Max Schrems Files New Privacy Complaints That Seem To Show The Impossibility Of Complying With The GDPR

from the what-a-stupid-law dept

We’ve written many times about privacy activist Max Schrems, who almost single-handedly brought down the silly privacy safe harbors between the EU and the US. Last year, we wrote about his newest project called noyb.eu, which stands for “None Of Your Business.”

Last week, Schrems and noyb announced a big list of GDPR complaints filed in Austria, against basically every streaming media company, none of which — they claim — are in compliance with the GDPR. Schrems also provided everyone with a handy dandy chart showing the basic details of the results of the GDPR requests they made to eight different streaming platforms, where they fell down, and how much they might be on the hook for:

If you’d like to see the actual complaints, here they are for Amazon, Apple, DAZN, Flimmit, Netflix, Soundcloud, Spotify, and YouTube.

I have lots of thoughts about this, so let’s list them out:

  1. This demonstrates the near impossibility of complying with the GDPR: While I’m sure many will view this as a positive for the GDPR, in that Schrems is going after a bunch of big companies who many people love to hate, I’d argue that these complaints really show just how ridiculous the GDPR is in practice. At least with the larger companies on this list (Amazon, Apple, YouTube, Netflix, and Spotify) it is ridiculous to argue that any of them were deliberately avoiding the GDPR requirements. All of those companies have been well aware of the GDPR for years and spent the past few years spending many, many millions of dollars preparing for the GDPR. All have decently large teams focused on doing everything they can to comply, in part because of the possibility of massive fines if they fail.

    The fact that those large companies, who have all the resources in the world, are still deemed by Schrems to fail on nearly every aspect of the GDPR suggests, pretty clearly, that it is nearly impossible for anyone to truly be GDPR compliant in any reasonable sense.

  2. The nature of the complaints shows just how silly the GDPR continues to be: Taking the Apple Music complaint as an example, the company did allow noyb and its client to download all the data it had, but noyb is demanding significantly more information under the GDPR — much of it is information that would effectively be impossible to provide in the first place. For example, the complaint notes that Apple didn’t provide “information about the purposes of the processing.” But… isn’t that the kind of information that anyone signing up for Apple Music already knows about when they sign up? Apple is using your information to provide you access to music and to recommend other music to you. What good does it do to have that information need to be spelled out once again at a later date to avoid massive billion dollar fines?

  3. The possible fines remain completely insane: Note the numbers on the “maximum penalty” associated with these complaints. Under the GDPR, a company can be fined either €20 million or 4% of annual global turnover whichever is greater. So those eye-popping numbers are basically that 4%. Remember, most of the companies here bent over backwards to try to comply, with most of them setting up useful systems that allow users to download all of their data, even if noyb didn’t like the format that data was in. And yet they might still face billions in fines?

  4. GDPR could destroy some of these companies: It is surprising to see two companies — DAZN and Soundcloud — not respond at all to these requests. Both of them are based in the EU (though DAZN may escape via Brexit shortly, but it operates in many EU countries). I would think, at the very least, these companies would have in place some method of responding to GDPR requests. Soundcloud, despite its level of popularity, has struggled even to stay alive — and came very close to shutting down a year and a half ago before getting a last minute reprieve from some investors. Either way, the company is clearly struggling, and the fact that both of these company’s “maximum” possible fines are €20 million suggests that this is “greater” than 4% of their annual turnover. In short, this is likely a crippling and possibly company-destroying amount for these smaller operations. I’m still surprised neither responded to the requests at all — but it’s going to be difficult for either to stay in business facing these kinds of headwinds thanks to the EU’s overaggressive regulations.

I’m sure that many don’t seem to care that this might cause problems for these companies, or that it may be literally impossible to comply with these regulations. But we should all be concerned if regulations make it effectively impossible to be in business on the internet in the EU. We should be even more concerned that — as many of us predicted — regulations like the GDPR seem to have a high likelihood of completely destroying smaller players, like SoundCloud. The huge fines for the big companies are eye-popping and totally disconnected from any actual “harms,” but most of those big companies can grudgingly afford to pay them. That seems unlikely for the smaller players meaning that — once again — the EU seems to be clearing the field of smaller internet companies, and leaving in place only the giants, from whom the government will just keep siphoning off cash.

