

Re: [projectvrm] Facebook and GDPR


  • From: Guy Higgins
  • To: Tim Walters, Iain Henderson
  • Cc: ProjectVRM list
  • Subject: Re: [projectvrm] Facebook and GDPR
  • Date: Thu, 19 Apr 2018 10:11:19 -0600

On Tuesday, we had a serious wind storm locally and one of my neighbors had a fir tree blown over in his front yard.  While I was helping him and his wife attempt to save the tree, we fell into a discussion of monopolies and success.  I’ve held for a long time that success is a self-correcting condition.  Successful companies, like Facebook and Amazon and Google (and US Steel and Standard Oil and AT&T), become successful, then they begin to suffer from the pathologies of large organizations.  These pathologies include, but are certainly not limited to, large, rule-bound bureaucracies, slowing growth, fiscal laxity and hubris (my personal favorite).  These pathologies create risks for the organization — risks that are extremely difficult to effectively address because addressing them would require the leadership to take actions that do not reward said leadership (short-term bloodletting for long-term health).  That opens the door for competitors.  Is any of this inevitable — of course not, it’s merely the way the Second Law of Thermodynamics (paraphrased as, “Left to itself, everything goes to s#*&.”) weights the evolving ecosystem.  Look at the Dow Jones Industrial Index.  The average time that a company is on the index has been monotonically declining for a century.

I suspect that the contortions that the illustrious Mr. Zuckerberg is going through will ultimately open the door for competitors — and I think that the most effective thing government could do is to nurture the economy/economies to enable those competitors — and those competitors should include VRM-friendly players.

Guy

From: Tim Walters
Date: Thursday, April 19, 2018 at 6:44
To: Iain Henderson
Cc: ProjectVRM list
Subject: Re: [projectvrm] Facebook and GDPR

And as expected/feared. I suspect this will be worth a court battle. It's not clear to me what it means to "switch the data controller entity." If FB Ireland continues doing all of the processing, I doubt that FB can simply *designate* FB US as the controller.

https://techcrunch.com/2018/04/18/data-experts-on-facebooks-gdpr-changes-expect-lawsuits/




On Thu, Apr 19, 2018 at 9:27 AM, Iain Henderson wrote:
Hi Tim, on your first point I’d have thought that just boils down to which Facebook entity is the data controller for which set of users; as you say if ‘served from Ireland’ equals Facebook IE is the data controller then yes all 1.9bn should have those rights.

If true then that won’t have been by design related to GDPR; just historical, and I don’t see how they could move users from one controller to another at this point.

Sounds like facial recognition activity was planned pre Cambridge Analytica blow up as it does not sound like a good thing to be doing in that context.

Cheers

Iain



Two quick news items to promote and solicit viewpoints.

First, I was surprised by this statement a couple of days ago. "The 89 percent of users served from Facebook Ireland—even those who don’t live in EU countries—will already benefit from the GDPR’s legal protection, regardless of public promises, and can seek redress through European regulators and courts."

If it is true that these global users -- all except the US and Canada -- are served from Ireland, then according to Article 3(1), all 1.9 billion of them should be due full GDPR protections and rights as of 25 May. It seems to me that that, combined with the Article 5 requirements for purpose specification and limitation plus the heightened awareness around data abuse, could equal a significant revenue impact for Facebook.

Make sense?

Of course, if the impact is significant enough, it could motivate FB to restrict Ireland to serving EU residents and deal with the rest of the globe from elsewhere.

Second, that highlights the question of how successful FB will be in getting users to consent to purposes that go beyond those necessary to facilitate social exchanges. And this article says that FB has started rolling out the requests. FB provided a sample of a consent request for facial recognition. (I'll try to embed it here, but it didn't work last time.) I can't see how any data protection authority is going to find this acceptable. (But then, the lead DPA for FB will be Ireland's Helen Dixon, who has until now shown no backbone in standing up to FB re Max Schrems's complaints.)

The left screen asks for consent for facial recognition. But instead of the "affirmative action" choices being Accept/Refuse or Allow/Disable, they are "Accept and Continue" or "Manage Data Setting."

Problem #1: The request is not "clear" and "transparent" as required by the GDPR. A request to accept or decline a given type of data collection should offer accept or decline actions. Instead, users can accept, or they can . . . ugg, yuck, "manage my data settings"? Sounds hard. I'll just accept.

If you do select Manage Data Setting -- that is, if you want to say NO -- you're presented (I presume) with the screen on the right. This does nothing but ask AGAIN if Facebook can use facial recognition. Even I (a trained sceptic) initially thought this was a different question. The choices after this question -- allow/don't allow -- are the ones that ought to have been presented on the left screen.

Finally, note that according to one quote in this article, FB itself evidently thinks that GDPR protections apply only in the EU, not for the 1.9 billion served from Ireland. Namely: "The company says that “people in the EU will see specific details relevant only to people who live there, like how to contact our Data Protection Officer under GDPR.”"

Cheers,
tw




