Looking at the first page of your comment history, it seems a good third of your comments get downvoted. It may be wise to reread the HN guidelines:
It's disappointing, although not surprising, to know where HN's allegiances lie in this particular fight.
Many downvotes by GDPR haters???
Edit: s/at the moment/after 2 hours/
Facebook should be destroyed.
Think they're about to have a harsh encounter with spirit of the law & European thinking about privacy & consent though.
IANAL, but my impression of the US legal system vs various (continental) Europe legal systems is the former is completely engrossed with the letter of the law while the latter is much more focused on the spirit of the law.
If FB gets shafted in the process of discovering this fact of life, all the better.
The only reason that doesn't happen is either fear of FB or corruption.
Probably. They're the only big guys making a credible effort though. Russia/China won't be doing anything. US & associated lobbying basically IS big tech now.
...leaving just the EU.
I can’t make you sell your soul for subscribing to a service.
Just a title/deed system for souls would suffice. Since there's not a legal framework around the ownership of souls, I'm sure we could encourage its creation by starting a marketplace. Ultimately, however, I suspect 'soul' will finally be defined as "existing, being, with current human perceptions of free will" or somesuch and we will no longer have the ability to sell our souls for the licensing benefits of a product or service.
It's great that this is happening in front of an Austrian court, because the Austrian Data Protection Agency already has ruled on consent issues, and in those rulings was (IMO) extremely strict on when consent was given freely. In one ToS challenge, the mere potential for confusion was enough to render it invalid.
Edit: Here's one such ruling. Co-mingling checkboxes for processing of data for marketing purposes with actual contractual clauses was ruled as a violation of the GDPR, even though by default, the checkboxes were unchecked. The Agency ruled that the confusing nature of the form could lead subjects to believe that they had to check a checkbox to receive the service.
Also, another relevant local case would be with a popular national newspaper, DerStandard.at. That newspaper offers access in two ways: either (a) you pay for a subscription and receive the service ad-free, or (b) you access the service for free, but consent to receiving ads. This was deemed in compliance with the GDPR, but it was stated that only offering (b) -- ie, exactly what Facebook does -- would not hold up.
A contract also needs consent. This contract is clearly entered only because Facebook is making it a condition of using the service, and this type of coupling is prohibited.
The contract is entered when a user registers at Facebook. However Facebook seems to disagree about what the contract involves. Any sane person (well, 96% of them, as the article claims) would say that the contract is for delivery of means to communicate with other people; Facebook seems to argue that the contract is for delivery of personalized ads.
> Europe’s strict privacy laws
actually it's EU's privacy regulation
> Facebook openly admitted that it has been collecting and processing data without users’ consent
They said that they've been collecting WITH consent, at least with their definition of consent
> To prove that no one ordered advertising from Facebook, we conducted a neutral study by the Austrian Gallup Institute. The result is devastating for Facebook: Only 4% of users want advertising,
... And I bet only 4% want to pay taxes too. Polls are not legal documents. Also, "wanted advertising" is very different from "accepted advertising as part of the terms"
> Facebook does not give users a full copy of all their data
I believe Facebook does give all their personal data, but maybe they are looking for derived data that Facebook has stored for them? That's not personal data and it can be particularly tricky if it has been combined with other people's data, for example to train a neural net
In any case, I don't think Facebook cares too much anymore and will just pay another yearly fine for operating in the EU. Even if FB asks for consent in every second page, people will click yes.
You argue they are regulations? European Regulations are law. European Directives and Regulation are the two main legislative
They argue users are using Facebook because they want advertising, their primary usage is advertising and for that advertisement they consent to share their data. That's so ridiculous it is funny.
And no, FB does not give all the data, the definition of what data is in the regulation.
Both FB and their Privacy Director are not looking good.
> European Regulations are law.
Regulations have to be implemented and integrated into each country's laws. Countries may not have yet implemented GDPR
> their primary usage is advertising
I don't see where FB claimed that advertising is primary usage and others are secondary. I can infer from the text that they parceled as part of the "service promise"
> FB does not give all the data, the definition of what data
Facebook says they are GDPR compliant and I doubt they'd say that without the consultation of at least one EU data authority (perhaps the Irish?).
This is 100% wrong.
Of course they'll say they're compliant. They have to to be able to operate. But they are not. They are operating illegally within the EU and they should be shut down.
I am sorry buboard, I don't know whether you are affiliated with FB, but that's not just how it works. They indeed, just claim it. That's why you pay for General Counsel.
The GDPR (which is not the only EU privacy law) is fairly described as a “law”, “regulation” is just the formal EU law term for a directly-applicable primary legislative act, which is a kind of law. If you're complaining about the “EU” part, well, the GDPR applies in some non-EU countries too (e.g. in the EEA).
> They said that they've been collecting WITH consent, at least with their definition of consent
Some data is collected with ostensible consent, some without, and there's still processing to deal with.