One final point on all of this: I recognize that there are lots of legitimate concerns about privacy in this day and age — and, in particular, how various data collection companies are using our private data. And I’ve long been on record that companies should be not just a lot more transparent about the data they collect and how they use it, but also should push control over that data out to the end users. But, looking over this list, none of these are companies that I’m particularly worried about concerning how they use my data. Yes, there are potential privacy concerns here, but the idea that SoundCloud or Spotify contains data so sensitive that they should be fined massive amounts for not making it “intelligible” just seems disconnected from any real harms and any real concerns.

Indeed, my concern with this type of litigation is that it actually waters down and distorts the real concerns we should be having over privacy in the internet era. Netflix not giving me all of the data on what I’ve been watching via streaming doesn’t seem like a particularly big consumer concern — and yet if it sucks all the air out of the room, it makes it that much harder to deal with real privacy questions raised by internet giants.

Filed Under: , , , , ,
Companies: amazon, apple, dazn, flimmit, netflix, noyb, soundcloud, spotify, youtube

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Max Schrems Files New Privacy Complaints That Seem To Show The Impossibility Of Complying With The GDPR”

Subscribe: RSS Leave a comment
63 Comments
Mason Wheelersays:

Soundcloud, despite its level of popularity, has struggled even to stay alive — and came very close to shutting down a year and a half ago before getting a last minute reprieve from some investors.

As a long-time Soundcloud user, I’m not surprised. Their system is very consumer-unfriendly in a lot of little ways that aren’t immediately obvious, but become clear once you start to do non-trivial things with it. The sort of stuff that the people who end up paying Soundcloud for their services might end up needing to do–or that might drive them away to other platforms once they realize how needlessly complicated, restrictive, and expensive a lot of it is.

jilocasinsays:

A little naive with point #2.

I think you are being more than a little naive with your point #2.

For example, the complaint notes that Apple didn’t provide "information about the purposes of the processing." But… isn’t that the kind of information that anyone signing up for Apple Music already knows about when they sign up? Apple is using your information to provide you access to music and to recommend other music to you. What good does it do to have that information need to be spelled out once again at a later date to avoid massive billion dollar fines?

I believe that the whole point of the GDPR and Max Schrems’ request was to make sure that Apple is only using his information to provide him access to music and to recommend other music. There is nothing that says that Apple isn’t using your data to target personalized ads at you, or selling your music tastes to the highest bidder, or even collecting your GPS location of every time you listen to a song.

The GDPR request wants to make it clear what it’s using his data for, that it is what the user thinks it’s being used for (and not some other reason buried in a 100+ page EULA).

Personally I think the the major companies have spent the last coupe of years trying to come up with systems that they believe will pass muster without having to change their currently lucrative practices, and without letting the user know just how much/what they are using it for. Because if they did they just might stop.

Anonymoussays:

Re: Re: A little naive with point #2.

make sure that Apple is only using his information to provide him access to music and to recommend other music.

Careful with that second point: do you mean recommend music to Schrems, or use his personal data (listening history) to recommend music to others? Those are two very different uses that are not inherently tied together, and should have permissions requested separately.

Anonymoussays:

Re: Re: A little naive with point #2.

I think the point here though is that unlike many streaming companies, when you enable streaming from Apple, you actually get a dialog that pops up that clearly explains that in doing so, they’re collecting usage data. This same dialog then explains how Apple is going to use that data and asks you if you want to continue. Apple’s been doing this ever since it launched Genius around a decade ago.

So since Apple is already disclosing how they’re using the data, disclosing it again doesn’t really help much, unless you’re implying that the first disclosure means nothing because it’s not mandated, and so they could be doing other things with the data without telling you, until you request the details.

But it’s obvious that Apple CAN disclose this data because they do so at the point of activation — so the fact that they don’t leads me to believe that they figured they were already covered by having disclosed the usage data previously to the customer.

jilocasinsays:

Re: Re: typo: noyb

No, I believe he was referring to noyb.eu, which stands for "None Of Your Business" the group Max Schrems founded.

Also, I don’t think it was noyb.eu not liking the format that was provided, but the format provided being chosen to be unhelpful/useless. This is a common ploy with FOIA respondents.

Ex: request a copy of data that’s originally in an easily searchable/analyzable database format, receive a badly scanned pdf copy of the data that was poorly formatted, printed, copied a few times and then scanned into an unsearchable pdf file.

Or in Apple’s case; maybe the data was provided as a single line text file (everything in one long line) filled with loads of abbreviations and no key to interpret them with.

Without knowing the format of the data that was received, it’s rather cavalier to assume fining the company over their choice is just noyb not liking the format it was provided in.

Anonymoussays:

Re: Re: Re: Re: typo: noyb

Also, I don’t think it was noyb.eu not liking the format that was provided, but the format provided being chosen to be unhelpful/useless. This is a common ploy with FOIA respondents.

That seems lazy on Mike’s part. What format was provided, what format was wanted, and what’s reasonable/required? None of that was mentioned, and it’s necessary to evaluate Mike’s argument. (Did the company maliciously hand out an encrypted blob nobody could possibly ever read? Did they simply forget to explain an acronym, and all will be good when they post a glossary?)

jilocasinsays:

Re: Re: Re: Re: Re: Re: typo: noyb

Well according to the pdf for the Apple Music Store at least, what data Apple provided was in a series of machine readable .csv and .json files that were unintelligible.

The majority of the files
are
, indeed, coded information, non-intelligible to humans
(Attachment 3: ?
Apple Index der heruntergeladenen Dateien
? and Attachment 4:App Store, iTunes Store, iBooks
Store, Apple Music.zip).
For examples, some of the files that could not be read by the Complainant include:
1)Apple Music Play Activity.csv
2)AMP Purchase History Page & Click Activity.csv
3)Apps And Service Analytics.csv
4)Review profile.json

Also according to the complaint:

The respondent also has not provided any explanation, software or other means to make the data readable and understandable for the average consumer.

Which is a big no no under the GDPR. So it looks like Apple is indeed trying to appear GDPR compliant without actually being so.

Mason Wheelersays:

Re: Re: Re:2 Re: Re: Re: Re: typo: noyb

Far be it from me to defend a company as inherently abusive as Apple, but in this particular case I don’t see anything wrong with what they did. When you have a large amount of data, returning it as a machine-readable format such as CSV (which can be trivially read into Excel) or JSON is absolutely the right answer.

Large data sets are very difficult to read the way a normal human being would read a book, from beginning to end. Instead, what you want to do with that sort of data is subject it to analysis, and for that you need some format that’s easy to parse by a computer, which can then search through it and help the user work out points that are of interest.

If the GDPR doesn’t recognize this simple fact, it’s just another point demonstrating that it’s a bad law.

MathFoxsays:

Re: Re: Re:3 Re: Re: Re: Re: Re: typo: noyb

There are the (offices) of the Data Protection Agencies that will review the complaint and form their own opinion. Apple gets a chance to present their side… The DPA might suggest some simple chances (Like: provide a document that describes the columns in the CSV files and the meaning of the JSON fields), Apple might implement them and the DPA could decide that the issue is sufficiently resolved.

When the DPA decides that a fine is warranted, it’s unlikely to be close to the maximum fine for a company that makes a good faith effort. And there is the option for a legal review of the DPA ruling and penalties. Expect a body of jurisprudence in five years.

Anonymoussays:

Re: Re: Re:3 Re: Re: Re: Re: Re: typo: noyb

Far be it from me to defend a company as inherently abusive as Apple, but in this particular case I don’t see anything wrong with what they did. When you have a large amount of data, returning it as a machine-readable format such as CSV (which can be trivially read into Excel) or JSON is absolutely the right answer.

We don’t know enough about "what they did". Both formats are trivial to lex, so sure, you could read CSV into Excel. Then what? You need to know what each row and column represent to know how to interpret it, and that could be really obvious or completely obscure.

jilocasinsays:

Re: Re: Re:3 Re: Re: Re: Re: Re: typo: noyb

Mason,

I think you missed the point. Neither the GDPR nor Max is saying that the data can’t be provided in a machine readable format. With the amount of data that most companies probably keep, it would be silly to download the data any other way. But just because the data is in a CSV doesn’t mean that it’s intelligible.

For example compare the following by necessity short examples:

Intelligible:

UserName, TimeStamp, ClientIP Address, MusicGenre, SongTitle

joe01, 2019-01-01 12:24 GMT, 10.10.1.1, Country, ‘Tequila’

joe01, 2018-12-30 01:15 GMT, 10.10.1.1, Country, ‘You make it Easy’

joe01, 2018-12-30 02:05 GMT, 10.10.1.1, Country, ‘Break Up in the End’

joe01, 2018-06-18 15:00 GMT, 10.10.1.1, Pop,’Thank u, next’

joe01, 2013-04-10 09:02 GMT, 10.10.1.1, Country, ‘Get Along’

Unintelligible:

ux, st, m12, x17, au32

278E4A8DB999EBF6B04D4787142D36BC7975D231, 2019-01-01 12:24 GMT, 10.10.1.1, am12, 180b133cbeeb94004708a06c1631ccfb

278E4A8DB999EBF6B04D4787142D36BC7975D231, 2018-12-30 01:15 GMT, 10.10.1.1, am12, 8f81b5a32cbb21db94c5396284505729

278E4A8DB999EBF6B04D4787142D36BC7975D231, 2018-12-30 02:05 GMT, 10.10.1.1, am12, 1b558644691b71ddc59ca9b2630e041f

278E4A8DB999EBF6B04D4787142D36BC7975D231, 2018-06-18 15:00 GMT, 10.10.1.1, zx92, e2fa24536a5ad7782969d0f940b34ee4

278E4A8DB999EBF6B04D4787142D36BC7975D231, 2013-04-10 09:02 GMT, 10.10.1.1, am12, 698a8af60cdd4b83e5120474cccbac8a

See, the same data, but the second version doesn’t really tell you what information about you they are keeping.

PaulTsays:

Re: Re: Re:4 Re: Re: Re: Re: Re: Re: typo: noyb

That’s a fair point, but given the usual idiotic demands related to these things, they probably mean it wasn’t in a nice infographic they can show to a 5 year old. A lot of this stuff seems to be excuses to get companies to fail, rather than making sure they comply with anything realistic.

On the flip side, I’d assume the companies are doing the bare minimum, which might mean supplying raw data in several tables rather than a nicely formatted single sheet, but if the legislation doesn’t demand that’s required then some companies won’t make life easy out of principle.

Without more detail it’s true that it could go either way, but if literally nobody is presenting data in the way they want it then I’d presume it’s the demands and not the companies that are being unreasonable.

PaulTsays:

Re: Re: Re:2 Re: Re: Re: Re: typo: noyb

“Which is a big no no under the GDPR”

Is it really? The formats provided are industry standards act are readable by industry standard software that is supplied either free of charge or pre-installed on the computer, or by numerous online tools.

Is it now a GDPR violation to not teach people to use their own computer? I’d understand if you’re talking some weird proprietary format, but this is probably less difficult for most devices to read than the original web page.

” So it looks like Apple is indeed trying to appear GDPR compliant without actually being so.”

No, it looks like you don’t know what CSV and JSON formats are.

Anonymoussays:

  1. Doesn?t he mean ?this shows the impossibility for big internet companies to MAKE MONEY while complying with a law that protects individuals?? If the internet ?business model? can?t survive respecting internet rights, it deserves to perish.

    2. See 1) above.

    3. The fines must be that big to deter the conduct of the near-trillionaires.

    4. See 1) above.

    ?Many? do not care about these companies any more than certain bloggers care about music and film companies. Too bad. Love these tantrums because it means you?re losing.
    Was there any commentary on the Music Modernization Act or whatever it?s called that was passed in October to deal with royalties from streaming services.

Anonymoussays:

Re: Re: Re: Re:

Wow, ad-hominem proof-by-assertion from a 4Chan Aspie with a hidden agenda.

The article doesn’;t make it sound like Apple is winning this.

As for the ad-hominem, see the “how many profitable copyrigths do you own?” threads.

The more than throw the tantrum, the more desperate they are. No need to respond with anything but brutal logic. Make sure every time Google sends traffic here that all points of view are presented. That can have an interesting effect on a lawn.

Anonymoussays:

Re: Re: Re:2 Re: Re: Re: Re:

It is a sign of verbal aggression, which we instinctively consider a prelude to physical aggression.

Masnick runs his mouth safely behind a monitor in a way he wouldn’t dare to anyone’s face, and he hides behind frew speech to allow his uses to do far worse. The best way to confront him is to have a reporter start asking questions on camera when he’s at one of those events or whatever or to do the Michael Moore thing and stand outside his office building while rebutting him.

However he is ultimately dealth with, it won’t be here. This is his turf, and he lets the bullies run wild. Like a dog chained to a post, however, his influence has no range to match that of those he allows to be bullied. If he weren’t such a gnat he’d already see what he’s starting with regard to a free-speech war but that day will come sooner or later.

This site is just a stupid little echo chamber that will never influence policy. Everything he supports keeps losing and losing and losing.

