That article doesn't summarize the ruling very well. Here's a short tl;dr of the actual ruling[0]:
Part A: Privacy settings
- Facebook tried to claim that it is only subject to Irish law. Court disagrees since Facebook operates in Germany, so local law applies. [side note: this kind of confusion is exactly why the GDPR is needed]
- Law states that the imprint must be "easily" accessible. Court found this not to be the case (it took three clicks and was hidden behind a link called "explanation of your rights and duties").
- Law states that explicit, informed consent is necessary for the kind of data processing Facebook does. Facebook pointed users to the privacy settings page where all settings were enabled by default. Court found that this constitutes neither explicit nor informed consent - the settings would have to be opt-in, or the user needs to be explicitly informed about the full extent of how his data is used ("without any doubt").
Court explicitly states that presenting an opt-out after registration and login is not sufficient, especially if it is presented as an optional "privacy tour" that most users are going to ignore.
- Plaintiff stated that Facebook incorrectly claimed it was "free forever", when users were in fact incurring hidden costs by volunteering their personal data ["paying with their data"]. Court strongly disagrees - no money is changing hands, after all. They do recognize that there's a counterpart, but it's immaterial and as such does not constitute a "hidden cost". Court basically states that the meaning of "free" is not up to debate.
Part B: Terms of Use
- Terms of use state that the user "acknowledges" to have "read" the privacy policy during registration. This is invalid in two different ways - a mere "acknowledgment" is insufficient, since it puts the burden of proof on the user, and since parts of the privacy policy are invalid, the user can't legally agree to it in its entirety anyway.
Court explains that "read and understood" clauses like this one are invalid. Clearly, the user didn't actually read and understand the whole thing - but the language in the terms forces him to admit he did, which would disadvantage him by implying informed consent about everything in it when he didn't explicitly consent to anything.
- There's a clause in the ToU stating that the user "agrees to use his real name". This does not constitute informed consent since the user isn't properly informed - Facebook does not state why his real name is required and how it will be used.
The court states that it is questionable whether a real name policy is at all legal, underlining the need for proper consent due to the significant consequences of volunteering one's real name.
- Same for "agreeing that personal data is transferred to the US" - no explanation why data is transferred, what it will be used for or even what data is transferred. In addition to that, there's no indication which data protection standards are applied.
- Similar case for "agreeing that the profile picture is used [...] commercially": no informed consent since the user is not informed about the consequences.
... and a few more clauses where the court finds that no informed consent is given by the user due to very broad clauses with little explanation.
- It's OK to have the user agree that he's 13 years or older. Facebook cannot possibly check whether it's true, and the age doesn't matter anyway since the contract would be valid even if it weren't the case.
- Plaintiff complained about a few informational clauses in the privacy policy. Court rejected this since they weren't part of the terms of use due to their purely informational character (user isn't agreeing to anything).
This was a very interesting read. It is very clear that the courts take the requirement of "informed consent" very seriously, as they should. It is not enough to present the user with a 100+ page privacy policy and have him agree to it; they actually need to present it such that the user realizes what they're agreeing to.
> The court states that it is questionable whether a real name policy is at all legal, underlining the need for proper consent due to the significant consequences of volunteering one's real name.
That represents an amazing win for online privacy. And seems totally at odds with core Facebook policy.
I agree with your agreement and I think it is absolutely paramount that the actual summary and facts of this ruling be shown completely in each and every instance it is posted, then re-posted, around the e-world.
This feels like the type of article that's going to wind up being click-bait-ified like mad around social media and such to demonize Facebook's privacy policy (as it should) and a non-US / European Country's (Germany) honest look and ruling on it but it feels like it will just be more water under the bridge if the average reader / Facebook user will be at all confused or slightly missing the point while reading it.
> It is very clear that the courts take the requirement of "informed consent" very seriously
The modern understanding of "informed consent" came out of the Nuremberg trials. Not sure if the concept was strong in German law before that, or the German courts are now particularly interested for historical reasons, but it's not all that surprising that German courts would be keen on that.
> Facebook pointed users to the privacy settings page where all settings were enabled by default. Court found that this constitutes neither explicit nor informed consent - the settings would have to be opt-in, or the user needs to be explicitly informed about the full extent of how his data is used ("without any doubt").
I personally feel this is a particularly important concept with respect to digital rights.
> Court explains that "read and understood" clauses like this one are invalid. Clearly, the user didn't actually read and understood the whole thing - but the language in the terms forces him to admit he did, which would disadvantage him by implying informed consent about everything in it when he didn't explicitly consent to anything.
I wonder if that renders most terms used by modern services invalid since, again clearly, nobody reads those 100 page terms or even understands them - regardless if it's Facebook, iTunes, Google Mail or most other services. And if so, what kind of language and how many pages can we expect a user to read/understand?
> - It's OK to have the user agree that he's 13 years or older. Facebook cannot possibly check whether it's true, and the age doesn't matter anyway since the contract would be valid even if it weren't the case.
I suspect this clause is actually due to US law (COPPA).
Also, are kids allowed to agree to contracts in Germany? I believe that's not the case in the US.
As far as I know, kids can't sign contracts. They are not "geschäftsfähig" (business capable) until they are 18. Unless the parents explicitly agree to some contract.
Kids under 7 cannot enter into contracts at all. Kids between 7 and 18 can enter into contracts, either if those contracts are entirely without duties to them (e.g. they can accept gifts) or if their contractual duties are somewhat negligible (e.g. they can buy sweets from their pocket money) or their guardians agreed to them being able to enter into such contracts. All other contracts are provisionally void (?!, "schwebend unwirksam"), i.e. can become void as soon as their guardians disagree with the contract or can become fully valid once their guardians agree.
> Kids between 7 and 18 can enter into contracts, either if those contracts are entirely without duties to them (e.g. they can accept gifts)
Huh, that's interesting. I'm not familiar with German law, but in the Netherlands this would legally be simply not a contract at all. A contract (in the Netherlands) explicitly requires (actually is defined as such) that both parties have contractual duties, and a contract is the formalisation of the exchange of these ("this for that").
It makes a lot of sense too. If one party has no duties, they can't be held to the contract, so what's the use of even having one.
Teenagers can agree to contracts, but only in very limited terms. For example, they can buy food in a supermarket. Buying stuff in a store constitutes a contract.
When I said 'contract' without qualifier then I meant any form of legally binding agreement including sale contracts. A contract does not need to be written down.
Under 18 you are not able to form fully valid contracts in Germany. Period.
If you're under 13 any contract that exceeds reasonable monthly allowance is automatically invalid.
All other contracts are "floating/pending valid", i.e. valid until the parents agree. There is also a clause on 16 to 18 year old kids but IIRC it just shifts responsibility away from the parents more. A contract that is "floating/pending valid" is usually not a problem, it just means the parents can terminate the contract as if it never existed within reasonable bounds (if you bought something from the supermarket and ate it, your parents won't be able to get the money back).
Big respect for the German courts for not only having common sense but putting their foot down about it, making it explicit and taking it very seriously. I hope that many other countries follow its example.
It’s the same with the Banking sector...all those banking regulations are in place for a good reason, yet in sum they make it impossible to start a new bank and stifle competition/innovation.
There's also a whole bunch of very good reasons for not having one. We've had this discussion already a few years ago (so I don't really feel like rehashing the same arguments again, but you can easily look them up, IIRC it was about Google+ not Facebook, but the reasoning is exactly the same).
I can't really tell from your comment history if you're from the US or EU, but I'm going to guess the US.
Your view on what a platform's rights should be kind of implies there is supposed to be as little regulation as possible.
And the problem with that view is, if you ask people why they are still using FB, given the knowledge of what they do with user data and privacy, the most heard excuse is that they feel they have little choice to use an alternative!
If you add to that the consideration that it is in the very nature of social network effect that this choice will be diminished to a singular monopoly (a social network is not very useful if your friends/family aren't on it), then you have to admit that the power in "people's right to not use a platform" is absolutely miniscule compared to your desired "platforms right to do what they want".
And it is that very imbalance that regulations are intended to solve (or at least push somewhat towards fairness).
When someone in the street is speaking aloud, then you can't go to them and demand them to reveal their name, even if what is spoken is against the law. You can call the police and they can determine the name of the speaker. The internet is not a lawless place.
Wait until GDPR is in place in May and German and other EU courts will rule FB to death.
IDK how FB will ever be compliant with GDPR and survive the huge upcoming fines in the long term, or in the worst case the withdrawal from these markets.
The GDPR isn't actually as bad as people claim. The law is actually pretty reasonable. It is the result of years of discussion and deliberation. In fact, privacy watchdogs are complaining that it doesn't go far enough - it leaves plenty of holes.
Most of the GDPR is about informed consent, having a valid reason for processing personal data and individual rights.
Facebook will do just fine, they had years to prepare and an army of lawyers. It will force them to be more transparent, which is a good thing.
Many EU member states like Germany already had very similar laws in place (like the BDSG), the GDPR unifies and standardizes them.
How is the law reasonable? It's not even clear what is allowed under it and what isn't. The EU refuses to clarify anything, the only time any decision will be made is by courts, if there's an actual dispute in progress.
The rules are so vague that any firm could be argued to be in violation. And the EU acts as judge, jury and executioner. It looks like a way to tax the SV tech firms without needing a treaty change. After all there's no practical difference between a tax and a law that everyone is guaranteed to always be in violation of that has huge fines attached. The money all goes straight into EU central coffers.
> How is the law reasonable? It's not even clear what is allowed under it and what isn't. The EU refuses to clarify anything, the only time any decision will be made is by courts, if there's an actual dispute in progress.
How is that different from a US law like HIPAA? The structures of the law seem largely the same, in that they give you guidelines to follow, but provide no clarity about what specifically is required by it and what isn't.
Understanding HIPAA has largely come from companies doing their best to comply with their understanding, and clarifications tend to come from courts when there's an actual dispute in progress.
Then, the US (through its various district courts, circuit courts, the supreme court, and regulatory bodies) acts as the "judge, jury, and executioner".
HIPAA and other mega-regulations like them have the same problems. And they do cause people to just give up rather than deal with the risk. I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
But this specific thread is about EU social network privacy fines, not US healthcare privacy fines.
The US courts aren't quite the same. They're a lot more independent. The ECJ has a history of surprising things, like hearing cases where one of the appellants wasn't aware he was involved in a court case at all and both sides turned out to be the same law firm, or simply voiding parts of the treaties they found to be inconvenient to the EU, or inventing new 'rights' on the fly (legislating from the bench). Like the right to be forgotten, which was invented by the judges in response to a lawsuit and required massive responses similar to the creation of entirely new regulations.
The Supreme Court is generally much better about following the Constitution, not inventing new laws on the fly and ensuring the cases before them are actually legitimate.
> I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
As someone who worked extensively on HIPAA covered data and systems, there are only three options here.
Option 1) Mandate no data protection. This is how you end up with hidden security dumpster fires like Equifax, when public companies are involved (cost of security vs profit).
Option 2) Strictly mandate how companies must behave to be compliant. Example: DoD (I believe?). Legal requirements always lag technical best practices.
Option 3) Generally mandate what compliance results in. Example: HIPAA. Results in lack of clarity and legal challenges.
Of these options, I'll take (3) every time.
If a startup isn't willing to make a best effort to comply (which is specifically worded into HIPAA and substantially reduces penalties), then I'd rather they not be able to touch my health data anyway...
HIPAA (and PCI compliance) has done little to prevent 1) in practice, especially when balanced against the huge costs it has on industry and the 'hidden' cost of crippled innovation.
You can't measure the true cost of hundreds of thousands of projects and startups that were never realized because HIPAA scared them away...and this is stuff that would have saved billions in healthcare costs, improved the public's health, and supported research/processes that could save lives.
Saying it's only a dynamic between "profit vs security" completely downplays the utility of technical progress in health care. This isn't just about quarterly profits of large mega-corporations.
As someone who started off working in the health space I can assure you I personally gave up on multiple potential projects because of HIPAA. And know of countless others who have to in spaces that seem "crazy" no one has yet built software for.
And I say this as a complete paranoid hawk on information security and privacy rights...
I hear you that it makes things more difficult, but I think it's hard to overstate how terrible & uninterested conservative revenue stream businesses (e.g. insurance, utilities) are at keeping up with IT trends.
Based on what I saw in a couple of the top 5 largest insurance companies, these are IT departments that would be storing personal data in databases open to every employee of the organization, were there not a law discouraging them doing so.
Why?
Because IT isn't their business. That perspective is changing (gradually), but the resistance to anything aside from business as usual is staggering.
Sure, but the other side of the equation is an unknowable number of thousands of lost lives and billions of dollars, because of medical advances that were never made.
There are other important values than privacy in the world!
As a consumer, my view is: if a potential idea is abandoned out of fear of HIPAA then HIPAA is working and I am thankful that that idea went nowhere. Soon, s/HIPAA/GDPR
This. I am not a HIPAA expert or anything, but if a company is not making an effort to protect the data, they don't deserve to make money off of products touching that data.
> HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.
Good? This sounds like the law is doing what it's supposed to be doing - it's not enough to simply be smart, you have to also be sufficiently willing to pay attention to detail such that you don't accidentally design your systems in a way that leaks personal data. If you find this burdensome, maybe the world is better off if someone else develops it instead. (There are enough newly launched healthcare startups - Clover Health, Oscar, and One Medical all come to mind without even thinking - that I don't think that it's completely stifling innovation, which would be a different story.)
As a person who is much better at being smart than at being reliable and careful, I am totally okay being regulated out of this space - I don't trust myself not to just forget about something. I worry consciously about edge cases in my code because I know I won't worry about them subconsciously. If I want to go into this space, I imagine that I can just hire someone who's good at the regulatory part and willing to focus on getting that stuff right.
I don't understand this idea that smart people should be entitled to develop and market products in whatever way they want, simply because they're smart. I'm sure the Therac-25 programmers were very smart.
I've worked in the healthcare space. HIPAA doesn't scare enough people/companies away. Not by a long shot.
Sensitive personal medical info was routinely sent, by major companies, over insecure FTP or even plaintext email, on a regular basis.
Anyone who has ever had medical benefits at any point in their lives most likely has their benefit information, along with socials and more, sitting unencrypted in databases of a plethora of small companies/medical/insurance providers whose only concern for security is a mandatory HIPAA CYA compliance lecture every couple of years. The rest of the time they go about sending socials and PMI through plain text email or just leave shit on their desks for anyone to pick up.
The firms that HIPAA scares away aren't necessarily going to be the ones that have the most dubious security practices. They're going to be the ones that have a choice between business models that involve healthcare and ones that don't, and the ones that don't think they'd make enough money to justify the exposure.
Legislating from the bench is not a bad thing, to the extent it doesn't contradict a fully valid statute. Indeed, most law in the US is judicially created, and always has been, dating back to the English common law system from which we inherited ours.
American courts continue to create common law today. This happens less at the federal level only because the scope of federal common law is narrower.
I too have concerns over the breadth of the EU right to be forgotten, but not over the concept that a court could combine premises with a process of reasoning to arrive at such a conclusion.
The Supreme Court's focus on ensuring that the cases before it are actually legitimate is primarily for three reasons: keeping their workload manageable, deferring controversial decisions they don't actually need to make, and complying with the Case or Controversy Clause in the federal Constitution.
Notably, the Case or Controversy Clause does not bind the state courts. Whether they are willing to issue advisory opinions or perform other duties is a matter of state law.
If GDPR analogously has a chilling effect, reducing the proliferation of "social" products, I'd consider that a positive outcome. I don't really buy that any of these are "making the world a better place" as Zuck loves to say, though you might have a better case with the health products.
1) Despite the GDPR being a regulation, the national courts will decide first and only if appealed enough times will the ECJ decide as highest court.
2) The EU judiciary is based on the civil law system. In the US or UK or other common law countries, you have much more "legislating from the bench". In fact, most US laws are created by the judiciary.
>The rules are so vague that any firm could be argued to be in violation.
I think that's a good thing. So the law has to be interpreted by precedence set by the courts.
If the text is too specific you could have the opposite effect of companies weaseling through.
It is not a tax. It's pretty clear that the EU expects companies to treat private user data with respect. If your company cannot operate without exploiting this info, then maybe the world is better off without it anyway.
> I think that's a good thing. So the law has to be interpreted by precedence set by the courts.
Most EU countries follow civil law, and precedence has a much more limited role than in common law countries. So it actually matters that the statutes be written clearly.
Why have any law at all, by your logic? Just have a single law that says "Whatever we decide, is final" and make up all rulings and fines on the fly. No 'weaselling' is possible then. Only problem is, it's totalitarian. Nobody knows what is or is not allowed, there is no such thing as justice.
Law is meant to be precise. If it's not, then ignorance of the law does become an excuse and law loses its moral authority.
Unfortunately the EU does seem rather keen on laws so vague that they're impossible to understand - it's rule by law, not rule of law.
Somewhat ironically, as it's the--presumably soon without the UK--EU we're talking about, but you're basically objecting to a Common Law system. Admittedly, in modern times, there's a lot less practical distinction between civil and common law jurisdictions than there once was, but nonetheless common law is "the part of English law that is derived from custom and judicial precedent rather than statutes."
As mentioned in another reply, the actual laws will have to be implemented by the member states anyway. So the text for each country can vary and can be more specific.
As for your strawman that I somehow argued to abandon all law: I won't deal with that.
No, they actually won't. The Data Protection Directive needed to be implemented by national legislators into national law, but the GDPR is a regulation which means it is directly binding law.
Only a few technical, minor points need to be spelled out in national regulations or laws.
Each country (or state, in the case of Germany I believe) will have their own privacy commissioner with substantial leeway. Now technically these differences won't be implemented as laws, but there will be substantial differences between eg the French and the UK privacy regulators.
The GDPR also allows for individual states to strengthen its provisions, eg for genetic data.
That's true only if you regard the EU as a single entity. Laws made via the EU will be turned into national law, and independent judges will judge all cases, up to the EU high court. By the same right you could call the US judge, jury and executioner on all laws and rules made and enforced by the US government (FATCA anyone?)
No. That's not how the EU works. That's how a national government would work but not the EU.
The GDPR is not a directive so it does not have to be translated into national law. It is directly binding and applies immediately everywhere.
Fines have to be paid up front, before appeals are exhausted. Appeals can of course take years.
The EU courts have judges appointed by the same people who control the rest of the EU, and are ideologically aligned as such. They have a long history of legislating from the bench and making shocking and nonsensical decisions: consider the case where they simply voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK. The court simply decided it didn't like that bit of the treaty and so it did not apply. I do not regard the ECJ as a robust court. It will rule in whatever way is most favourable to the European project.
No, the enforcement is through the national "supervisory authorities" such as the ICO. Most of the enforcement process is through national courts and the ECJ is only for the final layer of appeal. This very article says "German Court rules ..."
> voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK.
[citation needed]; did you read this in the UK press?
In the section "Wasn’t the UK supposed to get an opt-out from EU human rights laws?"
The summary is, when the Treaty of Lisbon awarded the EU new human rights powers the UK and Poland negotiated an opt out which was written in the treaty. It was a part of convincing the UK government to accept the new treaty without granting a referendum on it, as they had previously promised.
The opt out is very clear, really as clear as lawyers can make such things. It says:
The charter does not extend the ability of the CJEU, or any court or tribunal of… the United Kingdom, to find that the laws, regulations or administrative provisions, practices or action of… the United Kingdom are inconsistent with the fundamental rights, freedoms and principles that it reaffirms
and
In particular, and for the avoidance of doubt, nothing in Title IV of the Charter creates justiciable rights applicable to Poland or the United Kingdom except in so far as Poland or the United Kingdom has provided for such rights in its national law
In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.
A few years later the ECJ decided that the opt out was meaningless and voided it, under a new interpretation that they claimed meant they'd actually always had these powers, and therefore the treaty did not "extend" them, and so the opt out didn't "work" despite its apparently clear wording. They then began overturning UK laws.
It's unclear why the treaty had anything new in it at all if the courts had always had these powers of course, but this is how things go in the EU - no matter how plainly something seems to be written, no matter how clear the assurances seem to be at the time, the moment it becomes politically inconvenient to the project the rules are tossed out under bizarre and kafkaesque re-interpretations.
Same thing happened to Ireland with corporation tax. They were promised the EU wouldn't interfere with their tax policies. Then the EU decided low taxes were "state aid" and awarded itself the power to control Irish tax policy. Nobody had previously interpreted the state aid clauses that way.
It's a decision that makes perfect sense if you read the preamble to the Charter (my emphasis):
> This Charter reaffirms [...] the rights as they result, in particular, from [various pre-existing sources].
The opt-out specifies that the Charter does not _extend_ the ability of the courts, but does not limit the powers that the ECJ already had prior to the implementation of the Charter. Even if the UK had a cast-iron opt-out (e.g. "The Charter, in its entirety, is not applicable to the UK, no rights are granted under it to UK citizens, and no court may refer to it in reaching a decision affecting the UK"), more or less the same results would likely be reached.
Also note Article 51(2): "The Charter does not extend the field of application of Union law beyond the powers of the Union or establish any new power or task for the Union, or modify powers and tasks as defined in the Treaties.". This is broadly similar to the UK/Polish opt-out, further suggesting that the Charter did not grant powers that the UK had not otherwise agreed to.
> In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.
It does not grant them _new_ abilities to do so, and the second statement only refers to a subset of the rights considered under the Charter.
> They were promised the EU wouldn't interfere with their tax policies
EU promised not to meddle as long as preferential treatment wasn't given. As in if Ireland gave the exact same tax deal to every company in Ireland then it would have been fine.
(the no preferential treatment in taxation bit is part of getting access to the single market)
The raison d'être of the EU is to unite, so I expect eventually all opt-outs to end or to become meaningless. Countries joining the project should have that in mind, and I think they all have and had, even if they're not talking too much about it.
>consider the case where they simply voided the UK's opt out of new human rights related legislation
Erm... you are aware that this case has nothing to do with the ECJ, but with the ECHR, which isn't even an institution of the EU, but of the Council of Europe*, which is an entity completely separate from (and older than) the EU.
* not to be confused with the European Council or the Council of the European Union. Yeah, it's a bit silly.
I think that this source suggests that this idea may have been a mis-representation by Michael Gove [0] during the course of a referendum (I was interested, as I wasn't aware of any such decision).
Then again, all's fair in love, war and referendums :)
Now, now, you make it sound like a single human actually endorses those three roles. Any state (or group of states) is judge, jury, and executioner. It also writes and dictates laws…
The real world is very complicated. As time goes on, there will be lots of court cases which set a precedent.
Even though I dislike em, I think the laws surrounding fair use and copyright are another example. Due to its nature, it's incredibly difficult to provide exhaustive guidelines.
As long as these large enterprises engage in a good faith attempt at complying with the law they shouldn't end up receiving huge fines.
> The GDPR isn't actually as bad as people claim. The law is actually pretty reasonable. It is the result of years of discussion and deliberation. In fact, privacy watchdogs are complaining that it doesn't go far enough - it leaves plenty of holes.
I'm feeling a huge cultural gap in the discussions in this thread.
Americans seem to have a different tolerance for privacy abuse and draw the line elsewhere.
And I suppose that's okay, live and let live etc. However, so far it's really been mainly US tech companies pushing their views on privacy (read: less of it) in the EU market (kind of poisoning the field for EU companies as well, because obviously you can make more profit that way).
I don't see the (EU) public making a huge fuss about EU businesses taken to court over privacy violations (which happens), because we see it as justice as usual.
Now that the EU(/Germany) pushes back against a huge US corporation (ok multinational, technically), it's considered really harsh, from a US point of view. Some arguments going even as far as attacking our legal system (which is a bit much, coming from the US, IMHO. Americans themselves flat out admit justice is a matter of financial resources and consider that justice as usual). Apparently we have different values.
Personally, I agree it doesn't go far enough even though I'm very happy with the German ruling and hope other countries will follow suit.
GDPR is reasonable. How Facebook handles user data is not.
I'm sure they'll mostly ignore the law at first, and if they get sued, they'll claim to have a legitimate interest [1], but that will be their strategy, because actually complying with the law voluntarily would likely cost them more.
And yes, especially Germany already had a very similar law in place, but Facebook did not actually need to keep to it most of the time, because they were operating from Ireland. GDPR does not care where you're operating from. The fines would have also not been much more than operational costs for Facebook (the highest fine placed in Germany for privacy violations so far is at 300,000€).
Ignoring the court order of which they were duly informed and which contains time to comply is a felony. Including a huge fine in this case, which will likely be calculated per German user. Think something closer to 30 M€.
With "ignore the law", I meant not (fully) implementing the requirements that the GDPR imposes. If a judge actually rules that they did not properly implement the GDPR requirements, then yeah, they will correct that.
But until someone sues them and that court case concludes, there's going to be a lot of time, in which they can probably make enough money by not properly implementing the GDPR requirements to easily recover however high that fine is in the end.
If somebody says "X has money and an army of lawyers" the implication is they are going to beat the case, Microsoft didn't, they were slapped with the largest fine ever at the time ($794 million USD). They are fine despite the inability of lawyers and prep time to deliver victory, not because of it. No guarantees FB will fare better (or worse).
They're not going to withdraw. Best-case scenario, they stay in the EU but stop abusing users' data there so much, but still make a profit. Worst-case scenario, they're able to weasel their way out of having to change anything.
The problem with the GDPR isn't that it is too far-reaching. The problem is that it isn't clear what companies have to do to comply with the new regulation.
Large companies will simply pay their lawyers to deal with this. Small companies basically will have to do their best and hope they don't get sued.
As I wrote already in another comment: all these regulations will end up doing is strengthen the market position of the established players and cripple any competition from new incumbents :(
It’s the end of an era...not too long ago anyone could compete with the big players...soon nobody will
given the feedback loop of social networks there wasn't much of a reason for viable competitors to emerge in the first place.
The lack of competitors here is structural, not everything is an issue of 'we must remove the red tape!' That would do nothing because nobody is voluntarily going to switch away from an established social network monopolist. It's a Nash equilibrium of sorts.
Myspace was pretty much dead the moment Facebook arrived. It's true that companies like Facebook can be replaced, but they almost never coexist or directly compete. Chat services usually split geographically. WeChat in China, WhatsApp outside of the US, Snapchat in the US.
Anecdotally I know very few people who simultaneously use multiple messenger apps or switch around a lot. (For the reason outlined in the post before, you lose your network).
> Facebook will do just fine, they had years to prepare and an army of lawyers.
They won't do fine. Don't want to go into details but their actual products/required architectures for their products just can't be GDPR compliant. And they didn't prepare anything. You confuse them with Google--they prepared GDPR but FB?
Btw, one of GDPR's key motivations was to take FB down.
A grandiose claim offering nothing better than "don't want to go into details" counts as unsubstantive and flamebait, two qualities that are deprecated here. In the future, could you please either make a comment like this substantive, or just not post?
Dang, no need to get aggressive. I was on mobile and had not the time to explain why all products around Facebook—which need to collect users' behavioural data to target ads etc.—can't ever get compliant with the strict GDPR. I guess you are not informed about GDPR. If you were, my prior message with a "don't want to go into details" would have been super clear.
So, this is a misunderstanding and again your aggressive tone is for somebody who is representing YC just sad.
Besides, thanks that you gave my profile more gravity when posting comments. Now my comments drop so quickly (first seconds after posting) and people with 0 karma move above me.
Without a citation, I doubt this claim and wonder if you have any personal investment in or relation to Facebook or a similar company whose profit is generated by selling or buying personal data.
No, but I have to comply with the GDPR. The first thing to understand about the GDPR is much of it is quite vague, and is essentially a framework for rule making for 30+ privacy regulators. See eg legitimate interests where you are supposed to conduct a balancing test between competing interests with very limited guidance on what a reasonable balancing test is. Second, these lazy morons haven't issued final guidance approximately three months out from the deadline. Now, there is some guidance, but there's no hard cap on the distance between working and final guidance. How they expect companies to comply with that is obvious: they don't, and will use the opportunity to fine them. The ICO has been quite explicit about this; I don't have quotes on this laptop but one of their senior staff basically said that grace periods are not part of their regulatory strategy. Grace periods are apparently only for the regulators. And that's the ICO, one of the more reasonable regulators! The French regulators, who aren't particularly reasonable, are no doubt anticipating the influx of cash.
So if you're a company that is relying on some mix of legitimate interests and consent to service your customers, market, and perform outbound, it's very difficult to understand what the rules are. And this is worse if you are an American company and therefore probably don't have a lead regulator and will have to attempt to comply with the (almost certainly) conflicting rules as decided upon by every privacy regulator instead of just one.
Much of the GDPR is quite reasonable (besides the DPOs, ie employment program for EU lawyers) -- privacy dashboards, the ability to delete data, SARs, etc. But it's wildly unreasonable to not have final regulations in place.
> Btw, one of GDPR's key motivation was to take FB down.
this all seems very similar to the new VAT scheme, in that it was designed to target a foreign giant (Amazon), which was barely affected as a result, and instead ended up hurting the competitiveness of the EU's own small businesses
the EU Commission's response to small business concerns about that new VAT scheme? "we'll allocate some time to talk about that in 5 years"
That's not entirely true - MOSS actually works quite well, and preparing a sales report grouped by country should be trivial no matter what infrastructure you're using.
No matter what infrastructure you're using? You won't believe how many payment systems out there are not very MOSS friendly. If you are a developer and cannot use VAT MOSS logic as e.g. a plugin you basically have to get the IP country code, add the country's VAT tax and adjust the payment plan. Yeah... all really really trivial if the payment system is not used to dynamic pricing for customers in different countries! I hope you see the irony. This is all very unpleasant for small businesses!
Do you have to actually change the retail price? The way we do it is to keep the price constant for the customer. If their country has a lower VAT rate, they have to pay more. I'm not sure most even know/care how much VAT they pay, but they do care about the total price - and this doesn't change no matter if you change IP/user VPN etc. It also removes any incentives to cheat.
Good comment. Actually this is what I'm doing... move the logic to the bookkeeping side and deal with less income e.g. in Hungary with 27% VAT. Nevertheless why do I have to do all this hassle when somebody who sells e.g. a hardcover (vs. ebook) does not need to do this when selling cross border and they only need to start thinking in this direction once they cross over 50 - 100,000 € in one country. Because I'm selling digital goods, it is much harder on my side.
This is all stupid if you sell a really small amount of digital goods online. It all starts with 1€ (and less) on an ebook and in comparison: on normal goods there is a threshold of roughly ~100,000€ depending on country sales.
Well, it's not that - before that law was introduced, you could simply ignore the country, since it's about digital downloads. If all you cared for was getting a payment, it was not unusual to have the transaction list in the form of e-mails. Now you need much more information.
A customer is entitled to an invoice and a full invoice requires an address. Most businesses that offer digital goods and services should have had that even before. All the people I know that were affected by the VAT changes certainly had all customer addresses.
This is wrong. You are not forced to give your whole address always to buy something, especially on digital goods. In fact e.g. giving only your payment information like your debit/visa card is actually enough for buying stuff legally online as a normal customer in EU (b2c).
previously when I had a new idea that I might be able to turn into a business I could form a limited liability company for about £10, try the idea out with essentially no paperwork at all
then if the idea panned out I could worry about the huge-pain-in-the-ass-that-is-VAT later
now with this regulation it's a problem once I've made my first sale to a non-domestic EU customer, and my agility goes through the floor
EU countries have gone from being fantastic places to start a digital services micro-company to being at best mediocre ones, all to try to stop Amazon avoiding VAT
utter madness: small companies started as side projects turn into the big ones, but apparently we no longer want that
> EU countries have gone from being fantastic places to start a digital services micro-company to being at best mediocre ones, all to try to stop Amazon avoiding VAT
Well, so how do we deal with Amazon avoiding VAT and still being fair to all players on the market, big and small?
the paperwork is a minor bureaucratic annoyance, it's not a significant problem
the significant problem is now the fact that I have to register for VAT domestically if I want to sell to people in other EU countries
before if my turnover was below ~£70,000 I paid no VAT at all due to the exemption (giving me a competitive edge vs. big companies with better economies of scale)
after the new regulations if I make any EU sales I have to either fill in VAT returns for each EU member state I've sold to (not feasible, that would be hundreds of VAT returns/year in many languages), or register for domestic VAT which will handle that for me, but kills my business model
the EU Commission doesn't see this as a significant problem, likely as it is a beneficiary of VAT (the VAT being an EU mandated tax)
That's not the hard part of the VAT rules. If it was just asking the user what country they're in and then submitting sales figures by country, that'd be easy.
There are two hard parts to what the EU did, for businesses.
The first is you have to charge variable VAT rates and remit the collected tax. However VAT rates do vary not only by country but in some cases within countries too, and they do change, so you have to make sure you have a really up to date list of tax rates and geographies where they apply. Including varying rates down to the city levels.
