Hacker News new | past | comments | ask | show | jobs | submit login
Facebook's GDPR consent bypass reaches Austrian Supreme Court (noyb.eu)
252 points by input_sh on March 15, 2021 | hide | past | favorite | 107 comments

Ah yes. The yearly reminder to companies that TOS still don't supersede EU law and aren't a magical way to weasel out of regulation.

It's hard to sign away some consumer protections even with an actual, physical, signature - what makes companies think some legal mumbo jumbo that isn't worth its bytes on a drive will somehow do?

Weaseling around consumer protections in their TOS to give Facebook a blank check to fuck over consumers? Yeah courts will just love that one.

Yep, In Norway too there is a specific law that say consumers can't negotiate a worse deal than the actual consumer protection laws. This includes warranty and repairs too.

I guess EU have something similar since we adopt a lot of the laws from the directives.

AFAIK the laws dealing with a protection of rights almost always have such instruments implemented. You can't give up on the rights prescribed to you by the law as they're considered to constitute the bare minimum that's guaranteed to everyone.

Thats pretty standard in contract law in general. Ex: you cannot sign yourself into slavery, since slavery is illegal. Cant agree to work under min wage, etc

There's two sides to every deal though. You can't presume something is necessarily a worse deal just because on the other side you are asked to give up some right. You obviously must compare it to what you get in return. In the US you can waive much of your warranty rights with an "as is" purchase, for example. I think the important issue is whether it is clear to the customer or buried in fine print, which I do think is unacceptable.

> what makes companies think some legal mumbo jumbo that isn't worth its bytes on a drive will somehow do?

While they may "think" that officially I do not believe they do internally. Fact: Enforcement takes years. Fact: The fines are often tiny. Fact: They make billions while this goes through court. Conclusion: They have every bit of motivation to act dumb while raking in the money.

Yep. The whole thing reminds me of professional wrestling, with one person blatantly cheating, the entire public watching it happen, as the "referee" is pretending to be distracted by something else. So the public is going crazy, screaming at the ref to look over there, all agreeing to pretend the match isn't a scripted act performed by a single party.

And the entire public just stays, acting like they don't have something better to do.

...all the while, giving more time for lobbyists to harangue ministers for relaxation/rescinding of the regulations and (maybe this is just my cynicism causing me to see ghosts but) to push PR that is explicitly anti-regs

Until senior management and boards of directors are personally accountable for deliberate law-breaking it will be seen not just as a business expense but also a useful barrier to entry smaller competition.

"It was illegal. You knew it was illegal. Your claim of ignorance is not a defense because it was your job to know that so you can have a stretch of a few weeks in the slammer with a criminal record to go with that."

Yes caution needs to be taken not to overreach on the enforcement and sentencing just like it does for every single other fraud case.

So, letting them keep the earning is like letting a drug dealer keep the illicitly obtained earning--a criminal liability.

This will continue until the consequences ramp up to adequate levels. If the company is not threatening to leave the country over the law and paying "journalists" like Mike Masnick to complain about the law destroying the Internet as we know it, your law is too weak.

"... what makes companies think some legal mumbo jumbo that isn't worth its bytes on a drive will somehow do?"

Because in most cases it does (because the mumbo jumbo is never challenged). Users generally do not attempt to enforce their protections under the law against software or so-called "tech" companies. Unenforceable terms in EULAs and TOS can go unchallenged for decades. Schrems seems to be one of the very few users who is actually filing complaints.

This case is a reminder that the user is not the customer. According to this summary, Facebook is arguing it has a duty under contract to its customers (advertisers) and that provides Facebook with an exemption under the GDPR from having to provide its users with a choice whether to consent. Customers have contractual rights they can enforce against Facebook. Generally, users do not. That is intentional on the part of Facebook.

I still don't understand how a long TOS with a "click here to agree" passes legal muster. If I said here, "By reading this comment you agree I have a right to come into your house and eat all your food", any attempt I made to enforce that would be laughed out of court.

I don't think anyone would argue that it does pass legal muster; the problem is that these entities can get away with their behavior without appropriate enforcement for enough time that they are able to profit from their behaviors; the average contract writer seeking to eat all your food would not have enough time to profit from their contract before you would be able to enforce the law on them.

> I don't think anyone would argue that it does pass legal muster

As I read the article two lower courts in Austria do think the argument passes legal muster:

> The two lower Courts in Austria however took the view that is solely in Facebook's discretion to claim a term to be a "contract" or "consent". Consequently they saw no issue with Facebook's bypass, but also held that the matter needs clarification by the Supreme Courts.

Am I misunderstanding something?

