Best endorsement of GDPR they could possibly make. Everyone knows Facebook collects more data than most people probably want so it follows that a privacy law they don't want to roll out everywhere must help curtail that to some degree.
Yeah, and to a degree that theyre willing to eat the cost of maintaining a much more complicated privacy structure (and, inherently, code base) to not roll it out everywhere.
I don't think that maintaining different strategies in different areas is the more costly procedure.
The assumption you're making here is that GDPR is one and done. In all likelihood, most major jurisdictions are going to introduce privacy laws at some point. If you don't build your international service to allow for different rules in different jurisdictions you're going to have to follow the strictest of those laws. Heck, I'd put money on some countries forcing some web services to record some data for law enforcement purposes and other countries barring facebook from recording the same data for privacy reasons.
So really, you have to build this system in a way that can be tailored to each market you operate in.
Playing devil's advocate: it could also be that their implementation of the GDPR necessarily restricts functionality from the user's point of view. And they simply want their users to have the best (in their view) possible experience.
It's quite telling in such a situation when a company like Facebook hypothetically won't deliver a certain feature if they have to make their intentions clear. The immediate assumption is that they don't believe their justifications for it are sound and nobody would opt in, so they depend on keeping those motives private. Quite ironic, expecting your users to trust you but not trusting them at all, but I suppose that's business more than anything (sadly).
In the same sense as medical trial guidelines diminish scientist freedom and safety regulations regulate the freedom of engineers. Sorry, but just as I demand that if I walk into a hospital I'm being treated safely, consumers can demand the same thing from me as a developer.
Compared to the freedoms of millions and billions of uses my 'developer freedom' is pretty far down the list of things that matter. As developers we are servicing people, they are not our lab rats.
Social networking software is not in any way equivalent to medicine so thank you for making this false equivalence because it proves the point that these regulations are ridiculous.
If you don't want facebook to track you don't make an account on their website and don't click any of the stupid buttons on their website.
Having seen the influence social media can have on our discourse and even our political systems, including manipulation of democratic elections I think that comparison is absolutely warranted. It is the infrastructure of our modern communication, not just a 'website with stupid buttons'.
Without regulation like GDPR, Facebook aren't obliged to state what those stupid buttons actually do with regards to the information they store about you.
Being open and honest with people really doesn't slow down development all that much.
This is like saying that prescription-drug regulations are limiting speed/freedom. When those things are dangerous to the user, they should be limited!
And I still don't agree that it slows anyone down. Want to launch a new feature quickly? No problem, go ahead and launch it. All you have to do is add an opt-in dialog at the beginning.
As far as freedom goes, we've seen the abuses of that freedom and it's time to limit it.
There is an approach to use a disclaimer to state a controversial view. There are many forms to this: "I am not a racist, but...", "No offense, but..." , "Let me play a devil's advocate, ..." , Etc.
The form usually proceeds by stating a view. You think attribution is more important than the propagation (or content) of the view, and that is fine. For me, the content and propagation usually rank higher.
In the case of FB, I think we all had enough proof that the quest for money is above everything. According to the latest leaks about their execs, even above human lives.
So, at this point, I find any attempt to defend them, even hypothetical, sad.
I know of at least two of the large (multiple tens and hundreds of billions in market cap) tech companies (other than Apple, already mentioned in this thread) who are making a lot of global changes for GDPR.
> obviously
Isn't it a significant expense to comply with the GDPR, especially in Facebook's business? I'm guessing the only companies doing this don't have much to lose by complying globally.
1. The administrative/maintenance cost of complying: this is sunk if you have European users at all.
2. The cost of the measures to your business model, if personal user data is a central part of your business model.
3. The adminstrative cost of maintaining radically different user data management systems for EU -vs- non-EU users.
Doing number 3 is only worthwhile if it's a lower cost than number 2. I would guess 3 would be higher than 2 for most companies. Clearly, 2 is extremely high for Facebook.
I can imagine that there is a local minimum of costs 2 & 3 where the infrastructure is modelled so that privacy legislation is supported, but the company makes no commitment to enforcement/compliance anywhere but the relevant jurisdiction. That way you've take the sunk costs of development (technical and compliance), but drained the project of any administrative costs for the rest of the world...
If you do business in the EU, you'll incur most of those expenses anyways. It makes sense that companies would offer privacy protection to all their paying customers.
In the case of Facebook, it makes sense that they wouldn't want to offer privacy protection to their livestock.
I mean cloud providers are different. First, there's that level of indirection. You're a customer, not necessarily falling under the GDPR, but your customers might. So the mechanisms are in place to handle that worldwide, which you could choose to extend to everybody. Then there's the data from you being a customer directly, which is largely exempt from many GDPR things like opt-in anyway, since they actually need it to e.g. bill you, provide customer support, etc.
So far, I don't think any cloud providers show you ads based on your usage, but it's only a matter of time :) / :(
At some stage Americans need to expand their definition of what "freedom" is. Right now maintaining freedom from government is almost a national passtime (and arguably quite effect), but in the meantime infringement from private organizations has expanded and I'd argue is now the predominant issue facing your average citizen.
You have HOAs acting as government, tech companies acting as intelligence organizations, private security acting as police, and heck even private companies buying up roads/bridges maintaining them and charging a fee.
The whole "make a different choice" retort whenever private organizations do something evil is getting less and less believable with every passing day. For example, in a lot of cities almost every neighborhood has a HOA.
While there certainly is room to improve privacy legislation, it must be done carefully. More legislation is not always better. For example, I'm strongly against forcing search engines to remove entries based on a single person's 'right to forget.'
Then let's talk about how careful. "Right to forget" premises data ownership by the person, with which you apparently disagree.
So, if people should not have complete control over data about themselves, where should the line be drawn on the usage of that data when people can't tell companies what to do with it? Who should draw that line?
You seem incredulous that anyone can have a good faith argument against the "right to be forgotten."
One person's right to be forgotten conflicts with the public's interest in knowing things. For example, if a given doctor has botched several surgeries, and I am considering to become his patient, the doctor's right to have those incidents forgotten conflicts with my interest in knowing his track record. This is one example, but such cases are myriad.
Of course the laws surrounding the right to be forgotten in Europe are not boundless (though they are, to my mind, quite vague) and I'm sure supporters will be quick to point out the the case of the doctor above may not be covered by the right to be forgotten. And that is a nice point in theory, but in practice is moot. Europe has put the burden of correctly determining what is in the public interest squarely on the shoulders of online aggregators. If an aggregator's interpretation of a broad set of laws is later found to not be in keeping with the opinion of European courts, the aggregators are the ones that will be footing the fines.
Forcing search engines to all become court systems which adjudicate millions of cases is extremely onerous. Companies are not going to spend billions doing that. They are just going to remove whatever requests they get, DMCA style. The end result is that Europe has given everyone a more or less unrestricted delete button. Google has already delisted more than a million URLs (including for a doctor that botched several surgeries).
Further, until the the whole world gets on board, I imagine there will always be access to search engines that do not delist results. So not only are companies forced to rubber stamp millions of delist requests, it's also completely pointless!
Personally, if society believes the right to be forgotten is worth enshrining, instead of shirking responsibility of actually enforcing it onto tech giants, we should have the courts adjudicate the requests so that the public interest will be appropriately weighed. Of course this will be much more expensive, but like health, education, and so on, doing the right thing is often expensive.
Except even in Europe, there isn't really a "right to be forgotten". Your "right to be forgotten" doesn't mean you can make a newspaper to take down a factually accurate article about you, just to force a search engine to stop linking to that factually accurate article. They didn't give anyone control of the data about themselves, just the right to make it harder to find.
