RT @[email protected]

Breaking: In decisions just out, Meta is not only on the hook for privacy fines totaling nearly €400 million, but it must also — quickly — find a new legal basis for its sprawling targeted advertising empire. 🧵

https://pro.politico.eu/news/158293

🐦🔗: https://twitter.com/vmanancourt/status/1610652904188174338

Can smart EU lawyers with data protection chops help me understand the basic legal proposition of this case?
I get the Art 6 bases for processing, and how Meta’s latest maneuvers (moving from consent to contractual basis) were legally sketchy and made EDPB mad. 1/
But I don’t get at a more fundamental level why “take it or leave it” is not an option. I’m probably out of practice. 2/
Why can EDPB say “Meta, you have to offer this service on different and less profitable terms than you do now”? Why was consent not an OK basis, with FB saying “this version, where you consent to targeted ads, is the one we offer”? 3/
I’m not trying to push back (yet). I assume there’s a good answer, or else I’d see more coverage. But I haven’t found it so far. @[email protected]? @[email protected]? @[email protected]? 4/
I get that the GDPR offers a substantive baseline of privacy protection. So the US’s quasi-contractual, Lochnerian shenanigans won’t cut it. Platforms can’t offer terms below that baseline level of protection and say “the user consented, it’s fine!” 5/
But for processing that the GDPR permits with consent, if controllers can’t say “the consent-based service is the only one we offer,” it seems like there’d be endless cases where DPAs can require an alternate version of a commercial service, with different privacy tradeoffs. 6/
Like “Airlines can’t offer frequent flyer perks — tracking flight history requires consent. But passengers must also have an option to get those perks even if the airline can’t see their flight history.” 7/
It just seems like data protection rules would become deeply enmeshed with, and displace, competition or fair trade rules. 8/
Is the difference that certain kinds of businesses must offer versions that don’t require consent, and that can operate solely on some other basis? 9/

Or that the social network is one service, and the ads are another, so the GDPR rules for the social network can presume that ads are not relevant?

That one also seems like a competition policy question.

9/

Thanks, it’s late here, I assume I missed something. 10/10

@daphnehk This is a great thread and it's something that confuses me too about some of the European rulings I've seen come out.

It seems like the rulings boil down to "Internet companies offering any non-paid service in Europe must offer it free of any obligation whatsoever to the people using the service for free."

@amuse @daphnehk this is not about whatsoever obligations, it's about: which law regulates data protection (contract law, or data protection law), and about data protection, so the scope is rather narrow, and not extremely broad as you put it.

@DiogoConstantino @daphnehk I'm probably speaking much more broadly than Daphne was, sorry for being confusing there.

Beyond this specific law and case, just seems to me that the collection of EU perspectives on tech in general seems to be "You can offer free services, but you can't ask anything in return from their users"

I can totally understand from a privacy perspective why that's desirable, I'm having a harder time seeing how that's a feasible way to run tech businesses.

And I'm personally happy to just pay a small fee for ad-free, pro-privacy things but I doubt I'm in the majority.

@amuse @daphnehk running tech business doesn't require personalized advertising, personalized advertising isn't even the only way to do advertising.

If business can't get people to pay for a service that is a failing of the business plan and of the managers.

@amuse @DiogoConstantino @daphnehk isn't this a bit like saying:

seems to me that the collection of EU perspectives on tech in general seems to be "you can offer ride sharing services, but you have to treat your full time workers as employees, not independent contractors"

I can totally understand from a labour law and worker rights perspective why that's desirable, I'm having a harder time seeing how that's a feasible way to run a tech business.

@MechanicalTurk @amuse @daphnehk I'm not, however even if it is, that's a fault of the business people and of the business plan, not of the protection of what's a Human Right (privacy), and not a fault of the regulators not allowing business to try to be smart asses and avoid compliance with the Law.

@DiogoConstantino @amuse @daphnehk There is obviously a tension between allowing companies to operate without too much of a regulatory burden, and protecting users, but if you take it to the extreme, you could as easily argue that we can't tax CO2 emissions because it makes it too hard to be an oil company, or that we can't require pharma to run clinical trials, because it makes it too hard for them to be profitable.

If a company can't find a legal business model, good riddance I say.

@MechanicalTurk @amuse @daphnehk I believe personalized advertising shouldn't be allowed at all, but that's not even what's happening as a result of this.