For companies as large as Facebook, it must be economical to "bet" a relatively small sum of money on the long shot that they win the case.

That's what the GDPR tries to solve by not having a fixed amount for the fines, but allowing them to go upwards of 2% of revenue.

And this has yet to be enforced despite thousands of companies openly breaching it in bad faith.

I remember many people on Hacker News being appalled that it could go as high as 2% of global revenue, and that others here pointed out that 2% global revenue was merely the maximum, and that most fines — especially the initial ones or for relatively minor breaches — would be much lower.

> this has yet to be enforced

You are misinformed.


That link gets posted all the time and yet the web is still littered with non-compliant consent flows, so whatever fines there are, they aren’t enough.

allowing them to go upwards of 2% of revenue.

When it's a minimum of 25% of revenue, the companies will take notice.

Until then, it's just factored in like pencils and laptops and coffee: just another cost of doing business.

For severe breaches the maximum is actually €20 million or 4% of global revenue [1] whichever is higher.

For smaller breaches it is 2%.

[1] https://gdpr-info.eu/issues/fines-penalties/

Weaseling around consumer protections indeed. Seems like something corporation do often. Check out this documentary it is quite insightful (e.g. The U.S. Chamber of Commerce (not a United States government agency, but a lobbying group for businesses)


In this context, for people in the Netherlands - there is a 'class action' (well not really, we don't have those in the same way as in the US, but functionally equivalent) lawsuit against Facebook in order to get monetary compensation from Facebook for the time(s) they violated privacy laws. The first hearing will be on the 1st of April. Of course Facebook has been trying to delay this case, e.g. by claiming Dutch users should have asked for redress in Irish courts.

If you want to join (for free), see https://www.consumentenbond.nl/acties/facebook/aanmelden .

Even if I only ever get a single euro from that case, that euro will feel better than making 1000's from regular work, and if it's ever paid out, I'll take my children out to dinner from it (I suppose I'll have to chip in the difference myself so that we won't have to split one item off the McD's dollar menu...) to celebrate that not all hope is lost.

First time I have heard of this. I joined, thanks!

This news for me! Thank you for sharing :)

> Facebook now argues that it has a "duty to provide personalized advertisement" to the users, therefore, it does not need the user's consent to process his or her personal data.

That’s a bold move. Very user hostile. If users want personalized ads, then let them opt in.

I don't mind targeted ads, I mind targeting based on information I haven't explicitly given. I understand that since I joined a group for local mountainbikers, which is tagged that it is about "cycling", I can see ads for mountainbiking. They infer my interests from information I have given (age, groups, ...). That's fair game.

I do NOT want to see a mountainbike ad, ever, because I browsed a random retailer for mountainbikes, or wrote a message about a mountainbike to a friend on messenger, or because a friend of a friend bought a bike on fb marketplace etc etc.

Yes. I agree. I like targeted ads. Ads on electronic engineering or computer science are nice because I actually enjoy those things. But just because I looked at something as a possible present for someone doesn’t mean I want ads for weeks.

Facebook goes really far on this. It seems even pausing your scrolling for a few seconds more than usual is enough for them to think I’m interesting. I’m not. I’m just trying to figure out if I want to read this post or not.

Object to legitimate interest! ...I find cookie dialogs that have an on/off switch _and_ such a button very confusing, but it sounds like it was created for these kind of situations. IANAL.

No, they were created either out of a complete misunderstanding of the law, or as a way to try and weasel-word into being able to retain the information even when you do not consent. It's illegal.

Either you have a legitimate interest in the data (by which I mean you have to use the data in order to do what the user explicitly asked you to do), at which point you can process the data without asking for consent, or you don't, at which point you must ask for consent, and you must not alter/degrade the user experience if you do not get it.

Legitimate interest is not necessarily what the user wants you to do. Storing data e.g. for preventing fraud is also a kind of legitimate interest.

As a non-legal person I in all honesty can't understand why e.g. storing person's credit score is legitimate while storing their advertising profile isn't.

The “legitimate interest” lawful basis is required to be “balanced against the interest of the data subject to privacy.” (Paraphrased from memory)

So it’s not so much that storing their advertising profile isn’t a legitimate interest, it’s that users’ desire for privacy supersedes it.

(Not a lawyer, have read the GDPR.)

Well, I would argue a lot of people would desire to reset their credit score to default level, and it has much more profound impact on a person's life than some targeted ads.

The whole thing seems to be designed for arbitrary enforcement to me. The only positive thing is that people people start discussing the topic seriously, and companies start being explicit about what they are going to use with people's data.

Why can't we have a fixed preference in the browser? (The do-not-track header field failed, but it still seems like the best solution)

> If users want personalized ads, then let them opt in.