I had posted it on the other link as well where Panera Bread's leaks were discussed (1 and 2), but since it is relevant to this discussion, reposting it here. I have edited my conclusion a bit from the original two postings:
Commenting only on the speed of response (or the glacial interpretation of it in Panera's case):
For companies operating in European Union, the General Data Protection Regulation (GDPR) (3) mandates that such breaches need to be disclosed under 72 hours. The implementation deadline for GDPR is by end of May 2018 (~7 weeks to go).
Underarmor, a US-based sports apparel manufacturer, who operates in EU as well, recently had a breach that affected 150-million users, and went public within 3 days of discovering the breach (4).
I believe UnderArmor's case is the norm we can expect going forward. As most companies are not "tech" in nature, unlike FB which happens to be one, it will make sense for them to keep just one security policy and the legally mandated strictest one may be the dominant policy across the enterprise.
It's worth noting that Article 33(1)[1] states that a breach must be reported to the local supervisory authority unless said breach is 'unlikely to result in a risk to the rights and freedoms of natural persons'. This call is made by the organisation which suffered from the breach, by the way (certainly in the absence of any case law).
It will be interesting to see the interpretation of that clause in action, specifically when looking at information such as IP address which is still considered a grey area.
While the decision to do/not-do is up to the company; They still have to document it (in any case, even non-personal), mention the reason for not reporting (e.g. "it's only an IP address") and make that document available upon request.
So if the breach turns out to be a bit more major than then want every one to think it is and it turns out that it was major in the end, there either is a paper trail or worst case for them no paper trail and probably a worse fine.
Definitely, as do most of us. But that IMO is mostly attributable to the network effect and not to anything particularly special about Facebook as an application. An incumbent social network with mostly identical software, minus the spying plus an ethical monetization strategy, would be out-competed financially by Facebook unless user tracking is regulated more closely.
I now live in a country where Facebook is a major part of how people function online. I deleted my profile and stayed off for 2 years when I still lived in the US, but here it's more vital to have one unfortunately.
Not because it's a particularly good service. Mainly because everyone is on there. It would also be fine if everyone was on Google plus or anything else but it's the only place where I know I can reach most people I know.
I stopped using facebook in 2008, and I wonder if my social life degraded because of not using it.
Since everyone is on it, it would make sense that not using it would "exclude" you or a social standard or norm.
There are two sides to this.
First, I don't since exchanging on facebook is relevant or meaningful social exchange. Teamspeak or skype are more meaningful, but facebook only brings delayed text, photo and video, while real time matters more.
The second side is that as I've discussed already, there are no discovery feature on facebook. You don't make new friends thanks to facebook, you only do with Tinder, meetup, Uber, etc. The friendship relation in facebook is one of exclusivity. I don't think facebook events or groups are really attractive to users, or really do create new friendships, beyond the classical scenario of real life meeting. If you make new friends, it's not really thanks to facebook, because organizing an event can be done on any other platform, or even by email.
So it's true that user base matters a lot, but facebook seems to have little to no usefulness. It's just for messaging, posting photos, event exposure. It's just a very large myspace, with improved features, but it brings nothing new to the table.
facebook only brings delayed text, photo and video, while real time matters more.
You mean, except for FB Messenger (and Whatsapp, which should be included if one it talking about the company practices).
The second side is that as I've discussed already, there are no discovery feature on facebook.
I'm not a user, but AFAIK it does suggest friends to you. Plus, you often interact with friends-of-friends (e.g. through comments on posts of your friends), which does allow you to discover new people.
Facebook is like a phonebook with everyone I've met. I live away from where I grew up so often contact with friends has large gaps. I don't have everyone's email/phone and those change. To get them once they change I'd need a directory like Facebook.
Network effect and low friction is why it's useful but if everyone was on some other platform where I could find them by name I'd happily switch given I mostly use it for messaging and event planning.
I think anyone who argues it’s not useful or at least compelling is being disingenuous. None of this would even be an issue if Facebook wasn’t important to the infrastructure of modern life for billions of people.
I'd be totally fine without the routine of going to Facebook. My problem is that there's not a clear substitute for the specific typos of info I use it for, for the specific relationships I maintain through it, and for the reach I get for things I share.
I don't know if you have a fanpage or anything, but if you just do it personally, I have far more reach sharing on HN, reddit, and my personal site compared to Facebook.
The problem with Facebook other than bad privacy is that it doesn't take much to press the like button. Someone clicking like doesn't mean shit - maybe they're being nice to you. Most likely they're bored. Next 5 seconds their mind will be to something else. Plus, Facebook is ruthless to the freshness of things, so shit you spent a lot of time producing only gets a shot temporarily in the present and then imediatelly forgotten if they shared to 10 people and they don't care. You're not a creator, you're an easily replacacle cog in their system. I have had things that picked up long after I produced them on my site - I can't imagine doing that with Facebook.
FYI, I recently deactivated my Facebook account and found I could still use messenger. That seemed like a great compromise to me. I still have had to reactivate it a couple times for some third party login, but I deactivated again right after that.
How does Facebook distinguish between US and European users? Does it do it based in IP address? On GPS data it slurps up from mobile applications? On the manually selected city the user specifies that they live in? Facebook also operates a TOR service, how can it comply whilst not knowing where the user is signing in from? Does a European user who uses an American VPN become classified as an American user and vice versa? There is probably a business opportunity here somewhere to provide European data privacy as a service. It all seems pretty complicated.
If a company wants to operate in Europe and accept European customers, they abide by the law.
If they can't manage to figure out they're servicing european customers and protect their data according to the law, then they get fined substantially.
It might be complicated, but the onus is on the company not the user, making this Facebook's problem to resolve.
This seems a bit too dismissive to me. The notion of jurisdiction for a transaction or contractual relationship is indeed pretty complicated.
It isn't clear to me that the burden should be on the service provider to discern the legal domicile of a user and to be required to adjust its business practices to accommodate the regulations of their 'home' jurisdiction. Wouldn't that rapidly devolve into every service provider being required to operate within the rules of some extremely complicated intersection of all possible jurisdictions?
It is actually very simple. Ask the user. If the user says he lives in Berlin, then apply EU laws to his data. If Facebook tries to "discern" the domicile and incorrectly discerns the domicile then that's Facebook's problem.
> If the user says he lives in Berlin, then apply EU laws to his data. If Facebook tries to "discern" the domicile and incorrectly discerns the domicile then that's Facebook's problem.
I hope they do this, and don't try to cross-check against login IPs or anything. I just set my FB city and hometown to European ones to increase my chances of benefiting from the GDPR.
And what if the user says they live in <insert-evil-country-here>? Are you then required to apply the laws of <insert-evil-country-here>? If not, why not? Do I know need to understand the laws of every country in the world?
And how to you decide between <good-country>, <so-so-country>, and <evil-country>?
As of now, yes.
If <evil country> has any leverage on your company (you have a business presence there, you travel there, or they have access to your assets) you’ll need to comply with their rules for the users living there.
Why not? Presumably they're the ones seeking to make money off the user's data; I see no problem with putting the onus on them to protect the user's privacy as well.
I think you are changing the problem definition a bit.
"Protect the user's privacy" is not at all the same thing as "follow all the laws of the user's home jurisdiction".
If there is a legal obligation to follow the laws regarding privacy then what about any other laws? What about disclosure laws where service providers in the home country are required to disclose information to the government? Should the foreign service provider be required to follow those laws also? If not, why not?
I'm saying if that you argue that country-a service provider is required to follow the laws of a user from country-b, perhaps because you agree with the laws of country-b (regarding "protection of privacy" in this case), then that logic creates a problem when you don't like the laws of country-b or when they in fact conflict with the laws of country-a.
I was specifically responding the the assertion that "If a company wants to operate in Europe and accept European customers, they abide by the law" and pointing out that accepting that logic may not lead where you want it to lead.
Sure you can refuse to do business with customers from other countries, but now you have to have some process for determining what jurisdiction the user is from including figuring out how to protect yourself from a foreign jurisdiction that decides that you didn't do enough to discern the true jurisdiction of the user (who may have given incorrect information, clicked through the form, etc).
It is not obvious exactly what would be the best way to manage that risk.
If FB took the absolute safest approach, they'd apply the restrictions to any account that has been signed in from an EU IP address -or- which lists an EU address.
Have you been in a coma for the past 10 years? Facebook is a surveilance company, they know everything about you. Where you are physically located was probably the bits of informaiton they learned about you.
How can this be legal? I travel to Europe frequently for work. I use (well technically used) Facebook to stay in touch with people back home. But shouldn't my data be covered under GDPR if I've saved data from within the European Economic Area?
> 1. A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers an Data Processors.
It's not even resident, the bar is far lower. A US resident on holidays to europe is covered.
How is this enforced? For facebook, let's say, is all I have to do is change my country from a non-European country to a European country, and I'm good? Because that is a fairly easy line to cross.
I've asked about this before in another thread but didn't get anything useful for me. How can I get the benefit of being a EU resident, with respect to GDPR, while not physically being in the EU? What I'm asking for may probably sound like a fraudulent thing, but I value my privacy a lot, and if there are any steps I can consider to make myself come under GDPR (without moving to the EU), I'd like to know.
Using a VPN to connect to a location in Europe might work, if the company uses IP address to check whether a user is in the EU.
Of course, Facebook has other options (many users just tell them where they live, you can even fill out an address) so you could try claiming to live in the EU there, too.
Which is particularly interesting for me the next couple of election cycles, as I am a US citizen registered to vote back in the last place in the US I resided - and live in Germany, which was notable for its data protection laws even before GDPR.
I might have a moral obligation to use Facebook again.
This is less attractive when you realize that all big companies will have a non-European subsidiary pay a non-European component of facebook for all their advertising needs, which would hugely lower the revenue base that 4% is calculated from.
Cooperations have had 2 years meeting GDPR requirements.
If you're late to the party, which I think the majority businesses in and out of Europe are, means you have made other priorities.
Question is whether or not how hard they hit when GDPR goes live 25th of May. That remains to be seen, but it wouldn't surprise me if there's a `grace` period.
Even if you could somehow hide that, the penalty is 4% of global revenue or 20 million euros, whichever is higher. So That's still a very high fine since it's per violation and I'm sure I'm not alone in that I will be sending facebook, google and many other data companies these requests as soon as the law takes effect.
Of course you could simply comply with the law. It's only made to look super difficult by those that would like to avoid compliance. But in practice it is actually fairly reasonable and if you were a conscientious operator you most likely already had 90% or so of the technical measures in place long ago.
Maybe an unpopular opinion, but I think GDPR is not net good. It has its good parts, but overall it doesn't really improve security (think of all the big data breaches, GDPR wouldn't help there), but makes many things harder, especially for small companies and hence stifles innovation. Like the infamous "cookies law" but on larger scale. Governments pressure private companies with this, but in the same time are making it easier and easier for themselves (govmnts) to spy on people and infringe on people's privacy (in the name of fight against terrorism, or "for the children" etc)
GDPR is already reducing the number of data breaches before it has even come into existence. Try booking a pentest from a company with a good rep in Europe right now and see what answers you get. Companies have finally woken up to the fact that security is no longer optional, that's a good thing in my book.
GDPR can help advocates for privacy within an organisation. Rather than argue with nebulous harm from potential bad PR, you can say "If we don't do this, we risk a fine of $LOTS"
GDPR puts legal teeth with $MegaFines onto a lot of internal IT political battles beyond security, too.
Unified project processes, mandatory architectural reviews, IT-driven planning... if you're in a domain with lots of personal data the answer to why can't be cowboys and ignore IT 'just this one time' goes from "because we are trying to do IT right, dammit" to "because it's illegal" or "because the compliance costs are too high".
It actually mandates that you need to protect the data, and if it gets breached you need to notify the data subjects. So for example uber couldn't have a massive breach and just pay the hackers off and keep quiet.
The GDPR is a massive good for users of online services.
The basics of it aren't hard: build your systems to not store too much data you don't need, get permission for the data you store, make sure it's secure and make sure you can delete it when needed. I don't think that is too much to ask, do you?
EDIT:
> Governments pressure private companies with this, but in the same time are making it easier and easier for themselves (govmnts) to spy on people and infringe on people's privacy
Looking at how prism and other programs worked/works it seems like what GDPR encourage (Don't store what you don't need) would have actually helped against that.
With GDPR it will be harder to create a service that stores everything about you forever to be retrived by FISA or whoever, and simpler to create a service that just stores what it needs, and encrypts everything it can.
The counter to that is all you are left with is giant mega corps that can pay the associated costs. I'm not sure that this is a much better alternative
Or you'll end up with small business that don't make their money taking a garden rake across your personal data and bagging it up for the world to see.
I can't help but feel that the decisions behind `excluding these features globally` or `targeting these features specifically` are made for less than savory reasons.
I would understand if these features are available, though default to their 'current'/'non GDPR compliant' setting - but this does not seem to be the case.
Without an explanation how and why these decisions are being made, which is not 'legally' required; I think more and more users should question Facebook, and their motives.
“We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing,” Reuters quotes Zuckerberg on the GDPR question.
I'd prefer "no comment atm" rather than this string of vague words, but then TC wouldn't have an article.
We're spending a lot of money finalizing our GPDR implementation right now. I wouldn't know how to not extend it globally. That would be significant additional work at this point.
This was my reaction: they're either even better programmers than I thought if they don't see bifurcating their approach to users based on temporal geographic locations or they're dumber than rocks.
Since it applies to all EU citizens, there's no way for them to filter geographically or they wouldn't be honoring the rights of expats or anyone travelling. I'm going with dumber than rocks.
Yeah, and I'm sure there are solutions smarter than I can imagine, where all user-generated data gets consumed through a pipe and it's just a matter of having guards that look at the combination of user data type and user location and filter it out. But it feels to me like there are still going to be a million little branching problems at places beyond the pipe.
I can't imagine it would be too hard for Facebook to extend the work they've done for GDPR to all other countries and am surprised they are choosing not to as it only puts them in a worse position with the American public and any other non-EU country that is privacy conscious.
Then you get into the quagmire of what is personal data, right? As in, how many clicks on external ads are considered personal data? IIRC the definition of personal data under GDPR is "any data or collection of data that when combined with any other data can uniquely identify you" (or at least that is what my company is operating under). So that means a lot more that what we traditionally see as "personal data".
I’m not sure I follow? By clicking on an advert you’re moving to a 3rd party with their own potential collection and collation of personal data, and their own opt-in requirements. It would be down to the advertiser at that point to receive consent from the user.
In this case the advertisers don’t get a choice. Under GDPR data subjects have to opt in to personal data collection and processing by third parties, and they can’t be denied access to the service for failing to opt in. The advertisers are going to have to get used to a new reality of mostly targeting page context.
Does anyone know how one can mark him/herself as a "European Citizen" on Facebook so that this GDPR protection applies? Not for me personally, asking for a friend.
A Data Subject under GDPR is anyone within the borders of the EU at the time of processing of their personal data. However, they can also be anyone and anywhere in the context of EU established Data Controllers an Data Processors.
If the Data Subject, moves out of the EU border and say becomes an expat, or goes on holiday then their personal data processed under these circumstances is not covered by the GDPR and they are no longer a Data Subject in the context of the GDPR, unless their data is still processed by an organisation “established” in the EU.
It is based on where you and the business are at, not the users citizenship. If you are in the EU you are covered. If the business is in the EU you are also covered. Data being processed in the EU is covered (and transferring it to the US is also processing it). In other words the data is covered by the GDPR if it is inside the EU at any point.
EDIT: So to answer the question directly: No, if you use a US located business from outside the EU you aren't covered no matter your citizenship, unless the data is being processed in the EU at some point.