But the real kicker is that you can't trust the user's claim about where they are. Users are financially incentivised to lie about their location because these are digital downloads. So if they claim to live in a low VAT region they pay less, but download the same files. Simple as that.
As a consequence the VAT regulations have a LOT of complicated edge cases and "guidance" in them about how to figure out where the user really is, not where they say they are. This is hard of course, the user may be using VPNs and so on. There is specific guidance on how to handle users who are on ships sailing between VAT regions, or planes that are in the air when a purchase is made. So you've got a really complex pile of logic to start with, and then you're also in an adversarial situation where the users are all trying to screw you over by forging their location. And if they succeed, you can suffer big fines.
Oh and finally of course, you can't use any technical tricks to figure out where the user actually is, because then you'd violate EU privacy laws ... have fun with all of this! In practice it has to all be outsourced, it is too much work to implement in house for all but the largest of firms.
A while ago VAT rules for digital goods were changed. Before, the VAT of the country where the company was located applied, after the VAT of the customer's country. Amazon, Apple, ... exploited that by officially making the sale in a low-VAT country and pocketing the difference.
Many small businesses were concerned that they would have to register for VAT in all EU countries and deal with individual VAT laws, but the implementation for small businesses allows you to basically register at your home country's tax authority and provide them with a list of sales broken down by country. (MOSS in the UK, iirc) The initial hubbub has largely died down.
This is grossly simplified, but captures the gist. No tax advice, yadda, yadda.
my solution was to stop selling into the EU, though amusingly once the UK leaves the EU I'll be able to start again (by just ignoring the EU's VAT rules)
whereas this is from 2015. I was confused by language where you described it as a law to target Amazon. Now I see that was just an opinion.
> my solution was to stop selling into the EU
Interesting business decision. Was the cost of compliance that high, or was your revenue that trivial?
> though amusingly once the UK leaves the EU I'll be able to start again (by just ignoring the EU's VAT rules)
Well I was having a conversation with one of the UK's foremost VAT specialists on Friday, from one of the UK big 4 accountancy firms. He was very clear that the general opinion is that the UK will align with the EU for VAT. This was a response to my question about the catastrophic cashflow impact that losing the VAT rules on imports would have to UK businesses. He told me not to worry, as VAT alignment was simply a necessity.
> Interesting business decision. Was the cost of compliance that high, or was your revenue that trivial?
the cost of having to pay VAT on all of my UK REVENUES (digital services, remember!) would vastly dominate the PROFIT (not revenue) made from my EU sales
compliance wise, I'd rather not have to fill in VAT returns if it is optional (this is a side business, not my main employment)
> Well I was having a conversation with one of the UK's foremost VAT specialists on Friday, from one of the UK big 4 accountancy firms. He was very clear that the general opinion is that the UK will align with the EU for VAT.
well I'm glad his crystal ball is operating well... saying that I'm sure we will have a similar VAT after leaving (payable to our exchequer instead of the EU), but unless something radically changes the EU's laws won't be directly enforceable in the UK post-Brexit, and it's unlikely the UK will go out of its way to collect EU specific taxes for the EU's benefit
regardless, all of my "is EU VAT optional outside the EU?" discussion in this post and above is only an interesting thought experiment, it's not worth the possible consequences in practice (especially if your main worry is the lack of UK VAT free allowance like me... maybe if you're a large US based SaaS provider it's different)
I'm not sure you have that right. I don't professionally engage with MOSS so I will not give advice, but I professionally do work with VAT and handle some millions in VAT a year, so I am pretty familiar with the dreaded VAT guide. All quotes are from the aforementioned resource
> the cost of having to pay VAT
Presumably you mean the higher price from charging VAT
> on all of my UK REVENUES
"your UK sales will not be liable, unless they’re above the UK VAT registration thresholds". So it makes no difference to your UK revenues at all, you either had to register for VAT because your total revenue was over the threshold, or you didn't.
> I'd rather not have to fill in VAT returns if I don't have to
Wouldn't we all love to avoid administering taxation.
> well I'm glad his crystal ball is operating well.
I think it is rather more than a crystal ball when you are the UK VAT lead for a big 4. This means you get consulted on it by the government, get to sit in on meetings with them, and work with the biggest companies in the UK who will also be lobbying the government. I think you rather trivialise their positions when you assume they know the same amount as me and you.
>(payable to our exchequer instead of the EU)
When did you ever pay VAT to the EU? I pay all of my VAT to HMRC despite trading extensively across Europe. It is possible as a consumer that you paid VAT that was passed on by the supplier to one of the member states tax authorities, but under what circumstances could it be paid to the EU?
> it can claim jurisdiction all it wants, enforcing it is another matter
Not at all, the UK government will enforce on its behalf, as we will expect them to enforce on our behalf.
> but unless something radically changes the EU's laws won't apply to me in the UK after the process is complete
The UK is in the process of bringing all EU law into UK law (where it isn't already) with the strangely titled Great Repeal Bill. So EU law will apply to you. Also the government have committed to an open border in Northern Ireland as mandated by the Good-Friday agreement. This will require a customs union, and a joint body of oversight (like the European court). The government has further committed that Northern Ireland will have the exact same terms as the rest of the UK under its coalition deal with the DUP. Therefore the whole UK will be covered by that customs union. This is before we even discuss what EU oversight will be placed over a future trade deal with the EU. So whilst the government might bluster about what leaving the EU means, it is quite clear that its options are
a) stay in the customs union and therefore under EU law
b) Leave the customs union and violate the Good-Friday Agreement, whilst also breaking the coalition agreement and therefore bringing down the government.
I wonder against that backdrop how you think you are going to be outside of EU law? You seem to have a downer on the EU, if you don't mind me saying?
> I think it is rather more than a crystal ball when you are the UK VAT lead for a big 4. This means you get consulted on it by the government
given the cabinet doesn't seem to know what their objective is, this seems like a fantastical claim
> When did you ever pay VAT to the EU?
not directly, but that's why it exists and where (a chunk of) the money goes -- read about the history of the VAT, it used to form 40% of the EU's budget (down to about 14% these days)
> Not at all, the UK government will enforce on its behalf, as we will expect them to enforce on our behalf.
doesn't work like that in practice, once we're out HMRC isn't going to spend money chasing people for taxes due in Bulgaria, in the same way it doesn't chase people for taxes owed in Russia today
> The UK is in the process of bringing all EU law into UK law (where it isn't already) with the strangely titled Great Repeal Bill.
yes
> so EU law will apply to you.
no, at that point it will be UK law
> Also the government have committed to an open border in Northern Ireland as mandated by the Good-Friday agreement.
depends on what they mean by "open" -- regardless of that: there's nothing that prevents a customs border in the Good Friday Agreement (have a read, it's only about 10 pages long: [1])
> (various points based on the assumption that the government will commit absolutely to one policy voters don't care about and completely abandon all others)
the government has also committed to leaving the EU customs union and the single market
I agree that it's hard to see how both are possible, but politics is the art of the fudge
> I wonder against that backdrop how you think you are going to be outside of EU law?
I don't accept the premise or the conclusion -- b) doesn't violate the GFA[1] or the confidence and supply agreement[2] (not a coalition)
to be blunt: it seems like you're making things up
> You seem to have a downer on the EU, if you don't mind me saying?
why should I like it? if you're running a medium sized or big business it's fantastic (unless you're a large foreign business like Facebook, Amazon or Microsoft), but I'm trying to run a small business, and it seems like they're doing their best to kill me
hell, if in 5 years we're still subject to the ever increasing mountains of poorly thought out legislation written by morons, I suppose emigration is always an option
There is no legal way around ignoring EU VAT rules and selling to EU customers (no matter where you or your company is located). If you do business with EU end customers you have to comply with EU VAT rules. Just telling you how it works in theory.
This was quite a hit to small companies, because now they have to manage collecting and remitting taxes to every country their consumer customers reside in. Previously they only had to collect and remit taxes to their own home country.
The GDPR is beautiful and an example of the best outcomes democracy can produce. The winners are pretty much everyone. It's sad that the US can't implement public policy like this.
We'll have to wait a while before we know for sure, but one loser might be technology startups, especially European ones. As much talk as there has been about the effects of GDPR on huge companies, the fact is, they're not too concerned: they have enough lawyers to throw at the legal issues and enough engineers to throw at the technical issues. Smaller companies without these resources are going to see their lives get harder.
This is a pattern you see across a lot of regulation, even when perfectly well-intentioned: it tends to favor giant companies over smaller ones, because the big ones can devote lots of manpower to the complicated legal and technical challenges the regulation sets up. That might be a worthwhile tradeoff, but it's not the same as saying "the winners are everyone".
Why do you equate technology startups with startups that finance themselves with private data (mis)use?
Instead of taking profit out of private data one has, it's possible to charge for the service. Alternatively, one can use the data to finance the business but also follow the rules and regulations. I don't see the big issue here.
Why do you equate startups with startups that finance themselves with private data?
Every piece of regulation is another headache for a business.
Take for example the combination of GDPR + backups.
If you have enough technical manpower, you can change the backups.
If you have enough legal manpower, you can argue that changing those backups counts as 'unreasonable'.
If you have neither you have a headache.
Don't forget that even usernames and IP addresses are part of the personal data that the GDPR covers. Are you sure those are not present on a hard disk collecting dust somewhere?
I see zero chance for the argument that it be unreasonable to adjust backups. Either they are adjusted, or they violate the law, period.
Software projects like apache2, nginx, or your favourite website framework should adapt to the GDPR to make it easier for those who use them.
How things will turn out is not settled yet. If you are a small company not focused on handling private data, and documentedly continuously work on compliance, then I see little you must fear.
Usually, if your business is handling private data of others, then you must simply know exactly what you record where, and what you don't record. That is an essential part of your business.
> If you are a small company not focused on handling private data
I'll repeat myself a little bit: IP addresses and user names are also private data.
Please provide me with an example of an IT business that doesn't deal with private data. No real names, no user names, no IP addresses.
I haven't looked in to this example, but I suspect even the name of a client on a bill would be subject to the GDPR.
> continuously work on compliance
That's the big part of the headache. Even if you're a one man shop, you have to spend time and effort to get informed and deal with it. Multiplied by all regulations that might affect your business.
Well, don't record IP addresses in the first place? Or if you need IP addresses for protection against technical attacks like DDoS attacks, then delete them as soon as possible.
What is so difficult about deleting a real name and a user name stored by you if the owner of that account asks you to?
> I haven't looked in to this example, but I suspect even the name of a client on a bill would be subject to the GDPR.
Common sense gives that data on documents you are legally required to store like for example invoices are exempted from deletion during the legal storage duration. After that, why not anonymize them or delete completely?
Things become pretty easy if the default becomes not storing any data, and only making exceptions from it after careful consideration if it's really needed, what private data it contains and how it has to be handled based on that.
Data is not just a resource, it is also a liability.
> We'll have to wait a while before we know for sure, but one loser might be technology startups, especially European ones.