Let's be honest, if you're using Facebook you've basically agreed to personalised ads on some level. We all know their business model. Try convincing random joe that Facebook don't read their messages for ad purposes and you'll probably find most won't believe you.

With that being said, Facebook also knows if their users are given a choice most will choose not to get personalised ads. That's why they fight so hard againist any privacy move.

> if you're using Facebook you've basically agreed to personalised ads on some level

Yes, but no. Someone who joined Facebook in 2007 would have had very different expectations than someone joining in 2017. And there's a difference between "sure, send me personalized ads" and "sell everything you know about to me malicious actors"

if you're using Facebook you've basically agreed to personalised ads on some level

You don't have to join Facebook to be part of its data collection octopus.

> if you're using Facebook you've basically agreed to personalised ads on some level

The GDPR quite explicitly rejects the idea that this constitutes consent.

Actually, I believe it explictly includes this idea of consent. For example, they state that when you use a cart system you consent to the cookie because you knew it would be needed.

But my point was more about the basic idea that people know Facebook is data mining them and use it anyways therefore the idea that you haven't opt'd into it is a bit silly. I wasn't talking about the legal point of view.

Consent requires a positive opt-in [0] but there are conditions that permit use of cookies without consent [1]. It seems clear to me that it was written with the intent of excluding advertising cookies while allowing shopping baskets to work even without consent, as you say. Facebook is contesting that its use of cookies falls under the processing is necessary for a contract you have with the individual category, and so doesn't require consent. Of course, if that's the case, the GDPR is truly toothless regarding tracking cookies.

> my point was more about the basic idea that people know Facebook is data mining them and use it anyways therefore the idea that you haven't opt'd into it is a bit silly

Another relevant point here is that we seem to keep focusing on cookies, but that's just a small part of the equation.

[0] https://ico.org.uk/for-organisations/guide-to-data-protectio...

[1] https://ico.org.uk/for-organisations/guide-to-data-protectio...

The GDPR doesn’t discuss cookies, IIRC. It discusses the collection and use of personally identifiable information. The cookie law is a different law.

You're right, got my wires crossed :P

It's not directly relevant, but regarding exceptions to the consent requirements of the cookie law, apparently there are two: [0][1]

> - the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network

> - the cookie is strictly necessary to provide an ‘information society service’ (eg a service over the internet) requested by the subscriber or user. Note that it must be essential to fulfil their request – cookies that are helpful or convenient but not essential, or that are only essential for your own purposes, will still require consent.

Unlike the GDPR, there's no necessary for the performance of a contract exemption.

[0] https://en.wikipedia.org/wiki/HTTP_cookie#EU_cookie_directiv...

[1] https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a...

Just a nit pick, its not at the supreme court, its at the highest court (Oberster Gerichtshof), the court below the supreme court, the Verfassungsgerichtshof.

Its confusing, I know.

That's patently false. The Austrian judiciary is divided into general courts and courts of public law. The "Oberster Gerichtshof" is not "below" the supreme court, it's the highest court of a different branch.

Framing targeted ads as contractual obligations to the user is pretty absurd, but I wonder if explicitly stating that being tracked is user's payment for the service can work. I've seen a couple of news websites doing that - you have to either agree to be tracked or subscribe to the paid plan.

> I've seen a couple of news websites doing that - you have to either agree to be tracked or subscribe to the paid plan.

Do you have to agree to be tracked? Or agree to be served ads? Because there are plenty of paid services where you're promised no ads (and indeed aren't served any ads) and yet are tracked to the same extent as the free users. I don't think I've come across any services that allow you to pay not to be tracked. Only those that allow you to pay to avoid ads. It's frustrating because it's not the ads I have a problem with - it's the stalking.

I've just checked German zeit.de. They promise less ads and no tracking to paid users. Not sure how much do they stick to this promise.

Legal staffing is expensive. Please donate to the organisation NOYB so that Schrems and friends can continue the good fight.



I was not aware that there is actually something being done against some of the giants who think they stand above the law. It's going to be a test whether GDPR is worth its salt. If it can be bypassed by that simple T&C trick, then it's just has been another expensive waste of time. I have a feeling they will allow that as otherwise Facebook's predatory business model will make no sense until they find a way to trick users into consent. Given that people are just clicking the boxes without reading now, this could work...

Look at https://www.enforcementtracker.com/.

Sort by fines desc :)

Do you know what is done with the money from these fines? Does it merely fund the enforcement teams (seems excessive), or is it put into some EU “general fund”?

FB has a global revenue of ~$86B. Of which 4% is $3.44B. That would make a real mark on the budgets of the poorer half of EU countries.