That does not appear to be correct in general, although it is correct in special cases.
Here's Article 3, "Territorial Scope", from the regulations.
---- begin quote ----
(1) This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
(2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(3) This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
---- end quote ----
In the following, I'm going to say "company" rather than "processor or controller", and am going to say "EU company" or "non-EU company" instead of all that verbiage about established in the Union.
From (1) we have that an EU company has to apply GDPR everywhere to everyone.
From (2) we have have that a company, regardless of whether it is an EU company or a non-EU company, has to apply GDPR if it offers good or services to people in the EU or monitors their behavior in the EU.
(3) is just telling us that non-EU companies may also fall under (1) if international law says so.
Putting this together, it seems that for an EU citizen abroad they are under GDPR as far as EU companies are concerned, but are NOT under it for non-EU companies unless they are abroad somewhere where (3) applies. They are under it for non-EU companies only when being offered goods or services in the EU or when being monitored in the EU, so only when they are not abroad.
While that may be technically true, the specifics of the law would make it impossible to follow unless companies assumed everyone who visited their site was an EU citizen.
For example , using google analytics in many cases in the EU will now require opt-in consent, even for anonymous visitors. But unless a user registers and says, "hey, I'm an EU Citizen actually" you wouldn't know ahead of time. Make much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.
> Make much more sense to segment for EU IPs if you are a large company that relies on such stuff to make decisions.
That could be risky for EU users abroad or behind VPN's, no?
While I understand the 'plight' of companies who rely on data sucking in some way, this strikes me as a good reason to just assume everyone is from the EU and figure out how to make a profit despite that.
My unprofessional, based on nothing guess is that no one will be prosecuted for that kind of technicality, as there will be much bigger fish to fry of large companies totally flaunting major pieces of the law.
I don’t think that’s true with Google Analytics: the ToS there already prohibits you from storing personal data in it, so there are theoretically no GDPR implications if you’re doing it properly (e.g. /edit-account rather than /[username]/edit-account)
We've posted two conflicting answers to this question and I think that's indicative of how little the law is understood, only a few weeks from going into force.
Just because people on messageboards are posting different things, doesn't mean the law is unclear. GDPR Art 3 is relatively clear that it wouldn't apply just because an EU citizen is in the USA. Once that person is in the EU, then it applies.
Well I didn't necessarily say the law itself is unclear, just that the understanding of it as a whole seems to be unclear. Anecdotally, almost everyone I speak to at events seems to have different views on what they need to do. I'm in the EU.
I've never been a member, but I know they have a shadow profile of everyone. I blocked facebook and other tracking at the router some time ago, but am thinking of "showing up" from a European VPN in hopes they get spooked enough to delete my data.
As someone implementing GDPR right now on a news website, its going to come down to this...
We detect that traffic is coming from the EU so we treat you differently and ask for consent etc. If you are Non-EU its business as usual.
There are weird edge cases: If you are in the EU and use a VPN to appear to be in Virginia then we will not know you are really in the EU and you will get the non-GDPR treatment. Again, technically we can only do so much.
Has there been a discussion if it wouldn't be easier/cheaper to apply the GDPR rules for everyone?
I mean, if you keep the logs in the same place you will still need to scrub IP addresses from them and every other thing that comes with it, so wouldn't it be easier to treat everyone with the most strict privacy standard?
GDPR doesn't differentiate by citizenship. However it applies if the company is in the EU (which Facebook Ireland Ltd is, and (AFAIK) all non-USA & non-Canadian citizens have a contract with them), or if the person is in the EU.
No surprise there. But it may serve as yet another reminder that privacy protection can only result from laws and not from the mercy of Facebook and its ilk.
Doubt that lawmakers will really protect users. Think the only way to lead to substantive change would be for users to take collective action through protests [1]. Imagine how quickly the company would take action to make real changes to user privacy if a Facebook User strike took place...
So we get the people in charge of handling equifax and creating the nsa to create privacy laws? The only thing these laws will do is moat out competition who can't handle regulatory costs, which is likely why it's being supported in the first place.
... and suddenly legislation/coercion doesn't seem so bad if you value privacy as a path society should veer towards. It doesn't seem the market's doing its magic in our favor in this area.
I'm so glad I closed my FB account a while back. It has restored my sanity and I also don't have to worry about megalomaniacs such as Zuckerberg sifting through my data and selling it.
I think we should start a campaign and lobby our own government to pass a law similar to GDPR.
> I also don't have to worry about megalomaniacs such as Zuckerberg sifting through my data and selling it.
No, they track everyone across the web via their embedded pixels and create "shadow profiles." I have never joined Facebook, but they still know me. I block their tracking by blocking their various websites. I'm not sure that's enough as I understand they still buy data. In their defense, I don't think they sell my data, except perhaps to the NSA.
I don't see how shadow profiles can be justified under GDPR and ePrivacy. If have identifiable information (just "some" ID will do, but also IP and various other fingerprints) then you need to allow for deletion/takeout/opt-out. Current strategy of implied consent ("if you're on this site you agree") is strictly not allowed.
It's not. Well, as long as the GDPR applies. So, if we assume there are a 5 billion profiles on fb (2 billion actual users, and everyone else that use the Web at least occasionally - I'm not sure if 5 billion total is a bit high) - compliance with GDPR would render some 100s million high value profiles illegal. Applying the GDPR to the remaining profiles would require an entirely new business model for Facebook.
You may have closed your account with Facebook. They haven't closed their account with you. They maintain information on people who don't have accounts
> Zuckerberg said many of the tools that are part of the law, such as the ability of users to delete all their data, are already available for people on Facebook.
Uhm, do those tools actually delete the data though? Are they not required to under GDPR?
Disingenuous as always.
Gdpr requires a maximum grace period of 30 days to comply with the erase request.
Facebook holds your stuff for 90 days. Just as an example.
Data management is just a part of the law, by the way. Facebook is currently not complying with all the obligations about privacy by design and defaulting to opt-out.
And that's not even getting into logs or backups, which will probably be a problem to delete from for smaller companies (since I'm assuming that facebook couldn't keep logs or backups for 30 days since that would be massive)
“The vast majority of what is required here are things that we’ve already had for years across the world for everyone.”
My understanding is that GDPR would require a deep delete of user data from Facebook's systems. Anyone have info on how that would work with shadow profiles that Facebook creates on your behalf and without your consent? Seems like this would fall under the domain of GDPR. (Which also makes me think of just how misleading that quote is from Zuckerberg)
Yes. I've talked with some in the social media industry about addressing GDPR. What it means is a massive shift in the way data is handled.
What's the difference? Well, it's helpful to have some context on how data is used in a place like FB. Data originates (for the most part) with the user. It get's dropped in one of the many operational data sources that back the service. From there, it's mostly waiting to be used by someone for some reason, which might be a ML project or something else. So, then you will want to move the data. You'll make some sort of pipeline from the source to where you want to work, such as ETL the data you want out or set up some sort of messaging system to handle things in an online way.
Maybe now that you have the data, you'll share it with other people working on the project. The data might be distributed (best case) through an environment meant to work with the data (e.g., Spark/HDFS/Hadoop) or might just be sent piecemeal as CSVs. Once the project is done, the data might just be left in place. Who knows where those CSV's go?
One of the big requirements of GDPR is deleting an individual's data EVERYWHERE. And while the above is a sort of simplified view of user of data in a logical manner, I can assure you someone out there somewhere is doing something that doesn't make sense. In light of that, getting rid of a person's data everywhere is a HUGE architectural/infrastructural/process problem for a platform like FB.
That is because it is misleading. Under the GDPR, they would have to hard delete those shadow profiles. For everyone else, they would not delete that data.
Not only that, but any linkable information about that shadow profile will need to be scrubbed. So a photo of me and a friend which my friend has uploaded to facebook will need to have my face or other identifying details scrubbed or the photo deleted.
GDPR requires protection for all EU citizens regardless of location of the user or the data. This means that the millions of EU citizens living in the US have to be afforded the same protection, or FB faces very punitive fines.
It will be interesting to see how this plays out. Will FB require users to stipulate that they do not have an EU passport? What happens if we all say we have one? How would they verify that?
What if I am an Austrian citizen and resident traveling to the SF Bay Area? Does it still apply? (Not clear on how jurisdiction works in these sorts of cases)
I predict sign-up dialogs where you will have to unequivocally state if you're a EU resident or not - because there is next to no algorithmic way of making sure you're dealing with a EU resident.
> GDPR requires protection for all EU citizens regardless of location of the user or the data.
I haven't yet read the whole of GDPR, so maybe there is something further in that changes this, but based on Article 3 that does not to be the case. Here's an earlier comment of mine that quotes Article 3 and discusses this [1]. Here's a link to a nicely formatted online copy of GDPR [2].
It appears to require protection when either (1) the entity processing the data is in the EU or (2) the person whose data is being processed is in the EU.
Even if they did I doubt Facebook has enough of a handle on their data to avoid the fines for GDPR. They're infrastructure must be massive, and they have a big target on them. I can't say I feel bad for them.
GDPR applies to companies/orgs which are (i) based in the EU, or (ii) process personal data of people who live in the EU (regardless of where the corp/org is).
I think lots of EU law applies to residents, rather than citizens of an EU member state.
This is really the wrong time for Zuck to decide to not commit to literally any privacy request someone has.
They already have to meet GDPR in Europe, it's actually easier to not maintain two separate sets of rules, so the decision to not give people worldwide the same protections as in Europe is an intentional choice to do more work to give people less privacy.
Facebook's fear isn't privacy requests made directly by individuals (likely a tiny number), but rather privacy requests made programmatically, on behalf of users, by third party services who can use clever marketing and growth hacks to scale quickly. There are some interpretations of GDPR that would allow this broadly and it could create some meaningful competitive scenarios.
I don't know that much has been written about this yet, but consider data portability as one example. If an EU court rules that Facebook must allow extraction of a social graph with an email address and consistent ID included for each contact, it dramatically weakens their network effect and lowers the barriers to on-boarding users onto competing social networks.
In that scenario I could also write a quiz app that gives you your personality based on that export. That would be an amazing data set for a researcher at e.g. Cambridge and an example of the EU supporting researchers.
I would trust Zuckerberg to understand better if something is easier or harder to implement at Facebook. Also considering that they make money from data, it might be very expensive to throw away everybody's data.
Sure it does. Data is an asset from which they derive revenue. Implementation of rules is just a cost. Throwing away a huge asset would also reduce revenue.
You’re missing the distinction between easy and profitable.
Going back to the top of the thread, the idea was that this is a decision that looks bad in a moment where everyone’s looking at Facebook.
If extending the behaviour worldwide were a difficult engineering feat, that’d provide a simple outward justification for Facebook to not bother.
But in reality, It’s more difficult to keep the two systems around.
Taking that path implies that Facebook actively benefits from breaking the EU law, and justifying it outwardly in the current climate means establishing how the EU law actively harms Facebook’s users... while not admitting that they violate user’s privacy, and profit from doing so.
[And as others have suggested... even if it’s the right move to implement things this way — it makes ~0 sense to draw attention to it.]
Indeed they will set up so they can meet the letter of the law of GDPR. They just will look at the GeoIP of where the submittion was made, and rote deny if out of European jurisdiction.
This is actually a legitimate business decision, as there is a linear cost to servicing each request - letters need to be read manually, likely escalated to counsel in all but "boilerplate" cases, and executed by vetted (and expensive) individuals with strict security training.
Now, could Zuck have said something more articulate than “We’re still nailing down details on this, but it should directionally be, in spirit, the whole thing?” Absolutely. He could have said "we'll be working to create a streamlined interface for people to achieve many of the most important benefits enjoyed by EU residents under the GDPR, without requiring them to jump through legal hoops and read a 90-page law to format a request correctly. This is all in progress, but we're committed to making radical transparency accessible to our users." Then there could have been positive spin. But instead the "less is more" approach leads to articles that assume the company to be operating in bad faith.
GDPR actually applies to all EU citizen data, regardless of where the citizen resides.
"If your enterprise has a presence on the internet in the form of a website and if your enterprise collects personal data from customers regardless of where those customers are located, it is subject to the provisions of the GDPR." [1]
> So will users have to set a new site-wide "citizenship" setting on their profile?
What about users who have two or more citizenships? What about users who have none? What about users who have citizenship only in countries the site doesn't recognize?
> Short of actually requiring you to upload your passport
Given that this is about the GDPR, wouldn't that only make things worse for the site? Edit: also, what about people who have neither a passport nor an identity card?
> What about users who have two or more citizenships?
As long as one of them is in the EU, the GDPR would presumably apply. Generally you get all the rights (and responsibilities) of all your citizenships should you have multiple. Even without multiple citizenships this often arises since you have have rights as a resident in one country, while having a single citizenship in another country.
> What about users who have none?
The GDPR would not apply.
> ... what about people who have neither a passport nor an identity card?
The easy out would be to allow the GDPR benefits to anyone who claimed to be from the EU, without requiring them to prove it. This would be compatible with the GDPR, although it might allow some "leakage" (from Facebook's perspective) in that people outside of the EU might fraudulently claim the GDPR benefits.
> also, what about people who have neither a passport nor an identity card?
Not possible. Can't say 100% about all countries, but in my country it's a must to have either passport or ID once you hit 16. There's even a small fine if you don't take out or renew personal document on time.
US and their passport-less life looks very strange from Europe. You can't do anything without ID in EU. No bank account, no employment, no driving license and the list couldgo on and on.
That's not true in the UK, there's no ID card here. IMO it's quite a nuisance, for example you need to always bring 2 documents to verify your identity and address for a variety of situations (opening a bank account, even opening a new savings account at the SAME bank, renting a new place, new job, mortgage, requesting information from the government).
Don't get me started on the UK and the ID card. It's stupidity at the highest level. There is a de-facto "ID", your national insurance number (like a social security number). Except it has no ID features, and cannot be changed. So much, much worse than an ID card. As far as practical ID for bars/clubs, people usually just use a driving license, or are forced to use a passport. Complete idiocy.
(However to get back onto topic, most people in the UK will have a passport, otherwise they should have a NINo allocated at birth. For the people who have neither, the GDPR is the least of their worries.)
Fun fact, in Lithuania people are allocated personal number (similar to NINo?) on birth. ID and/or passport is mandatory regardless.
However, personal number is not guaranteed to be unique because of how it's issued. We have funny stories once in a while when people with similar (or even identical) names happen to have same personal number. A photocopy of ID in important governmental or banking actions.
Same here: I'd already made the decision that I want to move to an EU country, GDPR just makes me want to accelerate that so I can get in on the action sooner. It's not the only, or the biggest reason of course, but it's a nice benefit.
If there has to be a new citizenship profile setting will the following be acknowledged? Taiwan and Palestine both have heavily contested status by the nation states that refuse them.
The specifics is an implementation detail, but as an european citizen (residing anywhere) you have rights under the GDPR and should assert those rights.
It should be noted that merely being accessible in the EU doesn't automatically make the GDPR apply to a site, although the line is not sharply delineated.
> What happens if a site operator in Iowa just ignores it.
Other European businesses, will be banned from doing business with them. For facebook they can stop them buying advertising space, for others they might issue orders to block payments to them. Some small players in Iowa may still get away from things but no one notable will.
Having GDPR applied in USA also is arguable a positive thing, so why not entertain the idea, or at least leave the door open rather then prematurely shut any efforts down? Maybe its best for Mark Zuckerberg to take a break. It might help him to step back and see the big picture, what happened at Facebook is the perfect example of Normalization of Deviance: http://lmcontheline.blogspot.com/2013/01/the-normalization-o...
> I'm not sure I'd want to have Chinese law applied to me here in the US
Facebook could incorporate the bulk of the EU's GDPR into its privacy policy without violating U.S. law. The same could not be said of Chinese policies.
> This is really the wrong time for Zuck to decide to not commit to literally any privacy request someone has
Forget decide--why did he feel the need to make a personal announcement? He is too busy to testify in front of the United Kingdom's MPs [1]. Yet he can find time to personally throw dirt on the EU's privacy rules?
For the head of a social network, this man is shockingly clueless.
When national legislatures call people to testify, that's not a neutral information-gathering exercise. The MPs are going into that panel with a very clear idea of what the witness is going to say, and how they can spin it towards their preferred talking points. Zuckerberg isn't a UK citizen and didn't authorize any misconduct specific to the UK; why should he personally participate in Parliament's ritual shaming of Facebook?
> why should he personally participate in Parliament's ritual shaming of Facebook?
Because it sends a bad message, and Parliament et al have the ability to materially affect facebook's revenue by passing & enforcing laws like the GDPR etc
it's actually easier to not maintain two separate sets of rules
The GDPR version of Facebook really can’t function as a social network - at least not the kind of social network that we would recognize today. So it may be easier to have one version, but that’s not going to happen, and it would be a disservice for the 99% of users that don’t care about privacy but do care about all of the features they are going to have to give up.
There seems to be a strange friction between this statement and the reasoning behind it. You say GDPR's restrictions on collecting more information than necessary or storing it longer than necessary would prevent Facebook from functioning as a social network — but if that's the case, then it sounds like the data collection and retention was necessary after all. Am I missing something here?
The problem is that we don’t know. It doesn’t specify a definition of necessary. Necessary for whom? It isn’t necessary for Facebook to solicit people to make wall posts, so arguably they’d run afoul of the law by simply offering the option to do so.
My point was that the law leaves massive room for interpretation. The threat of aggressive application and interpretation of this law could deliver significant leverage to the EU over these companies in matters reaching far beyond privacy.
FTFY. This is a gamble on Facebook's part that for now and forever, the American users it has do not care about privacy enough to seek an alternative or stop using the service. They might be right. But it is also possible they are wrong, in which case this move certainly would affect their profitability (negatively). It remains to be seen how Americans will react and feel about their privacy as time goes on - and these feelings are already changing somewhat rapidly in some places in the US.
The truth of it is is that it will probably cost them less to engage with each GDPR dispute individually than it would to comply with the letter of the law. I can't say I blame them.
Of course just because the GDPR _sounds_ tough doesn't mean enforcement will be tough in practice.
The UK decided that all UK companies must disclose the actual humans who control them. This sounded like a really good rule, which would help expose some of the worst abuses going on, although it wouldn't fix everything.
But it turned out that the shadowy figures just ignored it completely and the government did nothing. So you have a form field saying "Persons with significant control: You must list one or more natural human persons who exercise significant control over this company" and a lawyer writes "Offshore Shadowy Puppet Corporation #36656" and hits submit and it's accepted.
My reading of the law is that the government _could_ identify companies that ignored this rule, and seize their assets, on the justification that they haven't taken anything from any actual natural person, no natural human person was identified as controlling these assets anyway. But even if I'm right they do nothing, so what was announced as this big important policy change became in fact just a PR stunt.
However the various groups I've spoken too are very concerned that this directive does have teeth and willingness to use enforcement power.
In the same way that legal firms started patent-trolling, there is concern that GDPR is ripe for the same treatment (legal firms brining cases on behalf of users in order to earn fees).
Right now I think there is legitimate concern, but time will tell.
Nonsense. Patent litigation allows trolls to sue for and receive damages from the other party. GDPR violations lead to fines fines that go to the government; the plaintiff does not receive damages.
Law firms working GDPR cases will only make money off of their clients, not from the companies they bring suits against.
Micro targeting fuels an insatiable greed for user data. You can target by sexual preference, political leaning, race, religious beliefs, moods, socio-economic status, life events and a never ending list of sub groups.
This requires vast amounts of data to make inferences and create models. So behemoths like Facebook and Google are motivated to collect as much data about users as possible so they can put them in various buckets.
The only way to address this is to clamp down on micro targeting by advertisers. And stop platforms like Google and Facebook from offering micro targeting to advertisers. Data collation from multiple sources by marketing folks and their agencies should similarly not be allowed. Only textual context and location is ok.
This kills invasive surveillance at source, still lets online businesses make money, still lets advertisers advertise by location and text context and best of all protects civil society and democracy from the toxic effects of a surveillance culture.
> There’s no way to sugarcoat this message: Facebook’s founder Mark Zuckerberg believes North America users of his platform deserve a lower data protection standard than people everywhere else in the world.
Orrrrrrrrrrrrrrrrrrrr he thinks no one deserves data protection/privacy, but is forced to give them it as demanded by law.
I don't know about anyone else, but as an EU skeptical European I've never been more happy about GDPR. The tech hegemons clearly don't deserve the public trust and good will they've enjoyed for the last decade.
Although GDPR is a European law, people all over the world want to have more data protection. As a German Startup, we have to offer a good data protection already and the GDPR is a great opportunity to serve our customers better than before.
As a social network like Facebook, you need the support of your users to hold them. So why is Facebook making one mistake after another? They are not only loose users, they also lose their image.
Yes, but Facebook is an American company. Because they have users all over the world (in EU too) they should serve all people with the same policies. It might be better for their image and they will get happy users too.
Does GDPR apply for my new data if I created my account in Europe but now live abroad?
> The European law, called the General Data Protection Regulation (GDPR), is the biggest overhaul of online privacy since the birth of the internet, giving Europeans the right to know what data is stored on them and the right to have it deleted.
This is one of the sorta controversial aspects -- the consensus is you either hard-delete or, if that's impossible or difficult, writing over or otherwise scrubbing the personal data bits with the goal of removing that data from a given person's identity.
It applies to the person and doesn't depend on where you were when you created the account. If you are an EU citizen (possibly living abroad) or a current EU resident, you get the protections.
If you created the account in the EU but are now living outside and are not an EU citizen, it would not apply to you (until, perhaps, you returned to being an EU resident).
>Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Well IANAL but the couple of summaries I read on this specific issue (who is covered) seemed to take the position that EU-resident non-citizens would be covered, including perhaps even just travelers and other people passing through.
I admit to not having looked into it in depth, however.
Yup, you are rght and I was wrong. EU residents outside the EU are not covered by the GDPR. In practice, they may still be able to invoke many of the protections depending on how they are implemented.
You probably created your account was with Facebook Ireland Ltd (and I'm sure still are with that entity). So GDPR applies to companies within the EU, i.e. yes.
Happy I’ve left FB and other online social giants for almost 10 years ago. It was obvious back then where this was heading. Young positive entrepreneurs should listen to there senior peers, now and then, or history will repeat itself. This is also a result of ageism, I think.
Arguably the GDPR is more important to user who fb only have a shadow profile on, than those that use the platform. At least as a user you might get some utility from Facebook - otherwise you are simply a victim of spying.
In relation to another comment in the thread about who exactly GDPR covers (seemingly anyone in Europe right now), what about EU citizens not currently in the EU? I made my FB account when I was a teen in Greece, but now reside elsewhere.
It also applies to companies which are based in the EU. AFAIK everyone outside the USA & Canada has a contract with Facebook Ireland Ltd. If your account is with them, then they have to follow GDPR
Parent comment says that EU legislating for the whole world is bad. For example, UK (still EU yet) has antiporn laws, next they decide that all online porn should be forbidden, in the whole world. And so on. Is it good?
No, they clearly said "following GDPR for the whole world is not [good]." And so, why?
When a country passes new safety standards for building cars, I'm sure car makers don't like that, but they still do it. And for models sold world-wide, they're often build the same (except local variances like steering wheel side, etc), so if you live in a country with less strict safety standards, you effectively still get the higher standard. GDPR should be implemented in most places. Why not extend that treatment to everybody? Less edge cases. It has nothing to do with the EU legislating "the world", just engineering pragmatism for a global world, and being user friendly.
If you do have to be a citizen, I wonder what happens if someone moves to the EU, and becomes a citizen. Does it only apply to data since they became a citizen, or retroactively to all data?
Also, how could facebook verify that you're a citizen or not, couldn't you just say you were always a citizen, just on a greencard in the US for a few years?
So this covers the "right to be forgotten" part of GDPR. However, there are plenty of other parts -- like not using tracking cookies til you explicitly give permission, that most sites will likely implement just with geoip targeting.
If being a citizen is enough, does that mean that someone who never set foot in the EU but has European parents (from a jus sanguinis jurisdiction) would also be covered?
No, Art 3 says it applies to companies/orgs within the EU, regardless of where their users are, and to companies who process data about EU residents regardless of where the company is
Legally no, you have to reside in the EU. You might trick Facebook's algorithms into putting you in the EU category.
Check who you have your Facebook account with, AFAIK people outside the USA & Canada have an account with Facebook Ireland Ltd, so would be covered by GDPR. So, someone in India probably has an account with FB Irl, so is covered by GDPR. A VPN is not necessary!
"As it had done consistently in its history, the firm, when faced with financial pressure, moved ever further in the direction of monetizing users` personal data. In this case, it finally went after the like button.
A little over a year after the IPO, on June 12th, 2014, Facebook quietly announced a change to its terms of service. "Starting soon in the U.S., we will also include information from some of the websites and apps you use," the company wrote. "This is a type of interest-based advertising, and many companies already do this."
...
In perhaps the creepiest example, Facebook applied for (and received, last year) a patent for a tool called Techniques, for emotion detection and content delivery. It would use the camera in your phone to take pictures of you as you scroll through content. Facebook would then use facial analysis to measure how much you did or did not like the content in question, so as to determine what kind of stuff to send your way. Ideas like this are what make Facebook, at times, feel like a giant blood-engorged tick hanging off your frontal lobe.""
Oh wow, earlier this year, a few friends and I built a proof-of-concept of emotion-targetted content delivery in news feeds for a hackathon [1], as a way of warning people that this was plausible. Pretty wild to find out that Facebook actually holds a patent on the very idea that we were toying around with.
This is why the argument that "you agreed to this" doesn't really make sense from a practical point of view. The only thing Facebook would need to make this work is probably the generic Camera permission, which I believe is already used to allow you to take photos with the Facebook app.
This is the sort of trick companies like Facebook can use to mislead people. They give them a feature that they actually use and need and isn't too nefarious. Then they request the permission to make that feature work, and then they add other features silently to further track you and analyze your behavior in ways most people wouldn't even imagine.
How could anyone possibly know that this is what Facebook intended to use that permission for? Shenanigans like these are what make me think even the GDPR may not provide enough privacy protection.
The GDPR doesn't allow you to ask for generic "Camera permissions". You have to specify for what you'll use the data. If later you want to use it for something else, you need to ask for further permissions.
IANAGE (I am not a GDPR expert)
EDIT: I don't think you need to ask if it's obvious (e.g. asking for generic Camera permission may be fine if the user is using the "take picture for profile" functionality). But that only gives you the right to use the PII for that specific functionality.
To my understanding, IANAGE either, you are right. The purpose of data capture and processing must be explicitly acknowledged for the user. If you intend to use that data for another purpose, you need to ask consent. Plus, the user may revoke those permissions anytime. GDPR is going to be hard stuff.
There is an idea that I saw (I believe it was an HN comment some years ago) that would massively help privacy in the smartphone age. For every set of permissions an app requests, you can choose to allow or deny these permissions (as currently possible) or there would be a third option: provide a false set of data that imitates the data normally requested. e.g., instead of providing camera permission, the false data would return a black image with your camera resolution, and the app would function normally except that pictures would not appear.
I believe that this would be an insanely useful feature. I know that I would use it quite a lot.
It kind of reminds me of the secret codes that they show in spy movies- there is an authentication word that spies normally use when communicating with a contact, and a second alternative authentication word they can use when they are under duress (third party coercion) and need the contact to know this but interact under the guise that authentication proceeded as normal.
GDPR allows you to remove the data if you discover they cross the line. Optimistically that encourages them to be good citizens about it so they can keep using that data.
If they were looking at my face through my camera while I read their ToS, they wouldn't need a patented technology to know how I felt about their technology.
Well, they would probably think I am happy as I was laughing in tears and some mumbling was heard in a form of "people.. are... really using this... they are really using it..." ;)
If it makes that person money, then it's going to happen. Moral considerations don't factor into capitalism. Only raw maximisation of individual profit.
> Who is sociopathic enough to follow through on an idea like this?
On one hand, you are bound to find at least a few individuals that were born lacking the sufficient amount of human morality and/or empathy, among the 7 billion humans on this planet.
However, it's much easier to find examples if you look at organisms that by their very nature are incapable of relating to humans in that way. Such as cats or spiders or lizards. However they usually aren't in a position to follow through on the idea. But this lack of power also holds for most of the humans in the previous paragraph (even considering sociopaths are said to hold many positions of power).
So that basically leaves corporations as the answer to your question.
People need to live - not many are in a position to leave their job if they don’t like what they’re doing. Whether they morally agree with it is irrelevant - they have debts, a lifestyle, a family, and so on and so forth. This goes from the programmer up to the CEO level, and the shareholders (largely regular people through an index fund) aren’t close enough to the company/don’t feel enough ownership over it to demand it does something else. The other actors are those playing on the financial markets more directly, and again, they have a job of making as much money as possible, consequences be damned, or they lose their job/home/ability to support themselves and their family/etc.
This is capitalism at its finest - putting people into positions where they’re unable to express their moral preferences. And you can’t change this as an individual or minority group, as everybody grows up in a system that heavily encourages (and in many cases forces) that people put themselves into that position - as a minority actor, you can’t prevent the system from working.
Living like a FB Dev is not the same as merely living (well or otherwise). You sound like you are trying to rationalize (not just explaining, but justifying) their behavior.
I would agree those in poverty are not in a position to leave their job (and even then, I'm willing to consider options). Devs in Silicon Valley do have a choice though. You are correct to identify capitalism as a fundamental problem, but you've conveniently minimized their privilege too far in this case. They don't get to say "capitalism made me do it." They really did and still do have an opportunity to be moral, costly as it may be to their standard of living. They are part of the problem because this just is their expression of their moral preferences.
They might not be able to prevent evil, but that doesn't mean they should actively participate in it. Just because you can't stop the Nazis doesn't give you license to be one.
I hold programmers responsible for what they program, especially anyone living above the poverty line. There is no justification for their behavior. It's plain evil.
> People need to live - not many are in a position to leave their job if they don’t like what they’re doing.
It seems quite likely most of the developers at FB that work with these kind of features are in a position to leave. I mean, a face recognition expert at Facebook isn't really something that just falls out of your pocket.
They would however likely change to something similar though.
Not everyone working in a gun factory has that much liberty to pick and chose a job, maybe it's the only big business in town, but software developers aren't exactly starved for opportunities.
You're telling me someone who can get a job at Facebook is at risk of poverty and cannot find at least an employer who is marginally less creepy?
A better analogy might be the engineers who help design the guns, and the various other well-compensated, high-skill, and socioeconomically mobile individuals who facilitate their design and production.
"... there are no privacy laws in the United States that directly prohibit political campaigns from buying, selling, or manipulating voter data and personally identifiable information.
Without any privacy protections for individuals in the United States, companies such as Cambridge Analytica are able to exploit trillions of bits of personal information about individual voters.
And while Facebook has offered a plethora of apologies and suspended the company from its platform, there's not much you can do about it after the fact.
...
Yet, Facebook users ultimately have little recourse against Facebook itself.
...
Again, federal and state privacy laws offer very little protection."
Source:
Joel Winston (@joelwinston) is a Pittsburgh-based attorney who specializes in privacy and cybersecurity law. He formerly served as a Deputy Attorney General for the State of New Jersey and currently provides global legal and regulatory counsel to technology companies. [cf. technology users]
Having read the GDPR requirements, I don’t think that Facebook, or any other social network, can fully comply and still be a social network. Many features will be impossible to offer to people
that are subject to these requirements, such that the GDPR version of Facebook wouldn’t really even be the same service anymore. If I were starting a social network today, I’d simply block EU IPs from accessing it.
I'm also curious as to the answer, but more generally I don't think it's beneficial to allow users to waive the privacy protections. Then you basically get the situation we have today: services can hide objectionable terms behind a wall of legalese that changes often, and we agree to them because we want to use the product and can't realistically keep up with the terms for everything.
> Then you basically get the situation we have today: services can hide objectionable terms behind a wall of legalese that changes often
GDPR is meant to prevent this though? What you're agreeing to has to be understandable and the data you're collecting has to be directly related to the service you're providing?
> services can hide objectionable terms behind a wall of legalese that changes often, and we agree to them because we want to use the product and can't realistically keep up with the terms for everything.
GDPR addresses some of that. You need informed consent, which means it has describe in plain language what happens, if you want to change it, you need explicit opt in again.
There's debate about how far you can deny service if someone withholds (or withdraws) consent.
Features like being required to delete (actually delete) your information if you request it. Features like being required to show you what they know about you.
Once you realize facebook/google/etc probably know better than you where you are going to eat lunch tomorrow you are going to opt out of everything you can, and that hurts their ability to sell targeted ads.
"Required to show what they know" has been part of EU data protection law for decades. Max Schrems first made news by doing a data request to Facebook (which they complied with) in 2011. This is nothing new.
> Once you realize facebook/google/etc probably know better than you where you are going to eat lunch tomorrow you are going to opt out of everything you can, and that hurts their ability to sell targeted ads.
When people are willingly tagging the location of where they're having lunch and posting pictures of what they're eating, I can't say I agree. Preventing companies from tracking information users aren't aware of is a good thing though.
The problem is that the law raises more questions than it answers. But arguably, features like being having a profile in the first place could be affected. The law demands that only the minimal amount of personal information required for a specific purpose be collected, and then that it must be deleted as soon as that purpose has been completed. They cannot request more information than perhaps the person’s name and email address, lest they run afoul of this law. So if someone posts something in their timeline, how long is it allowed to stay? Until all friends have seen it, or longer? Was it a violation of the law to even have a space for the user to enter the information into the timeline, since it wasn’t “necessary”?
So the EU has created a law that Facebook and many other online services will arguably at all times be in violation of. This will create an environment where the EU can use the threat of enforcing the law to effectively impose its will on these massive businesses that cannot comply and still run their business. This was sold to the public as a privacy law, but it’s really just a huge power play.
This comment is really inaccurate. Under GDPR you must have a legal basis for all data processing activities. In the case of maintaining a social profile, the legal basis is "explicit consent" pursuant to "serving the interests of the data subject". Therefore the posts on the wall can stay up as long as the user continues to consent to their staying up.
What cannot be kept indefinitely is the data that Facebook has not received explicit consent for -- the profiling in the background, scraping information from other sites, and so on.
HN seems united in its love of this legislation (someone even called me a "f*cking ignorant clown" in a flagged comment below), so I'll leave this thread with this. GDPR wouldn't be the first time that well-intentioned but broadly written laws have created the potential for unforeseen and very nasty results. One recent example is how the passage of FOSTA - a law designed to deter human trafficking - resulted in the instant shutdown of one of the largest and oldest personals sites on the Internet [1].
Broadly written legislation, whether intended by its authors or not, always winds up being used as a tool to gain leverage where the government didn't have it before. So yes, there will be some good things that result from this legislation, just as some good things will likely result from FOSTA. But because it is so broadly written and many things in it will be up to the interpretation of individual courts when actions are brought under it, mark my words: it will be used in ways that nobody defending it in this thread has thought about, to impose fines and other sanctions on companies (perhaps even some of the startups of HN users, should some government person in the EU take issue with their business) for reasons that you may very well not agree with.
I believe previous legislation regarding cookies was a mess like you said, and a big learning process for the EU.
I’ve worked with people who are experts on the new regulations. They don’t seem to be at all confused about what it means or implies. The only unknowns they’re talking about is the practicalities of someone like Facebook conforming eg requesting many different permissions. But that’s because businesses like Facebook are doing unethical stuff, ie they’ve been doing things you really won’t want to explicitly give them permission to do.
> always winds up being used as a tool to gain leverage where the government didn't have it before.
GDPR builds on previous law, such as PECR and DPA.
If it's not legal under GDPR there's a good chnce it was already not legal under PECR or DPA. And we didn't see those used by governments to get leverage.
> The law demands that only the minimal amount of personal information required for a specific purpose be collected, and then that it must be deleted as soon as that purpose has been completed. [...] So if someone posts something in their timeline, how long is it allowed to stay? Until all friends have seen it, or longer?
In that example, wouldn't the specific purpose be "to display it on the user's timeline" (or on the user's profile)? So it would be allowed to stay as long as the timeline (or the user's profile) is visible (and the user didn't mark that piece of information as hidden).
But collecting the wall post in the first place, which was not necessary for any party, may in fact be illegal under this law. It says specifically that companies are to collect "the minimum amount of information necessary". If I put a box in front of you and encourage you to input highly personal data, such as what you had for lunch, who you voted for, what you're doing at work today, or how you're feeling today...am I not actively violating this law? There's at least an argument to be made that I am.
> So if someone posts something in their timeline, how long is it allowed to stay? Until all friends have seen it, or longer? Was it a violation of the law to even have a space for the user to enter the information into the timeline, since it wasn’t “necessary”?
I'm not following the logic here. A social network to me is a place where you post information you're willing to broadcast publicly or to your friends. That's the whole point of social networks. Users understand this and want their data used in that way so I don't see how it would be against GDPR.
Eeeee... yes you are not following logic, one thing is you sharing your data to your friends. Something else is social network selling those data or use them against you for their benefit.
Every time the EU implements some law or regulation regarding control of personal data and privacy, someone has to dismiss all the problems those laws are intended to address entirely, and go on to post some defensive, nationalist spiel about it being an attack on US companies.
Perhaps the problem is that these companies make their money in an incredibly unethical way that an increasing number of people are very uncomfortable with?
Stop turning this into something it isn't. All you are doing is poisoning the debate.
What the fuck are you smoking. Five fucking years this legislation has been open for public discussion, thousands of hours of open hearings. Every arsehole has had their five minutes. Every fucking detail and possible consequence discussed and argued over. Nearly two fucking years since it became law across the EU, a month from going into force and fucking ignorant clowns like you pop up with the dumbest fucking takes.
> If I were starting a social network today, I’d simply block EU IPs from accessing it.
You're be free to do that. And then you'd have to cut off a large revenue stream (~25% of FB's revenue comes from the EU). And if you get popular, some EU start up can just copy your site. They already know what works, what features to build, so it'll be quicker for them to copy than it took you to build. This competitor will be able to operate in the USA and EU, but you won't be able to take them on in the EU. They'll have a safe, protected user base of ~500 million potential users to rely on.
