Hi Guy --

1 - I don't understand this question. Is there a typo?

2 - I'll return to this, as it invites a couple of long quotations.

3 - If I understand your point, the only way Google can avoid fines -- i.e., escape from being legally captured by the GDPR -- is to withdraw from any interactions that involve the personal data of EU residents (that is, people located in the EU). Withdrawing from the EU physically and financially but continuing to offer services such as search and YouTube with targeted ads does not shield them from the authorities under the GDPR.

2 redux -- I get this question a lot and it reflects a widespread conviction, especially in the US. Namely, as a website proprietor, shouldn't I be able to dictate the terms under which you may enter/use my site? If the "admission price" for entry is the acceptance of targeted advertising driven by the aggregation of personal data, so be it. If you don't like it, bugger off. I agree that this does not seem entirely unreasonable. But the fact remains that it (fortunately, in my view) is not allowed under the GDPR.

For example, in an article in the Washington Post last August, the EDPS, Giovanni Buttarelli, wrote: "[U]nder the GDPR, a contract cannot be used to obtain consent. Some major companies seem to be relying on take-it-or-leave-it contracts to justify their sweeping data practices. Witness the hundreds of messages telling us we cannot continue to use a service unless we agree to the data use policy. We’ve all faced the pop-up window that gives us the option of clicking a brightly colored button to simply accept the terms, with the “manage settings” or “read more” section often greyed-out. One of the big questions is the extent to which a company can justify collecting and using massive amounts of information in order to offer a “free” service. Under E.U. law, a contractual term may be unfair if it “causes a significant imbalance in the parties’ rights and obligations arising under the contract that are to the detriment of the consumer.” The E.U. is seeking to prevent people from being cajoled into “consenting” to unfair contracts and accepting surveillance in exchange for a service. What’s more, a company is generally prohibited to process, without the “explicit consent” of the individual, sensitive types of information that may reveal race or political, religious, genetic and biometric data."
Somewhat more specifically, the Article 29 Working Party addressed the limits of consent ("processing necessary for the performance of a contract to which the data subject is a party") in the 2014 opinion on legitimate interest (WP 217). "The provision must be interpreted strictly and does not cover situations where the processing is not genuinely necessary for the performance of a contract, but rather unilaterally imposed on the data subject by the controller. Also the fact that some data processing is covered by a contract does not automatically mean that the processing is necessary for its performance. For example, Article 7(b) is not a suitable legal ground for building a profile of the user’s tastes and lifestyle choices based on his click-stream on a website and the items purchased. This is because the data controller has not been contracted to carry out profiling, but rather to deliver particular goods and services, for example. Even if these processing activities are specifically mentioned in the small print of the contract, this fact alone does not make them ‘necessary’ for the performance of the contract."
What justifies this allegedly restrictive use of contracts? I would venture two things:
1. Privacy is a fundamental human right. Granted, operating a business is also a fundamental right in the EU. But that means, as Buttarelli notes, that the question is always one of striking an appropriate balance between the two rights. No "take it or leave it" proposition that involves personal data is likely to pass this balance test.
2. Purpose limitation. If the purpose of collecting some data (name, IP address, submitted texts and photos, etc.) is the service under the "contract" to use a social media platform, this cannot be unilaterally extended to include creating profiles for targeted advertising.
Cheers,
tw
On Fri, Feb 15, 2019 at 12:17 PM Guy Jarvis wrote:

Hi Tim,

picking up an older thread here.

In your blog post you said "The barely veiled message is that the regulators will not allow Google to claim that personalized ads – and all of the data collection, aggregation, and profiling that powers it – is “necessary” for the fulfillment of a contract to provide a Google service."

What are your thoughts on the following two points:

1 - Is there actually a contract involved, i.e. "ohne Geld", where is the privity between Google and user?

2 - It seems reasonable (well, at least not dismissable out of hand anyway) for Google, in the example here, to claim that they require revenue, namely generated from ad personalization, in order to recover the cost of making any given service available free of cost at the point of use.

I'm left wondering whether Google might withdraw from physical and financial presence in the EU so as to avoid fines and crucially still be able to generate revenue indirectly from the EU market through even more aggressive ad personalization?

If so then might we see the Great Firewall of EU emerge to rival that of China and an ever growing balkanization of the internet?

Guy

On Tue, Jan 22, 2019 at 9:31 PM Tim Walters wrote:

Here is my post on the story, the real story, and the real real story about Google's GDPR fine.

On Tue, Jan 22, 2019 at 5:42 PM Tim Walters wrote:

I would say no, in the sense that, say, Italy cannot now fine Google for the violations determined by France. If you look at the English summary from the CNIL, they point out that they first coordinated with the other DPAs to determine whether they should conduct the investigation. Interestingly, they say "the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow [us] to consider [conclude?] that GOOGLE had a main establishment in the European Union."

Normally, a "main establishment" would determine the lead authority. It will be interesting to see if Ireland takes the lead on all/most Google complaints now that they have shifted processing for all EU residents to Ireland. However, the authorities and the EDPS are very keen to avoid "DPA-arbitrage" -- i.e., where processors locate "main establishments" in states with weak regulators. (Weak could mean resource constraints and/or enforcement restraint.) So I *guess* it's possible that if, say, Ireland is overworked, they could agree to have another state take the lead on an investigation of an Irish processor.

