

Re: [projectvrm] CNIL fines Google €50 million for GDPR violations


  • From: Tim Walters
  • To: Doc Searls
  • Cc: Guy Jarvis, StJ Deakins, Iain Henderson, "Elizabeth M. Renieris", ProjectVRM list
  • Subject: Re: [projectvrm] CNIL fines Google €50 million for GDPR violations
  • Date: Fri, 15 Feb 2019 14:11:00 +0100

>For semi-retired cyber-utopians like me, it's depressing.

Are you a utopian who's semi-retired? Or have you semi-retired your utopianism?

On Fri, Feb 15, 2019 at 1:58 PM Doc Searls wrote:
Last I looked, 65% of Google's income was from search advertising, which works fine without personalization.

With Alphabet, Google is diversifying. They weren't surveillance capitalists in the first place, and don't like being the alpha exemplar of it. And there are lots of other ways to play their vast capital and operational assets.

Google's programmatic intermediary advertising machinery will still work fine in a post-tracking world.

The Internet is balkanizing anyway, which is a damn shame. For one take on that, see Four Internets: The Geopolitics of Digital Governance, by Dame Wendy Hall and Kieron O'Hara: https://www.cigionline.org/publications/four-internets-geopolitics-digital-governance. For semi-retired cyber-utopians like me, it's depressing.

Doc


Hi Tim,

picking up an older thread here.

In your blog post you said "The barely veiled message is that the regulators will not allow Google to claim that personalized ads – and all of the data collection, aggregation, and profiling that powers it – is “necessary” for the fulfillment of a contract to provide a Google service."

What are your thoughts on the following two points:

1 - Is there actually a contract involved ie "ohne gelt" where is the privity between Google and user?

2 - It seems reasonable (well, at least not dismissable out of hand anyway) for Google, in the example here, to claim that they require revenue, namely generated from ad personalization, in order to recover the cost of making any given service available free of cost at the point of use.

I'm left wondering whether Google might withdraw from physical and financial presence in the EU so as to avoid fines and crucially still be able to generate revenue indirectly from the EU market through even more aggressive ad personalization?

If so then might we see the Great Firewall of EU emerge to rival that of China and an ever growing balkanization of the internet?

Guy

Here is my post on the story, the real story, and the real real story about Google's GDPR fine.




I would say no, in the sense that, say, Italy cannot now fine Google for the violations determined by France. If you look at the English summary from the CNIL, they point out that they first coordinated with the other DPAs to determine whether they should conduct the investigation. Interestingly, they say "the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow  [us] to consider [conclude?] that GOOGLE had a main establishment in the European Union."

Normally, a "main establishment" would determine the lead authority. It will be interesting to see if Ireland takes the lead on all/most Google complaints now that they have shifted processing for all EU residents to Ireland. However, the authorities and the EDPS are very keen to avoid "DPA-arbitrage" -- i.e., where processors locate "main establishments" in states with weak regulators. (Weak could mean resource constraints and/or enforcement restraint.) So I *guess* it's possible that if, say, Ireland is overworked, they could agree to have another state take the lead on an investigation of an Irish processor.

Finally, it's worth repeating that a violator can be fined multiple times for the "same" non-compliant practices. So if Google does not respond appropriately (ignoring the appeal options), they could conceivably be fined 4%, or $4.4 billion, over and over again.

On Tue, Jan 22, 2019 at 5:19 PM StJ Deakins wrote:
Thanks Tim, I missed that. 

Out of interest, does anyone know if each of the 27 member state regulators can levy a fine (of their choosing) against the same company for the same reason? If so, how often?

-- 
StJohn Deakins
@stjohndeakins
+447500802020

On 22 January 2019 at 16:14:15, Tim Walters wrote:

Well, there was Italy's €10 million fine against Facebook in December.

On Tue, Jan 22, 2019 at 3:20 PM StJ Deakins wrote:
Hi Iain, 

Yes, it’s decided by the national govt that sets up the regulator. I understand that in Italy, Spain and a couple of others the regulator must self fund from fines. There was therefore an expectation that these countries’ regulators would be more active than others after GDPR but I’m not aware that this has happened. Maybe they’ve been more active locally?