Mason Wheelersays:

Re: Re: Re:3 Re: Re: Re: Re: Re:

Masnick runs his mouth safely behind a monitor in a way he wouldn’t dare to anyone’s face

Have you listened to the podcast? He’s had several episodes which consist of him participating in some sort of panel, espousing these same opinions in person to the live audience and the other panelists as he does on here.

You could say a lot of things about Mike, but moral inconsistency of this kind is most certainly not one of them.

This site is just a stupid little echo chamber that will never influence policy. Everything he supports keeps losing and losing and losing.

Wow. Just wow. How long have you been hanging around here?

Just off the top of my head, one of the most notable things he supported was resisting SOPA and ACTA. These both got shot down in Congress, and he’s had notable people, both elected representatives and senior staff members of elected representatives, come around here and talk about how Techdirt’s coverage was instrumental in helping them understand why these were bad bills that they needed to shut down.

Anonymoussays:

Re: Re: Re:3 Re: Re: Re: Re: Re:

Article 13 was coming close to approval. Up to the point where you rightsholders realized that you couldn’t sue people as willy-nilly as you’d like and tossed it back into the fire.

You had it. It was offered up to you on a silver platter. And you still managed to screw it up!

Your tears are delicious.

Scary Devil Monasterysays:

Re: Re: Re:2 Re: Re: Re: Re:

"most people probably wouldn’t go directly from complaining about ad hominems to using a slur against people with disabilities in the same sentence."

…yes, but the "Child Porn Is Great" brigade isn’t "most people". Please bear in mind that we’re discussing the sort of people who appoint the likes of johan Schl?ter, John Steele and Andrew Crossley to lead their efforts.

Mike Masnicksays:

Re: Re:

If the internet ?business model? can?t survive respecting internet rights, it deserves to perish.

I actually agree wholeheartedly with this. My question is what in the above is actually "respecting internet rights." I don’t se that.

?Many? do not care about these companies any more than certain bloggers care about music and film companies.

I don’t care about these companies either. I do care about the end users of those services and how they are harmed by bad regulations on the companies. So, sure, kill off those companies. No big deal. But what about the services that people rely on and find so useful these days?

Petersays:

A small amendment to the headline ...

Impossibility Of doing business as before and Complying

So far, the large platforms appear to try getting away with not changing data collection and data analysis at all. Instead, they coerce "permission" from customers through elaborate T&C – a practice that has just been fined by French authorities.

If that avenue gets closed, or if noyb’s complaint is accepted, it will indeed be difficult to continue collecting insane amounts of data (up to, as has recently been uncovered, camera recordings of people’s bedroom in case of Amazon) in the hope of mining some gold nuggets out of them.

The real question is if Google, Amazon, Facebook & co will continue to be viable businesses if they were forced to work with smaller data sets, and possibly more transparent (read public) algorithms.

If Amazon’s current "suggestions", and some of their current processes are anything to judge by, restarting their AI-systems from scratch with fewer, better data might actually be an improvement.

We may find out soon …

Anonymoussays:

For example, the complaint notes that Apple didn’t provide "information about the purposes of the processing." But… isn’t that the kind of information that anyone signing up for Apple Music already knows about when they sign up?

Really, you’re using that as an example of why it’s impossible to comply? Because that can be trivially solved by writing "Apple is using your information to provide you access to music and to recommend other music to you"?unless that doesn’t work, for some reason you haven’t explained. (But: why do they need personal information to provide the music? Can I opt out of suggestions? Are we sure that’s all they’re going to do with it, because Facebook especially has been known to collect for one obvious reason and use it for something else entirely.)

You didn’t provide any detail at all on why the complaints are otherwise "silly" or "ridiculous". As for the "maximum fine", haven’t you had to explain similar things to people when we see a "maximum sentence" of 9001 years or whatnot? It’s a theoretical number used for intimidation, rarely actually applied (and yeah, we should really have more realistic numbers rather than rely on selective enforcement).

ECAsays:

Consideration

This is 1 group of nations..
Someone with a Thought is creating a backdoor into the net.. HOW to control the internet..
IF’ these laws would be used Fairly, by every corporation.. On/OFF the net..
How many corps Would be hit hard.. How about the credit Bureau’s. Those strange persons and groups that Monitor and Give us Credit cards..
THEY DO sell our info..
How about Cellphone companies?? They have already shown that Some App’s are tracking us, and our locations..

Who needs the old conspiracy about Chips and pets, and Soon it will be everyone and be Tracked by Satellite.. You carry your tracking device in your hand, and While using the net at home on your PC…

I dont mind Anonymous Data.. IF’ you leave out certain data.
1. Name/address/SS#
2. location of store it was purchased, Region is ok..
3. The format of payment.

