I don't see how shadow profiles can be justified under GDPR and ePrivacy. If have identifiable information (just "some" ID will do, but also IP and various other fingerprints) then you need to allow for deletion/takeout/opt-out. Current strategy of implied consent ("if you're on this site you agree") is strictly not allowed.
It's not. Well, as long as the GDPR applies. So, if we assume there are a 5 billion profiles on fb (2 billion actual users, and everyone else that use the Web at least occasionally - I'm not sure if 5 billion total is a bit high) - compliance with GDPR would render some 100s million high value profiles illegal. Applying the GDPR to the remaining profiles would require an entirely new business model for Facebook.
And that's not even getting into logs or backups, which will probably be a problem to delete from for smaller companies (since I'm assuming that facebook couldn't keep logs or backups for 30 days since that would be massive)
That's not true in the UK, there's no ID card here. IMO it's quite a nuisance, for example you need to always bring 2 documents to verify your identity and address for a variety of situations (opening a bank account, even opening a new savings account at the SAME bank, renting a new place, new job, mortgage, requesting information from the government).
Don't get me started on the UK and the ID card. It's stupidity at the highest level. There is a de-facto "ID", your national insurance number (like a social security number). Except it has no ID features, and cannot be changed. So much, much worse than an ID card. As far as practical ID for bars/clubs, people usually just use a driving license, or are forced to use a passport. Complete idiocy.
(However to get back onto topic, most people in the UK will have a passport, otherwise they should have a NINo allocated at birth. For the people who have neither, the GDPR is the least of their worries.)
Fun fact, in Lithuania people are allocated personal number (similar to NINo?) on birth. ID and/or passport is mandatory regardless.
However, personal number is not guaranteed to be unique because of how it's issued. We have funny stories once in a while when people with similar (or even identical) names happen to have same personal number. A photocopy of ID in important governmental or banking actions.
Regarding "they got the users’ permission initially" this is true for the users that signed up for it, not anybody in their social graph. GDPR treats data about a user as data belonging to this user. Those people have definitely not consented to having their data mined for this use case.
Next (as I understand) the consent was for research purposes, not for the CA targeting. So under GDPR Cambridge Analytica could be fined 4% of global revenue or €20M - whichever is HIGHER [1]
Looking forward to May (when GDPR officially comes into force). Provided that it doesn't end up like the cookie law (and there are explicit provisions in GDPR and ePrivacy to avoid that) this might shake up the ad industry:
* Explicit consent for non-essential data use, you always need to provide opt-out without degrading the service
* Opt-in/out separately for every activity (no more "research purposes")
* Data deletion and takeout. Maybe in the future EU will also introduce some standards for the takeout, which will allow us to migrate between services much easier (as we now can switch between banks or telcos in a semi-automatic way)
What we are seeing is that the ad providers are considering themselves "controllers" under the GDPR and the tracking of device ad identifiers as critical to their business. Hence, their plan is to inform of the collection via a privacy policy but not to offer users the opportunity to affirmatively consent to allowing their advertising ID to be tracked. It's dispiriting.
I'm pretty sure that this kind of behavior will be shot down by EU or Local courts. The GDPR contains parts where it explains what kind of reasons might lead to overriding of legitimate or critical interests.
If this is the case, I imagine a lot of profitable sites will be geo-banning EU users who don't subscribe to a payment plan as a non-profitable drain on resources.
Sounds like a good business model. Look at what US tech companies don't want to abide by EU law. Copy their app, but without all the privacy issues, make it free for all, incl EU. You already know what to copy, you don't need to do any research. Development and business risk is much less.
The GDPR does forbid hinging service quality/availability on consent
Although this is one of the areas where it seems some sort of challenge is inevitable. Requiring businesses to give people more control over data about them is one thing. Requiring businesses to do things that make no business sense, like providing services to people despite getting nothing in return, is something else entirely.
It doesn't forbid you to provide free service, to my understanding, you can charge for the service but you can't provide a worse free experience when a user opts out.
Additionally, this does not affect data that is necessary to operate the service. When you run a GPS tracker app then it is entirely okay to ask for the right to process someone's position as part of that contract (as long as you don't share it with a third party).
There doesn't seem to be any problem with either totally free or paid services. The potential problem is with business models that are free in financial terms but instead rely on some form of data or advertising for their source of revenue.
Personally, I value my privacy. I don't tend to use services like Facebook, mostly because I don't want to encourage that sort of perpetual surveillance or volunteer that much data about myself (or encourage my friends/family/colleagues to do so for me) to be used for purposes I don't fully understand.
On the other hand, apparently there are literally billions of people in the world who disagree with me. Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.
Requiring such a business to allow users more control over how data about them is being processed is one thing, and there are pros and cons that reasonable people can debate in that area. But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.
>But I'm not sure the EU has any moral/ethical right to dictate that business models that have supported highly successful businesses with literally unprecedented levels of popular support should no longer be viable, and the conditions we're talking about here look awfully close to allowing that.
I would say that being popular does not correlate with being good and moral. Being successful does not correlate with being good and moral either.
>Most people I know demonstrably are willing to give up some privacy in return for the convenience that Facebook provides to them.
The patient is not always right. A lot of people would give up privacy for facebook because in the faustian bargain, the short-term benefit outweighs the long-term consequences.
Hopefully it specifies opt in instead of opt out. I can't tell you how many things I've forgotten to do while being conscientious because it was just so out of the way.
GDPR wants absolutely undeniable consent including that if you give consent, the corporation involved has to keep proof that you consented. It is very much opt-in.
Can you elaborate on what you mean by "doesn't end up like the cookie law"? I'm an American and don't have much awareness of this other than I've noticed that sites in the EU like the Guardian tend to have annoying banners saying they use cookies at the bottom of their splash screens.
Basically EU wanted sites to obtain consent to use users' cookies (and for the users to give/take away that consent). However, pretty much all the sites just decided to provide you with a banner saying something like "if you're using this site you agree to our cookie policy". Therefore the law became ineffective and just a nuisance to the users.
This notion of "implied consent" is being actively fought with GDPR. You have to provide explicit consent to the usage of your data. And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service).
With ePrivacy this will go one step further. Right now you only need to provide opt-out, which means most people will likely leave it as it. Going forward those additional services (marketing purposes, ad tracking) will need to be strictly opt-in (and there's already internal research done in some companies showing that marketing/ad opt-in rates will be 10-12% at best).
But what's the alternative approach to the cookie law? A yes/no consent page before your site, and if you click no, the user doesn't get to access it? Because that's basically the same thing, but even more annoying.
If you click no, a single, non-tracking cookie (i.e. "optout=true", not a session ID) is set, and you get to use the parts of the web site that don't require cookies to function (which, for 99% of the cookie banners I've seen, is all I wanted).
Furthermore, if I remember correctly, no explicit consent is required where the cookie has to be used for features the user requested, like a shopping cart.
So, if the law was actually written to require what it was supposed to require, and actually enforced, a web site operator would have the options to either:
a) implement an opt-out globally across the entire site to ensure no part sets a cookie and doesn't track them, with a high risk if you get it wrong, annoy every visitor with a modal yes/no before letting them onto the site (which would hurt your conversion rates etc.), where the "no" would be a meaningful choice that would still let them use your site, and there would be very little incentive for the user to click yes
b) stop tracking users unnecessarily in general
As it is written, the options are:
a) implement an opt-out globally across the entire site to ensure that no part sets a cookie and doesn't track the users, with a high risk if you get it wrong
b) slap an annoying banner on your web site
One of these options is significantly less work and allows you to keep tracking users, so guess what gets done.
Which is why there is the "And more importantly you can revoke it (at any point) and the site can't deny or degrade the service (unless the data is strictly necessary for a specific action related to the service)." point - you're not allowed to deny access to a newspaper article if somebody does not consent.
You can only degrade when the users denial exactly relates to the function of the service.
I have history turned off in google maps. I can’t name the points I make, it tells me I need to turn history and tracking back on. I hope that becomes an unjustifiable degrade.
I may have understood wrong, but it seems to me that for your maps degrade, the tracking may relate very much to the function of the service. How is the server supposed to remember the name you gave to each point without tracking you? Remember, there are many round-trips to the server when you're scrolling and resizing a map. They could always move point-naming override client side, but that's a pretty big change.
