Text archives Help


Re: [projectvrm] GUARDIAN: Facebook moves 15 billion users out of reach of GDPR


Chronological Thread 
  • From: Rob van Eijk < >
  • To: elliot noss < >, Tim Walters < >
  • Cc: Doc Searls < >, Joyce Searls < >, ProjectVRM list < >
  • Subject: Re: [projectvrm] GUARDIAN: Facebook moves 15 billion users out of reach of GDPR
  • Date: Thu, 19 Apr 2018 16:21:03 +0000
  • Autocrypt: addr= ; keydata= xsFNBFnRBJ0BEADF+Mds/wAhOEx7YYVrM7rNFHbkwG/3mWMx1WZIeYAGEoMlYE8Chl3zOk6w khVCW+83o+4CRiP+/yAsiHaG9t5ogfMwGBERz9yCYTgnQZWWUGLTmgu7rWy+kspuwRu+T8Id hi+QVVqZGNqKsgpxg921EhfpLxI4QBE4ZxWAIGc+LrD0ib1AAdLEkw5KxpbQeUPn5Fx97re0 expHl4pzAk7LjujjLkuSu+evrKxYtJpHRvLEfLZsYKtSLcfpi/WIsBOznXA4HTGJhMp9OvJ2 2K1p/I3F6+ixqiNnp0viT7sJU1M9iBpsXf0N4Ru+vsryZufPEZL9icf++3LU5mbitN2tvCQp iMqN0uLCmoGj+w6/IhEfWhQ9Fa/NdxlUuu+D3VR8YMuH39hTEw1mHqRZUfAKjGxUST0sQLpS DxN6wLpwtIkql6FTH3AVQjPfTO+0iuNw/WRtuXLADmjq1MYz0jNozW4Wj3Fiq+wsu5Qu0tJn qDP+cf9zvcmh/yolUVH3nCi7EJ2bQ46x+cMGN6Uyccl9gAFLKaTPZCUyKSN/rpjBRbdjcRlr j7QZMqYix+4YmIEH9J5cxEmOMJlVl3TQTMS+aFlfcFN68rCH2Jr7fZVJ5EZRSmAyx+Vi+40T mH5f6Vl9qFRcqClM51fQYQUyDfGAInxqLs6pqpEbx35OC7p3AwARAQABzSpSb2IgdmFuIEVp amsgKGRlZmF1bHQga2V5KSA8cm9iQGJsYWV1LmNvbT7CwZQEEwEIAD4WIQRwT0lV9+METkCE GeIoRM3cplXbPAUCWr5KRgIbIwUJAeEzgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAo RM3cplXbPFLgEACVWJIMnBWkZFx+JTXCpZGTmgtcE4PJWzEM/V8r7bQ5WyCdI5Xyu7MH4Awh 5GmI2R0IIFjBbQFnVTuJagTMHEUdmcU+MFVr2i4n4OS9Fm+Kqs9EK61B+Zo1sV0+bgqfxmPy COEU4BR16J5ouSl5TwqHyIS7QCnRxBccyMp67Hrphhetni+X735Ke79LoCJBcThuzJMTYGW2 bWC1GLP5IyDAbzyfz59Wf/1nkMJcZIYlB44MfuW5WcVJ5XFfjrxDjWLBLlPkvFYmds83IMIk xaVJjpuneNEG7Cij5MH3yj6yXxyvLljRwK8VE1dXe0iVlBot66tS6ApZMMfEo7Lg5kbxnSxj YdVVrKfKtSycom3A/HALIDcK2qeSgpEcm1M7HmXUQm1MuVnvZJmgj1ieeW81dD7fMM4DSGUp bNbLu3uj17JKjE9R7WePBEhYOeWsex1V2CiBUcMsCrvE4E2hrmDZ3aVipP2Y8DLtdpBA3del GqQEeh9ojY9yWsM64YtJ3yNNl9WrcTi1iXyDMEu5LGABT4zl18mawAd5faAUjxF1F5FG7U31 MeXzTRdqGZu9CYSzO41NNGXfSCma6iD5cesRWwMGCD1PKtnIZy+fmdnTPlPfgJnTXvl6rjeG IY0Ln0uH0l7GCF6AGrKhMllLIAt7zlG7Z0uDR3YH6lSXbsk/7s7BTQRZ0QSdARAAtk2701Ld Tokd3Nqf27c2HZqw4/X8AfxbVzK+6uYlqhBSJawPSjy3Kc+fUOfv2g6lQvp6Yy0ycIkuOw4W FNuwvHcKSPqWdrSyxN1gSi+AK7JN0eShxadc/O+d7IQNvmxuAsqZGC+3qoYR/26beYobA62W zNXd9hrSKFRr8aJraY6fGZlgI0TwG7wRPVprkofgERyllwpBjQ3m0k5zJC4Xr73jDd7SQBUQ ylhC2YRbR/bN6G0p20WCmW6Eb/0DMdhSbgHor3pfsADHgA5uz0ENlsFdHW5Mui/Cfczy7Dm0 RE81csKa9iZ1ROfAbpxZoihQ/5yeWCq1EcUF3NSbC0HEytVUXD42fSqYh5Hft9Fth4cFe/LJ 4id/QPiV9rZEluJ1+csdCijXTmK2wJd1B/72TUN33p1+IeOiEWK9Uh0RnsmFNT16KfimRjW4 H707E/YKPi7ot7h6G2Cm2up6+jIKXGIafYYgqGWA5tYrb56hnDQBvkCY9RLWKDUwqJ0bFRL7 Sc3CQxSzymE+YxRLH+eFx9BDBTnXvjvPYLM0oVbB09hYFoNeHOaDqvhGF7V7kMVBE84/7jWN h4SdJcNykKmPSQPlToywQjoez98tL0g90sgIp85Vlu+WblC9HopMNLiXYckGwzA5WHPSK9Uo 9Ug0lfH2UTlUMZOAWG0IJPjm+xUAEQEAAcLBZQQYAQgADwUCWdEEnQIbDAUJAeEzgAAKCRAo RM3cplXbPH9xEACKzfTlSUiH2f3KqwphNIU4hHq4y/3QqYKBvJu90vLYcSStpHwziSeakp8p doqNonUzt37FRv6aZwclTlcRESdanOs+Em8aOFj+j+1KTpAkGyBMXkwlVTwzRcnXe6v75yU7 6+OKL5cANCsIVjxJz2/h8Q1YiEQU5x+IwElNiUi1cDIUCQGQdxh3KKZ2f7n6c9qoIBVlmRdj OnHWx4EOYSfZafmxz1ceRJ9Y8NwdTlQ6nwuAdMm4JqGcSsSTw7xGCbMS1EiJxm+KXectmej5 jfI67DafpzWRBc/JYs2bI+exPVe8qubJlcvSjmfoJQFllp+gwL1qfAzpP96rA8KfMSD+p803 Zxo7MwWUeNtif5QF/UwsgK3eLEkbCu/izk5G8kZQmtZraVH7+NlbQLNN1NOa9dL0u4SUdERy l0P/FXoQ8P5q4lywM/VMob8B2wTQHDxfOh7/kYJY5q09DG2igGL76lELThgjDAyxGpwPyfeg 37rAAH4IxEr6sTLiQAk0nFoTWF2tQj18ik93gwReg09xuMUDNwIjhzwMHr+8XFgJ3Lw28gwv ocMxF0YkW4m7YClcib6V/KIRFmv3BDkfkBzkQAneuv3TxIhPS3XZALBk9tK4LwbSEOFpRLWa FRvtNb03AT8HhNMnlv9qhZ+4qE8O3qckekkronFMfmaNn/tvJg==
  • Feedback-id: 1.eu-west-1.h5N3mj9bc1cyDsi9i3fL9+5wOoEFBqB4xcAPJ7kL8fM=:AmazonSES
  • Openpgp: id=704F4955F7E3044E408419E22844CDDCA655DB3C
I agree that the question about material scope is not an easy question
to answer. There are edge cases. The material scope of the GDPR is
addressed in Article 3 and Recitals 22, 23, 24, and 25. Below I included
the GDPR-text because it contains some interesting details that may be
relevant for the discussion.