Beyond that, I dont have a problem…But with alittle bit of this info, they DO have programs that will figure out WHO you are.
Limiting it to…Person bought an item in IDAHO, at ??/??/??? date is enough.

ALSO..
I suggest you read your Current Bank terms..and notice if they Sell your data. A track you can do, and you can even tell the bank its a security format..is to add a Single extra character to your name or address…A MISS-SPELLING..
So that If you get a MAIL with this miss-spelling..you KNOW your bank sold your data.
Advert agencies and collectors DONT spell check or verify data.(psst..Add a number to the Middle initial)

Ninjasays:

Remember the old wisdom?

The road to Hell is paved with good intentions.

The idea behind the GDPR certainly is pretty sound and even desirable to some degree. The implementation? Not so much. And to think these same giants brought it upon themselves by abusing their position and the data consumers are handing them.

I hope the EU will rethink it and use the initial numbers to go back to the drawing board to fix these problems before imposing fines. The cynic in me says they’ll use this selectively and collateral damage be damned.

Anonymoussays:

Re: Re:

Does Schrems come across as a bit of a troll to anyone else?

I can see your point, but I don’t think he’s trolling any more than Mike is with his coverage. What’s the point of having privacy laws if they’re not enforced? Max is good at getting PR but I don’t think he’s blowing things out of proportion or going for a payday. He uses these services and doesn’t want them shut down; he just wants them to comply with the law.

Look at all the green and orange marks on his grid. They’d have almost all been red 5 years ago. As Mike writes "there are lots of legitimate concerns about privacy in this day and age… companies should be not just a lot more transparent about the data they collect and how they use it, but also should push control over that data out to the end users." That Mike’s not worried doesn’t mean much to me. We could make the same argument about FOIA?why should the government release the details? The law says what data the government can collect, and knowing the law should be enough. In practice, the amount and detail of what’s being collected, or how it’s being analyzed, often is the story.

If Facebook is deciding whether or not I’m suicidal, I want to know. The same goes if Netflix is determining my bladder health by how often I pause. BTW, librarians can explain better than I that tracking a person’s media consumption is not innocuous.

Mason Wheelersays:

Re: Re: Re: Re:

The same goes if Netflix is determining my bladder health by how often I pause.

I certainly hope not; they don’t have the data for something like that.

Even assuming, just for the sake of argument, that the only possible reason for a pause of a certain length is a bathroom break, how often I feel like taking one has far more to do with how much water I’ve drunk recently than anything related to my health. (Assuming, again for the sake of simplicity, that the amount of water I’m drinking is not itself unhealthy.)

Anonymoussays:

Re: Re: Re: Re: Re: Re:

> The same goes if Netflix is determining my bladder health by how often I pause.

I certainly hope not; they don’t have the data for something like that.

You think they don’t have the data on how often you pause?

The example was farcical, but not that far off from what Facebook’s doing with the suicide prevention. Netflix can’t be certain of any conclusions drawn from pausing, just as Facebook is only guessing, but that’s not the point. I want to know what they’re going to use my data for, and I don’t mean some vaguery like "to improve customer experience".

In the old days of analog cable TV, all the company knew was what channels you subscribed to, where you lived, and whether you paid your bill. In the digital world, they know every channel every subscriber is tuned to, all the time. They probably know what shows I’ve read the descriptions of, via the onscreen guide, and decided not to watch. What are they doing with all this newfound data? I’m not in Europe, so I’ll likely never know.

Mason Wheelersays:

Re: Re: Re:2 Re: Re: Re: Re:

You think they don’t have the data on how often you pause?

They don’t have the data on what I’ve been drinking. Without that, the pause information (which they probably do have) can’t tell them enough to distinguish whether I have a bladder problem or am just over-hydrated.

Anonymoussays:

Re: Re: Re:3 Re: Re: Re: Re: Re:

Of course. The point is 1) a company might be collecting/retaining more data than you expect, such as recording every button press forever and 2) they might use it in surprising ways. Don’t focus on the jokey hypothetical, because Facebook is a real example of both points (especially #2). It’s notable that FB claims they do not try to predict suicide in Europe, due to medical privacy regulations and requirements for informed consent.

Consent matters. Who ever expected Facebook might send the local police over for using too many sad-face emojis?