If you're made aware of the terms and can choose to leave, that's pretty much consent. Do you sign a paper agreeing to all the terms when you enter a car park? Of course not! It's a class of contracts called contracts of adhesion. [0]
EU consumer rights specify many (types of) terms that are considered unfair in various common contracts, so if they're included in a standard form contract offered to consumers, they're automatically considered null and void. I.e. it's a general legal principle that because such contracts aren't negotiated, there's one-sided leverage, and certain classes of terms are inherently abusive to consumers, therefore even if a consumer "agrees" to them and signs a contract including these terms, they shall not be considered binding.
GDPR extends this concept also to consent for processing private data - there are some ways how that consent can be granted and received, but contracts of adhesion are not (will not be when GDPR comes in force) one of them. In particular, GDPR specifies that anything included in such a "take it or leave it" contract is not considered "freely given" consent and thus such a contract does not and can not give you any rights to use that data, no matter what is written there.
The cookie banner does not put me in a "take it or leave it" position. By the time I get to learn of the terms—by any reasonable definition a prerequisite for consent—the other party has already set a bunch of cookies.
You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.
There is currently no detailed description as to what the definition of "sufficiently" is. For example:
- can I use your data to build a targeting machine learning model?
- can I use it to target you?
- do I need specific opt-in for every model?
Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.
This is a corporate regulation, not a criminal case. When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws. I don't see why auditing for GDPR compliance should be different to auditing for VAT compliance.
> When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws
Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.
> This is a corporate regulation, not a criminal case.
Most of European constitutions don't limit this principle to criminal cases - actually most of the time it specifically says that it especially applies to interaction with government on top of criminal cases.
The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.
TL;DR: sites were obliged to provide information and ask for consent when using marketing cookies. That is, cookies required for the site to work (e.g. session) were fine, but tracking/analytics were not. Everyone started to show banners saying "we use cookies [OK] [what cookies?]", users just got used to clicking OK on them, and almost nobody has any clue what this was all about.
You could see the cookie law as a gentle request for Internet businesses to self-regulate and limit unnecessary tracking. It didn't work (I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit), so now GDPR is meant to force companies to stop their user-hostile data abuse.
I don't know of any case when businesses decided to self-regulate themselves out of potential extra profit
Hello. I have moral objections to excessive tracking, and none of my businesses use things like retargeting based on tracking pixels, even though this would almost certainly improve the conversion rates for our online ads significantly.
There, now you've seen a case where a business self-regulated out of potential extra profit in exactly this area. :-)
Explicit consent is the principle I'm most curious (and pessimistic) about. It's one of those things that are very easy to describe in everyday terms, but almost impossible for legal enforcement to work with.
There are rules about things banks have to inform you of, or pharmaceuticals. On the academic side, this can be effective. Disclosure and making information public. On the consumer side it is almost always disingenuous. Small print meticulously written by compliance officers and reviewed by regulators. No one seems capable of stepping back and asking "are consumers better informed."
When internet service X wants you to know your card is about to expire, they make sure that you are informed. When a regulator wants you to be informed about cookies.... we get small print, and a nag screen making us promise that we read it.
Its pretty easy: The law says, that you always have to set a willing action to opt in. There can be check-boxes, but they need to be unchecked by default ("privacy by default"). Simple. I have already received multiple communications from Banks and credit card companies, and they are all very explicit about it and it was very easy to see the choices and the effect of the law.
I guess I can't go forward without reiterating the argument, so I guess I'll stop. But, I think considering it easy is naive, considering the mountain of experience to the contrary.
At least in Italy, this has been the way it works for years. When I sign something privacy-related I get at least two boxes: one for the treatment of my information for functional purpose (that is, "we can't even take this paper back if you don't give us permission"), the other for research and marketing purposes (that is stuff not essential to the performance of the service). It's working quite well, in my case at least.
Note: the following questions are not because I'm trying to figure out how to work around GDPR. They are to help figure out just what the meaning of it is. Imagining hypotheticals that try to work around a law is a common method in legal circles for clarifying the law. My employer does not keep any data that would be problematic, and compliance looks like it will be pretty easy for us [1].
> Explicit consent for non-essential data use, [...]
This raises a bunch of questions. Anyone know the answer to any of these?
