WELCOME to Connected Rights, your ruby slippers on the yellow-brick road of digital rights news and analysis.
THE INTRODUCTION OF THE GDPR HAS BEEN nothing if not dramatic, so what the heck, let’s focus on that today. (Don’t worry, there’s a bit of non-GDPR-related stuff towards the end.)
The complaints: One of the GDPR’s fun bits is the fact that it allows non-profits to launch complaints on behalf of people who might be affected. The aim here is to encourage well-thought-out complaints written by people who know the law, so regular people aren’t forced to bone up on this stuff in order to defend their rights.
Max Schrems and his NOYB (“None Of Your Business”) group took mere minutes to whack Google and Facebook with a series of four “forced consent” complaints across four different jurisdictions, apparently to ensure that data protection authorities coordinate their efforts. So it’s a Facebook case in Austria, an Instagram case in Belgium, a WhatsApp case in Hamburg and an Android case in France. And Schrems told me there are more coming.
Then, on Monday, the French digital rights group La Quadrature du Net followed up with seven complaints, lodged with the French regulator CNIL. This time the targets are (deep breath) Facebook, Gmail, YouTube, Google Search, Apple, Amazon and LinkedIn. Again, there are more coming – La Quad prepped for its offensive by getting more than 12,000 people to sign up as participants in the complaints, and its material made clear that it would also be complaining about Android, WhatsApp, Instagram, Skype and Outlook.
CNIL advised La Quad that it would be better to keep its complaints down to seven for now, in order to stop the case from getting over-complicated right at the start (and presumably to preserve CNIL’s sanity).
In case you’re wondering what the forced consent issue is, Article 7(4) of the GDPR says: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
In other words, if you’re forcing people to consent to having their data exploited for reasons other than providing the core service, in order to let them use the core service, then that probably doesn’t count as real consent. And guess what all these services do?
Adpocalypse Now: The digital media and marketing news site Digiday has a handy article – illustrated with a mushroom cloud emblazoned with the EU stars – breaking down the immediate impact the GDPR has had on the programmatic ad (aka targeted ad, aka surveillance) industry.
Ad demand volumes have plummeted “between 25 and 40 percent in some cases”. That means publishers are suddenly very scared about running surveillance-based advertising on their websites. American publishers have particularly taken fright, and some have “halted all programmatic ads on their European sites”.
Examples of news sites that no longer seem to carry targeted ads in Europe include USA Today and the New York Times. Some publishers – notably “Tronc”, the ridiculously-named company behind the Chicago Tribune and LA Times – are now entirely blocking Europeans from reading their stuff.
The total-blocking approach is just silly, of course, though it’s worth noting that Tronc (formerly known as Tribune Publishing) has no European presence to speak of anyway, and also insists that it’s a data company now. But what about those sites that have just gotten rid of targeted ads? Well done to them! If they can’t figure out a way to make targeted advertising work without trampling all over people’s rights, then the targeted advertising needs to go.
The Washington Post is compensating by whacking a 50% premium on its subscription rate for EU readers, who will no longer see any on-site advertising or endure any third-party ad tracking on that site. That’s fair, as long as the Post honours its commitment, though it does seem to be going a bit far – it is possible to run ads without tracking people; it’s how advertising used to work, after all.
The environmental impact: The what now? Oh yes, it turns out that article pages that aren’t trying to communicate with a gazillion different tracking services contain a lot less data, which not only means faster loading times and cheaper phone usage – it also reduces the reader’s carbon footprint. They did warn that the GDPR would have unintended consequences…
The mass misreadings: By now you should hopefully be aware that those many requests for you to re-consent to receiving emails were almost all unnecessary – if you signed up for something then you don’t need to consent again, and if they didn’t have your permission to email you then they shouldn’t even be sending those emails out.
But while the email tsunami has mostly been frustrating or amusing, depending on the case, in some cases it’s just been tragic. Consider the case of the Glasgow Children’s Hospital Charity, which seems to genuinely believe that it must stop contacting its donors unless they reply to its emails.
Won’t someone think of the AI? Tech law ace Lilian Edwards already has – I interviewed her on the clash between the GDPR and machine learning technology.
To support my work, why not become a patron of Connected Rights or buy my book, Control Shift?
PAPUA NEW GUINEA IS SHUTTING DOWN FACEBOOK for a month so regulators can “carry out research and analysis of its use”. That really means the collection of information on miscreants who set up fake accounts and use the service to spread “fake news” and other “false and misleading information”.
“One month is an interesting time limit for a ban,” Dr Aim Sinpeng from the University of Sydney told the Grauniad. “I am not exactly sure what they think they can achieve, and why a ban is necessary. You can do Facebook analysis without it. And what data are the government collecting?”
SOUTH AFRICAN’S DATA PROTECTION AUTHORITY has offered its assistance in the investigation into online traffic fine service Viewfines, which seems to have accidentally leaked almost a million records of people’s ID numbers, plaintext passwords and other details.
THE PROPRIETORS OF ONLINE PORN GIANT PORNHUB have released their own virtual private network (VPN) service, so users can protect their privacy online. You don’t have to be a Pornhub subscriber to use it, but I can’t think of a bigger red flag suggesting you’re doing something naughty online. Also, the free version hits you with ads, unless you pay $12.99 a month.