> And I bet only 4% want to pay taxes too. Polls are not legal documents. Also, "wanted advertising" is very different from "accepted advertising as part of the terms"
Sure, but the GDPR also means you can't forcibly bundle consents together. You need to separately consent to invasive use of data for advertising versus provision of the basic service.
> I believe Facebook does give all their personal data
Did this recently change? I seem to recall that Facebook are known for not providing e.g. the data they've got from you browsing other sites with FB cookies unless you went via some difficult legal route.
details, but they are not claiming that data collection is without consent. they claim that they need a separate consent to use that data to show personalized ads
> you can't forcibly bundle consents together
Yeah that is true. still, making an online poll about what people want in general is a ridiculous way to nullify an agreed contract
> you browsing other sites with FB cookies
that would depend on whether these are personally identifying or personal data in general
In practice for Facebook the attraction for their ads platform is precisely that you can target fine grained demographics. So I'm not sure if Facebook can do anything here without a drop in revenue.
Probably not, but that's kind of the point: Some things may make you money, but we do not allow you to do them. Find another way to make money.
GDPR is not different from other laws forbidding lucrative, but scummy, things.
A vast majority of political prosecutions for online extremism in Russia were carried out using info that VK subserviently provided to police and special services.
As for access, I assume there are server farms in quite a few countries looking for all kinds of patterns in chats. Until E2E encryption becomes extensively spread, it's a joke to pretend there's some kind of user privacy
Time to push the amounts up. 2% of worldwide annual revenue per infraction (e.g. per user) should start to add up after a while.
Whichever European social network replaces them.
Facebook is a freak social network considering how long it has survived. People used to migrate every one to two years.
GDPR makes it very difficult to touch users' private data for commercial purposes. That's the whole business of a SN so this is kind of precluded
If we start from scratch without all that it would be possible to make a profitable social network for a couple of bucks per month per user (or a tiered system, so heavy users or “influencers” would pay more while the base tier remains free).
They won't of course, because it leaves the market open for grabs.
Due to trade agreements US companies have to follow EU law, for EU citizens, even if those companies don't have a presence in the EU.
In other words Facebook would have to block EU users.
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes.
When the processing has multiple purposes, consent should be given for all of them.
If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
But that's the problem of closed source rating algorithms
(not suggesting that HN would use contractors and blacklists, but generally the discussion about the black magic happening)
As a sys-admin, GDPR invented all sorts of jobs. Jobs well intended. But these jobs are filled by people that are neither lawyers nor IT people. Whenever I interact with them I feel like they just want to check some boxes that make the org compliant and go home. They don't enforce or apply GDPR, they enforce those checkboxes.
* all of the above in my limited experience.
The idea that consent should be freely given is ludicrous if it can be overridden by simply including it in a term in the terms and conditions. Facebook could probably write that they can kill or castrate the user at any time and most of their users wouldn't notice it (until the media picked it up).
It’s a key part of the offering! You get free access and get to see ads in exchange. Others have tried other business models and failed...that’s how the world works, the better offering wins!
If the problem people have is ads then just make all ads illegal and we can move on. But trying to use GDPR as a lever is silly...it’s not what it’s intended to do, as much as some people would like it to.
And before you answer that ads without tracking don't pay the bills, that's honestly Facebook's problem.
There's a big difference between massive companies seeking to keep their brand in your mind and small businesses trying to let you know they even exist.
But how do you ban one without banning both? It's a complicated issue.
If consumers knew the perfect good or service that they wanted to buy and exactly whom to buy it from, there wouldn't be a need for advertising. As it is now, information asymmetry creates a demand for advertising, so until people know everything about every market, you're going to have ads.
-paraphrasing someone 300 years ago, probably.
Sometimes people pick things that are bad; that people choose something doesn’t make it somehow good.
Maybe that lack of long-term feature is endemic to the capitalist system/environment, because decade-long growth usually isn't allowed to sacrifice short-term growth. I couldn't imagine a private company like Valve Software making the same decisions.
FB is free because they can pay for it with personalized ads. I doubt generic ads would fund the site as it stands today.
FB does not have some sort of right-to-exist. Beyond that, if FB goes out of business completely, the world is arguably improved.
I haven't used FB in years, but even I know that if FB didn't exist that another service would fill the gap in the market. The problem is FB plays fast and loose with privacy and security, which should be the focus of criticism for FB, since that negatively affects users. If FB didn't exist, you still run the risk of another player making the exact same mistakes.
Yes, but I do still see people give the "just don't use Facebook then" argument on every post about this on HN, as if we should just ignore all the problems. Under this insane framework any horrible behavior by a company towards their customers is justified as long as you use their products willingly.
This also ignores the massive existing adoption Facebook has. If I want to switch to twitter or mastodon or $otherSocialNetwork I have to convince everyone I communicate with on Facebook to switch too.
User demand is a necessary but not sufficient condition for a business to exist.
Existing legality is not necessarily a good cause to dictate if a business should exist or not, as for some markets the law tends to lag society (i.e. federal law and weed dispensaries). This discussion isn't really about legality anyways, it's about market demand.
Maybe that’s ok.
It's not hard to understand. Everybody knows this is the case. But that excuses nothing.
Also, it's only the case because that's the business model Facebook chose. They could choose a different one.
> You get free access and get to see ads in exchange.
I love how you say that as if it's the ads that are the major issue (it's not, it's the tracking), and as if seeing ads is some sort of benefit.
> If the problem people have is ads
Again, the problem isn't the ads, it's the spying.
If ads that work without spying on users don’t pay enough to pay their data center bills then they should shut them down. I’m more than happy to vote for politicians that ensure this. I’m not comfortable saying “I’ll just not use services from companies X and Y because they use shady ads”.
Uh, no, they haven't. YOU are responsible for visiting websites and using their services under terms and conditions you agreed to. YOU are responsible for and capable of not using sites you do not agree with. You are getting a service in exchange for being tracked and shown ads. If you don't like it, delete your account, or fix your damn /etc/hosts file to block the (admittedly overwhelming) number of domains FB uses for these purposes.
However, 90+% of the time, they're not.
That they use fine print or dense legalese doesn't invalidate the fact that it was there for the end-user to read and agree or disagree with. I find that most "ordinary non-lawyer" people can understand these policies if they take the time to actually read them. They're verbose, not arcane.
I find exactly the opposite.
> They're verbose, not arcane.
The problem is that people aren't lawyers and don't read them with a lawyer's eye. This frequently leads people to think that the terms are saying things that they aren't saying (by design). People tend to think that these policies are more favorable to the user than they actually are.
Isn’t that what I did when my elected representatives pushed GDPR through though?
The reason there are so few successful services with sensible advertising is simple: it’s too easy to fool people into accepting terrible ads that pay more.
I don’t think users should be expected to know how to edit their hosts file to preserve their integrity. Nor do I think they can be expected to read the ToS (get real).
I want regulation to ensure that idiots cannot agree to ToS that endanger their information or integrity. The GDPR and similar laws, if properly enforced, go a long way towards that. I especially like the idea that access to the service can’t be conditioned on data collection.
Ok, that's fair.
> Nor do I think they can be expected to read the ToS (get real).
I am being real. ToS and Privacy Policies can be, and often are, legally binding. Do I expect people to read them? No. Are they legally subject to whatever they agreed to, regardless of whether or not they actually read it? Yes. The user agreed to the contract. They clicked the damn button. They can deal with the consequences of their haste and/or stupidity.
> I want regulation to ensure that idiots cannot agree to ToS that endanger their information or integrity.
That's a bit different than what you originally wrote, which seemed to be less like a desire for regulation to address this and more like a desire for a new ToS between FB and you, a singular end-user.
FWIW, I'm also a proponent of the GDPR and CCPA. But I also don't think people can just scot-free break or circumvent contracts they agreed to. Where is the personal accountability for the user? It can't just _not_ exist.
I think most people understand that ads pay for Facebook. But so what? I don't see how it changes anything.
GDPR should be used for exactly this purpose - it is a protection against companies collecting and using personal data in this way. Facebook has the choice to show ads, just not personalised ones. What is specifically being argued about is that Facebook tried to claim ads were a contractual service (thus exempting them from rules on personal data) - but transparently they aren't.
And if Facebook can't survive in a future where it is forced to respect personal privacy, then may its death be ever sooner.
User choice has no bearing on the issue. The activity is either legal or not, and it should not be legal.
And yet Facebook is not alone doing this. While almost all the medium and small sized sites ask for consent nowadays the big players just seem to be immune. My go to example is spiegel.de which is one of Germany's largest newspapers. Full of trackers, full of personalized ads and I have never seen them asking for my consent.
While advertising is not illegal under the GDPR, collecting an individual's data for marketing or advertising purposes without a "basis" (as defined in the GDPR) is.
The plaintiff is arguing about data privacy, whereas Facebook's lawyer is playing the advertising card as a counter.
The plaintiff is unhappy about the way Facebook uses personal data, while Facebook is arguing they have a legal basis for processing data for personalised advertising purposes in order to fulfil a contract which it entered into with the users (which is a basis in the GDPR).
User: "hey Facebook where's the personalised ads you promised me?"
Facebook: "that clause was found to be illegal, and we have notified you that it is unenforceable by either party."
To phrase my question in another way, would that contract still need to be fulfilled, if they are blocked by GDPR from collecting the data they would need to fulfill it?
For example, the "contacts" permission should be disabled on OS's in the EU as it's impossible to prove the user has consented to sharing that information, yet Google launches an API in Chrome to access the user's contacts which totally won't be abused.
Alternatively you can gobble up data and "accidentally leak" it through an open MongoDB or AWS instance, will anyone go to jail? Unlikely, nobody really cares.
I doubt Facebook is going to change its ways any time soon, they're simply too big to fail at this point
I am keeping my popcorn ready.