1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
> [...] you always need to provide opt-out without degrading the service
2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
On the paywall, it offers to waive the subscription fee if you consent to non-essential data use. If you either do not consent, or, after consenting later change your mind and opt-out, is it "degrading the service" if I no longer let you have access to the material behind the paywall?
3. In #2, does it matter if that's how my site works for people that I can identify as being the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say that are not, I set a cookie that records this, and they get my normal site, which only follows whatever data collection rules my country imposes.
If they say they are, I just send them to a page that says EU people are not allowed to use my site.
What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?
[1] In fact, most of the data we keep on EU customers is data that we don't even want to keep, but the EU is requiring us to keep it for VAT MOSS reporting. Before VAT MOSS, all our EU sales went through a UK entity, and we paid UK VAT on all of them, which required much less information for reporting.
>1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
If you use the data for bank transactions or paypal subscriptions it's essential.
If you sell the data for profit, it might be essential but it falls under "opt-in only" of the GDPR. So in this part; not essential in the above sense.
>2. Suppose my site is presented as a site that has basic and premium content. The premium content is behind a subscription paywall.
Subscription paywall is fine. What isn't fine is degrading the service if the user opts out of having trackers included in the website when they visit.
>3. In #2, does it matter if that's how my site works for people that I can identify as being the EU, but works different for people elsewhere (e.g., for people in the US it collects data on everyone and does not offer the option to pay)?
GDPR only applies when you target people currently in the EU (citizen or not) and EU citizens outside the EU.
>4. Suppose I just say "the hell with this...I don't want to deal with GDPR", and have my site ask first time visitors if they are in the EU or EU citizens.
If they say no, I would say that is okay to believe considering the GDPR also requires a "Are you 16" question. Ask a lawyer.
Where is this specified? It's not what I understood from Recital 23†; as far as I can tell, it applies if the business is established in the EU or if the user is in the EU, but not to EU citizens outside the EU (if the business is foreign).
I read your link, and I think it depends on what "being in" means in the phrase "data subjects who are in the [European] Union". It could refer either to physical location (as in "I am in Germany") or to membership (as in "Germany is in the EU"), or possibly to both. I would also expect it to refer to physical location after reading this, but I'm most definitely not a lawyer.
> What's the situation if someone inside the EU lies and tells me that they are not in the EU? Am I in violation of GDPR for keeping forbidden data on them, or does their lying to me count as consent?
I don’t know the answer (interesting idea though). One thought came to mind: If you do it this way, you can only monetise your EU customers indirectly. As soon as you bill them, you’ll probably need to capture their address info at which point you know for sure they are in the EU. Yes you could argue it’s a non-EU citizen using an EU address while not being physically within the EU at the point of the transaction, but I wouldn’t think that would get a free pass in court.
> 1. Suppose that the data is used to pay for keeping the site afloat? Does that make it essential?
IANAL, but intuitively, I'd say no.
In a technical sense, it's not essential: Even if your whole income is based on data reselling, your site wouldn't instantly become unusable the moment you can't collect any user data anymore. (Unless you deliberately make it so, but then that's your decision and not a technical necessity)
Yes, you will operate at a loss, but that is your problem as a business. It doesn't have anything to do with your ability to perform the service.
In a more general sense, basing your business model on data collection is your decision. There are other ways to make money on the internet. So if you have the option of finding other sources of funding, it's not "essential".
I will repeat my comment as you seem to be repeating the same argument.
It's not "consent" as understood by GPDR and ePrivacy. You had no recourse not to give it, therefore it was not willing and informed. Implied consent ("agree or leave") is not deemed sufficient by GDPR. According to the law you can't condition the service you're providing on collecting unrelated (to that service) data.
GDPR has been there for 2 years [1] and will start to be enforced come May. Facebook has a presence in the EU, since they're selling data about European users to European companies. Therefore they need to comply with European law.
Again, this is not deemed sufficient by GDPR. According to the law you can't condition the service you're providing on collecting unrelated (to that service) data.
The GDPR doesn't apply to US companies. While the FB has EU offices right now, they're there for convenience only. They can close them next month and stop caring about the EU law.
| they're there for convenience only. They can close them next month
Citation needed? Facebook gets revenue from their ad network, which is used by European business customers and targets European users. Therefore they need to comply with European law.