ViennaSuperiorCourt: Facebook can skip GDPR consent but must give access to data (noyb.eu)
58 points by jacquesm on Dec 30, 2020 | 43 comments


This is very disappointing. Not sure about accessing the data, but Facebook won't actually give you all your data[0] either...

NOYB is doing some good work in this area. If you care about privacy, please consider supporting them.

[0] https://ruben.verborgh.org/facebook/


It is sad how this is still unresolved after more than a year. It looks as if GDPR exists as an unenforced law.


How should one interpret this? Facebook is too big to follow the rules; they should be fined for emotional damages to everyone on whom they have collected shadow dossiers over the years.


It’s just the opinion of a lower court, there are multiple levels of appeals available and it doesn’t set precedent outside this court's jurisdiction (I don’t know if it sets precedent inside).


Hopefully ECJ will overrule this


Hope isn't needed.


Notable quote:

> Civil law contracts do not need to fulfill the strict requirements of "consent" under the GDPR. [...] Facebook users now have fewer rights under the GDPR than they did before under the old data protection law because, according to the Vienna Higher Regional Court, they have entered into a [civil law] contract to receive personalized advertising.

This is just ridiculous.


On the other hand, we now know that Facebook is in essence a contractor for delivering targeted advertising. (Meaning, receiving and/or sharing any messages is just an accidental side effect of this objective.) ;-)

More seriously, I don't think that this will hold. The idea about contracts is about services that imply the use of certain data in order to fulfil the respective objective of a contract. (E.g., a postal service will need to handle the name of the recipient and the delivery address, as implied by the objective of the very contract.) Here, however, the extraction and use of personal data is not a side effect of the contract, it rather describes the objective of the contractor in its entirety.

(Disclaimer: I'm not learned in the law, but actually Austrian, if this is of any help.)


Seriously, what the hell? This means you can bypass the GDPR with a sentence in your ToS. It is beyond ridiculous.


I hope this is just a narrow ruling based on the specific legal claim. It does make sense that you can skip having a separate consent step by making it part of the contract, if and only if the user is actually aware that is part of the terms (and no, the fiction that they will read through the legalese does not count). If the contract said something prominent like "Faceboot will process your data for purposes of publishing it to your friends", that would be reasonable consent to me. But it is obviously nonsensical for a user to be thinking they're signing up to interact with their friends, while insisting they're technically somehow contracting for "advertising services". There's also the severability part of the GDPR, where a user should be able to consent solely for the interaction with friends, while explicitly not consenting for these "advertising services".


> if and only if the user is actually aware that is part of the contract

And if the user understands s/he's entering into a contract with Facebook.

It's very unusual to digitally/personally sign a contract when entering a relationship with a site like Facebook giving away a service for no money. It's very usual or inevitable (and expected) to do it when starting an online bank account or for a car sharing service, internet and phone providers, even a subscription to music/movie streaming or online news, something you pay for. There are usually a lot of forms to fill to enter into those contracts and that makes those contracts very visible and understood.

I hope this will be overruled at EU level.


It is not unusual at all to enter into a contract by registering an account on a webpage.


There is nothing new in the fact that a contract is what the parties agree on and consent to.

Where the law requires explicit consent it is perfectly valid to include this consent in a contract. An important aspect, though, especially in relation to consumer protection laws is that this must be clear and attention may even need to be specifically brought to it.


Yeah, I am curious how it was worded in 2018 in their new contract/agreement? I can't believe it would have been something similar to what Apple demands now for the Apps in the App Store


Facebook, as a data controller, is required to provide all information specified in GDPR Article 13 regardless of whether its legal basis for processing that data is consent or contract.

Article 13 is a long list of mandatory disclosures that data controllers have to provide to data subjects, informing them of the identity of the data controller, categories of data collected, data retention periods, etc.


But the GDPR already allows keeping data with informed consent. Why have another proviso for the same thing?


I think the point here is that Facebook are allowed to process data under the legal basis of 'performance of a contract' rather than 'consent'.

This means that a Facebook user cannot both use the service and require Facebook not to process their personal data by refusing to provide consent.

My understanding is that where you rely on consent, you are not allowed to refuse to offer the service based on refusal to provide consent, otherwise consent is not considered to be 'freely given'.

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

It will be interesting to see how this pans out, because the link says 'Consent isn’t freely given [...] when a business/organisation requires individuals to consent to the processing of unnecessary personal data as a pre-condition to fulfil a contract or service.'


A contract implies consent as consent is the basis for a contract to be formed.

Note also that in the text you quote there is an important word, "unnecessary". So the question is whether the data Facebook collects is unnecessary. The specific circumstances are key here. One argument is that what Facebook collects is necessary since it is the very business model here: you get access and in exchange Facebook shows you targeted ads, for which the data are necessary.

I have never been clear about the basis for claiming that consent is not freely given if it is linked to accessing the service. To me that negates the very nature of contracts, which is an exchange. People freely agree or they don't.

Sometimes it seems that 'freely' is interpreted as meaning 'gratis', but that would not be what is typically meant by 'freely given' when discussing agreement or consent, which usually means 'without being coerced or misled'.


The first sentence is not correct. The EU has established that various forms of contract (eg: employment contracts) do not allow for consent to be given freely - and as your tailor is rich, I'm assuming that you'll be comfortable with the less ambiguous French wording: '[le] consentement [...] doit être donné librement'.

However, I do agree 'unnecessary' is an odd choice of word from the EU here, as 'consent' is the only legal basis for data processing which does not include the word 'necessary' in the actual regulation.

> I have never been clear about the basis for claiming that consent is not freely given if it is linked to accessing the service.

The basis for this is Article 7.4.

As an example, if I walk in to a restaurant, it would be 'unnecessary' to require me to provide a name before serving me. They can still require it, and they can refuse to serve me if I don't.

HOWEVER, if I do provide my name they cannot claim that I have consented to doing so (and therefore, they must have another legitimate basis for processing my personal data - a good recent example might be a track and trace scheme, where they have a legitimate basis to process personal data as it is in the vital interests of both myself and other patrons).

However, it would not be unnecessary to require me to provide a name before reserving a table, as the name would be necessary to identify me as the person who reserved the table, and so they can rely on consent as a basis for processing my personal data here.

Moving back to Facebook:

It is necessary for Facebook to process some personal data in order to provide the service of allowing me to communicate with my friends - for example, my name, my friends' network graph, maybe my email address, information that I upload to the site, etc. As a result, this personal data can be processed under the basis of consent.

It is not necessary for Facebook to share that information with advertisers, so they cannot use consent as a basis for processing this data, and they must have another legitimate basis for doing so (and they may well do, I would imagine they could build a pretty solid case either for performance of a contract or legitimate business interests).

This means that either: Facebook agree that they are processing this data based on consent, in which case consent can be withdrawn or refused for specific purposes (which is not possible), or they cannot rely on consent as a basis. It is important which legal basis is used for processing personal data as the paperwork and thresholds for passing PIAs vary.


This is the same as before GDPR; it seems like the judge didn't know what the purpose of GDPR was?? Or maybe Austria's legislative implementation of GDPR really does allow this much latitude.


GDPR is a regulation (https://en.wikipedia.org/wiki/Regulation_(European_Union) ), which means that it applies directly. The ruling also refers to various sections of GDPR directly. There is no local legislative implementation of regulations; you are thinking of directives (https://en.wikipedia.org/wiki/Directive_(European_Union) ), of which GDPR is not one.


Okay. Is there anything rational about what this judge in Vienna did?


The judge originally even didn’t want to rule on the case. It looks very much they wanted the case to go to a different court and have nothing to do with it.


Consent is not, and has never been, the only legal means by which personal data can be processed. When the article says:

>This would mean that the company does not have to give users a free choice and obtain a separate and unambiguous consent.

it neglects to mention that using Facebook and entering into a contract with Facebook is optional.


Facebook has a history of creating "shadow profiles" which are not exactly optional or transparent to the user.


Of people which also haven't signed their terms of service.


The so-called "Facebook pixel" allows web service owners to tell FB about all the people interacting with their service. Next to page impressions and interaction events, it allows sending the customer's personal data (name, address, phone number, email and gender) to FB, so the interaction can be matched to a profile. Cookies, IP address and browser metadata are always sent due to loading code from FB servers. Ad blockers kill that ridiculous violation of consumer rights.

However, a good number of online services with user registration integrate some identity resolution provider that sends all customer data to FB among others on the backend in exchange for a link to the profile, if it exists, reasoning that automated stalking increases the performance of their sales/support agents.

Even if not integrated directly, many use some crm/csm/lead/sales/support/stuff tooling that gets a copy of all their customers' personal data and then shares it with services they integrate in bulk. Registering for one service can thus create many "shadow profiles" with other companies the consumer never directly interacts with.

The consumer-facing corporations are required to disclose such third parties in their privacy policies (and should strive to make such data sharing configurable by opt-in -> see consent), but often skimp on the data protection impact assessment, at most disclose why they share with some other company but not what actually happens with the data, and prefer to tell lies about how much they value privacy, while they don't actually care who gets a copy of their customers' personal data as long as they don't have to pay for sharing it.

So if you regularly register with some fancy new service, then there is a non-zero chance that FB has a "shadow profile" about you even if you don't have a FB account. The same goes for SalesForce, Google, Adobe and other players in the big data business.

Now in EU-vs-FB the megacorp stated they are not keeping data on non-FB users because they are getting so much data about registered users (who are the people they are getting paid to show targeted content to by their customers) that they really don't care about people who are not on their platform. And since it would be illegal to profile them, they are especially not doing that. Rumours are this is a lie and FB is keeping huge data swamps, but I have seen no proof: so far there is a certain lack of whistleblowers.
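The pixel and backend identity-resolution flows described in the comment above can be checked from a request capture rather than taken on faith. The Python below is an added example, not code from the commenter, from Facebook or from any vendor: it walks a constructed list of captured requests (the shape a browser HAR export or a backend egress log can be reduced to), flags every third-party request that carries customer fields, either in plaintext or as SHA-256 hex digests, or that carries a Cookie header, and records which first-party page referred it. The parameter names in PII_KEYS, the .example domains, the session values and the capture format are assumptions made for illustration, not any real pixel's interface.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names under which tracking beacons commonly carry customer fields.
# Assumed, illustrative set for this example; not taken from any vendor's documentation.
PII_KEYS = {"em", "email", "ph", "phone", "fn", "ln", "name", "address", "ge", "gender"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SHA256_HEX_RE = re.compile(r"^[0-9a-f]{64}$")  # how "hashed" identifiers usually look on the wire


def registrable_host(host):
    # Crude last-two-labels comparison: enough to separate shop.example from a tracker
    # domain in this example, but it misclassifies public suffixes such as co.uk.
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_request(req, first_party_host):
    """Return a finding for a third-party request that carries PII fields or cookies, else None.

    req is a dict with keys url, method, optional body (form-encoded) and headers.
    """
    parts = urlsplit(req["url"])
    host = parts.hostname or ""
    if registrable_host(host) == registrable_host(first_party_host):
        return None  # first-party traffic is out of scope for this check
    params = parse_qs(parts.query)
    if req.get("body"):
        for key, values in parse_qs(req["body"]).items():
            params.setdefault(key, []).extend(values)
    leaked = {}
    for key, values in params.items():
        for value in values:
            if key.lower() in PII_KEYS:
                leaked[key] = "hashed" if SHA256_HEX_RE.match(value) else "plaintext"
            elif EMAIL_RE.match(value):
                leaked[key] = "plaintext"  # e-mail smuggled under an unexpected parameter name
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    sends_cookie = "cookie" in headers
    if not leaked and not sends_cookie:
        return None
    return {
        "host": host,
        "pii": leaked,
        "sends_cookie": sends_cookie,
        "referer": headers.get("referer"),
    }


def audit(requests, first_party_host):
    """Run classify_request over a whole capture and return the findings in capture order."""
    findings = [classify_request(r, first_party_host) for r in requests]
    return [f for f in findings if f is not None]


# Constructed sample capture: what a browser and the shop's backend might emit after a purchase.
_HASHED_EMAIL = hashlib.sha256(b"alice@example.org").hexdigest()
_HASHED_PHONE = hashlib.sha256(b"+431234567").hexdigest()
SAMPLE_CAPTURE = [
    {"url": "https://shop.example/api/cart", "method": "GET",
     "headers": {"Cookie": "session=abc123"}},
    # Script load from the tracker: no customer fields, but the tracker cookie and referer go along.
    {"url": "https://cdn.tracker-ads.example/pixel.js", "method": "GET",
     "headers": {"Cookie": "_trk=9f8e7d", "Referer": "https://shop.example/checkout"}},
    # Event beacon with hashed e-mail and phone, so the event can be matched to a profile.
    {"url": f"https://www.tracker-ads.example/tr?id=1234&ev=Purchase&em={_HASHED_EMAIL}&ph={_HASHED_PHONE}",
     "method": "GET",
     "headers": {"Cookie": "_trk=9f8e7d", "Referer": "https://shop.example/checkout"}},
    # Backend identity-resolution lookup: plaintext customer record, no browser cookie involved.
    {"url": "https://api.identity-resolver.example/v1/match", "method": "POST",
     "body": "email=alice%40example.org&name=Alice+Smith&address=Main+St+1",
     "headers": {"Authorization": "Bearer redacted"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE, "shop.example"):
        print(finding)
```

To run this over real traffic, export a HAR from the browser's developer tools (or a proxy log of the backend's outbound calls) and map each entry to the url/method/body/headers shape above; the hashed-field check matters because a digest of an e-mail address still identifies the person to anyone holding the same address, so it should be treated as personal data in the disclosure and not as anonymisation.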


> using Facebook and entering into a contract with Facebook is optional

It just doesn't work this way (please search for implications below; it was nuked during the USA daylight by people who think that lowering the visibility will make GDPR go away):

EDPS Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, 14 March 2017, p. 7.

"There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give the market the blessing of legislation. One cannot monetize and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction."

Bottom line, you can't discriminate who can use the service based on giving you allowance to use personal data; if it is free for people who give you consent, then it must also be free for people who don't give you the consent.


> it neglects to mention that using Facebook and entering into a contract with Facebook is optional.

In theory, not always in reality.


This is true.

I talked with a fellow electrician friend of mine: At his job they're organising their on-call rotation via Facebook. I was horrified. Refusal to use Facebook in this situation would be very difficult. I very much suspect this situation is not unique.


It looks like the Austrian court didn't do its homework. An interesting quote from the GDPR authors:

(This is a quote from an official document. It wasn't written by me and no down-voting will change it (but it will potentially hurt people's business, for those who should see it and comply but didn't as they weren't aware of it). It is as it is, regardless of whether you like it or not, whether you agree with it or not... it doesn't matter. https://edps.europa.eu/sites/edp/files/publication/17-03-14_...)

EDPS Opinion 4/2017 on the Proposal for a Directive on certain aspects concerning contracts for the supply of digital content, 14 March 2017, p. 7.

"There might well be a market for personal data, just like there is, tragically, a market for live human organs, but that does not mean that we can or should give the market the blessing of legislation. One cannot monetize and subject a fundamental right to a simple commercial transaction, even if it is the individual concerned by the data who is a party to the transaction."

According to that, the "contract" (or as they want to shovel it under consent - not even the owner of personal data is allowed to give data in exchange for anything - they can give it as an option; surely you can demand data like an address if you are running an online shop once the buyer has ordered something, but that is a different case) was obtained using illegal means, as access to Facebook was granted based on an agreement where the user should sell their "organs" (personal data) as a commercial transaction - allowing them to register to Facebook.

Max Schrems has shown that he will go to the highest courts before and probably will do the same here.

GDPR is not something that business is used to. It doesn't explicitly say "you can do this (and this,...) while you can't do this (and this,...)", allowing you to tweak your business and circumvent it. It is conceptual, and if you are breaking the concept you are breaking the law.

Or (I can't remember where I read this, but it illustrates it very well): as the owner of a chemical plant you are not told by the law how many toxic fumes (mg/m3) you can exhaust into the air. It tells you, "think of the children playing downwind and you won't go far wrong". But if we figure out you were intoxicating the children, you will be punished.

I just don't understand why the Austrian court is hurting Facebook's business and Max Schrems (in wasted hours), as in the end the EU court will drop the decision (hopefully not charging Austria) and Facebook will have to comply with GDPR regardless. This is a lost game for Facebook; I don't understand why they are hurting their own business for something they can't win. Buying more time?


> Facebook users now have fewer rights under the GDPR than they did before under the old data protection law because, according to the Vienna Higher Regional Court, they have entered into a contract to receive personalized advertising.

Well played, Facebook.

Does this loophole completely neutralize the GDPR?


Everyone was supporting GDPR because it was advertised as bringing the big tech corps back in line. But big tech corps have big standing armies of lawyers. They love these kinds of stifling regulations that only they can navigate and mitigate while human persons trying to do things, or use things (like WHOIS), are crushed.


What's your point here? Corporations have big coffers, therefore political intervention is meaningless, therefore we should just roll over and accept our new overlords?


The continued/continuous defense of GDPR is truly amazing. Reminds me of Apple fanboiism at its worst.


The continuous criticism of GDPR is quite amazing as well. Reads as corporate boot-licking.


I've noticed a lot of comments that are either in support of the GDPR or even those that merely provide factual information about it or correct misunderstandings get downvoted.


I've used GDPR a few times to protect myself from nefarious actors. Its a valuable tool if you use it right, like all the things.


Yeah, and I use Apple devices. But I’m not shocked when they do user-hostile things. Nor am I shocked that GDPR isn’t nearly the cure all that everybody expected. Starting with the absurd claim that it applies to every company in the universe.


It applies to companies that collect data about EU citizens.

It isn't a cure-all but it is a whole lot better than what we had before and what exists in most other parts of the world.


Thankfully you’re still wrong. It doesn’t apply to businesses that the EU has no jurisdiction over, just as Chinese laws against criticizing China do not apply to companies it has no jurisdiction over.

EU residents are, of course, free to not do business with those they don’t want to. Likewise, businesses are free to comply or not, just as companies can choose to comply when China says to stop reporting on their human rights violations.


> It doesn’t apply to businesses that the EU has no jurisdiction over

It applies, though indeed it doesn't matter in the immediate future because the EU won't be able to collect on it. However, I would expect it to prevent that company from ever being able to open an EU-based subsidiary in the future, so it's still a good deterrent (that is, if the GDPR was actually enforced).

In practice though, the worst offenders which the GDPR is supposed to protect us against (though again the enforcement of it leaves much to be desired) have big EU presences so it's not a problem.

> EU residents are, of course, free to not do business with those they don’t want to

The problem is that companies that the GDPR applies to seem very determined to be doing "business" with EU residents even without their knowledge or agreement. This "business" is of course about collecting, reselling or using their personal information in nefarious ways.

Indeed, if the solution was as simple as "don't do business with these companies" we would've never had the GDPR because there wasn't a need for it.


Nobody expected GDPR to be the cure for everything.

We had hope that it would do good and change the direction we were on. And it has been a success, the changes are industry wide and massive. Of course it isn't without faults, but we are far better off with it and have a better foundation for the future.

