It's disappointing, although not surprising, to know where HN's allegiances lie in this particular fight.
Facebook should be destroyed.
Think they're about to have a harsh encounter with the spirit of the law & European thinking about privacy & consent though.
IANAL, but my impression of the US legal system vs various (continental) European legal systems is the former is completely engrossed with the letter of the law while the latter is much more focused on the spirit of the law.
If FB gets shafted in the process of discovering this fact of life, all the better.
The only reason that doesn't happen is either fear of FB or corruption.
Probably. They're the only big guys making a credible effort though. Russia/China won't be doing anything. US & associated lobbying basically IS big tech now.
...leaving just the EU.
I can’t make you sell your soul for subscribing to a service.
Just a title/deed system for souls would suffice. Since there's not a legal framework around the ownership of souls, I'm sure we could encourage its creation by starting a marketplace. Ultimately, however, I suspect 'soul' will finally be defined as "existing, being, with current human perceptions of free will" or somesuch and we will no longer have the ability to sell our souls for the licensing benefits of a product or service.
It's great that this is happening in front of an Austrian court, because the Austrian Data Protection Agency already has ruled on consent issues, and in those rulings was (IMO) extremely strict on when consent was given freely. In one ToS challenge, the mere potential for confusion was enough to render it invalid.
Edit: Here's one such ruling [2]. Co-mingling checkboxes for processing of data for marketing purposes with actual contractual clauses was ruled as a violation of the GDPR, even though by default, the checkboxes were unchecked. The Agency ruled that the confusing nature of the form could lead subjects to believe that they had to check a checkbox to receive the service.
Also, another relevant local case would be with a popular national newspaper, DerStandard.at. That newspaper offers access in two ways: either (a) you pay for a subscription and receive the service ad-free, or (b) you access the service for free, but consent to receiving ads. This was deemed in compliance with the GDPR, but it was stated that only offering (b) -- i.e., exactly what Facebook does -- would not hold up.
[1] https://gdpr-info.eu/art-7-gdpr/
[2] https://www.ris.bka.gv.at/Dokumente/Dsk/DSBT_20180731_DSB_D2...
A contract also needs consent. This contract is clearly entered only because Facebook is making it a condition of using the service, and this type of coupling is prohibited.
> Europe’s strict privacy laws
Actually it's the EU's privacy regulation.
> Facebook openly admitted that it has been collecting and processing data without users’ consent
They said that they've been collecting WITH consent, at least with their definition of consent.
> To prove that no one ordered advertising from Facebook, we conducted a neutral study by the Austrian Gallup Institute. The result is devastating for Facebook: Only 4% of users want advertising,
... And I bet only 4% want to pay taxes too. Polls are not legal documents. Also, "wanted advertising" is very different from "accepted advertising as part of the terms".
> Facebook does not give users a full copy of all their data
I believe Facebook does give all their personal data, but maybe they are looking for derived data that Facebook has stored for them? That's not personal data and it can be particularly tricky if it has been combined with other people's data, for example to train a neural net.
In any case, I don't think Facebook cares too much anymore and will just pay another yearly fine for operating in the EU. Even if FB asks for consent in every second page, people will click yes.
You argue they are regulations? European Regulations are law. European Directives and Regulation are the two main legislative
They argue users are using Facebook because they want advertising, their primary usage is advertising and for that advertisement they consent to share their data. That's so ridiculous it is funny.
And no, FB does not give all the data, the definition of what data is in the regulation.
Both FB and their Privacy Director are not looking good.
> European Regulations are law.
Regulations have to be implemented and integrated into each country's laws. Countries may not have yet implemented GDPR.
> their primary usage is advertising
I don't see where FB claimed that advertising is primary usage and others are secondary. I can infer from the text that they parceled as part of the "service promise".
> FB does not give all the data, the definition of what data
Facebook says they are GDPR compliant and I doubt they'd say that without the consultation of at least one EU data authority (perhaps the Irish?). https://www.facebook.com/business/gdpr
The GDPR (which is not the only EU privacy law) is fairly described as a “law”, “regulation” is just the formal EU law term for a directly-applicable primary legislative act, which is a kind of law. If you're complaining about the “EU” part, well, the GDPR applies in some non-EU countries too (e.g. in the EEA).
> They said that they've been collecting WITH consent, at least with their definition of consent
Some data is collected with ostensible consent, some without, and there's still processing to deal with.
> And I bet only 4% want to pay taxes too. Polls are not legal documents. Also, "wanted advertising" is very different from "accepted advertising as part of the terms"
Sure, but the GDPR also means you can't forcibly bundle consents together. You need to separately consent to invasive use of data for advertising versus provision of the basic service.
> I believe facebook does give all their personal data
Did this recently change? I seem to recall that Facebook are known for not providing e.g. the data they've got from you browsing other sites with FB cookies unless you went via some difficult legal route.
details, but they are not claiming that data collection is without consent. they claim that they need a separate consent to use that data to show personalized ads
> you can't forcibly bundle consents together
Yeah that is true. Still, making an online poll about what people want in general is a ridiculous way to nullify an agreed contract.