I wonder why there aren't more enforcement actions...

It's a simple math - how many people are responsible for processing such case? 10-100? So let's say it is 100 people. You only need like 100,000,000 EUR to make it go away by giving each one a 1M. Even if those people go for early retirement and new staff takes on the case, you can repeat this. Even if it happens every year you can do it for 34 years before the money exceeds the potential fine and meanwhile you'll make much more money as it gets pushed back. In reality you probably need to buy top 5-10 people so they can keep pushing it back while being set for life.

This doesn't answer the question "does the money just sit in an escrow account forever or is it eventually spent somehow?"

Generally they go into the coffers of the treasury of the country that issued the fine. This may be further directed to the EU but probably not.

That's an interesting question. I do not know the answer.

Some companies will never learn. Search for Vodafone, for example.

Wonderful, thanks!

Now we are talking :-)

A drop in the ocean.

Indeed. The regulation allows for pretty stiff fines I believe, so with fines this small for companies whose entire business model is persanal data (e.g. Google and Facebook but not an airline or retail chain) the math should be "How large should the fine be in order for it to cost MORE for this company, than actually complying".

Complying with the GDPR isn't "free". It's like these companies belive "oh we can't possibly comply with that because it would hurt our bottom line!".

Give it some time. H&M got a €35mio fine in November 2020 for a document from 2014 stored in a network drive that contained employees personal data. If you do not comply, the more you wait the more risky that becomes.

Indeed, this will be important going forward. Living in EU, with local laws (denmark) being what they are. I hope the conclusion of this suit, will be similar to our laws that state: Any contract signed, that through its terms, makes you relinquish your state-afforded rights. Is by definition void.

Example of a void contract: When Buying a used car, Salesmen makes you sign a contract: "No warranty nor cancelation of contract possible after purchase".

Mmhhh, is it so strong?

I guess what is void is that specific clause. Otherwise, any vendor could include a clause saying "you relinquish some rights" just in the middle of the text and, after the fact, claim that the contract was void and require you to return an item (say, a car).

So, I guess you mean that specific clause?

In German law that would, as a default, actually make the whole contract void, yes. Many contracts therefore contain a clause that hedges against that situation (i.e. something like "if one or more of these items is found void, the rest still applies")

Specifically, the idea of a voided clause voiding the entire contract is sometimes a feature -- severability is not always desired. A simplistic example would be a contract with two clauses, one specifying that A sends B widgets, and the other specifying that B sends A money. You would not want those to clauses to be severable.

The legal term for this is "severability clause": https://en.wikipedia.org/wiki/Severability ("salvatorische Klausel" in German)

I believe this is how it typicaly works. At least the few laws I've read (Finnish law) voids the offending clauses, not the entire contract.

This specific case has a lot to do with Max Schrems & noyb pressing the issue to be litigated, he's a very engaged activist for privacy


You can't really trick them into consenting either as the law specifies you need a informed consent. Just having a flag in the database that the user ticked without knowing what they agreed to does not qualify.

I am referring to the fact that people click on the consent boxes without reading what they are agreeing to. I am not sure if informed consent is even possible at this stage. You can put all the details before the user and you will never know they read it. Maybe you could do a test to see if user read, memorised and understood, but still they can just click answers until it goes away.

> I have a feeling they will allow that as otherwise Facebook's predatory business model will make no sense until they find a way to trick users into consent

Luckily European courts don't really give a damn about Facebook or their business model.

It's not that European courts never play favorites with large companies, but Facebook isn't really known for paying a lot of taxes here and doesn't have many employees in Europe (at least an order of magnitude less than e.g. Volkswagen). Facebook is seen as a foreign company that doesn't know how to play by the rules, and was a major motivation for creating the GDPR in the first place.

I am wondering if a recent Apple announcement of a 1 bln investment in a Berlin tech-hub is so Apple can have a friendlier relationship with EU law.

Indeed. Working in research with human data, we spend a ton of time taking GDPR into account and it would be a huge disappointment to see a corp bypass that for profit when we for non profit research cannot.

I have a feeling that GDPR is actually mostly about giving tools to reign in the tech giants rather than stomping on the little guys.

So far there is no suggestion of an ulterior motive. GDPR is just there to protect the privacy of EU citizens and that's that.

>GDPR is just there to protect the privacy of EU citizens and that's that.

From what exactly? You'll see where I was going when you try to answer that simple question.

Because your answer will be -- tech giants.

From having their information processed/sold without their consent. There is nothing implicit in the regulation that targets "tech giants".