Finally, it's worth repeating that a violator can be fined multiple times for the "same" non-compliant practices. So if Google does not respond appropriately (ignoring the appeal options), they could conceivably be fined 4%, or $4.4 billion, over and over again.
On Tue, Jan 22, 2019 at 5:19 PM StJ Deakins wrote:

Thanks Tim, I missed that.

Out of interest, does anyone know if each of the 27 member state regulators can levy a fine (of their choosing) against the same company for the same reason? If so, how often?
On 22 January 2019 at 16:14:15, Tim Walters wrote:
Well, there was Italy's €10 million fine against Facebook in December.
On Tue, Jan 22, 2019 at 3:20 PM StJ Deakins wrote:

Hi Iain,

Yes, it’s decided by the national govt that sets up the regulator. I understand that in Italy, Spain and a couple of others the regulator must self fund from fines. There was therefore an expectation that these countries' regulators would be more active than others after GDPR but I’m not aware that this has happened. Maybe they’ve been more active locally?

StJ
On 22 January 2019 at 13:15:37, Iain Henderson wrote:
Yes, I think how fine income is allocated is a local country decision. I also vaguely recall some concept of fines gathered from multi-nationals (e.g. Facebook) being shared across other countries by the fining regulator (e.g. Ireland).

In any case, I’d expect the regulators to now be seeing the big data aggregators (in the broadest sense) as easy money. And the model where the investigation is triggered by informed activists (NOYB, Open Rights Group, Privacy International etc.) is also a good one that I’d expect to continue. I would certainly like to launch a missile called ‘Data Portability’ into the mix; anyone interested in collaborating on that let me know.

Cheers

Iain
On 22 Jan 2019, at 12:50, Tim Walters wrote:
I've received various answers about this, but the consensus is that the sums go into the general member state revenues, with nothing (officially) for the DPA. It may vary by country, as I'm pretty sure there is nothing about it in the text of the GDPR.

Cheers,
tw
On Mon, Jan 21, 2019 at 11:21 PM Iain Henderson wrote:

I don’t think we need worry too much about funding DPOs; as I recall they get a proportion of fines levied. So there will be an incentive to go after the big fish first, bring in some cash from the low hanging fruit and then scale up. That will do some good obviously for the individual, but it will be years down the track before some mid range GDPR breaches and failings get to the top of the queue.

Iain
On 21 Jan 2019, at 20:00, Tim Walters wrote:
Here is the CNIL's (quasi) English announcement: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

Law firm FieldFisher analysis: https://privacylawblog.fieldfisher.com/2019/european-data-protection-authorities-finally-flex-their-gdpr-muscles

To tie this back into the Zuboff thread, and specifically my response earlier today to Doc's pessimism about the GDPR, the CNIL largely determined what you would expect a DPA to determine if you've simply read the text of the GDPR. Namely, Google's notification/consent request:

- Violates the requirements for transparency and intelligibility. "Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information." The CNIL does not say so, but I think this is a violation of Articles 12(1) and 5(1)(a); see also Recitals 39 and 60.

- Does not allow for valid consent. This second violation basically follows from the first. Because of the failure to communicate purposes, transfers, retention periods, etc. clearly, the consent acquired from the user cannot be "informed" and "specific," as required by the GDPR. Here the CNIL rejects the failure to provide granular choices: "For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined."

- Moreover, the CNIL rejects Google's use of pre-checked "yes" options -- which, excuse me, ARE DEPLOYED IN MOST OF THE CURRENT RIDICULOUS COOKIE NOTICES -- "However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance)."

It's interesting -- but also vaguely disturbing -- that the CNIL focuses on what they call "ads personalization." (Also interesting that they use the US spelling rather than the British!) On the one hand, Google's failures viz the GDPR are much, much larger than sufficient notice about ad personalization. On the other hand, this focus may be a convenient way for the DPA to draw the CRUCIAL line between processing purposes "necessary for the service to operate" and all other purposes. In this sense, the CNIL is rejecting any effort by Google to assert that targeted advertising is "necessary" for search, email, YouTube, etc., to function.

I propose that we start a crowd funding campaign that will pay for all EU DPAs to go on a week-long retreat with Shoshana Zuboff, Brett Frischmann, and Evan Selinger.

Cheers,
tw
On Mon, Jan 21, 2019 at 7:35 PM Elizabeth M. Renieris wrote:

It's good that we're acknowledging what meaningful consent is and is not. But we are also going in circles because this could result in more & more push notifications, pop ups, and boxes to tick, which will actually end up diluting consent. So maybe they'll be forced to admit that consent is the wrong basis to rely upon (and if they can't find another basis, then maybe it will actually undermine the ad tech business model). If not, then we will end up where everything went wrong with cookie laws.
On Mon, Jan 21, 2019 at 12:49 PM Tim Walters wrote:

Very quickly -- (This broke while I was on a call and now I need to leave the house.)

This was the result of the complaint filed by Max Schrems' NOYB group on the morning of 25 May.

Commentators are convinced that the flaw (mainly -- speak of the devil -- non-granularity of proposed purposes) applies to the IAB's consent framework as well.

Here is Max Schrems' tweet with several links: https://twitter.com/maxschrems/status/1087379606594818048

Cheers,
tw