Rob


Article 3 sub 1 ("Location of the company"):
This Regulation applies to the processing of personal data in the
context of the activities of an establishment of a controller or a
processor in the Union, regardless of whether the processing takes place
in the Union or not.

Article 3 sub 2 ("Location of the data subject"):
This Regulation applies to the processing of personal data of data
subjects who are in the Union by a controller or processor not
established in the Union, where the processing activities are related to:
    (a) the offering of goods or services, irrespective of whether a
payment of the data subject is required, to such data subjects in the
Union; or
    (b) the monitoring of their behaviour as far as their behaviour
takes place within the Union.

Article 3 sub 3 ("Member state law, even outside of the EU"):
This Regulation applies to the processing of personal data by a
controller not established in the Union, but in a place where Member
State law applies by virtue of public international law.

Recital 22:
Any processing of personal data in the context of the activities of an
establishment of a controller or a processor in the Union should be
carried out in accordance with this Regulation, regardless of whether
the processing itself takes place within the Union. Establishment
implies the effective and real exercise of activity through stable
arrangements. The legal form of such arrangements, whether through a
branch or a subsidiary with a legal personality, is not the determining
factor in that respect.

Recital 23:
In order to ensure that natural persons are not deprived of the
protection to which they are entitled under this Regulation, the
processing of personal data of data subjects who are in the Union by a
controller or a processor not established in the Union should be subject
to this Regulation where the processing activities are related to
offering goods or services to such data subjects irrespective of whether
connected to a payment. In order to determine whether such a controller
or processor is offering goods or services to data subjects who are in
the Union, it should be ascertained whether it is apparent that the
controller or processor envisages offering services to data subjects in
one or more Member States in the Union. Whereas the mere accessibility
of the controller's, processor's or an intermediary's website in the
Union, of an email address or of other contact details, or the use of a
language generally used in the third country where the controller is
established, is insufficient to ascertain such intention, factors such
as the use of a language or a currency generally used in one or more
Member States with the possibility of ordering goods and services in
that other language, or the mentioning of customers or users who are in
the Union, may make it apparent that the controller envisages offering
goods or services to data subjects in the Union.

Recital 24:
The processing of personal data of data subjects who are in the Union by
a controller or processor not established in the Union should also be
subject to this Regulation when it is related to the monitoring of the
behaviour of such data subjects in so far as their behaviour takes place
within the Union.

Recital 25:
Where Member State law applies by virtue of public international law,
this Regulation should also apply to a controller not established in the
Union, such as in a Member State's diplomatic mission or consular post.
In order to determine whether a processing activity can be considered to
monitor the behaviour of data subjects, it should be ascertained whether
natural persons are tracked on the internet including potential
subsequent use of personal data processing techniques which consist of
profiling a natural person, particularly in order to take decisions
concerning her or him or for analysing or predicting her or his personal
preferences, behaviours and attitudes.


Op 19-4-2018 om 17:38 schreef elliot noss:
> Hi Tim,
>
> I took a quick look at your linkedin and did not see a legal background.
> You may be right. But, that is not the view of our inhouse counsel, our
> external counsel, two separate legal positions that have been provided
> (publicly) to ICANN, nor the view of DPAs who have come to successive ICANN
> meetings.
>
> I would also distinguish (in the example in your article) between an EU
> citizen passing through the US and an EU citizen living there. If you were
> responding here to the EU citizen traveling through the airport than I
> agree and my reference was confusing.
>
> Most importantly, the general approach is that questions like this (and
> there are MANY) will not be answered dispositively until something is
> challenged and takes the five years or so that it will take to get to the
> highest European court. This really requires companies to take a
> conservative view.
>
> EN
>
>> On Apr 19, 2018, at 10:05 AM, Tim Walters
>> < >
>> wrote:
>>
>> Sorry, Elliot, that's not correct. The GDPR does not apply to EU citizens
>> (living outside of the EU). I wrote about it here:
>> https://www.linkedin.com/pulse/three-biggest-lies-gdpr-tim-walters-ph-d-/
>>
>> tw
>>
>> On Thu, Apr 19, 2018 at 3:48 PM, elliot noss
>> < >
>> wrote:
>> I cannot imagine how they can do this without massive tax implications. I
>> also think they cannot avoid the “ex-pat European problem” (an eu citizen
>> living in the us is covered).
>>
>> Sent from my iPhone
>>
>>> On Apr 19, 2018, at 9:43 AM, Doc Searls
>>> < >
>>> wrote:
>>>
>>> 1.5, but yeah. That’s pretty much the whole thing, after you subtract out
>>> the fake accounts.
>>>
>>> This, of course, is one gigantic hunk of evidence that Facebook gives the
>>> opposite of a shit about privacy. Linkedin too. Also the U.S. government,
>>> whose oversight of all this resembles something between sleep and death.
>>>
>>> Doc
>>>
>>>> On Apr 19, 2018, at 9:28 AM, Joyce Searls
>>>> < >
>>>> wrote:
>>>>
>>>> https://www.theguardian.com/technology/2018/apr/19/facebook-moves-15bn-users-out-of-reach-of-new-european-privacy-law
>>


Attachment: signature.asc
Description: OpenPGP digital signature


Archive powered by MHonArc 2.6.19.

§