Nothing explicit* in the regulation -- but -- it IS the tech giants that egregiously guilty of:

>From having their information processed/sold without their consent.

The targeting of tech giants is implicit here.

Sure. That must be why the first fines were levied at a restaurant, a hospital and a bank.

Yes some of the tech giants are guilty of this. And some aren't. And also some non-giants are guilty of this. And some non-giants aren't. This is a possible kick in the nuts for Facebook and Google. It's not so much for Apple or Netflix, for example.

I don't think it's fair to make the grouping "tech giants " here. It's the "ad-giants". It's the companies whose business model is personal information. It's a small subset of the tech giants. In fact, much smaller adtech companies probably have a lot more to lose from GDPR than fb and google have.

Facebook, unlike a lot of online services, would still be able to target ads just because they know what people like without using any information people haven't consented to. A random news website on the other hand has to start showing me (a man) ads for women's clothing because news sites can't be as sure about my gender (or taste in fashion) as facebook is. So as weith so many things, I think the GDPR is just serving to reinforce the position of facebook, not the other way around.

No, the answer is "Anyone infringes on those rights."

It just so happens that some "Tech Giants" fit into that category.

>No, the answer is "Anyone infringes on those rights."

Nope a small American firm can infringe those rights and face zero consequences. A US Multinational with operations in Europe can't.

So implicitly -- bigger companies are targeted as they have more of a global footprint.

Since you can't read your own link:

>The second exception is for organizations with fewer than 250 employees. Small- and medium-sized enterprises (SMEs) are not totally exempt from the GDPR, but the regulation does free them from record-keeping obligations in most cases (see Article 30.5).

So "Tech Giants" are "anyone with >250 employees"..

That's a mighty tight clutch you have on those straws.

Your feeling is wrong. As linked in another comment, [1] is a list of GDPR fines. As you can see, plenty of non tech giants in there.

[1] https://www.enforcementtracker.com/

A fun fact is that no business likes additional regulatory overhead and risk, but larger companies are much more able to take on the costs associated with compliance.

It's very simple: you can not contract out of the law. So, assuming murder is illegal where you live, I can't contract you to murder me, even if I 100% agree that you should murder me and I pay you for it.

I love how people always create legal analogies that are the least relevant comparison to re-enforce a point that is not even universally true.

Facebook has a "duty to provide personalized advertisement". How heroic!

Facebook has a "duty to provide personalized advertisement". How heroic!

Perhaps the people at Facebook believe the oft-repeated HN meme about "Companies are required by law to maximize profit for shareholders!"

The tech bubble is like politics: If you tell a lie enough times, it becomes the truth.

yeah had to laugh at that one too. I can only imagine the ad guys at Facebook show up like soldiers on the Galactica everyday and Zuckerberg gives a 'so say we all speech' to get us our daily dose of advertisements

"duty to irritatingly and creepily pester you to buy things"

Ok one more thing - what about the Facebook customers who are blissfully ignorant to what's going on and they buy advertising knowing about privacy abuse? I think the customers should also be fined as they benefit just as Facebook benefits.

They might act unethically, but legally it's not their responsibility. They may not have the means to figure out whether FB is obeying the laws (after all, this is what the court is trying to figure out). They also may or may not have another viable choice.

They can indeed expect facebook to act legally.

Isn't what any accomplice would be saying? "I didn't know... I tought they are okay" despite all the fuss in the media... they still went for it.

Maybe. But the reason they would say it is because it can be a valid excuse, right? We fund the state and the justice system for a few very specific reasons. This is one of them.

Also, don't forget that FB is a (near) monopoly, so the advertisers depend on them just as much as the customers. Especially the small ones.

> I think the customers should also be fined as they benefit just as Facebook benefits.

This is legal matter, not a witch hunt.

A lot of people have been using Facebook ads so it is understandable that this direction will have a massive pushback from anyone who used them. But that means Facebook becomes a "fall guy" rather than justice being served.

Now this is gonna be expensive. And it very much shows why those stupid GDPR consent popups were worth it. (Let me quickly add that I do not like them either, but I'm fully aware that the UX for most of those are indeed the result of the companies operating the websites trying to side-step GDPR and force you into acceptance...)


What is the cost to the EU of standing up to FB? Why is this an invasion? How is the Australian clash of news monopolies remotely like Austria upholding the law? How is this criminal law enforcement?

You're not making much sense to me, tbh.

You're going to have a hard time comparing anything that doesn't involve death to the bad deeds of WWII Germany.

Don't put your hopes on Supreme Courts, they don't tend to really care about individual rights. It's all about politics and perceived public opinion. They just want to keep their power and fat salaries.

Applications are open for YC Winter 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact