Max Schrems

Our only defense against surveillance capitalism in the short run is to avoid being surveilled. Quitting platforms which suck personal information out of you is essential to protect privacy. Avoiding cookies and trackers is another way to protect yourself.

I’m a compulsive history clearer. My history is cleared automatically when the browser (either Firefox or Safari) is closed. Sometimes I’ll clear much of it selectively in mid session. I NEVER use Chrome which is just a vacuum cleaner of personal info for Google. And speaking of Google, it’s rare for me ever to be signed in there.

To control your personal information it’s necessary to be proactive and to endure a little inconvenience. I see this inconvenience as minor and beneficial – in the same way that conscientious recycling is in the long run.

But ultimately, legislation is needed to protect internet users. There are plenty of precedents. We already have laws to protect safety, to ensure pure food and pharmaceuticals, and to regulate financial transactions. It’s long overdue for online privacy to get the same treatment.

There need to be limits on personal information which online commercial entities can collect, store, and share. 

I've seen a number of people worried and concerned about this language on Ao3s current "agree to these terms of service" page. The short version is:

Don't worry. This isn't anything bad. Checking that box just means you forgive them for being US American.

Long version: This text makes perfect sense if you're familiar with the issues around GDPR and in particular the uncertainty about Privacy Shield and SCCs after Schrems II. But I suspect most people aren't, so let's get into it, with the caveat that this is a Eurocentric (and in particular EU centric) view of this.

The basic outline is that Europeans in the EU have a right to privacy under the EU's General Data Protection Regulation (GDPR), an EU directive (let's simplify things and call it an EU law) that regulates how various entities, including companies and the government, may acquire, store and process data about you.

The list of what counts as data about you is enormous. It includes things like your name and birthday, but also your email address, your computers IP address, user names, whatever. If an advertiser could want it, it's on the list.

The general rule is that they can't, unless you give explicit permission, or it's for one of a number of enumerated reasons (not all of which are as clear as would be desirable, but that's another topic). You have a right to request a copy of the data, you have a right to force them to delete their data and so on. It's not quite on the level of constitutional rights, but it is a pretty big deal.

In contrast, the US, home of most of the world's internet companies, has no such right at a federal level. If someone has your data, it is fundamentally theirs. American police, FBI, CIA and so on also have far more rights to request your data than the ones in Europe.

So how can an American website provide services to persons in the EU? Well… Honestly, there's an argument to be made that they can't.

US websites can promise in their terms and conditions that they will keep your data as safe as a European site would. In fact, they have to, unless they start specifically excluding Europeans. The EU even provides Standard Contract Clauses (SCCs) that they can use for this.

However, e.g. Facebook's T&Cs can't bind the US government. Facebook can't promise that it'll keep your data as secure as it is in the EU even if they wanted to (which they absolutely don't), because the US government can get to it easily, and EU citizens can't even sue the US government over it.

Despite the importance that US companies have in Europe, this is not a theoretical concern at all. There have been two successive international agreements between the US and the EU about this, and both were struck down by the EU court as being in violation of EU law, in the Schrems I and Schrems II decisions (named after Max Schrems, an Austrian privacy activist who sued in both cases).

A third international agreement is currently being prepared, and in the meantime the previous agreement (known as "Privacy Shield") remains tentatively in place. The problem is that the US government does not want to offer EU citizens equivalent protection as they have under EU law; they don't even want to offer US citizens these protections. They just love spying on foreigners too much. The previous agreements tried to hide that under flowery language, but couldn't actually solve it. It's unclear and in my opinion unlikely that they'll manage to get a version that survives judicial review this time. Max Schrems is waiting.

So what is a site like Ao3 to do? They're arguably not part of the problem, Max Schrems keeps suing Meta, not the OTW, but they are subject to the rules because they process stuff like your email address.

Their solution is this checkbox. You agree that they can process your data even though they're in the US, and they can't guarantee you that the US government won't spy on you in ways that would be illegal for the government of e.g. Belgium. Is that legal under EU law? …probably as legal as fan fiction in general, I suppose, which is to say let's hope nobody sues to try and find out.

But what's important is that nothing changed, just the language. Ao3 has always stored your user name and email address on servers in the US, subject to whatever the FBI, CIA, NSA and FRA may want to do it. They're just making it more clear now.

Europe’s most famous privacy activist, Max Schrems, landed another blow against Meta today after the EU’s top court ruled the tech giant cannot exploit users’ public statements about their sexual orientation for online advertising.

Since 2014, Schrems has complained of seeing advertising on Meta platforms targeting his sexual orientation. Schrems claims, based on data he obtained from the company, that advertisers using Meta can deduce his sexuality from proxies, such as his app logins or website visits. Meta denies it showed Schrems personalized ads based on his off-Facebook data, and the company has long said it excludes any sensitive data it detects from its advertising operations.

The case started with Schrems challenging whether this practice violated Europe’s GDPR privacy law. But it took an unexpected turn when a judge in his home country of Austria ruled Meta was entitled to use his sexuality data for advertising because he had spoken about it publicly during an event in Vienna. The Austrian Supreme Court then referred the case to the EU’s top court in 2021.

Today, the Court of Justice of the European Union (CJEU) finally ruled that a person’s sexual orientation cannot be used for advertising, even if that person speaks publicly about being gay.

“Meta Platforms Ireland collects the personal data of Facebook users, including Mr. Schrems, concerning those users’ activities both on and outside that social network,” the court said. “With the data available to it, Meta Platforms Ireland is also able to identify Mr. Schrems’ interest in sensitive topics, such as sexual orientation, which enables it to direct targeted advertising at him.”

The fact that Schrems had spoken publicly about his sexual identity does not authorize any platform to process related data to offer him personalized advertising, the court added.

“Now we know that if you're on a public stage, that doesn't necessarily mean that you agree to this personal data being processed,” says Schrems, founder of the Austrian privacy group NOYB. He believes only a handful of Facebook users will have the same issue. “It's a really, really niche problem.”

The CJEU also ruled today Meta has to limit the data it uses for advertising more broadly, essentially setting ground rules for how the GDPR should be enforced. Europe’s privacy law means personal data should not be “aggregated, analyzed, and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data,” the court said in a statement.

“It's really important to set ground rules,” says Katharina Raabe-Stuppnig, the lawyer representing Schrems. “There are some companies who think they can just disregard them and get a competitive advantage from this behavior.”

Meta said it was waiting for the CJEU’s judgment to be published in full. “Meta takes privacy very seriously and has invested over 5 billion Euros to embed privacy at the heart of all of our products,” Meta spokesperson Matt Pollard told WIRED. “Everyone using Facebook has access to a wide range of settings and tools that allow people to manage how we use their information."

Schrems has been a prolific campaigner against Meta since a legal challenge he made resulted in a surprise 2015 ruling invalidating a transatlantic data transfer system over concerns US spies could use it to access EU data. His organization has since filed legal complaints against Meta’s pay-for-privacy subscription model and the company’s plans to use Europeans’ data to train its AI.

“It's major for the whole online advertisement space. But for Meta, it's just another one in the long list of violations they have,” says Schrems, of this latest ruling. “The walls are closing in.”

Noyb filed 11 complaints over Meta’s data use for AI training

Digital rights NGO Noyb filed 11 complaints across Europe over changes in Meta’s privacy policy allowing it to use posts and images to train its artificial intelligence (AI) model.

Noyb, founded by Austrian activist and lawyer Max Schrems, filed some of the most serious privacy complaints in the EU on Thursday (6 June), according to Euractiv.

The company is demanding a ruling from 11 data protection authorities in Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland, and Spain before the changes come into force on 26 June.

However, Meta is “confident” that it complies with EU privacy laws. The statement said Meta “develops AI responsibly” before submitting it to the EU and the UK, and uses publicly available information.

This is the latest step in the battle over what data can be used to train AI models. Generative artificial intelligence, such as chatbots (ChatGPT) and image generators (Midjourney), reportedly use vast amounts of data, often extracted from the internet without user consent, to train models that can then generate content.

Read more HERE

The European Commission has announced a pact with the US to allow easier legal transfer of personal data across the Atlantic.

Data privacy activists vowed to challenge the agreement in court.

President Joe Biden and EU officials welcomed the deal, which overcame objections about US intelligence agencies' access to European data.

The deal ensures Meta, Google and other tech giants can continue sharing information with the US.

Two previous attempts to create a legal framework on US-EU data sharing had been shot down in European courts over privacy concerns.

Monday's pact aims to ease European concerns over any personal information that ends up shared with US intelligence agencies.

Americans are mostly shielded legally from electronic snooping by US spy agencies, but foreigners are not.

The EU-US agreement allows Europeans to object if they suspect their data has been collected by American intelligence.

A Data Protection Review Court, made up of US judges, will be created to hear the claims.

The EU-US Data Privacy Framework, which goes into effect on Tuesday, also pledges only "necessary and proportionate" data will be collected.

EU Justice Commissioner Didier Reynders said the "robust" agreement meant "personal data can now flow freely and safely" from Europe to the US.

But non-profit group NOYB (None of Your Business), led by Austrian privacy activist Max Schrems, vowed to challenge the decision.

Mr Schrems said in a statement: "Just announcing that something is 'new,' 'robust' or 'effective' does not cut it before the [European] Court of Justice.

"We would need changes in US surveillance law to make this work and we simply don't have it."

Mr Schrems previously challenged Facebook's storage of data, saying it violated his European privacy rights, and the European Union's top court agreed.

President Biden paved the way for the final deal by issuing an executive order in October 2022 requiring US intelligence officials to add more data collection protections while balancing them with national security concerns.

Compared with the EU, the US has lenient privacy laws.

In May, the EU hit Facebook owner Meta with a $1.3bn (£1bn) fine, ordering the company to stop sharing European users data across to the US.

Meta has said without a legal outline for data transfers, it would be forced to stop providing its products and services in Europe.

Jahreskonferenz der Plattform Privatheit

Freiheit in digitalen Infrastrukturen

... war der Titel der diesjährigen Jahreskonferenz der Plattform Privatheit am letzten Donnerstag und Freitag in der Berliner Villa Elisabeth. Aktion Freiheit statt Angst e.V. war mit mehreren Aktiven dabei. Für das viele Forschungsgebiete umfassende Programmheft verweisen wir dorthin.

Ziel der Plattform ist es ja gerade, die aus der Digitalisierung entstehende Probleme auf die verschiedenen Gebiete Jura, Soziologie, Politik, Psychologie herunterzubrechen und die Experten von dort mit einzubinden.

Im Folgenden wollen wir keine Inhaltsangabe versuchen, sondern beschränken uns auf einige Highlights, die uns ins Auge gesprungen sind.

Keynote: Pay or Okay

In seinem Vortrag berichtet der österreichische Datenschützer Max Schrems (NOYB – Europäisches Zentrum für digitale Rechte) über die Probleme, wenn man vor die Wahl gestellt wird, einem Web Auftritt mit Werbung oder als Abo zuzustimmen. Die Frage nach der Datenschutzgrundverordnung ist dann nämlich, ist das noch eine freiwillige Zustimmung?

Österreichische Gerichte hatten entschieden, dass von einer Freiwilligkeit auszugehen ist, wenn dies günstiger ist als ein Print Abo. Fragt man jedoch die Menschen nach der Freiwilligkeit, so ergibt sich, dass

3-10 % mit der Werbung einverstanden wären,

aber 50-70 % darauf hereinfallen,

und im Endergebnis 99 % bei den umständlichen Fragen zum Abschluss eines Abonnements (Name Adresse Bankverbindung, weitere Zustimmungen und Einwilligungen) aufgeben.

Die Preise für Abonnements variieren in verschiedenen europäischen Staaten, so wären es für eine Familie in Österreich 35 € im Monat, in Deutschland nur 12,50 €. Allein ein Abo für die 100 Top Webseiten (Zeitungen/Zeitschriften) würde eine deutsche Familie mit 150 € im Monat belasten. Sozial schwache Menschen können sich dies nicht leisten – ist das noch freiwillig? Gleichheit verlangt auch gleiche Teilhabe.

Wichtig in diesem Zusammenhang ist seine Feststellstellung, dass die wichtigen Print Verlage durch das Verfahren durchschnittlich nur 0,8 % mehr an Einnahmen generieren. Für die Verlage ist dies eigentlich unwesentlich, aber sie wollen mit einem Abo „den Fuß in die Tür des Kunden bekommen“.

Wir müssen nun das Urteil des EuGH zum Fall "Zustimmen oder Abo"  abwarten. Eine weitere Erkenntnisse die bei seinen Untersuchungen heraus kam war, dass entweder die Einwilligung  bei einige Webseiten DSGVO-widrig nicht abgefragt wird oder sogar trotz eines „nein“ getrackt wurde.

Panel „Freiheit mit allen Mitteln?“

In dem Panel „Freiheit mit allen Mitteln?“ ging es ebenfalls um GAFAM, die 5 großen Internetkonzerne, deren Umsatzgröße die Haushalte vieler europäische Staaten übertrifft. Ein wichtige Frage war beim Thema Smart Home wer in einer Familie den Admin spielt, beziehungsweise die Entscheidungen über die Überwachung der restlichen Familienmitglieder trifft.

Zur Unterscheidung zwischen analog und digital wird festgestellt, dass man in der analogen Welt circa fünf Verträge pro Jahr abschließt, während es in der digitalen Welt einige 100 pro Jahr sein können. Damit sind die Menschen völlig überfordert und lesen nicht in was sie einwilligen (AGB).

Entgegen getreten wird auch der Auffassung "meine Daten gehören mir". Das ist  falsch, da Daten nie normales Eigentum sind. Daten dürfen keine Handelsware sein, denn auch nach dem Verkauf sagen Sie weiter etwas über mich aus - sie bleiben „meine Daten“ (Alexander Roßnagel). Nur physische Dinge können Eigentum sein, die Kommunikationsordnung ist keine Eigentumsordnung, auch wenn der Data Act dies eventuell anders sieht.

Zu den erfolgreiche Klagen gegen große Internetkonzerne und die verhängten Bußgelder wird angemerkt: Zehn Jahre wurde gegen META geklagt, am Ende war der Prozess gewonnen. Doch es nützt nichts, denn META behauptet, dass inzwischen bei ihnen alles anders geregelt wäre. So bleibt uns nur übrig, erneut zu klagen.

Keynote: Digitale Infrastrukturen und Geopolitik

Frau Ingrid Schneider von der Uni Hamburg untersuchte in ihrem Projekt die Globalisierung des Internets. So hat sie in verschiedenen Ländern vor allem des Südens die dortige Datenschutzgrundlagen untersucht. Dabei hat sie teilweise erschreckende Erkenntnisse über die Lebensrealität und das Gebaren der großen Internetgiganten gewonnen. Positiv ist zu vermerken, dass die Länder der BRICS Staaten ebenfalls das Ziel haben, wie die EU, gegen GAFAM vorzugehen. Allerdings ist ihre Durchsetzungskraft noch geringer als die der EU. Negativ ist zum Beispiel die Erkenntnis, dass in Südafrika viele Menschen bis zu 9 Stunden pro Tag online sind, 4-5 Stunden täglich sind dort normal. Erklärlich ist dies dadurch, dass das Handy der einzige Internetzugang ist und fast sämtliche Bezahlvorgänge damit geschehen.

In Südafrika gibt es seit 2021 den POPI Act als Grundrecht für den Datenschutz. Die Bußgelder sind für GAFAM allerdings viel zu niedrig. Fazit: Der Datenschutz ist schwach aber vorhanden.

In Brasilien haben viele Menschen einen zeitlich, bzw. datenmäßig limitierten Zugang zum Internet, so dass bereits Mitte des Monats bei Vielen ihr Datenvolumen erschöpft ist. Meta hat bei den brasilianischen Telekommunikationsunternehmen durchgesetzt, dass der Zugang zu Meta in diesem Limit nicht berechnet wird. Die Folge ist, dass für viele Brasilianer das Internet praktisch nur aus den Diensten von Meta (Facebook, WhatsApp, Instagram) besteht.

In Indien gibt es seit 2017 ein Grundrecht auf Privatheit. Allerdings gehen indische Gerichte bei Klagen regelmäßig von einer „angenommenen Zustimmung“ aus. China: So wie wir gegen GAFAM kämpfen, so geht der chinesische Staat gegen BAT vor (Baidoo, Alibaba, Tencent), um die Macht der eigenen Internetkonzerne gegenüber der Staatsführung in Grenzen zu halten. Die EU ist unberechtigter Weise stolz auf den so genannten Brüssel-Effekt. Danach werden die Regeln in der EU von den großen Internet Konzernen in Teilen bei ihren Implementationen übernommen, da die EU versucht hat die EU-Datenschutzregeln auch in internationale Handelsverträge einzubringen. Allerdings haben die Internetkonzerne ihre Software inzwischen modularisiert, so dass sie je nach lokalen Datenschutzregeln diese entweder ein- oder ausschalten können.

Fazit von Frau Schneiders Vortrag: 82 % der Staaten auf der Welt haben Regeln zum Datenschutz, Lediglich die USA und Iran haben überhaupt keine. In den USA gilt seit den neunziger Jahren die Section 206, die die Anbieter von Internetdiensten von jeglicher Haftung frei stellt.

Aufbau eines EU-weiten Offenen Web Index

Das Projekts über den Aufbau eines EU-weiten Offenen Web Index (PRIDI) wird unterstützt von der Open Search Foundation und ist sehr wichtig, um die fast 100%-ige Dominanz von Google zu brechen. Die Aufgaben des Web Index umfassen das Crawling, die Speicherung, die Analyse und die Aufbereitung der Information. Das ist ein sehr umfangreiches Unterfangen. Auch die geplante Nutzung des Web Index geht von der Suchanfrage über den Abgleich mit dem Index, dem Setzen einer Rangfolge und der Anzeige der Ergebnisse einen weiten Weg.

Da Google für den Aufbau seiner Suchmaschine viele Milliarden investiert hat und mehr als zehn Jahre gebraucht hat, wäre der Offene Web Index zwar sehr wünschenswert, wird aber bei den begrenzten Mitteln der EU dafür (einige 10 Millionen Euro) kaum durchsetzbar sein.

Privatheit versus individuelles Nutzerverhalten

1,8 Milliarden Bilder werden pro Tag auf Instagram hochgeladen. Es sind meist idealisierte Körper und damit Fake Bilder des Menschen. Hinzu kommen nun KI generierte Bilder, die ebenfalls nicht das reale Menschenbild wiedergeben. Es bleibt der Kampf zwischen „Freedom versus Liberty“ (Freiheit gegen Unternehmensfreiheit). Fazit: Der Staat muss Standards definieren.

Natürlich gab es viele weitere Erkenntnisse aus den beiden Tage zu gewinnen. Die Vorträge und Diskussionen werden als Text und auch als Videos auf den Webseite der Plattform Privatheit sichtbar bleiben.

Mehr dazu bei https://plattform-privatheit.de/p-prv/jahreskonferenzen/jahreskonferenz-2024.php

Kategorie[26]: Verbraucher- & ArbeitnehmerInnen-Datenschutz Short-Link dieser Seite: a-fsa.de/d/3Do Link zu dieser Seite: https://www.aktion-freiheitstattangst.org/de/articles/8939-20241020-jahreskonferenz-der-plattform-privatheit.html

UE determina que Meta limite dados para anúncios personalizados #ÚltimasNotícias #tecnologia

Hot News A União Europeia (UE) determinou, na última sexta-feira (4), que a Meta diminua a quantidade de dados pessoais utilizados na região para criação de propagandas publicitárias personalizadas. A decisão veio do Tribunal de Justiça da União Europeia (TJUE) após queixa de Max Schrems, ativista de privacidade, afirmando que o Facebook usou seus dados pessoais acerca de sua orientação sexual,…

View On WordPress

UE determina que Meta limite dados para anúncios personalizados

A União Europeia (UE) determinou, na última sexta-feira (4), que a Meta diminua a quantidade de dados pessoais utilizados na região para criação de propagandas publicitárias personalizadas. A decisão veio do Tribunal de Justiça da União Europeia (TJUE) após queixa de Max Schrems, ativista de privacidade, afirmando que o Facebook usou seus dados pessoais acerca de sua orientação sexual, de forma…

Meta Can't Use Sexual Orientation to Target Ads in the EU, Court Rules

Morgan Meaker for WIRED:

Europe's most famous privacy activist, Max Schrems, landed another blow against Meta today after the EU's top court ruled the tech giant cannot exploit users' public statements about their sexual orientation for online advertising.

…

Today, the Court of Justice of the European Union (CJEU) finally ruled that a person's sexual orientation cannot be used for advertising, even if that person speaks publicly about being gay.

…

The CJEU also ruled today Meta has to limit the data it uses for advertising more broadly, essentially setting ground rules for how the GDPR should be enforced. Europe's privacy law means personal data should not be "aggregated, analyzed, and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data," the court said in a statement.

How do we get one of him for the U.S. Well, I guess we'd need a GDPR for the U.S. first, which isn't happening any time soon

Meta should restrict information for personalised adverts

Fb-owner Meta should minimise the quantity of individuals’s information it makes use of for personalised promoting, the EU’s highest court docket says. The Courtroom of Justice for the European Union (CJEU) dominated in favour of privateness campaigner Max Schrems, who complained that Fb misused his private information about his sexual orientation to focus on adverts at him. In complaints first…

Max Schrems wins privacy case against Meta over data on sexual orientation

https://apnews.com/article/facebook-meta-schrems-privacy-80fd4e6c59f48a3b583d6665af3ede86

Meta should restrict knowledge for personalised advertisements

Fb-owner Meta should minimise the quantity of individuals’s knowledge it makes use of for personalised promoting, the EU’s highest court docket says. The Courtroom of Justice for the European Union (CJEU) dominated in favour of privateness campaigner Max Schrems, who complained that Fb misused his private knowledge about his sexual orientation to focus on advertisements at him. In complaints…

Mozilla Hit With Privacy Complaint Over Firefox User Tracking | Daily Reports Online

Vienna-based advocacy group NOYB on Wednesday said it has filed a complaint with the Austrian data protection authority against Mozilla accusing the Firefox browser maker of tracking user behaviour on websites without consent. NOYB (None Of Your Business), a digital rights group founded by privacy activist Max Schrems, said Mozilla has enabled a so-called privacy preserving attribution (PPA)…

Digital rights NGO files complaints against European Parliament for data leakage

Following a major breach of the European Parliament’s hiring system in April 2024, when sensitive personal information was exposed, digital rights NGO Noyb has filed two legal complaints for alleged breaches of data protection law.

In May, the Parliament said it had experienced a data breach in its PEOPLE recruitment app, used to hire temporary staff. It was confirmed that the leak occurred in April, when sensitive personal data, such as identity documents, criminal records, and work experience, were exposed.

Parliament recommended that affected individuals replace their ID cards and passports as a precautionary measure, offering to cover the costs involved.

Now the NGO Noyb, the European Centre for Digital Rights, has lodged two complaints with the European Data Protection Supervisor (EDPS) on behalf of four parliamentary staff, noting that the data of more than 8,000 employees, including that of former employees, has been affected. Max Schrems, activist and chairman of Noyb, said:

As an EU citizen, it is worrying that EU institutions are still so vulnerable to attacks. Having such information floating around is not only frightening for the individuals affected, but it can also be used to influence democratic decisions.

Personal data processing requirements

Noyb believes that the breach highlights Parliament’s failure to comply with the General Data Protection Regulation (GDPR) on data minimisation and retention.

The data minimisation rules require organisations to collect and retain the minimum amount of personal data necessary for a particular purpose. Meanwhile, the data retention requirement sets limits on how long this data can be retained, ensuring that it is not kept for longer than necessary.

One of the legal complaints concerns Parliament’s refusal to delete the data after the leak, citing a 10-year retention policy, despite the complainant’s concerns and the fact that he had not worked at the EU institution for many years. The NGO also called on EDPS to use its remedial powers to bring the EU institution into compliance and impose an administrative fine to prevent future breaches.

The leaked files may contain sensitive data that must be protected under the GDPR, including ethnicity, political views, and sexual orientation. One of the plaintiffs emphasises that an uploaded marriage certificate inadvertently revealed an employee’s sexual orientation.

Read more HERE