> you browsing other sites with FB cookies
That would depend on whether these are personally identifying or personal data in general.
In practice for Facebook the attraction for their ads platform is precisely that you can target fine grained demographics. So I'm not sure if Facebook can do anything here without a drop in revenue.
Probably not, but that's kind of the point: Some things may make you money, but we do not allow you to do them. Find another way to make money.
GDPR is not different from other laws forbidding lucrative, but scummy, things.
Time to push the amounts up. 2% of worldwide annual revenue per infraction (e.g. per user) should start to add up after a while.
Recital 32 EU GDPR (32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.
This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data.
Silence, pre-ticked boxes or inactivity should not therefore constitute consent.
Consent should cover all processing activities carried out for the same purpose or purposes.
When the processing has multiple purposes, consent should be given for all of them.
If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
But that's the problem of closed source rating algorithms https://news.ycombinator.com/item?id=21544537
(not suggesting that HN would use contractors and blacklists, but generally the discussion about the black magic happening)
As a sys-admin, GDPR invented all sorts of jobs. Jobs well intended. But these jobs are filled by people that are neither lawyers nor IT people. Whenever I interact with them I feel like they just want to check some boxes that make the org compliant and go home. They don't enforce or apply GDPR, they enforce those checkboxes.
* all of the above in my limited experience.
The idea that consent should be freely given is ludicrous if it can be overridden by simply including it in a term in the terms and conditions. Facebook could probably write that they can kill or castrate the user at any time and most of their users wouldn't notice it (until the media picked it up).
It’s a key part of the offering! You get free access and get to see ads in exchange. Others have tried other business models and failed...that’s how the world works, the better offering wins!
If the problem people have is ads then just make all ads illegal and we can move on. But trying to use GDPR as a lever is silly...it’s not what it’s intended to do, as much as some people would like it to.
And before you answer that ads without tracking don't pay the bills, that's honestly Facebook's problem.
There's a big difference between massive companies seeking to keep their brand in your mind and small businesses trying to let you know they even exist.
But how do you ban one without banning both? It's a complicated issue.
FB is free because they can pay for it with personalized ads. I doubt generic ads would fund the site as it stands today.
It's not hard to understand. Everybody knows this is the case. But that excuses nothing.
Also, it's only the case because that's the business model Facebook chose. They could choose a different one.
> You get free access and get to see ads in exchange.
I love how you say that as if it's the ads that are the major issue (it's not, it's the tracking), and as if seeing ads is some sort of benefit.
> If the problem people have is ads
Again, the problem isn't the ads, it's the spying.
If ads that work without spying on users don’t pay enough to pay their data center bills then they should shut them down. I’m more than happy to vote for politicians that ensure this. I’m not comfortable saying “I’ll just not use services from companies X and Y because they use shady ads”.
Uh, no, they haven't. YOU are responsible for visiting websites and using their services under terms and conditions you agreed to. YOU are responsible for and capable of not using sites you do not agree with. You are getting a service in exchange for being tracked and shown ads. If you don't like it, delete your account, or fix your damn /etc/hosts file to block the (admittedly overwhelming) number of domains FB uses for these purposes.
I'm no fan of FB. I deleted my account, blocked thousands of domains in my /etc/hosts file, use multiple ad-blockers, etc. etc. Fuckerberg going to prison would make me giddy. But, you don't get to have your mystical cake and eat it, too. You don't dictate how they run, or what data they collect, or how they use it. Get real, dude. Take responsibility for your actions. You agreed to what they do when you read (skipped) the terms of service/privacy policy when you signed up.
I think most people understand that ads pay for Facebook. But so what? I don't see how it changes anything.
GDPR should be used for exactly this purpose - it is a protection against companies collecting and using personal data in this way. Facebook has the choice to show ads, just not personalised ones. What is specifically being argued about is that Facebook tried to claim ads were a contractual service (thus exempting them from rules on personal data) - but transparently they aren't.
And if Facebook can't survive in a future where it is forced to respect personal privacy, then may its death be ever sooner.
And yet Facebook is not alone doing this. While almost all the medium and small sized sites ask for consent nowadays the big players just seem to be immune. My go-to example is spiegel.de which is one of Germany's largest newspapers. Full of trackers, full of personalized ads and I have never seen them asking for my consent.
While advertising is not illegal under the GDPR, collecting an individual's data for marketing or advertising purposes without a "basis" (as defined in the GDPR) is.
The plaintiff is arguing about data privacy, whereas Facebook's lawyer is playing the advertising card as a counter. The plaintiff is unhappy about the way Facebook uses personal data, while Facebook is arguing they have a legal basis for processing data for personalised advertising purposes in order to fulfil a contract which it entered into with the users (which is a basis in the GDPR).
For example, the "contacts" permission should be disabled on OS's in the EU as it's impossible to prove the user has consented to sharing that information, yet Google launches an API in Chrome to access the user's contacts which totally won't be abused.
Alternatively you can gobble up data and "accidentally leak" it through an open MongoDB or AWS instance, will anyone go to jail? Unlikely, nobody really cares.
I doubt Facebook is going to change its ways any time soon, they're simply too big to fail at this point.
I am keeping my popcorn ready.