@MechanicalTurk @DiogoConstantino @daphnehk I think it's actually a lot more like the government saying "You can offer ride sharing services, but you can't require the user to enable location sharing to summon the vehicle".

That's technically do-able, but completely changes a major pillar of what the business actually does to operate.

@amuse @MechanicalTurk @daphnehk it's a reasonable requirement for a government to do, if the business can't operate like that, it shouldn't exist
@amuse @DiogoConstantino @daphnehk it feels like you're conflating the business model and the service provided to the user here.
The ride sharing business needs to know where you are to provide the service the user is getting. A Facebook user doesn't come to Facebook for the great personalised ads, they come there for the social network.
That's why location sharing in your example is explicitly legal under EU law.

@MechanicalTurk it needs to go from where I want to go, to where I want to get, not to track where I am.

@amuse @daphnehk

@MechanicalTurk @DiogoConstantino @daphnehk Facebook does need advertising to provide the service though - nobody pays for their Facebook account.

@amuse they made their choice. Also personalized advertising is far from being the only form of advertising, it's not even the only form of doing advertising for specific audiences.

@MechanicalTurk @daphnehk

@DiogoConstantino @amuse @daphnehk exactly, they can even just ask for consent and fall back to context based ads for the people that don't give it.
@MechanicalTurk @DiogoConstantino @amuse Just catching up here, useful thread. Thanks. I think the Uber and employment law analogy (and my similar one about emissions from cars) would be apt if the rule were “FB can never offer users this harmful deal.” But isn’t it more like “Users can consent to this deal, but not on a take it or leave it basis. FB must offer an alternative.” @joris since he also mentioned employment.
@amuse @DiogoConstantino @daphnehk Meta can absolutely ask for things in return for providing a no-cost service. Just when it comes to things that require consent, like collecting personal information, they have to ASK for that consent, not just assume it. They can refuse to provide service if you don't consent, but they can't leave the whole thing about advertising unsaid and just assumed.

@tknarr That's not how it really goes, they can't refuse service if what they are asking in return is not necessary to provide the service, otherwise consent wouldn't be free and therefore lawful. This is why facebook stopped asking for consent and tried this trick.

@amuse @daphnehk

@DiogoConstantino @amuse @daphnehk Under 6(1)(n), true. However, 6(1)(a) says "the data subject has given consent to the processing of his or her personal data for one or more specific purposes". That's the one that would allow it. And yes, you can say "If you don't consent, we won't offer you service.". There's no coercion there when done BEFORE service is offered and where there's no other requirement that the service be used.
@DiogoConstantino @amuse @daphnehk There are rulings that say demanding consent isn't allowed, but they all involve cases where service has already been extended and accepted and refusing consent will take away something you had before the demand was made. Legally it's the difference between taking the customer's money and then demanding additional terms vs. demanding those terms before you'll ring up the sale.

@tknarr
You're mistaken. Consent can only be requested if it can be meaningfully refused without detriment. If the subject feels compelled to consent, the consent is not freely given, and subjects may obviously and easily feel compelled to have the service. It has nothing to do with being before or after.

@amuse @daphnehk

@DiogoConstantino @amuse @daphnehk I'm pretty sure it doesn't work that way. If it did, it would throw offer and acceptance out the window entirely. After all, by your definition their not receiving what was being offered if they didn't accept the terms offered would mean their acceptance was coerced.

@tknarr it does work this way, and this is the reason why facebook stopped using consent.

@amuse @daphnehk

@DiogoConstantino @amuse @daphnehk So, how then would contracts of any sort work if one party could always claim they were coerced (because they wouldn't receive what you offered if they didn't accept the contract's terms) thus invalidating the contract?
@daphnehk maybe this article can help: https://verfassungsblog.de/why-are-you-on-facebook/
I analyzed why the DPC interpretation was problematic. If Facebook can legitimately use contract as its legal basis for processing your personal data for targeted ads, it means that targeted ads are the reason you are on Facebook, which I doubt it is. If targeted ads are not the “counterpart” of the contract, then Facebook cannot process your data on the contract legal basis.
Hope it helps!

@daphnehk

I scanned the replies. Did a lawyer ever respond?

@jimgon Yes! On Twitter and here.

@daphnehk

The social media behavior where people respond to a question for input by “expert”, by starting with “I’m not expert, but in my opinion…” really makes life challenging.

@daphnehk the personalized ads are not a requirement for providing social media services.
@daphnehk That’s already the case. See Germany’s Federal Cartel Office 2019 case against FB/Meta regarding data collection based on competition law https://www.bundeskartellamt.de/SharedDocs/Meldung/EN/Pressemitteilungen/2019/07_02_2019_Facebook.html?nn=3591568

@daphnehk IMO there's a coherent logic - I'm not saying it's the normatively best logic, plus it seems not always technically feasible - in saying, "in order to offer any service here that uses user data in X way, you have to also offer a comparatively-functional-to-the-user version of the service that doesn't use user data in X way, somehow". Lots of ambiguities and questions inherent in that, but I do think that's the direction the EU is trying to steer the ecosystem.
@daphnehk It's more that tracking *is* their sole business for purposes of astonishingly invasive marketing but also hiring, access to services/housing/insurance. You seem to assume user-generated media is their revenue stream, but of course they see no money, zero, from the "social media" surface.

@daphnehk not a lawyer but from a pure consumer perspective I want the eu authorities to be able to insist that monetising my data to provide a service which is not actually connected to or associated with my data is not a legal business.

I don’t expect things for free, I’d expect to have to pay for a non data monetised Facebook and that would then be a take it or leave it choice which I could happily make.

@daphnehk it was facebook who decided to not use consent.
In order for consent to be free you have to be able to refuse it without consequences, if usage of service depends on consent, then consent is not free. Obviously if some data processing is required by Law, or a requirement for the service to be made it would be different, but it's not, and it's not even for providing advertising.
@daphnehk Because the basis Meta is using is "contractual necessity". The DPA is saying "You can fulfill the contract completely without personalizing ads, so you can't claim it's necessary to fulfill the contract.". Meta could get past that by making delivery of personalized ads part of the service they were contracting to deliver, no opt-out of personalization offered, but they don't want to say that openly because users wouldn't accept it.
@tknarr @daphnehk I suspect the fact that they added the requirement in later, without adding substantial new features, makes this worse. If you didn’t need agreement before, but all of a sudden you do, it is transparent that you’re just manufacturing consent.
@SamTheGeek @tknarr Or that the GDPR made them switch — changed the definition or Recitals etc. about consent, or failed to make some “clarifying” change FB had hoped for?
@daphnehk @SamTheGeek I don't think there's been any significant changes to the GDPR or its interpretation. It's just the GDPR's position is "ask clearly and explicitly for permission", Meta is doing everything they can think of to not do that, and the DPAs are responding to each attempt with "Did we stutter?".
@tknarr @SamTheGeek Maybe I’m not understanding the consent/contract difference. Is FB saying “we have a contract” or “we have consent and the contract proves it”?
@daphnehk @SamTheGeek They're saying "We have a contract, and we don't need consent because what we would need consent for is necessary to fulfill the contract.".
@daphnehk @SamTheGeek I think the real question is why is Meta so resistant to the idea of simply being open about it: "We make our money from personalized advertising. If you don't consent to us collecting your information for that purpose, we won't offer our service to you. Do you consent? Y/N"
@daphnehk The EDPB has clearly said before that consent cannot be a basis for processing in a take it or leave it basis because then it is no longer freely given. Meta would have to offer a tracking-free variant of its services (not necessarily for free, methinks) in order to be able to claim that consent is freely given. Which is an unattractive proposition given their intrinsically problematic business model.
@daphnehk I am not smart, nor EU, nor a lawyer. But I also raised questions about this... and in response got yelled at for daring to question the GDPR.
@mmasnick @daphnehk You got screamed at for misrepresenting the GDPR in a rather Silicon Valley way that had grown pretty old by then, iirc.

@whvholst @daphnehk I don't know if you were the one doing the yelling, but I find an odd characteristic in all the yelling: silly accusations like "silicon valley way" WITHOUT ANY ACTUAL explanation of what it is people think I got wrong.

I continue to stand by my claims, and the lack of actual explanations of any errors, and just nonsense ad homs, suggests... that it's just some sorta weird GDPR fandom.

@mmasnick @daphnehk It is just so tiresome, especially considering that the data protection principles originated in the US, to see so many US media staying almost willfully ignorant of them. Many of us on this side of the pond are pretty much fed up with that attitude and yes, that may lead to collateral damage. At the same time it is very grating that US media does a better job on reporting on enforcement of the GDPR than European media does.
@mmasnick @daphnehk And no, the GDPR isn't holy writ, it has plenty of faults. Just rarely the ones that are attributed to it by US commentators.