That's actually pretty horrible. How about freedom of association and freedom to contract? These two are basic human rights. If one thinks their privacy rights are not respected they are free not to associate or contract and same thing for the entity on the other side of the contract, why should one party be forced to contract anyway? This is authoritarian. The basis of a free society is the freedom to contract and associate between individuals. If the GDPR makes that impossible, then it's highly liberticidal.
It's done in the same manner as with other consumer contracts - there's a broad range of contractual terms that (in EU) automatically are unenforceable if they're put into a "take it or leave it" consumer contract; GDPR clarifies that permission to use private data is one of such terms; this permission cannot be transferred by some term in a nonnegotiable contract.
I.e. if customer A clicks "agree", customer B clicks "disagree", and you deny service to customer B because of that - then this means that the "agreement" of customer A (and everyone else) is worthless to you, it means that these clicks don't indicate freely given consent and thus do not give you permission to use their data, as customer A can reasonably claim that they did not really want you to use that data in this manner and they clicked "agree" only because you'd refuse them service otherwise.
The legal wording is such that you can't (and shouldn't be able to) gain GDPR-consent unless the users actually want you to do the thing you do with their data; GDPR requires that they know what exactly you'll do, and they without any coercion give an explicit opt-in indication that they want you to do it, and they can freely revoke that permission.
How free are you when one of the parties is naive (in the context of the contract) and has little power, and the other party has the interest, the means and the power to force an unfair contract?
Freedom of association implies the freedom to NOT associate. Yet non-Facebook users are tracked by Facebook, without their consent.
Laws like GDPR are needed to help protect individuals from powerful interests.
If you choose the consent lawful basis, then the user is allowed to withdraw consent. In fact, they are allowed not to give consent in the first place. If you choose the contract lawful basis, then the user can't withdraw without cancelling the contract. However, they can object if they believe that there is no reason you need the information to complete the contract. If you choose "legitimate interest", then the user can object and you have to show that the interest is indeed legitimate and that there is no other way to do what you are doing without the private information. One of the things explicitly prohibited is profiling. So it's quite complicated.
The key is that once you have informed the user of how you are going to use their data, you can't change your mind (within the same business context). This means that you have to be very, very careful. If you decide to use consent (in my example), but you should have used contract, then you are in big trouble. If you say that it's part of the contract but it's not strictly necessary to provide service, then you are in big trouble. Etc, etc.
One thing that I think will be very interesting is under what lawful basis FB publishes your real name. If it's consent, then you can withdraw it. If it's contract... do they really need your real name to give you service? Legitimate interest... Yes, potentially, but I don't see how they will get away with sharing your name with the whole world.
I'm very much looking forward to seeing how it pans out.
We tried that. It didn't work.
> The basis of a free society is the freedom to contract
You cannot write any contract as you want. They are limited, and for very good reasons. One example is indentured servitude. It's basically a contract you voluntarily sign that binds you to work for a party for a duration of time. Does it sound reasonable at a first glance? It's considered slavery today and is almost globally banned.
> We tried that. It didn't work.
It did and still does work. People freely give away their information, giving up their rights to privacy, in exchange for services they want. I really don't see what the big deal is, and GDPR is a massive overregulation.
In most (?) countries we deny the right to contract on many things, contracts that avoid taxation, contracts that involve selling human organs, contracts that make slaves.
It avoids power imbalances from causing desperate people to do things that dehumanise, disenfranchise, and devalue them.
I think you'll find this libertarian "right to enter into any contract for anything" doesn't exist in EU law.
The Charter of Fundamental Rights doesn't list it. It does list the right to protection of personal data.
If you don't, not if you can't. If you can demonstrate a reason that that piece of information is absolutely necessary for your service then you can deny service if the person doesn't want to provide the data. Otherwise you could submit a complaint about any delivery service for refusing delivery if you refuse to give them your address.
If you don't provide a reason why that data is necessary and still require the person to give it to you, then yes, you're in for some pain.
Not that I'm against the GDPR. It seems to be a great law for consumers.
I see this turning into an in-app clicking contest though soon, a card comes up in the app with a little description, a cutesy graphic, and a "Consent" "No Consent" box to click before you can get to the newsfeed.
Put another way, Facebook should not make the provision of a service (which technically should not require usage of data for other purposes i.e. marketing/advertising, ignoring any business model points) conditional upon providing consent for that other form of processing.
Bundling of consent means the consent is not freely given here because the user wants the service and so is less likely to refuse than if the consent decision was isolated from the provision of service.