StJ 

-- 
StJohn Deakins
@stjohndeakins
+447500802020

On 22 January 2019 at 13:15:37, Iain Henderson wrote:

Yes, I think how fine income is allocated is a local country decision. I also vaguely recall some concept of fines gathered from multi-nationals (e.g. Facebook) being shared across other countries by the fining regulator (e.g. Ireland).

In any case, I’d expect the regulators to now be seeing the big data aggregators (in the broadest sense) as easy money. And the model where the investigation is triggered by informed activists (NOYB, Open Rights Group, Privacy International etc) is also a good one that I’d expect to continue. I would certainly like to launch a missile called ‘Data Portability’ into the mix; anyone interested in collaborating on that let me know.

Cheers

Iain




I've received various answers about this, but the consensus is that the sums go into the general member state revenues, with nothing (officially) for the DPA. It may vary by country, as I'm pretty sure there is nothing about it in the text of the GDPR.

Cheers,
tw

On Mon, Jan 21, 2019 at 11:21 PM Iain Henderson wrote:
I don’t think we need worry too much about funding DPOs; as I recall they get a proportion of fines levied. So there will be an incentive to go after the big fish first, bring in some cash from the low hanging fruit and then scale up. That will do some good obviously for the individual, but it will be years down the track before some mid range GDPR breaches and failings get to the top of the queue.

Iain





To tie this back into the Zuboff thread, and specifically my response earlier today to Doc's pessimism about the GDPR, the CNIL largely determined what you would expect a DPA to determine if you've simply read the text of the GDPR. Namely, Google's notification/consent request:
- Violates the requirements for transparency and intelligibility. "Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated  across several documents, with buttons and links on which it is required to click to access complementary information." The CNIL does not say so, but I think this is a violation of Articles 12(1) and 5(1)(a); see also Recitals 39 and 60.
- Does not allow for valid consent. This second violation basically follows from the first. Because of the failure to communicate purposes, transfers, retention periods, etc. clearly, the consent acquired from the user cannot be "informed," "specific," as required by the GDPR. Here the CNIL rejects the failure to provide granular choices: "For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined."
- Moreover, the CNIL rejects Google's use of pre-checked "yes" options -- which, excuse me, ARE DEPLOYED IN MOST OF THE CURRENT RIDICULOUS COOKIE NOTICES -- "However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance)."

It's interesting -- but also vaguely disturbing -- that the CNIL focuses on what they call "ads personalization." (Also interesting that they use the US spelling rather than the British!) On the one hand, Google's failures viz the GDPR are much, much larger than sufficient notice about ad personalization. On the other hand, this focus may be a convenient way for the DPA to draw the CRUCIAL line between processing purposes "necessary" for the service to operate and all other purposes. In this sense, the CNIL is rejecting any effort by Google to assert that targeted advertising is "necessary" for search, email, YouTube, etc, to function.

I propose that we start a crowd funding campaign that will pay for all EU DPAs to go on a week-long retreat with Shoshana Zuboff, Brett Frischmann, and Evan Selinger.

Cheers,
tw

On Mon, Jan 21, 2019 at 7:35 PM Elizabeth M. Renieris wrote:
It's good that we're acknowledging what meaningful consent is and is not. But we are also going in circles because this could result in more & more push notifications, pop ups, and boxes to tick, which will actually end up diluting consent. So maybe they'll be forced to admit that consent is the wrong basis to rely upon (and if they can't find another basis, then maybe it will actually undermine the ad tech business model). If not, then we will end up where everything went wrong with cookie laws. 

On Mon, Jan 21, 2019 at 12:49 PM Tim Walters wrote:
Very quickly -- (This broke while I was on a call and now I need to leave the house.)

This was the result of the complaint filed by Max Schrems' NOYB group on the morning of 25 May.

Commentators are convinced that the flaw (mainly -- speak of the devil -- non-granularity of proposed purposes) applies to the IAB's consent framework as well.

Here is Max Schrems' tweet with several links: https://twitter.com/maxschrems/status/1087379606594818048

Cheers,
tw





