violation of privacy as extreme as
indentured service is on free will.

------
tcd
The GDPR is a failure anyway. US tech giants are still globbling up masses of
data even if the individual hasn't consented.

For example, the "contacts" permission should be disabled on OS's in the EU as
it's impossible to prove the user has constend to sharing that information,
yet Google launches an API in chrome to access the users contacts which
totally won't be abused.

Alternatively you can gobble up data and "accidentally leak" it through an
open MongoDB or AWS instance, will anyone go to jail? Unlikely, nobody really
cares.

I doubt Facebook is going to change its ways any time soon, they're simply too
big to fail at this point

~~~
mpweiher
GDPR enforcement is just beginning. The cases again the big guys have started
to be made, but haven't actually made it yet. When they do, things will get
interesting...right now we're in limbo...or more precisely in a Wile E. Coyote
moment.

I am keeping my popcorn ready.

