On Feb 15, 2019, at 8:11 AM, Tim Walters wrote:
>For semi-retired cyber-utopians like me, it's depressing.
Are you a utopian who's semi-retired? Or have you semi-retired your utopianism?
The latter.
I was once described as an optimistic pragmatist. That may be a better label than either of those two.
Doc
On Fri, Feb 15, 2019 at 1:58 PM Doc Searls wrote:
Last I looked, 65% of Google's income was from search advertising, which works fine without personalization.
With Alphabet, Google is diversifying. They weren't surveillance capitalists in the first place, and don't like being the alpha exemplar of it. And there are lots of other ways to play their vast capital and operational assets.
Google's programmatic intermediary advertising machinery will still work fine in a post-tracking world.
Doc
Hi Tim,
picking up an older thread here.
In your blog post you said "The barely veiled message is that the regulators will not allow Google to claim that personalized ads – and all of the data collection, aggregation, and profiling that powers it – is “necessary” for the fulfillment of a contract to provide a Google service."
What are your thoughts on the following two points:
1 - Is there actually a contract involved ie "ohne gelt" where is the privity between Google and user?
2 - It seems reasonable (well, at least not dismissable out of hand anyway) for Google, in the example here, to claim that they require revenue, namely generated from ad personalization, in order to recover the cost of making any given service available free of cost at the point of use.
I'm left wondering whether Google might withdraw from physical and financial presence in the EU so as to avoid fines and crucially still be able to generate revenue indirectly from the EU market through even more aggressive ad personalization?
If so then might we see the Great Firewall of EU emerge to rival that of China and an ever growing balkanization of the internet?
Guy
Here is my post on the story, the real story, and the real real story about Google's GDPR fine.
I would say no, in the sense that, say, Italy cannot now fine Google for the violations determined by France. If you look at the English summary from the CNIL, they point out that they first coordinated with the other DPAs to determine whether they should conduct the investigation. Interestingly, they say "the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow [us] to consider [conclude?] that GOOGLE had a main establishment in the European Union."
Normally, a "main establishment" would determine the lead authority. It will be interesting to see if Ireland takes the lead on all/most Google complaints now that they have shifted processing for all EU residents to Ireland. However, the authorities and the EDPS are very keen to avoid "DPA-arbitrage" -- i.e., where processors locate "main establishments" in states with weak regulators. (Weak could mean resource constraints and/or enforcement restraint.) So I *guess* it's possible that if, say, Ireland is overworked, they could agree to have another state take the lead on an investigation of an Irish processor.
Finally, it's worth repeating that a violator can be fined multiple times for the "same" non-compliant practices. So if Google does not respond appropriately (ignoring the appeal options), they could conceivably be fined 4%, or $4.4 billion, over and over again.
Thanks Tim, I missed that.
Out of interest, does anyone know if each of the 27 member state regulators can levy a fine (of their choosing) against the same company for the same reason? If so, how often?
--
StJohn Deakins
@stjohndeakins
+447500802020
On 22 January 2019 at 16:14:15, Tim Walters wrote:
Well, there was Italy's €10 million fine against Facebook in December.
Hi Iain,
Yes, it’s decided by the national govt that sets up the regulator. I
understand that in Italy, Spain and a couple of others the
regulator must self fund from fines. There was therefore an
expectation that these countries' regulators would be more active
than others after GDPR but I’m not aware that this has happened.
Maybe they’ve been more active locally?
StJ
--
StJohn Deakins
@stjohndeakins
+447500802020
On 22 January 2019 at 13:15:37, Iain Henderson wrote:
Yes, I think how fine income is allocated is a local
country decision. I also vaguely recall some concept of fines
gathered from multi-nationals (e.g. Facebook) being shared across
other countries by the fining regulator (e.g. Ireland).
In any case, I’d expect the regulators to now be seeing
the big data aggregators (in the broadest sense) as easy money. And
the model where the investigation is triggered by informed
activists (NOYB, Open Rights Group, Privacy International etc) is
also a good one that I’d expect to continue. I would certainly like
to launch a missile called ‘Data Portability’ into the mix; anyone
interested in collaborating on that let me know.
Cheers
Iain
I've received various answers about this, but the
consensus is that the sums go into the general member state
revenues, with nothing (officially) for the DPA. It may vary by
country, as I'm pretty sure there is nothing about it in the text of
the GDPR.
Cheers,
tw
I don’t think we need worry too much about funding
DPO’s; as I recall they get a proportion of fines levied. So there
will be an incentive to go after the big fish first, bring in some
cash from the low hanging fruit and then scale up. That will do
some good obviously for the individual, but it will be years down
the track before some mid range GDPR breaches and failings get to
the top of the queue.
Iain
To tie this back into the Zuboff thread, and
specifically my response earlier today to Doc's pessimism about the
GDPR, the CNIL largely determined what you would expect a DPA to
determine if you've simply read the text of the GDPR. Namely,
Google's notification/consent request:
- Violates the requirements for transparency and
intelligibility. "Essential information, such as the data
processing purposes, the data storage periods or the categories of
personal data used for the ads personalization, are excessively
disseminated across several documents, with buttons and links
on which it is required to click to access complementary
information." The CNIL does not say so, but I think this is a
violation of Articles 12(1) and 5(1)(a); see also Recitals 39 and
60.
- Does not allow for valid consent. This second
violation basically follows from the first. Because of the failure
to communicate purposes, transfers, retention periods, etc.
clearly, the consent acquired from the user cannot be "informed,"
"specific," as required by the GDPR. Here the CNIL rejects the
failure to provide granular choices: "For example, in the section
“Ads Personalization”, it is not possible to be aware of the
plurality of services, websites and applications involved in these
processing operations (Google search, You tube, Google home, Google
maps, Playstore, Google pictures…) and therefore of the amount of
data processed and combined."
- Moreover, the CNIL rejects Google's use of pre-checked
"yes" options -- which, excuse me, ARE USED DEPLOYED IN MOST OF THE
CURRENT RIDICULOUS COOKIE NOTICES -- "However, as provided by the
GDPR, consent is “unambiguous” only with a clear affirmative action
from the user (by ticking a non-pre-ticked box for
instance)."
It's interesting -- but also vaguely disturbing -- that
the CNIL focuses on what they call "ads personalization." (Also
interesting that they use the US spelling rather than the British!)
On the one hand, Google's failures viz the GDPR are much, much
larger than sufficient notice about ad personalization. On the
other hand, this focus may be a convenient way for the DPA to draw
the CRUCIAL line between processing purposes "necessary" for the
service to operate and all other purposes. In this sense, the CNIL
is rejecting any effort by Google to assert that targeted
advertising is "necessary" for search, email, YouTube, etc, to
function.
I propose that we start a crowd funding campaign that
will pay for all EU DPAs to go on a week-long retreat with Shoshana
Zuboff, Brett Frischmann, and Evan Selinger.
Cheers,
tw
It's good
that we're acknowledging what meaningful consent is and is not. But
we are also going in circles because this could result in more
& more push notifications, pop ups, and boxes to tick, which
will actually end up diluting consent. So maybe they'll be forced
to admit that consent is the wrong basis to rely upon (and if they
can't find another basis, then maybe it will actually undermine the
ad tech business model). If not, then we will end up where
everything went wrong with cookie laws.
Very quickly -- (This broke while I was on a call and
now I need to leave the house.)
This was the result of the complaint filed by Max
Schrems' NOYB group on the morning of 25 May.
Commentators are convinced that the flaw (mainly --
speak of the devil -- non-granularity of proposed purposes) applies
to the IAB's consent framework as well.
Cheers,
tw