PaulTsays:

Re: Re: Re:2 Re: Re: Re: Re:

“You think they don’t have the data on how often you pause?”

They do. They do not have the data on what I was doing at that time, why I chose to pause at that moment, why it took me however long to unpause, whether or not it was actually me using the device or someone else accidentally logged into my profile, etc.

I think his point is that the dataset is hopelessly incomplete to draw such a specific conclusion.

“They probably know”

…that if you’re this hopelessly paranoid about the data you explicitly give the company in question, that you also have the option not to subscribe to their service,.

Maxsays:

NO. Not strictly related to these particular filings, but as long as almost all websites choose to interpret “no snooping until you have explicit consent and you are not allowed to refuse service in the absence of consent” as “we’ll just lock you out (or cover a literal half – or all – of your screen, which is the same thing) until you click accept to basically everything we declare ‘necessary'”, they never did the slightest attempt to comply and they deserve to get fined all the way to the depths of the ninth circle of hell and some more just for good measure.

Not for a second do these bastards conceive of the notion that some of their beloved tracking data might be going bye-bye – all they care about is exactly what lip service is needed in order to be left alone to continue exactly as before, zero change. Their whole point is that nothing less than before is acceptable, and the whole point of the ever more privacy conscious folks is that that is not going to continue to happen. Something obviously has to break. If it is to be some of their spines, that sounds great…

A complaint is not a determination

I will be interested to see what the DPAs do with these complaints. It’s not like the US, they prefer to negotiate and agree to undertakings, and they rarely fine unless the offender has been intransigent. Their version of intelligible is likely not the same as Schrems’.
The French DPA did just fine Google 50M? on another Scrhems complaint, which is enough to get their attention but hardly going to put them out of business.

Anonymoussays:

It,s strange , how does a music service work
if they cant suggest music tracks you might like,
And keep a record of your favourite singers ,pop groups ?
eg i like madonna ,i,d probably like to hear
any new songs she release,s and songs she might appear
on as a duo with any other artist.
If i live in england i probably would prefer songs in the english language rather than the top 20 in russia .
.
I Presume youtube is keeping a list of the video,s
i watch in order to offer me suggestions as to new video,s i might like .
i have no problem with that .
They get some data from me, in return i get acess
to millions of videos at zero cost .
They save me time , they suggest the latest uploads from creators i subscribe to .

Anonymoussays:

Re: Re:

The best way to get a youTube video profitable is to make one which autoplays alongside videos with much larger audiences. Say you do a video on homebuying, then Congress and the Fed start tangling over mortgage rates. Some big news corporation will then do a video about it that gets 1,000,000 hits, and the coattails will cause even unknown videos to go from like 100 hits a day to as many as 5,000. I’ve seen it firsthand.

There is a LOT of money to be made on YouTube, specifically because they track viewing history, and because piracy is not an issue. Knockoffs, however, are, as anyone who has ever made a fortune in mail order knows.

Anonymoussays:

Re: Re:

a music service merely has to offer a catalogue unless the user wants more. how do you think anything works? have you ever tried services without being logged in and refusing tracking? or how about only tracking of explicit "likes", because seriously YT is shit at guessing, or good gods, recommending shit at me. if they stuck to saves and likes they would do better and be less awful.

ryuugamisays:

I’m sorry, Mike, but you’re being disingenuous here.

First, these are complaints. Being able to complain does not, in itself, mean anything. How many baseless lawsuits have you written about over the years? Remember, idiots suing people for defamation does not mean that the defamation law is an absolute disaster and should be abolished.

Second, you seem to assume that any minor (real or perceived) infraction will bring about the “maximum fine” and bankrupt the small services. That is not the goal. If your company is earnestly trying to comply, the fine will be negligible, or you may even just get a warning. There was a GDPR ruling ruling against Google a few days ago, for 50 million Euros. That’s 0.05% of Google’s revenue, not 4%.

Rockysays:

Re: Re:

I’m sorry, Mike, but you’re being disingenuous here.

I’m sorry, you did read the article – all of it, right?

First, these are complaints. Being able to complain does not, in itself, mean anything. How many baseless lawsuits have you written about over the years? Remember, idiots suing people for defamation does not mean that the defamation law is an absolute disaster and should be abolished.

First, these complaints are in a sense a way to highlight the absurdity of trying to be wholly compliant with GDPR. OTOH, if the complaints aren’t taken seriously by the court system it will undermine the enforcement of the GDPR.