Or it may be a great opportunity for them to differentiate by developing non-privacy-invading business models protected from being undercut by "free" (because we sell your data) competitors.
Well that's ... kind of the point, isn't it? If they're not going to be compliant and respect our privacy, or even if they kind of would like to be sort of privacy-respecting in a sense except that their business model precludes them from actually being able to be compliant however since business models are rather subject to change especially with the SV "get venture capital and break stuff" mentality, such that even the "in a sense" part is exceedingly likely to become unjustifiably cost-inefficient as soon as the business gets big enough to believe they can get away with it (like, you know, Facebook, Google, etc), ... then, good riddance, right?
I mean, just because a company believes they can claim to "respect your privacy" without actually being compliant to the EU regulations specifying they should do such, let's call it a cultural difference then.
You don't know that yet. There is not a great track record anywhere for implementing radical reform without significant unintended consequences.
It's totally reasonable to be cautiously optimistic, but when people are only barely not frothing around the mouth at the prospect of landing a punch on Goliath, I'd err on the side of caution, at least until we see how the chips fell.
I'm with this sentiment too. I think there are plenty of laws with good intentions and unforeseen side effects which range from harmful to annoying and inconsequential (Prop 65 warnings, EU cookie law, South Korea Internet Explorer mandate). They all seemed good at the time I'm sure.
Then the problem with technology laws is we have to live with them far beyond their usefulness since the tech evolves so quickly.
only real freedom is financial. Americans don't usually like to preemptively create rules and regulations that could hinder innovation or hurt businesses.
It's pretty good, actually. I prefer being poor in the EU over being poor in the US. Privacy is just one of the many benefits. I've been saying "maybe we have different values" a lot in this thread, but in this case, I suggest you ask poor people in the US what they prefer. Because I get the sense that you're not poor (in a strictly financial sense, that is, because even as a poor EU-citizen I probably get more affordable healthcare :p).
It is good that they are protecting their citizens from exploitation by US companies but it is not uncommon that it is easier to regulate a large company that is not your constituent.
The EU has not done so well on regulating diesel autos for instance but the US is knocking that one out of the park.
Your comparison is not correct. The practices of FB are not universally considered bad, many people are OK with them. The diesel scandal was a deliberate scheme to cheat everybody - you can't find anyone who considers what they did as good. And the Germans finally started arresting people, too - although the USA gave a good example.
> The practices of FB are not universally considered bad, many people are OK with them
Really. Please point me at these people.
People that simply "don't care, yolo" do not count. People that have a stake in this because they have an interest in the tech business and fear that any decisions in this matter might negatively impact their business, also do not count (because a very specific yet vocal slice of the tech sector is hardly representative of what is "universally" considered right or wrong).
If you think that's too restrictive, and those are the only two groups you can point at, that's okay. I don't really believe those two groups (ignorance and business interest) should be considered representative of what is universally considered right or wrong. If you believe otherwise we'll have to agree to have a different view on ethics (which is a bit of a long discussion I'm not up for right now).
Everybody else I hear about this (I said "almost everybody" at first, but I can't think of anyone), DOES think it's bad, but admit that "what can you do, if everyone uses it" (hence the need for EU regulations!!) and because "it's really useful to keep in touch with long-distance friends and family, also to plan events etc", the latter being a reasonable point except there's nothing unique about FB's capability providing this service, and it's really easy enough to do it without violating privacy, if it weren't for FB dominating the social network sphere and forcing the privacy violations on the general public.
> Wait until GDPR is in place in May and German and other EU courts will rule FB to death.
If indeed GDPR will enable those courts to "rule FB to death", and not, as repeatedly promised, be entirely reasonable to comply with, including for Facebook, obviously Facebook will shut down in Europe (and so will a good number of other popular services), and tell their millions of former users why. Here's a quick, free lesson in politics: that will not end well for the GDPR.
If they do this, traditional TV will likely bang our heads over how deceptive these companies are. They will point out the fine prints in the EULA with the most outraged tone possible. They will conflate the issue with US spying on everyone ("NSA" and "Snowden" will be uttered repeatedly).
Because doing so is in the interest of EU corporate powers: let's drive away, or at least hinder, US companies on our soil, so we can develop our own. Even if the initial intent was not to put up a trade barrier, it will be used as such. Not that it would be a bad thing: from what I have heard, the GDPR seems fine, as well as quite defensible.
> the GDPR seems fine, as well as quite defensible.
So, that's the thing. Either, it's fine and defensible, and the Facebooks of the world will just comply, and so won't be a trade barrier, or it's not. It can't be both.
And also, don't wish for a "trade barrier" for this purpose, import substitution has been demonstrated over and over again to be really just awful policy.
I was hypothesising Facebook being unreasonable. And their business model could very well be incompatible with GDPR. They're an ad company that feeds on personal data. I'm not sure they can get the informed consent of most of their users for this.
Simply put, GDPR could be reasonable and sue Facebook to death (at least within its borders).
But that would not be a politically acceptable outcome. There will be so unbelievably many free votes for the "Bring Facebook back" party that they will barely need to campaign.
Also, by the way, this won't bring about the development of "our own" alternatives. Being European doesn't confer any particular skills required to build a GDPR-compatible Facebook, if Facebook itself can't even build it themselves.
> There will be so unbelievably many free votes for the "Bring Facebook back" party that they will barely need to campaign.
Hence my predicting that traditional media would gang up against Facebook. It wouldn't be the first time there's a disconnect between television and the people. (Who's right is a separate issue.)
> And also, don't wish for a "trade barrier" for this purpose, import substitution has been demonstrated over and over again to be really just awful policy.
That's a very different kind of "trade barrier" than is being discussed here.
The barrier being thrown up here is in fact not so much about trade but about privacy values. I see that as a very different thing, if a business wants to draw the line for privacy ethics elsewhere, but that line happens to be subject to regulations which reflect our values, then that is indeed a barrier, but I don't see much wrong with it. Unless you want to argue that US values on privacy are somehow more right than the ones we decide on in the EU.
If FB gives up on the EU market, then they've opened a massive weak spot for themselves. Social networks benefit from more connections between people.
If FB leave the EU, then some EU company can copy the software (we know what kind of features people want), and this company will be able to operate in EU and USA, but FB will not be able to operate in EU, giving this EU company a massive benefit and safe harbor.
Point is that the UK government already has a tax regime. It has no incentive to fine Facebook so much there's a risk of it leaving. The ICO already said that it doesn't intend to use its big new fining powers under GDPR anyway, as there's no need.
The rest of the EU is a bigger question. The EU is desperate for cash. It faces a huge budget shortfall, member states that don't want to pay more and it can't raise a corporation tax itself by treaty. Repeatedly fining tech firms looks like a nice way out for them.
But that said, hopefully the UK will repeal GDPR eventually along with associated EU nonsense like the cookie law.
> Point is that the UK government already has a tax regime. It has no incentive to fine Facebook so much there's a risk of it leaving.
Do Facebook have a presence in the UK? I thought they were headquartered in Dublin? Do Facebook pay tax in the UK? News to me.
> The ICO already said that it doesn't intend to use its big new fining powers under GDPR anyway, as there's no need.
Citation very much needed. The ICO will follow the law. The ICO is using its DPA powers already. The
> The EU is desperate for cash
The EU organisation is handing rebates back to members at the moment... The UK just got one. Or perhaps you mean countries in the EU. Germany has a budget surplus, so I don't know what you could mean? You sound bitter?
> But that said, hopefully the UK will repeal GDPR eventually along
It seems extremely unlikely that the UK won't retain 'regulatory alignment'. This is actually part of the agreement over the NI border? This will also be a prerequisite for a trade deal, and the UK will continue to make CE marked goods or they would not be able to sell them.
> with associated EU nonsense like the cookie law.
The EU is already on this one[0] What other 'nonsense' consumer protection law do you want undone?
> You can see how few people ICO impose fines on already, and that they have never imposed the maximum fine
Why would they have to impose the maximum to be effective?
The maximum sentence for arson in the UK is life imprisonment, something you are unlikely to see imposed. That doesn't mean that everybody is going to start torching their houses for the insurance.
> UK regulators really do take a light touch approach, aiming to get companies to change behaviour.
Maybe the German ones did too, but Facebook chose to ignore them?
Here is a recent DPA case against a non US company btw[0].
> The maximum sentence for arson in the UK is life imprisonment, something you are unlikely to see imposed. That doesn't mean that everybody is going to start torching their houses for the insurance.
And if you did see that, I suspect you'd start seeing that maximum imposed more - there's no reason why the ICO wouldn't do the same if lower fines were ineffective.
Leaving the EU would have very strong network effects and is IMO not an option for Facebook. The entry barrier to social networks is so low now that this could trigger a mass exodus in the rest of the world.
They are doing ok AFAIK, but are almost two orders of magnitude smaller than FB, user wise. I don't think Xing is even doing that well, they have started very aggressive monetization tactics recently, like forcing people to purchase a pro account in order to view incoming friend requests.
I don't know about _strong_ network effects, but part of the appeal of Facebook (for me) is that it's universal - visitors to the country (e.g. exchange students) and people I've met overseas (holidays) are all in one place. Further, it doesn't result in you being introduced to (possibly better) Facebook alternatives in those situations. It may not be a strong effect, but there are definitely small cross-country effects IMO.
Leaving doesn't mean erasing all the profiles. It just means shutting down local corporate presences. It'd suck for the employees but Facebook can run things out of Palo Alto just fine.
I'm not sure what it'd involve for contracts and payments. But many EU firms have US legal presences too. They could easily buy ads on Facebook through their US presence. Multi-nationalism works both ways.
The GDPR does not allow international players to store data on EU citizens without conforming to the rules. So if FB leaves in order to avoid conformance, then they have to delete all EU citizen data.
You are right, this might be the case, someday, but as long as they have their tax-free money parked in the EU, removing all legal entities from the EU will be very expensive.
From the perspective of the US company, then it's not them getting fined so not their problem. And if the EU wants to fine its own companies for buying adverts, they can go right ahead and do that. Doesn't seem very practical for the local economy though.
That assumes that the more people Facebook has in a country the more important that country is. I think the wealth of people in a country / block plays an important role in that consideration. And EU countries are far richer than most other countries.
> IDK how FB will ever be compliant with GDPR and survive that huge upcoming fines in the long term or in the worst case the withdrawal from these markets.
By limiting their use of personal data, according to the law? And by requesting informed consent from users, instead of silently opting them into all their anti-privacy features? And by not hiding this two thirds of the way through a 100 page TOS?
It's not like it's impossible to make a good faith attempt at all those things. Facebook isn't even trying.
When they make a good faith attempt, and get sued out of existence, you may have a point. They haven't, though.
I wonder. In my opinion more rules only means bigger hurdles for newcomers. The big companies might have a setback but will survive one way or another because they have the knowledge and money (lawyers, lobbyists) to adapt.
A good example is the VAT law of Europe. No problem for big companies, but small companies struggle to comply (it's a returning subject on HN). Or the net neutrality law in the US: it will become harder for a startup to disrupt YouTube.
Europe is too concerned wrestling with large US tech companies to understand that more regulations will only exacerbate the very thing they are trying to get away from.
> IDK how FB will ever be compliant with GDPR and survive that huge upcoming fines in the long term or in the worst case the withdrawal from these markets.
The worst case? I think that's the best case, actually.
You do realize there's nothing special about Facebook at all, except for currently being the most popular and biggest social network. The major features I hear people repeat again and again for not leaving Facebook (keeping in touch with family and friends, planning events) also happen to be the most basic, easily reproducible features. It's just getting the userbase that is hard.
So yeah, Facebook withdrawing from EU markets? PLEASE DO! I predict within no time, we'll have a whole bunch of replacement social networks (they already exist even), with better features, better privacy and hopefully interoperability.
It's not hard to switch at all, not even to the general public. They'll just register for whatever their friends are using. The only thing holding them hostage is that "everyone is on it". In fact teenagers already want to be on social networks their parents aren't on.
They might lose their timeline, comments, posts, memories, pictures? Guess who they'll blame.
FB have taken out huge newspaper and billboard ads in Belgium, pretending to care about your privacy. They're trying to divert attention from their real privacy issues, by saying "you can choose who can see your stuff".
If I could be given a bit of latitude to generalize for a second, I've noticed that America has a very "self-focused" culture wherein the individual is often seen as being solely responsible for everything relating to their self.
That makes a lot of sense but I've seen this often taken to extremes such that the perspective is used to absolve various levels of government, corporations, and organizations from responsibility over making decisions about common goods or on the behalf of others (things like healthcare, safety/protection, insurance, privacy, etc.).
So this position from Facebook seems (to me) to be a very American approach to take, i.e. "We give you a plethora of options to secure your information, thus it's on you what information we get. After that, once we have it, then it's ours and not yours anymore."
That simply reflects technical reality. Once you give them information, you no longer can restrict what they can do with it technically. Legally, sure, you can write whatever law you like, but the best way to protect your privacy continues to be technical measures.
The privacy regulators have the authority to enter your business and server locations and look directly at the data you have and what you do with it.
Also, laws do have an impact even if there is no technical means to enforce them. Working without paying taxes is forbidden but has no technical means of ensuring it. Yet, most pay taxes.
What is so difficult about deleting, not collecting and not using data?
The difference is that under German law merely having access to the data doesn't mean you can use that data. This isn't really a novel concept to anyone that's ever heard of an NDA.
When the privacy settings are hidden away in some non-obvious, hard to find place, you can guess Facebook tried really hard to prevent you from actually changing them.
When the privacy settings reset to "allow almost everything" at every update, you can guess Facebook tried really hard to make your changes ineffective.
Privacy settings only exist for plausible deniability. And that plausibility is dwindling every year.
I'd argue there is no way to properly communicate to the average facebook user how their data is being collected and used in a way that is transparent but not confusing.
For example, explain to someone who is illiterate in technology how the act of you "tagging" your friend in a photo is to offload image labeling work to train a deep neural network to infer your friend's face.
If you radically simplify the issue in line with GDPR by saying something like:
"Whenever you tag a friend in a photo you help teach our computers to recognize what your friend's face looks like"
It makes it seem way more terminator/ominous than it is to the average person.
Ok now do the same thing with all of the nlp, voice etc... data points.
I just don't see how facebook is going to deploy a worldwide education effort on big data effectively.
> It makes it seem way more terminator/ominous than it is to the average person.
Personally, I think it's actually pretty ominous. Prompting people to consider what the consequences of their FB actions are can't be bad - I bet a lot of people wouldn't tag their friends if they knew what it was doing and really thought about the implications.
I think you need to step back and ask why that sounds more "terminator/ominous" to people. And from there, maybe re-examine why you're doing it.
Just because someone thinks that it might sound bad is not a reason to not disclose it. If people think that FB image tagging training their systems to recognize people's faces is bad, that's probably a signal that shouldn't be ignored.
It's scary to some people but not others, so is the purpose of GDPR to spur a discussion on the scope of technology and privacy tradeoffs or to actively slow the pace of personal data collection?
I think there has been a lack of reasonable and measured discussion about this issue; it's very polarized, as with most things.
Just in looking at ambiguous and deceptive labeling in the grocery stores (US), I am seeing what seems like a loosening of ethical norms. I can't quantify it, but I am feeling like the ideology that regulations are always bad and the market can be trusted to maintain good quality products is giving people license to try anything that is technically legal to make incrementally more money. Despite the vast number of regulations that exist, I think people are identifying loopholes in both the law and human psychology at an ever increasing rate, and regulations that exist are inadequate.
This doesn't mean, of course, that more regulations can fix things, but I think the world is changing, possibly for the worse, while some people say we should remain calm and do nothing, because nothing unusual is happening.
Edit: I am not suggesting people are becoming less ethical than in the past "just because" - I'm suggesting information technology is letting smart people increasingly subvert norms about transparency, because once you can quantify the effect of your customers' cognitive biases, competition makes it imperative to exploit them. Even if you don't realize what you're doing, you do enough A/B testing and it's automatic, I should think.
The ruling and article only mention Facebook but I don't see how everything in it doesn't apply to every single app/website that does targeted advertising.
It does and it will be an interesting time ahead. I don't think 2018 will see any enforcement, maybe a couple of warnings but nothing major. But I fully expect some large company to be thrown the book at in 2019 and it would be lovely to see FB as the one they will make an example out of.
A thought I was having recently: any communication medium (Messengers, social networks, email services, contact apps, etc) that does not use end-to-end encryption and has access to the data, may be in violation of privacy/data laws or moral obligation that will soon become law.
For example in email, people can, and do, send everything including documents with sensitive information, pii, account/payment numbers, etc. to each other - which are likely not being stored in pci compliant, and/or other responsible ways, by the providers.
Social networks run platforms that facilitate others to provide information about you when you did not agree: whether you're on Facebook or not, you're on Facebook.
Same with contact apps where you fill in all your friends' contact info then simply pass it all to a company without the consent of your contacts: mass legal doxxing.
Any communication medium where the platform has access to the contents of the communication might be susceptible to serious future legal/moral ramifications. There is a non-zero possibility that today's business models might be fully illegal at some point. Perhaps replaced by decentralization/encryption/privacy/crypto/etc.
To FB the fake name is only yet another datapoint connected to your identity. Make no mistake, they know who you are and what you did last summer, and can pretty much predict what you will do next summer as well. Or worse, influence what you will do.
Part of the problem is that FB still compiles and uses data on people even if they're not FB users. FB assuredly has plenty of data on you, and uses that as they see fit, regardless of if you've agreed to their terms or not. I would hardly consider that to be 'zero effects'.
So how exactly do they collect data on people who are not on FB? Through websites with their tracking codes - and that's why the EU introduced so called 'cookie law' that says a website can't track you until you give consent (e.g. by continuing to use the website).
There's of course the way of other people giving them your data such as photos of you - but that's illegal and against FB TOS.
I will repeat my comment as you seem to be repeating the same argument.
It's not "consent" as understood by GDPR and ePrivacy. You had no recourse not to give it, therefore it was not willing and informed. Implied consent ("agree or leave") is not deemed sufficient by GDPR. According to the law you can't condition the service you're providing on collecting unrelated (to that service) data.
GDPR has been there for 2 years [1] and will start to be enforced come May. Facebook has a presence in the EU, since they're selling data about European users to European companies. Therefore they need to comply with European law.
In the part where they ask you to follow the laws. Also not of "non-members" but of "people that didn't give you consent to share the content with a third party".
I'm sure they will delete the illegal content if you ask them to. I've seen it happen several times already, it's a bit lengthy but functioning procedure.
If the appeal doesn't go Facebook's way, what is the resolution to this? It sounds like they'll just have to update their terms of service to say that you agree to allow Facebook to use your data in XYZ ways. Of course, that'll be buried in the fine print and no-one will even notice.
> It sounds like they'll just have to update their terms of service to say that you agree to allow Facebook to use your data in XYZ ways. Of course, that'll be buried in the fine print and no-one will even notice.
If you read the first paragraph of the article, you'll notice that that is in fact the thing that the court is talking about: the degree of consent created by their terms of service process is deemed insufficient for the disclosure that agreement covers.
Your argument seems to imply that people thoroughly read the TOS for every website they use.
Even if you do that, most people don’t, regardless of country. “Disclosing” things by putting them in the middle of a document that people don’t read was deemed insufficient.
It reminds me of a cute exchange from Hitchhikers Guide to the Galaxy:
Mr Prosser: But, Mr Dent, the plans have been available in the local planning office for the last nine months.
Arthur: Oh yes, well as soon as I heard I went straight round to see them, yesterday afternoon. You hadn’t exactly gone out of your way to call attention to them had you? I mean like actually telling anybody or anything.
Mr Prosser: But the plans were on display…
Arthur: On display? I eventually had to go down to the cellar to find them.
Mr Prosser: That’s the display department.
Arthur: With a torch.
Mr Prosser: The lights had probably gone out.
Arthur: So had the stairs.
Mr Prosser: But look, you found the notice, didn’t you?
Arthur: Yes yes I did. It was on display at the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying beware of the leopard.
That's a very uncharitable way of looking at things. A different way of phrasing it would be that the EU recognizes the power disparity between Facebook and any individual user, and that an individual user does not have any ability to negotiate with FB, and thus the contract of adhesion that is the ToS is not made in good faith.
That's not a reasonable defense, though. Not to mention, it's been shown quite a bit that FB is still gathering information on people who are not members of Facebook.
I think if I was creating a new social media website today I'd probably not set up any presence in the EU. The sheer quantity of fines for vaguely specified "crimes" being handed out makes it a deeply unattractive business environment and it seems to be getting worse. I remember when Facebook was new, one of its big competitive advantages was its easy and comprehensive privacy controls. I didn't see other social networks go significantly further in the years since. Now Germany - having failed to clone Facebook domestically (StudiVZ) - sits around extracting money on the grounds that users somehow did not consent to their data being used when they directly uploaded it to the site.
I don't see the Valley's hold on social networking loosening any time soon. For all its faults the USA doesn't constantly fine its firms for not doing "enough", whatever that means.
1. If you store data of EU residents, you are under EU jurisdiction (GDPR) and can be targeted by fines.
2. The EU is a very rich, large market - considered the single largest economy in the world (GDP per capita). Good luck not targeting it with your products.
3. The pendulum around data protection is swinging back, this is normal. Apple saw it and adjusted already. Google is cooperating and staying quiet. Only FB is stupid enough to fight in courts.
Perhaps not so surprisingly, most people that would want to pay money for data on European data, resides in Europe. And if you receive payments from Europe, you are definitely in the jurisdiction.
Depends on the treaties setup with the US, assuming that is where the company is based. It may be possible to take some EU judgements to a US court and have them enforce it.
> If FB were to be shut down tomorrow I would probably not even notice.
Based just on the fact that you are on HN, this is, uhm... highly unlikely.
By the way, I wonder how it would actually look like. I mean, if FB was actually blocked in Germany or something like that, I imagine people (the victims of FB crimes) would very much vocally defend FB, claiming they don't give a fuck about their privacy. Which I cannot decide if it's funny or not.
Addressing your point #1, the EU has no enforcement mechanism for fines or otherwise unless you have physical presence (servers, offices etc...) in an EU member nation or are processing money on EU run systems.
So if a social media platform strictly based outside of the EU "exports PII" from an EU resident there isn't anything the EU can do about it, other than asking google or apple to take their app off the app store or somehow blocking the domain across the EU.
You do realize the EU can stop or confiscate the money that is transferred to you from European customers? Non-European companies already have to pay VAT on stuff they export to the EU, so it is not as if there is no big collection already going on.
Suppose I put up a website hosted on a server I own in a non-EU country. A person from the EU visits the site, I gather their personal information, and I sell that information to a non-EU buyer blatantly in violation of EU privacy law. I have no offices, bank accounts, property, service providers, subsidiaries, suppliers, customers, etc., in the EU.
> You do realize the EU can stop or confiscate the money that is transferred to you from European customers?
I don't have any money being transferred to me from European customers.
Unless the EU has a treaty with the non-EU country me and my site are in that provides for the enforcement of EU fines in this area in my or my buyer's country, how are they going to actually enforce a fine against me?
That raises some interesting questions. Let's say:
• I run website W. W does not obey EU privacy and data rules, but I, my company, my server, etc., are all outside the EU in places without treaties that would allow enforcement of EU rules against me.
• I sell data from EU citizens who visit W. I sell this data to ad network N that is also outside the EU. (I'm selling N all my visitor data, not just data from EU visitors).
• Company C that is in the EU or sells products in the EU or has a presence in the EU buys ads through N. N uses the data they bought from me to show C's ads to visitors from the EU who visit websites using N's ad network.
Questions:
1. Which of the various entities in this (me, N, C) are violating EU data and privacy laws, according to the EU?
2. Which of those entities could the EU actually enforce a fine against?
3. For those entities that are violating EU laws (according to the EU) but are out of the reach of EU fines, can the EU take alternate action such as ordering EU ISPs to block access to their websites?
N is definitely violating EU laws. It handles data of EU citizens without their consent. The EU could stop the cash flow from C to N. It's rather simple: You can't purchase products which are made illegally. As much as I can't legally buy DDOS services, even if the provider is outside my jurisdiction.
I think that's the gist of the GDPR. Make personal data toxic.
1. GDPR is a good example of why to abandon the market imo. It's not even clear how it affects backup strategies, let alone more complicated questions. Most vaguely written law I've seen in a long time. I can't help but suspect it's designed to be violated, as a revenue source. But just don't set up a corporate presence in the EU and they can't do much.
2. I remember people saying that about China. The market was too big to ignore. Somehow Facebook got banned in China completely and did fine. Same for YouTube, Twitter, etc. They're companies any founder could be proud of. You could serve the US market and make money advertising to EU member state citizens without having a corporate presence in the EU, it'd still be a nice business.
3. Hardly, Apple / Ireland are appealing the EU tax ruling, Google has been getting fined repeatedly for things like Google Shopping and maybe Android, FB getting fined is nothing new. And what's "stupid" about fighting in courts ... unless you believe the EU's courts are kangaroo courts that are guaranteed to always take the EU's side? Why shouldn't they appeal? It's hardly like these cases are bulletproof. Most of them can't even explain what precisely was wrong.
I have a hard time seeing how you came to your conclusions about point 3. The rulings seem crystal clear and are explained in normal language. Take the google shopping case:
I'm thinking that perhaps it's a good thing that future companies like FB can't take off in Europe. The need for a product like FB is clear, and if the rules prohibit FB like companies from taking root, then it gives grassroots or open source a chance. We'll see.
I disagree. I followed the shopping case closely. At no point was it obvious what Google did wrong, or why providing shopping results is a problem but not maps or videos, or how you would predict and avoid such problems in a new company and product line.
Nor are any of the other cases clear cut. Apple's case isn't even about Apple, it's more like a power struggle between the Commission and the Irish government.
We saw how Germans reacted to the rise of Facebook years ago. It wasn't through some 'grassroots' social network or open source. It was simply a local clone of Facebook, China style, right down to cloning the UI:
If the EU succeeds in convincing the rest of the world that it sees their firms as cash cows, all that'll happen is that people who live in member states will have to live with crappy local ripoffs - no different to China.
I must admit that I've not followed the case all that closely. But, assuming that the document does not lie, this part looks like a huge problem:
> "Evidence shows that even the most highly ranked rival service appears on average only on page four of Google's search results, and others appear even further down"
I think this is a death sentence for any website that previously depended on unbiased search results. I remember reading sometime in the past that virtually all clicks go to the first two results, third and fourth barely receiving any, and other pages not even visited.
Combined with the fact that Google supplied 90% of all search traffic, it looks clear that they were starving their competitors.
To be honest I'm also skeptical of any open source, (hopefully distributed) social network from ever coming into existence. But I'm equally sure that what FB, and google, are doing with information about me is not the way to go. They are earning money with the information they are endlessly slurping up about me in any way they can. Rarely with my _informed_ consent. And if this is how the EU fights back, I'm all for it.
Off topic/related:
Like the bait and switch they do with YouTube. I've had an account there for ages, long before social networks were a thing. I've got content up there, 2k videos that I've liked and would like to be able to keep visiting. But it has happened a number of times where I was forced to 'accept' the changes to the TOS. YouTube does not allow me to download my liked videos easily. Apparently what they are doing is not illegal, or maybe the courts have not caught up to things like this yet. But it does create an adversarial relationship, therefore I dislike YouTube, and loathe Facebook and Google these days. They are constantly taking steps to my disadvantage.
You're missing the bit where the sites in question are basically zero value link farms, who got downranked for low quality content.
Don't get me started about the maps thing. They're very keen on defining Google search as Web search, and neatly divided search engines. Don't know about you, but if I put an address into Google search I expect a map back, and it's daft to expect Google to guess how to find it on a competitor's site when they have (likely better) data at their disposal. And yes, they got ruled against for this (giving a helpful Google map result if I input an address).
I don't have a strong position on the broader issue, but I feel like this argument ignores some context. It's one thing to sign up for your local car wash's loyalty program and have them do some lightweight customer research on the data. It's quite another to input your demographic info and interests into a social networking site and have it be analyzed by some of the most sophisticated data analytics in history. The potential downside/cost to the user is orders of magnitude larger. I think it's a stretch to say the user is giving informed consent to (for example) have their manual photo tagging be used to train a model so that a computer can identify their friends' faces automatically. The average user has no idea such a thing is even possible.
So your problem with data mining is that they're too good at it? What happens when AI gets commoditized, and your car wash gets those analytics as part of their Azure subscription? Are they suddenly no longer allowed to use the data you gave them previously? This isn't consistent, and the line is nowhere near clear.
Actually that's a reason why we need laws like GDPR: I don't have a Facebook account but random websites I visit still have elements embedded from Facebook. I've never agreed for Facebook to store my data but they can only give their word they won't collect my data (which, AFAIK, they don't give).
I've got no recourse against this - or maybe I have because Facebook is big enough that it's worth it to create targeted block lists. But against the next 20 smaller companies who do the same?
This is why there needs to be something else than just blindly trusting everyone out there. Because someone will not play fair if there's a competitive edge to gain.
They allow users on from the age of 13. It is rather unclear to some children that they are consenting to mass surveillance, rather than just trying to fit in with their friends.
That's not true. That's the purpose of the cookie law. If you continue to use a website that gives you the notice, you've given consent. You can still use blockers also.
Again, this is not deemed sufficient by GDPR. According to the law you can't condition the service you're providing on collecting unrelated (to that service) data.
The GDPR doesn't apply to US companies. While FB has EU offices right now, they're there for convenience only. They can close them next month and stop caring about the EU law.
> they're there for convenience only. They can close them next month
Citation needed? Facebook gets revenue from their ad network, which is used by European business customers and targets European users. Therefore they need to comply with European law.
Then they uploaded a picture they shouldn't have uploaded, and the person who uploaded it should be sued (by you, and possibly by Facebook, because they broke the TOS that says you can only upload stuff that doesn't break the law; a photo of you that you didn't agree to have uploaded is against the law).
No, it's part of the basic privacy protection laws that every EU country has had for decades. It's the same law that says you can't share videos taken with a dashcam if you're recording in public.
Last time I agreed to Facebook's terms of service it explicitly said that the agreement is between me and Facebook Ireland Limited in Dublin. I only ever consented to the data being transferred and processed in the US.
The Facebook Europeans use is very much an EU company.
Very limited, and if the EU keeps fining them, they will leave - and that will mean the exact opposite of what the EU wants, because not having an EU entity doesn't mean they don't continue to have EU users.
The Irish double doesn't have anything to do with VAT.
And the Irish double was replaced with the "Single Malt".
It would be a loss for Ireland and Malta, still not a big loss.
Most of the tax income EU has from FB is VAT and since they now have to distribute the money to the place where the customer is, it means that all EU countries will be affected.
"Facebook is well understood as being a major customer of third-party data-brokers, who compile huge dossiers on people based on their spending, internet and phone usage, employment history and so on. In addition, Facebook encourages users to upload their entire address books to the system to "find your friends," and users generally don't appreciate that they may be leaking sensitive information, including nicknames, private numbers, and connections to the system.
Facebook mines this data to create "shadow profiles" of its billions of users. These are profiles that are filled with data about you that you have never consciously provided to the system -- data mined from third parties, including your friends, but also those spooky data-brokers. Facebook's shadow profile system was first confirmed in 2013 when it accidentally leaked users' shadow profiles to them along with their own data, something the company says it will never do again out of (ironic) respect for the privacy of the people who provided the data that goes into your shadow profile.
Facebook's shadow profiles are involuntary and there's no opt-out. Facebook has shadow profiles on people who don't use the service. For example, even though I'm not a Facebook user, multiple people have uploaded their address books containing my email and phone number to the system, allowing Facebook to create a profile of my contacts by looking at who lists me as a contact."
There's the cookie notice that every website with FB tracking code has to display to you and not track you until you give consent (e.g. by continuing to use the site). If your friends do something you don't like, like uploading photos of you, FB has nothing to do with it - it's your friends who gave them the info and lied that the data they upload is uploaded rightfully.
According to the law, you have to give certain rights to the user, including the right to demand cease of use and deletion of the data. So, you do not own the data and are not free to use it however you wish.
It is of no matter where FB is incorporated. Every country can still bring it to court and judge it. The question is then of enforceability. I'm confident the EU can enforce fines on FB, but that is a different discussion.
Because nobody forces you to use websites that track you or Facebook itself. It's your voluntary choice and in many cases also your payment for the seemingly free service.
Not at all. People either don't care about this enough or they will create an alternative - them caring means a new business opportunity has been created.
One way of thinking of legislation is to encourage/discourage behavior indirectly. Think how putting a ridiculous tax on cigarettes makes people less likely to want to use them. In this sense, the German government (and greater EU) may be completely fine in implementing these laws to discourage the presence of these types of companies operating in their jurisdiction. After all, it is hard to argue that social media as currently implemented (by large, foreign, data-hungry companies) is an inalienable right, and much easier to argue that it is a net drain on society.
30 years ago everyone had the freedom to choose between restaurants that allow smoking and those that don’t — except that no businesses wanted to provide the latter. Without government intervention we’d still be wading through cigarette smoke in bars.
Facebook’s reckless use of private data is a public hazard not unlike passive smoking. It’s not going to be solved by an asymmetric fake free market where customers are free to choose an option that doesn’t exist.
In my recollection, in the US, 30 years ago restaurants had "smoking" and "non-smoking" sections. And non-smokers sometimes complained bitterly about smoke wafting into the "non-smoking" section. Which in fact led to some restaurants being all non-smoking before government intervention. The NY statewide ban on smoking in workplaces was only passed 15 years ago.
I don't know about bars 30 years ago, though. Because drinking has always been considered a "vice", I think people tended to group it with smoking and think if you're going to tolerate one, why not the other.
Pretty sure the parent comment is talking about Germany.
Smoking bans in restaurants and bars have made a significant difference in most states.
If I remember correctly, we had a non-binding agreement between the health ministry and our national restaurant and hotel organisation at first, but this did not change much.
Even most smokers I know agree that the laws were necessary, and that they are thankful for them because otherwise they would not go outside to smoke.
Ok, however the context of this thread is the intersection of a multi-national American business with European courts, so basing one's opinion on the German experience exclusively to claim the obvious necessity of regulation is a bit German-centric.
I think the argument is about whether someone has the freedom not to have their info on the site. It’s well known that FB has shadow profiles with no active accounts. You’re on there whether you like it or not.
Well yes, and laws against killing people make people want to murder (i.e. kill illegally with premeditation). It's incredible that people think "someone will break the law" is a justification for not having the law.
> Now Germany - having failed to clone Facebook domestically (StudiVZ) - sits around extracting money on the grounds that users somehow did not consent to their data being used (...)
That is an inappropriate accusation. In Germany, large data collections have been seen as very problematic since before social networks were a thing. Authoritative action and laws take time to adapt to new problems. The prevalence of social networks like Facebook nowadays sped up the process, but I'm confident it would have come sooner or later anyway.
Also, Europe is certainly a place where one can do business very fine. Handling data about other people they are not aware of or don't consent to is a very specific aspect. Just don't record data about other people and you are fine in this aspect.
"Facebook hides default settings that are not privacy-friendly in its privacy center and does not provide sufficient information about it when users register"
How is putting privacy settings in the privacy center hiding them? What is "sufficient" information when users register? Where in law are these things spelled out?
Germany isn't punishing Facebook for anything actually concrete or real. Rather the German courts and regulators seem to think they should design Facebook's UI instead of Facebook. This is not how free markets work and if you were creating a new company, why let some random German regional court waste your time on disputes over the position of widgets in your user interface?
There are regulations for agreements. In Germany for example, when you rent a flat, the customers have inalienable rights that they can't legally-bindingly forfeit even in written contract form.
There is no such thing as a fully free market, and that is a good thing.
The complaint is not that they want to control every detail. Certain parts of the agreements might simply not be valid just by clicking a check box, or the parts are not displayed in a form that is considered appropriate. Imagine a document with 15000 words that is non-negotiable by you. Will your mother read that so she can give meaningful consent? I don't think so, so the consent isn't valid. This line of reasoning is about common sense, and not about formalities, and I'm glad it is relevant in law.
Homework: find the bit when signing up for a FB account that explains how they use tracking from buttons loaded on non-FB pages you visit while logged in.
> today I'd probably not set up any presence in the EU
Facebook is a national security risk and should not be allowed to reign free as it likes. I see no problem if we tame a vulnerability - the way it handles our personal data, how it uses it to push ads and politics, how it influences elections by tweaking the feeds. Not to mention that it doesn't like to pay taxes in the EU.
Maybe the way we architect social networks online is fundamentally flawed? Maybe these products should not even exist. I'm not claiming I have a better solution though.
1) According to this[0] it is the world's second largest economy
2) It is a very politically stable block, with low crime and corruption, war etc.
3) 51% of the population speak English as a first or second language[1]
4) High levels of literacy
5) Free market
Sounds like a really excellent place to sell advertising, as long as you don't mind not exploiting consumers. Why would you avoid it? In favour of where?
> social media website today I'd probably not set up any presence in the EU
Social media is a psychological weapon that can disrupt a society to the point at which it can no longer function. Look at Libya or Syria. Look at how fractured the US is. If you want to point it at someone else, that would be nice.
From the other side of the coin, I think if your business model is based on the exploitation of peoples data, the EU doesn't want your 'SV disruption'.
An interesting article, certainly, but it buries a rather explosive accusation:
> Zuckerberg had reason to take the meeting (with Rupert Murdoch) especially seriously, according to a former Facebook executive, because he had firsthand knowledge of Murdoch's skill in the dark arts. Back in 2007, Facebook had come under criticism from 49 state attorneys general for failing to protect young Facebook users from sexual predators and inappropriate content. Concerned parents had written to Connecticut attorney general Richard Blumenthal, who opened an investigation, and to The New York Times, which published a story. But according to a former Facebook executive in a position to know, the company believed that many of the Facebook accounts and the predatory behavior the letters referenced were fakes, traceable to News Corp lawyers or others working for Murdoch, who owned Facebook's biggest competitor, MySpace. "We traced the creation of the Facebook accounts to IP addresses at the Apple store a block away from the MySpace offices in Santa Monica," the executive says. "Facebook then traced interactions with those accounts to News Corp lawyers. When it comes to Facebook, Murdoch has been playing every angle he can for a long time." (Both News Corp and its spinoff 21st Century Fox declined to comment.)
Does anyone have any good pointers for further reading on this? If I were Mark Zuckerberg and some fossilized ink-stained wretch like Murdoch tried to weaponize a state attorney general against my company, there would be very serious consequences.
I find it surprising that people have gotten so used to Facebook's abuse of data that they cannot even imagine things being different. You uploading data to Facebook to share with your friends does not mean that you give consent to have it stored, analyzed, and sold for profit.
If I upload data to Dropbox, my bank, or my health insurance, I don't expect them to be sold to advertisers either. So what if there was a social network that actually respected its users and didn't exploit their data for its own ulterior motives? Seems to be an inconceivable notion to some.
It does seem inconceivable to me. How would it make money? Subscriptions? People can't even be bothered to pay for YouTube despite complaining endlessly about ads.
If a business can't make a profit in a socially conscious way, does the society benefit from its existences? If the only way you can make a social network is by selling members' lives to the highest bidder, maybe it's a product we should give a miss.
It's a happy fact for me that the EU protects us where we fail. I am more aligned with their privacy rules and anti-trust policies than America's - grateful for it.
The US has software patents. The EU has GDPR. China has rampant IP theft. Russia has corruption. Every large market has peculiarities, it's the cost of doing business.
"The European Patent Convention states that software is not patentable. But laws are always interpreted by courts, and in this case interpretations of the law differ. So the European Patents Office (EPO) grants software patents by declaring them as 'computer implemented inventions'".
I think it's interesting that more antitrust lawsuits seem to be brought and won against big SV companies recently in Europe. Is it just recently because bureaucracy takes its time, or is it because nowadays there is more political will to act against American companies since EU-American relations worsened since Trump came into office?
Yeah, I don't think Trump had anything to do with Microsoft's IE and WMP judgements, or the Google right to be forgotten thing in France. The EU has always taken a strong stance against corporate overreach.
I think it's more that there just is more interest in the EU in acting on behalf of their citizens, than there is in the US. Much of the US prides itself on being "Business Friendly", and the counterpart to that is not being as responsive to citizens or employees.
Another way to look at it is that some US tech companies think they can treat laws as an inconvenience to brush aside. In the USA corporate capture of regulators and political lobbying have reached the levels whereby they are unable to tackle these behemoths, however the EU is still operating as an efficient law enforcer? And maybe the EU does lack an illegal data collecting advertiser disguised as address book, but that is not the only kind of technical innovation possible.
Part A: Privacy settings
- Facebook tried to claim that it is only subject to Irish law. Court disagrees since Facebook operates in Germany, so local law applies. [side note: this kind of confusion is exactly why the GDPR is needed]
- Law states that the imprint must be "easily" accessible. Court found this not to be the case (it took three clicks and was hidden behind a link called "explanation of your rights and duties").
- Law states that explicit, informed consent is necessary for the kind of data processing Facebook does. Facebook pointed users to the privacy settings page where all settings were enabled by default. Court found that this constitutes neither explicit nor informed consent - the settings would have to be opt-in, or the user needs to be explicitly informed about the full extent of how his data is used ("without any doubt").
Court explicitly states that presenting an opt-out after registration and login is not sufficient, especially if it is presented as an optional "privacy tour" that most users are going to ignore.
- Plaintiff stated that Facebook incorrectly claimed it was "free forever", when users were in fact incurring hidden costs by volunteering their personal data ["paying with their data"]. Court strongly disagrees - no money is changing hands, after all. They do recognize that there's a counterpart, but it's immaterial and as such does not constitute a "hidden cost". Court basically states that the meaning of "free" is not up to debate.
Part B: Terms of Use
- Terms of use state that the user "acknowledges" to have "read" the privacy policy during registration. This is invalid in two different ways - a mere "acknowledgment" is insufficient, since it puts the burden of proof on the user, and since parts of the privacy policy are invalid, the user can't legally agree to it in its entirety anyway.
Court explains that "read and understood" clauses like this one are invalid. Clearly, the user didn't actually read and understand the whole thing - but the language in the terms forces him to admit he did, which would disadvantage him by implying informed consent about everything in it when he didn't explicitly consent to anything.
- There's a clause in the ToU stating that the user "agrees to use his real name". This does not constitute informed consent since the user isn't properly informed - Facebook does not state why his real name is required and how it will be used.
The court states that it is questionable whether a real name policy is at all legal, underlining the need for proper consent due to the significant consequences of volunteering one's real name.
- Same for "agreeing that personal data is transferred to the US" - no explanation why data is transferred, what it will be used for or even what data is transferred. In addition to that, there's no indication which data protection standards are applied.
- Similar case for "agreeing that the profile picture is used [...] commercially": no informed consent since the user is not informed about the consequences.
... and a few more clauses where the court finds that no informed consent is given by the user due to very broad clauses with little explanation.
- It's OK to have the user agree that he's 13 years or older. Facebook cannot possibly check whether it's true, and the age doesn't matter anyway since the contract would be valid even if it weren't the case.
- Plaintiff complained about a few informational clauses in the privacy policy. Court rejected this since they weren't part of the terms of use due to their purely informational character (user isn't agreeing to anything).
This was a very interesting read. It is very clear that the courts take the requirement of "informed consent" very seriously, as they should. It is not enough to present the user with a 100+ page privacy policy and have him agree to it; they actually need to present it such that the user realizes what they're agreeing to.
[0]: https://www.vzbv.de/sites/default/files/downloads/2018/02/12... (interesting part is page 22 onwards)