> If you just say, "Oh I have consent" then the user can withdraw consent. If you actually needed that information (like the user's name!) then you are absolutely screwed.
Well, only screwed if they want to keep their account? I can assume that resulting in Facebook closing down your account.
All in all, I doubt millions of people will request data under the GDPR. But I guess the fines are significant enough to worry about it.
The really, really, really awesome thing about GDPR is that you can't deny service because someone wants to opt out of sharing their data. You actually have to keep their account active and make it work somehow. If you can't, then you are liable for a really huge penalty. I can't add enough smileys to that, so you will just have to imagine them.
> The really, really, really awesome thing about GDPR is that you can't deny service because someone wants to opt out of sharing their data.
That's actually pretty horrible. How about freedom of association and freedom to contract? These two are basic human rights. If one thinks their privacy rights are not respected they are free not to associate or contract and same thing for the entity on the other side of the contract, why should one party be forced to contract anyway? This is authoritarian. The basis of a free society is the freedom to contract and associate between individuals. If the GDPR makes that impossible then it's highly liberticidal.
It's a bit different - you can deny service to people; however, if offering or denying service is conditional on consent, then this means that this consent isn't freely given and thus "doesn't count", doesn't give you any rights to handle that data.
It's done in the same manner as with other consumer contracts - there's a broad range of contractual terms that (in EU) automatically are unenforceable if they're put into a "take it or leave it" consumer contract; GDPR clarifies that permission to use private data is one of such terms; this permission cannot be transferred by some term in a nonnegotiable contract.
I.e. if customer A clicks "agree", customer B clicks "disagree", and you deny service to customer B because of that - then this means that the "agreement" of customer A (and everyone else) is worthless to you, it means that these clicks don't indicate freely given consent and thus do not give you permission to use their data, as customer A can reasonably claim that they did not really want you to use that data in this manner and they clicked "agree" only because you'd refuse them service otherwise.
The legal wording is such that you can't (and shouldn't be able to) gain GDPR-consent unless the users actually want you to do the thing you do with their data; GDPR requires that they know what exactly you'll do, and they without any coercion give an explicit opt-in indication that they want you to do it, and they can freely revoke that permission.
> How about freedom of association and freedom to contract
How free are you when one of the parties is naive (in the context of the contract) and has little power, and the other party has the interest, the means and the power to force an unfair contract?
Freedom of association implies the freedom to NOT associate. Yet non-Facebook users are tracked by Facebook, without their consent.
Laws like GDPR are needed to help protect individuals from powerful interests.
It's not as bad as you imagine. Essentially, you can use data if you have consent, if you need it for a contract, if you need it for some "legitimate interest" (complicated), if you need it for regulatory reasons, etc. So there are plenty of avenues for using the data. The key is that you have to say up front under what "lawful basis" you are using the data. Each "lawful basis" has specific things the user is allowed to do and things the user is not allowed to do.
If you choose the consent lawful basis, then the user is allowed to withdraw consent. In fact, they are allowed not to give consent in the first place. If you choose the contract lawful basis, then the user can't withdraw without cancelling the contract. However, they can object if they believe that there is no reason you need the information to complete the contract. If you choose "legitimate interest", then the user can object and you have to show that the interest is indeed legitimate and that there is no other way to do what you are doing without the private information. One of the things explicitly prohibited is profiling. So it's quite complicated.
The key is that once you have informed the user of how you are going to use their data, you can't change your mind (within the same business context). This means that you have to be very, very careful. If you decide to use consent (in my example), but you should have used contract, then you are in big trouble. If you say that it's part of the contract but it's not strictly necessary to provide service, then you are in big trouble. Etc, etc.
One thing that I think will be very interesting is under what lawful basis FB publishes your real name. If it's consent, then you can withdraw it. If it's contract... do they really need your real name to give you service? Legitimate interest... Yes, potentially, but I don't see how they will get away with sharing your name with the whole world.
I'm very much looking forward to seeing how it pans out.
> If one thinks their privacy rights are not respected they are free not to associate or contract
We tried that. It didn't work.
> The basis of a free society is the freedom to contract
You cannot write any contract as you want. They are limited, and for very good reasons. One example is indentured servitude. It's basically a contract you voluntarily sign that binds you to work for a party for a duration of time. Does it sound reasonable at a first glance? It's considered slavery today and is almost globally banned.
> > If one thinks their privacy rights are not respected they are free not to associate or contract
> We tried that. It didn't work.
It did and still does work. People freely give away their information, giving up their rights to privacy, in exchange for services they want. I really don't see what the big deal is, and GDPR is a massive overregulation.
Freedom to contract isn't a basic human right, it also wouldn't affect companies acquiring my PII from third parties - as Facebook and the like did when harvesting address books.
In most (?) countries we deny the right to contract on many things, contracts that avoid taxation, contracts that involve selling human organs, contracts that make slaves.
It avoids power imbalances from causing desperate people to do things that dehumanise, disenfranchise, and devalue them.
Article 12 of the Charter of Fundamental Rights of the EU has a freedom of association:
> 1. Everyone has the right to freedom of peaceful assembly and to freedom of association at all levels, in particular in political, trade union and civic matters, which implies the right of everyone to form and to join trade unions for the protection of his or her interests.
But I don't think the person I'm replying to above was thinking of labour unions. ;)
> You actually have to keep their account active and make it work somehow. If you can't...
If you don't, not if you can't. If you can demonstrate a reason that that piece of information is absolutely necessary for your service then you can deny service if the person doesn't want to provide the data. Otherwise you could submit a complaint about any delivery service for refusing delivery if you refuse to give them your address.
If you don't provide a reason why that data is necessary and still require the person to give it to you, then yes, you're in for some pain.
This is great in theory, but will it work in practice? That remains to be seen. I can't help but compare it to Javascript: technically, you can disable it in a browser, but most websites will promptly stop working properly.
Not that I'm against the GDPR. It seems to be a great law for consumers.
Is that not only the case for consent as legal basis though? If you're signing up to a service, then surely they can use fulfilment of a contract (with some very expensive lawyers drafting some nice ToS language), or legitimate interests (i.e. argue that a social network relies on real names etc to function)?
I see this turning into an in-app clicking contest though soon, a card comes up in the app with a little description, a cutesy graphic, and a "Consent" "No Consent" box to click before you can get to the newsfeed.
Yes there are two separate bases for processing of data, but the point is that consent cannot be bundled and made a precondition to another form of processing i.e. to provide a service.
Put another way, Facebook should not make the provision of a service (which technically should not require usage of data for other purposes i.e. marketing/advertising, ignoring any business model points) conditional upon providing consent for that other form of processing.
Bundling of consent means the consent is not freely given here because the user wants the service and so is less likely to refuse than if the consent decision was isolated from the provision of service.