Second, you seem to assume that any minor (real or perceived) infraction will bring about the "maximum fine" and bankrupt the small services. That is not the goal. If your company is earnestly trying to comply, the fine will be negligible, or you may even just get a warning. There was a GDPR ruling ruling against Google a few days ago, for 50 million Euros. That’s 0.05% of Google’s revenue, not 4%.

Second, see point 3 & 4 in the article. You do understand that the qualifiers of ‘can be fined’, ‘might face fines’ and ‘could destroy’ isn’t the same as ‘maximum fines’ and ‘will destroy’. At no point did Mike imply that maximum fines will be applied to destroy some services – he implied that small services with no financial muscles might be destroyed if they are fined.

anonsays:

Can't agree at all

  1. Companies do a basic risk assessment and compare it with their gain from taking the risk of regulatory fines. By providing -some- data, they reduced their risk of high fines so the residual risk was low enough to go on and wait for first jurisdiction.
    2. If it needed only two lines or text to explain how they used what parts of the data, why would apple not send this information? Wouldn’t that be ridiculously easy then?
    3.& 4. It’s a maximum penalty that won’t be charged for minor fuckups. But here I have to agree that I don’t understand why it isn’t just the 4% as this would be fair imho. Would be interesting how this decision was made to have a lower limit of 20m. The 4% for big companies are good as otherwise no huge Enterprise would give a fuck.

    The rest of the text:
    How can you not be worried about your data on Amazon? A colleague is having a discussion atm as they are saying that it is technically not possible to delete his old data (he even said they could keep anything fresher than 6months but can’t see the reason why they would need his data from the early 2000’s. Common. Billions and a few years time and they’re not capable of developing a system where data can be deleted??

neverestsays:

phorm storm

you seem to totally not get The EU General Data Protection Regulation (GDPR)

at its most fundamental EU torts state that a person’s personally generated data is their exclusive property automatically, without explicit consent no interception,processing, or storage of any kind is legal, see the masses of legal "phorm storm" coverage (before fake news was so prevalent)

Wilhelmsays:

The GDPR was never meant to protect individual privacy.

The first problem with GDPR is the absence of the clause “quantifiable loss”. If fines aren’t based on this, why just stop at 4%/20 million? Why not 500,000% and 500 trillion?

Second is the assumption that high fines can lead companies to shut down. So what? The people in control can just float another one. There are non-falliable legal ways to circumvent that. In other words, no court of law in the world and/or no ammdndments in law can do anything against these measures. I won’t divulge these ways, but any good lawyer can help.

Third is the clear ambiguity on consequences of false accusations. If a company stands to lose any amount from such accusations, whether it be in fines and/or a dip in share price/loss of goodwill, the false accuser should be fined with the same amount.

Fourth, is the part where a data breach occurs due to the negligence of the data subject.

Laws as such leads to a scenario where the only option left would be to implant users with NFC microchip authenticators, the controls for which would rest on the users themselves.

Let’s not forget, these same group of people in the EU were the ones who failed at implementing the previous Data Protection Rules. Who let the blatant misuse of personal data continue? The GDPR would be replaced soon, as the CJEU now says that some companies have baked in the cost of fines in terms of non compliance into their OPEX and a fine might not be the optimal way to stop privacy violations.

The basic problem that proponents of such laws, people like Max Schrems had with misuse of personal data was with the government (especially the US government) having access to his personal data. Has the GDPR stopped governments in doing what they were doing? NO. As per GDPR exemptions, any government can process the data of any EU individual, under the pretext of National Safety/Public Benefit. As per GDPR, such situations fall outside the purview of the GDPR and the EU itself. Schrems has been able to do nothing in this regard. It would be funny if the US DOD installs a datacentre right at the EU parliament under the excuse of national safety.

What all of these leads to is a situation of corporate rule over a country as it’s government.

Last but not the least, let’s not forget one important fact that history has taught us humans again and again. Laws work good only till the extent of good intentions of the lawmakers.

Singapore has a robust system of data protection. Far, far less data breaches than any other nation in the world and the people over there live a lifestyle that’s far better than any other country can boast off (with average pension being more than US$ 300k). All while not having huge fines and following a strict rule of capitalism and free market ideology. A country that was a mere fishing village a few decades ago. Politicians over there have understood the necessity of not interfereing into businesses.

P.S.- You have my irrevocable and final permission to use my data as you wish. I also willingly forego of my right to request you to do anything with ny data anytime in the future.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow