EU to Facebook: 'Drop Dead'

A leak from the European Data Protection Board reveals that the EU’s top privacy regulator is about to overrule the Irish Data Protection Commission and declare Facebook’s business model illegal, banning surveillance-based ads without explicit consent:

https://noyb.eu/en/noyb-win-personalized-ads-facebook-instagram-and-whatsapp-declared-illegal

In some ways, this is unsurprising. Since the GDPR’s beginning, it’s been crystal clear that the intention of the landmark privacy regulation was to extinguish commercial surveillance and ring down the curtain on “consent theater” — the fiction that you “agree” to be spied on by clicking “I agree” or just by landing on a web-page that has a link to some fine-print.

Under the GDPR, the default for data-collection is meaningful consent, meaning that a company that wants to spy on you and then sell or use the data it gathers has to ask you about each piece of data they plan to capture and each use they plan to make of it.

These uses have to be individually enumerated, and the user has to actively opt into giving up each piece of data and into each use of that data. That means that if you’re planning to steal 700 pieces of information from me and then use it in 700 ways, you need to ask me 1,400 questions and get a “Yes” to each of them.

What’s more, I have to be given a single tickbox at the start of this process that says, “No to all,” and then I have to be given access to all the features of the site or service.

The point of this exercise is to reveal consent theater for the sham it is. For all that apologists for commercial surveillance insist that “people like ads, so long as they’re well-targeted” and “the fact that people use high-surveillance services like Facebook shows a ‘revealed preference’ for being spied on,” we all know that no one likes surveillance.

There’s empirical proof of this! When Apple added one-click tracker opt-out on its Ios platform, 96% of users opted out, costing Facebook more than $10b in the first year (talk about a ‘revealed preference!’) (of course, Apple only opted those users out of tracking by its rivals, and secretly continued highly invasive, nonconsenual tracking of its customers):

https://pluralistic.net/2022/11/14/luxury-surveillance/#liar-liar

Properly enforced, the GDPR would have upended the order of the digital world: any argument about surveillance between product managers at a digital firm would have been settled in favor of privacy, because the pro-privacy side could argue that no one would give consent, and the very act of asking would scare off lots of users.

But the GDPR wasn’t properly enforced, thanks to structural problems with European federalism itself. The first line of GDPR enforcement came from privacy regulators in whatever country a privacy-violator called home. That meant that when Big Tech companies violated the GDPR, they’d have to account for themselves to the privacy regulator in Ireland.

For multinational corporations, Ireland is what old-time con-artists used to call a “made town,” where the cop on the beat is in on the side of the criminals. Ireland’s decision to transform itself into a tax haven means that it can’t afford to upset the corporations that fly Irish flags of convenience and maintain the pretense that all their profits are floating in a state of untaxable grace in the Irish Sea.

That’s because there are plenty of other EU countries that compete with Ireland in the international race to the bottom on corporate governance: Malta, Luxembourg, the Netherlands, Cyprus, etc (and of course, there’s post-Brexit UK, where the plan is to create an unregulated haven for the worst, wealthiest companies in the world).

All this means that seeking Irish justice from a corporation that wronged you is like asking a court in Moscow to punish an oligarch’s commercial empire on your behalf. Irish regulators are either “dingo babysitters” (guards in league with the guarded) or resource-starved into ineffectual torpor.

That’s how Facebook got away with violating the GDPR for so many years. The company hid behind the laughable fairy-tale that it didn’t need our consent to spy on us because it had a “legitimate purpose” for its surveillance, namely, that it was contractually obliged to spy on us thanks to the “agreement” we clicked on when we signed up for the service.

That is, you and Facebook had entered into a contract whereby Facebook promised you that it would spy on you, and if it didn’t spy on you, it would be violating that promise.

Har.

Har.

Har.

But while the GDPR has a structural weakness — allowing corporations to choose to be regulated in countries that can’t afford to piss them off — it also has a key strength: the private right of action, that is, the right of individuals to sue companies that violate the law, rather than having to convince a public prosecutor to take up their case.

https://www.eff.org/deeplinks/2019/01/you-should-have-right-sue-companies-violate-your-privacy

The private right of action is vital to any privacy regulation, which is why companies fight it so hard. Whenever a privacy bill with a private right of action comes up, they tell scare-stories about “ambulance chasers” who’ll “clog up the system,” trotting out urban legends like the McDonald’s Hot Coffee story:

https://pluralistic.net/2022/06/12/hot-coffee/#mcgeico

But here we are, in the last days of 2022, and the private right of action is about to do what the Irish regulators wouldn’t do: force Facebook to obey the law. For that, we can thank Max Schrems and the nonprofit he founded, noyb.

Schrems, you may recall, is the Austrian activist, who, as a Stanford law student, realized that EU law barred American tech companies from sending their surveillance data on Europeans to US data-centers, which the NSA and other spy agencies treated as an arm of their own surveillance projects:

https://pluralistic.net/2020/07/16/text-adventures-resurgent/#nein

Schrems brought a case against the Irish regulator to the EU’s top privacy authority, arguing that it had failed its duty by ruling that Facebook’s “contractual obligation” excuse held water. According to the leaked report, Schrems has succeeded, which means, once again, Facebook’s business model is illegal.

Facebook will doubtless appeal, but the writing is on the wall here: it’s the end of the line for surveillance advertising in Europe, an affluent territory with 500m+ residents. This decision will doubtless give a tailwind to other important privacy cases in the EU, like Johnny Ryan’s case against the ad-tech consortium IAB over its “audience taxonomy” codes:

https://pluralistic.net/2021/06/16/inside-the-clock-tower/#inference

It’s also likely good news for Schrems’ other ongoing cases, like the one he’s brought against Google:

https://pluralistic.net/2020/05/15/out-here-everything-hurts/#noyb

Facebook has repeatedly threatened to leave the EU if it is required to stop breaking the law:

https://pluralistic.net/2020/09/22/uncivvl/#fb-v-eu

This is a pretty implausible threat, growing less plausible by the day. The company keeps delivering bad news to investors, who are not mollified by Mark Zuckerberg’s promise to rescue the company by convincing all of humanity to spend the rest of their lives as highly surveilled, legless, sexless, low-polygon cartoon characters:

https://www.fool.com/investing/2022/12/06/why-meta-platforms-stock-dove-today/

Zuckerberg and his entire senior team have seen their net worth plummet with Meta’s share price, and that means the company needs to pay engineers with actual dollars, rather than promises of shares, which kills the massive wage-bill discount the company has enjoyed. This is not a company that can afford to walk away from Europe!

Between Apple’s mobile (third-party) tracker-blocking and the EU calling time on surveillance ads, things are looking grim for Facebook. You love to see it! But things could get even worse, and soon, thanks to the double-edged sword of “network effects.”

Facebook is a network effects business: people join the service to socialize with the people who are already there — then more people join to socialize with them. But what network effects give, they can also take away: a service that gets more valuable when a new user signs up loses value when that user leaves.

This is beautifully explained in danah boyd’s “What if failure is the plan?” which recounts boyd’s experiences watching MySpace unravel as key nodes in its social graph disappeared when users quit: “Failure of social media sites tends to be slow then fast”:

http://www.zephoria.org/thoughts/archives/2022/12/05/what-if-failure-is-the-plan.html

Facebook long understood this, which is why it spent years creating artificial “switching costs” — penalties it could impose on users who quit, such as the loss of their family photos:

https://www.eff.org/deeplinks/2021/08/facebooks-secret-war-switching-costs

This is why Facebook and other tech giants are so scared of interoperability, and why they are so furious about the new EU Digital Markets Act (DMA), which will force them to allow new services to connect to their platforms, so that users who quit Big Tech won’t have to lose their friends or data:

https://www.eff.org/deeplinks/2022/04/eu-digital-markets-acts-interoperability-rule-addresses-important-need-raises

An interoperable Facebook would make it easy to leave social media by removing the penalties Facebook imposes on its disloyal users, and the EU’s privacy framework means that when they flee to a smaller safe haven, they won’t have to worry about commercial surveillance:

https://www.eff.org/interoperablefacebook

But what about advertising-supported media? Sure, being spied on sucks, but a subscription-first media landscape is a world where “the truth is paywalled, but the lies are free”:

https://www.currentaffairs.org/2020/08/the-truth-is-paywalled-but-the-lies-are-free/

Ironically, killing surveillance ads is good news for ad-driven media. Surveillance-based ad-targeting is nowhere near as effective as Google, Facebook and the other ad-tech companies claim (these companies are compulsive liars, it would be amazing if the only time they told the truth is when they were boasting about their products!):

https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59

And consent-theater or no, targeted ads reach fewer users every day, thanks to ad- blockers, AKA, “the biggest boycott in world history”:

https://blogs.harvard.edu/doc/2015/09/28/beyond-ad-blocking-the-biggest-boycott-in-human-history/

And when a publisher does manage to display a targeted ad, they get screwed. The Googbook dupololy is a crooked affair, with the two tech companies illegally colluding (via the Jedi Blue conspiracy) to divert money from publishers to their own pockets:

https://techcrunch.com/2022/03/11/google-meta-jedi-blue-eu-uk-antitrust-probes/

Targeted ads are a cesspit of ad-fraud. 15% of all ad revenues are just unaccounted for:

https://twitter.com/swodinsky/status/1511172472762163202

The remaining funds aren’t any more trustworthy. Ad-tech is a bezzle (“the magic interval when a confidence trickster knows he has the money he has appropriated but the victim does not yet understand that he has lost it”):

https://pluralistic.net/2021/01/04/how-to-truth/

As Tim Hwang foretold in his essential Subprime Attention Crisis, the pretense that targeted ads are wildly effective has been slowly but surely losing ground to the wider awareness of the fraud behind the system, and a reckoning is at hand:

https://pluralistic.net/2020/10/05/florida-man/#wannamakers-ghost

Experiments with contextual ads (ads based on the content of the page you’re looking at, not on your behavior and demographics) have found them to about as effective in generated clicks and sales as surveillance ads.

https://pluralistic.net/2022/04/29/taken-in-context/#creep-me-not

But this is misleading. Contextual ads don’t require consent opt-in (because they’re not based on your data) and they don’t drive users to install blockers the way creepy surveillance ads do, so lots more people will see a contextual ad than a surveillance one. Thus, even if contextual ads generate slightly less money per reader or viewer, they generate far more money overall, because they are aren’t blocked.

Even better for publishers: contextual ads don’t erode their own rate cards. Today, when you visit a high-quality publisher like the Washington Post, many ad brokers bid to show you an ad, but only one wins the auction. However, all the others have tagged you as a “Washington Post reader,” and they can sell that to bottom-feeder junk sites. That is, they can collude with Tabooleh or its rivals to offer advertisers a chance to advertise to Post readers at a fraction of what the Post charges. Lather, rinse, repeat, and the Post’s own ad revenues are drained.

This doesn’t apply with contextual ads. Indeed, none of the tech giants’ much-vaunted “data advantage” — the largely overstated value of knowing what you did online 10 or 20 years ago, the belief in which keeps new companies out of the market — applies to context ads:

https://pluralistic.net/2021/04/11/halflife/#minatory-legend

The transformative power of banning surveillance advertising goes beyond merely protecting our privacy. It also largely answers the case for “link taxes” (pseudo-copyright systems that let giant media companies decide who can link to them and charge for the privilege).

The underlying case for link taxes, snippet taxes, etc, is that Big Tech is stealing the news media’s content (by letting their users talk about and quote the news), when the reality is that Big Tech is stealing their money (through ad-fraud):

https://doctorow.medium.com/big-tech-isnt-stealing-news-publishers-content-a97306884a6b

Unrigging the ad-tech market is a much better policy than establishing a link-tax, like the Democrats are poised to do with their Journalism Competition and Preservation Act (JCPA):

https://www.politico.com/newsletters/politico-influence/2022/12/06/jcpa-opponents-spring-into-action-to-block-ndaa-inclusion-00072602

It’s easy to understand why the monopoly/private-equity-dominated news industry wants JCPA, rather than a clean ad market. The JCPA just imposes a tax on the crooked ad-tech giants that is paid to the largest media companies, while a fair ad market would reward the media outlets that invested most in news (and thus in expensive, unionized news-gathering reporters).

Indeed, the JCPA only works if the ad-tech market remains corrupt: the excess Big Tech rents that Big News wants to claim here are the product of a rigged system. Unrig the system and there won’t be any money to pay the link tax with.

Image: Anthony Quintano (modified) https://commons.wikimedia.org/wiki/File:Mark_Zuckerberg_F8_2018_Keynote_%2841118883004%29.jpg

CC BY 2.0 https://creativecommons.org/licenses/by/2.0/deed.en

[Image ID: A theater proscenium. Over the proscenium, in script, are the words 'Consent Theatre.' On the screen is an image of Mark Zuckerberg standing in front of the words 'Data Privacy.' He is gesturing expansively. A targeting reticle is centered on his face. The reticle is made of the stars from the EU flag.]

Max Schrems

Our only defense against surveillance capitalism in the short run is to avoid being surveilled. Quitting platforms which suck personal information out of you is essential to protect privacy. Avoiding cookies and trackers is another way to protect yourself.

I’m a compulsive history clearer. My history is cleared automatically when the browser (either Firefox or Safari) is closed. Sometimes I’ll clear much of it selectively in mid session. I NEVER use Chrome which is just a vacuum cleaner of personal info for Google. And speaking of Google, it’s rare for me ever to be signed in there.

To control your personal information it’s necessary to be proactive and to endure a little inconvenience. I see this inconvenience as minor and beneficial – in the same way that conscientious recycling is in the long run.

But ultimately, legislation is needed to protect internet users. There are plenty of precedents. We already have laws to protect safety, to ensure pure food and pharmaceuticals, and to regulate financial transactions. It’s long overdue for online privacy to get the same treatment.

There need to be limits on personal information which online commercial entities can collect, store, and share. 

I've seen a number of people worried and concerned about this language on Ao3s current "agree to these terms of service" page. The short version is:

Don't worry. This isn't anything bad. Checking that box just means you forgive them for being US American.

Long version: This text makes perfect sense if you're familiar with the issues around GDPR and in particular the uncertainty about Privacy Shield and SCCs after Schrems II. But I suspect most people aren't, so let's get into it, with the caveat that this is a Eurocentric (and in particular EU centric) view of this.

The basic outline is that Europeans in the EU have a right to privacy under the EU's General Data Protection Regulation (GDPR), an EU directive (let's simplify things and call it an EU law) that regulates how various entities, including companies and the government, may acquire, store and process data about you.

The list of what counts as data about you is enormous. It includes things like your name and birthday, but also your email address, your computers IP address, user names, whatever. If an advertiser could want it, it's on the list.

The general rule is that they can't, unless you give explicit permission, or it's for one of a number of enumerated reasons (not all of which are as clear as would be desirable, but that's another topic). You have a right to request a copy of the data, you have a right to force them to delete their data and so on. It's not quite on the level of constitutional rights, but it is a pretty big deal.

In contrast, the US, home of most of the world's internet companies, has no such right at a federal level. If someone has your data, it is fundamentally theirs. American police, FBI, CIA and so on also have far more rights to request your data than the ones in Europe.

So how can an American website provide services to persons in the EU? Well… Honestly, there's an argument to be made that they can't.

US websites can promise in their terms and conditions that they will keep your data as safe as a European site would. In fact, they have to, unless they start specifically excluding Europeans. The EU even provides Standard Contract Clauses (SCCs) that they can use for this.

However, e.g. Facebook's T&Cs can't bind the US government. Facebook can't promise that it'll keep your data as secure as it is in the EU even if they wanted to (which they absolutely don't), because the US government can get to it easily, and EU citizens can't even sue the US government over it.

Despite the importance that US companies have in Europe, this is not a theoretical concern at all. There have been two successive international agreements between the US and the EU about this, and both were struck down by the EU court as being in violation of EU law, in the Schrems I and Schrems II decisions (named after Max Schrems, an Austrian privacy activist who sued in both cases).

A third international agreement is currently being prepared, and in the meantime the previous agreement (known as "Privacy Shield") remains tentatively in place. The problem is that the US government does not want to offer EU citizens equivalent protection as they have under EU law; they don't even want to offer US citizens these protections. They just love spying on foreigners too much. The previous agreements tried to hide that under flowery language, but couldn't actually solve it. It's unclear and in my opinion unlikely that they'll manage to get a version that survives judicial review this time. Max Schrems is waiting.

So what is a site like Ao3 to do? They're arguably not part of the problem, Max Schrems keeps suing Meta, not the OTW, but they are subject to the rules because they process stuff like your email address.

Their solution is this checkbox. You agree that they can process your data even though they're in the US, and they can't guarantee you that the US government won't spy on you in ways that would be illegal for the government of e.g. Belgium. Is that legal under EU law? …probably as legal as fan fiction in general, I suppose, which is to say let's hope nobody sues to try and find out.

But what's important is that nothing changed, just the language. Ao3 has always stored your user name and email address on servers in the US, subject to whatever the FBI, CIA, NSA and FRA may want to do it. They're just making it more clear now.

Before the pause, the company had been hoping to rely "on the legal basis of ‘legitimate interests’" to process the data, because it's needed "to improve AI at Meta." But Noyb and EU data regulators had argued that Meta's legal basis did not comply with the GDPR, with the Norwegian Data Protection Authority arguing that "the most natural thing would have been to ask the users for their consent before their posts and images are used in this way." Rather than ask for consent, however, Meta had given EU users until June 26 to opt out. Noyb had alleged that in going this route, Meta planned to use "dark patterns" to thwart AI opt-outs in the EU and collect as much data as possible to fuel undisclosed AI technologies. Noyb urgently argued that once users' data is in the system, "users seem to have no option of ever having it removed." Noyb said that the "obvious explanation" for Meta seemingly halting its plans was pushback from EU officials, but the privacy advocacy group also warned EU users that Meta's privacy policy has not yet been fully updated to reflect the pause. "We welcome this development but will monitor this closely," Max Schrems, Noyb chair, said in a statement provided to Ars. "So far there is no official change of the Meta privacy policy, which would make this commitment legally binding. The cases we filed are ongoing and will need a determination."

Europe’s most famous privacy activist, Max Schrems, landed another blow against Meta today after the EU’s top court ruled the tech giant cannot exploit users’ public statements about their sexual orientation for online advertising.

Since 2014, Schrems has complained of seeing advertising on Meta platforms targeting his sexual orientation. Schrems claims, based on data he obtained from the company, that advertisers using Meta can deduce his sexuality from proxies, such as his app logins or website visits. Meta denies it showed Schrems personalized ads based on his off-Facebook data, and the company has long said it excludes any sensitive data it detects from its advertising operations.

The case started with Schrems challenging whether this practice violated Europe’s GDPR privacy law. But it took an unexpected turn when a judge in his home country of Austria ruled Meta was entitled to use his sexuality data for advertising because he had spoken about it publicly during an event in Vienna. The Austrian Supreme Court then referred the case to the EU’s top court in 2021.

Today, the Court of Justice of the European Union (CJEU) finally ruled that a person’s sexual orientation cannot be used for advertising, even if that person speaks publicly about being gay.

“Meta Platforms Ireland collects the personal data of Facebook users, including Mr. Schrems, concerning those users’ activities both on and outside that social network,” the court said. “With the data available to it, Meta Platforms Ireland is also able to identify Mr. Schrems’ interest in sensitive topics, such as sexual orientation, which enables it to direct targeted advertising at him.”

The fact that Schrems had spoken publicly about his sexual identity does not authorize any platform to process related data to offer him personalized advertising, the court added.

“Now we know that if you're on a public stage, that doesn't necessarily mean that you agree to this personal data being processed,” says Schrems, founder of the Austrian privacy group NOYB. He believes only a handful of Facebook users will have the same issue. “It's a really, really niche problem.”

The CJEU also ruled today Meta has to limit the data it uses for advertising more broadly, essentially setting ground rules for how the GDPR should be enforced. Europe’s privacy law means personal data should not be “aggregated, analyzed, and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data,” the court said in a statement.

“It's really important to set ground rules,” says Katharina Raabe-Stuppnig, the lawyer representing Schrems. “There are some companies who think they can just disregard them and get a competitive advantage from this behavior.”

Meta said it was waiting for the CJEU’s judgment to be published in full. “Meta takes privacy very seriously and has invested over 5 billion Euros to embed privacy at the heart of all of our products,” Meta spokesperson Matt Pollard told WIRED. “Everyone using Facebook has access to a wide range of settings and tools that allow people to manage how we use their information."

Schrems has been a prolific campaigner against Meta since a legal challenge he made resulted in a surprise 2015 ruling invalidating a transatlantic data transfer system over concerns US spies could use it to access EU data. His organization has since filed legal complaints against Meta’s pay-for-privacy subscription model and the company’s plans to use Europeans’ data to train its AI.

“It's major for the whole online advertisement space. But for Meta, it's just another one in the long list of violations they have,” says Schrems, of this latest ruling. “The walls are closing in.”

Noyb filed 11 complaints over Meta’s data use for AI training

Digital rights NGO Noyb filed 11 complaints across Europe over changes in Meta’s privacy policy allowing it to use posts and images to train its artificial intelligence (AI) model.

Noyb, founded by Austrian activist and lawyer Max Schrems, filed some of the most serious privacy complaints in the EU on Thursday (6 June), according to Euractiv.

The company is demanding a ruling from 11 data protection authorities in Austria, Belgium, France, Germany, Greece, Italy, Ireland, the Netherlands, Norway, Poland, and Spain before the changes come into force on 26 June.

However, Meta is “confident” that it complies with EU privacy laws. The statement said Meta “develops AI responsibly” before submitting it to the EU and the UK, and uses publicly available information.

This is the latest step in the battle over what data can be used to train AI models. Generative artificial intelligence, such as chatbots (ChatGPT) and image generators (Midjourney), reportedly use vast amounts of data, often extracted from the internet without user consent, to train models that can then generate content.

Read more HERE

The European Commission has announced a pact with the US to allow easier legal transfer of personal data across the Atlantic.

Data privacy activists vowed to challenge the agreement in court.

President Joe Biden and EU officials welcomed the deal, which overcame objections about US intelligence agencies' access to European data.

The deal ensures Meta, Google and other tech giants can continue sharing information with the US.

Two previous attempts to create a legal framework on US-EU data sharing had been shot down in European courts over privacy concerns.

Monday's pact aims to ease European concerns over any personal information that ends up shared with US intelligence agencies.

Americans are mostly shielded legally from electronic snooping by US spy agencies, but foreigners are not.

The EU-US agreement allows Europeans to object if they suspect their data has been collected by American intelligence.

A Data Protection Review Court, made up of US judges, will be created to hear the claims.

The EU-US Data Privacy Framework, which goes into effect on Tuesday, also pledges only "necessary and proportionate" data will be collected.

EU Justice Commissioner Didier Reynders said the "robust" agreement meant "personal data can now flow freely and safely" from Europe to the US.

But non-profit group NOYB (None of Your Business), led by Austrian privacy activist Max Schrems, vowed to challenge the decision.

Mr Schrems said in a statement: "Just announcing that something is 'new,' 'robust' or 'effective' does not cut it before the [European] Court of Justice.

"We would need changes in US surveillance law to make this work and we simply don't have it."

Mr Schrems previously challenged Facebook's storage of data, saying it violated his European privacy rights, and the European Union's top court agreed.

President Biden paved the way for the final deal by issuing an executive order in October 2022 requiring US intelligence officials to add more data collection protections while balancing them with national security concerns.

Compared with the EU, the US has lenient privacy laws.

In May, the EU hit Facebook owner Meta with a $1.3bn (£1bn) fine, ordering the company to stop sharing European users data across to the US.

Meta has said without a legal outline for data transfers, it would be forced to stop providing its products and services in Europe.

Jahreskonferenz der Plattform Privatheit

Freiheit in digitalen Infrastrukturen

... war der Titel der diesjährigen Jahreskonferenz der Plattform Privatheit am letzten Donnerstag und Freitag in der Berliner Villa Elisabeth. Aktion Freiheit statt Angst e.V. war mit mehreren Aktiven dabei. Für das viele Forschungsgebiete umfassende Programmheft verweisen wir dorthin.

Ziel der Plattform ist es ja gerade, die aus der Digitalisierung entstehende Probleme auf die verschiedenen Gebiete Jura, Soziologie, Politik, Psychologie herunterzubrechen und die Experten von dort mit einzubinden.

Im Folgenden wollen wir keine Inhaltsangabe versuchen, sondern beschränken uns auf einige Highlights, die uns ins Auge gesprungen sind.

Keynote: Pay or Okay

In seinem Vortrag berichtet der österreichische Datenschützer Max Schrems (NOYB – Europäisches Zentrum für digitale Rechte) über die Probleme, wenn man vor die Wahl gestellt wird, einem Web Auftritt mit Werbung oder als Abo zuzustimmen. Die Frage nach der Datenschutzgrundverordnung ist dann nämlich, ist das noch eine freiwillige Zustimmung?

Österreichische Gerichte hatten entschieden, dass von einer Freiwilligkeit auszugehen ist, wenn dies günstiger ist als ein Print Abo. Fragt man jedoch die Menschen nach der Freiwilligkeit, so ergibt sich, dass

3-10 % mit der Werbung einverstanden wären,

aber 50-70 % darauf hereinfallen,

und im Endergebnis 99 % bei den umständlichen Fragen zum Abschluss eines Abonnements (Name Adresse Bankverbindung, weitere Zustimmungen und Einwilligungen) aufgeben.

Die Preise für Abonnements variieren in verschiedenen europäischen Staaten, so wären es für eine Familie in Österreich 35 € im Monat, in Deutschland nur 12,50 €. Allein ein Abo für die 100 Top Webseiten (Zeitungen/Zeitschriften) würde eine deutsche Familie mit 150 € im Monat belasten. Sozial schwache Menschen können sich dies nicht leisten – ist das noch freiwillig? Gleichheit verlangt auch gleiche Teilhabe.

Wichtig in diesem Zusammenhang ist seine Feststellstellung, dass die wichtigen Print Verlage durch das Verfahren durchschnittlich nur 0,8 % mehr an Einnahmen generieren. Für die Verlage ist dies eigentlich unwesentlich, aber sie wollen mit einem Abo „den Fuß in die Tür des Kunden bekommen“.

Wir müssen nun das Urteil des EuGH zum Fall "Zustimmen oder Abo"  abwarten. Eine weitere Erkenntnisse die bei seinen Untersuchungen heraus kam war, dass entweder die Einwilligung  bei einige Webseiten DSGVO-widrig nicht abgefragt wird oder sogar trotz eines „nein“ getrackt wurde.

Panel „Freiheit mit allen Mitteln?“

In dem Panel „Freiheit mit allen Mitteln?“ ging es ebenfalls um GAFAM, die 5 großen Internetkonzerne, deren Umsatzgröße die Haushalte vieler europäische Staaten übertrifft. Ein wichtige Frage war beim Thema Smart Home wer in einer Familie den Admin spielt, beziehungsweise die Entscheidungen über die Überwachung der restlichen Familienmitglieder trifft.

Zur Unterscheidung zwischen analog und digital wird festgestellt, dass man in der analogen Welt circa fünf Verträge pro Jahr abschließt, während es in der digitalen Welt einige 100 pro Jahr sein können. Damit sind die Menschen völlig überfordert und lesen nicht in was sie einwilligen (AGB).

Entgegen getreten wird auch der Auffassung "meine Daten gehören mir". Das ist  falsch, da Daten nie normales Eigentum sind. Daten dürfen keine Handelsware sein, denn auch nach dem Verkauf sagen Sie weiter etwas über mich aus - sie bleiben „meine Daten“ (Alexander Roßnagel). Nur physische Dinge können Eigentum sein, die Kommunikationsordnung ist keine Eigentumsordnung, auch wenn der Data Act dies eventuell anders sieht.

Zu den erfolgreiche Klagen gegen große Internetkonzerne und die verhängten Bußgelder wird angemerkt: Zehn Jahre wurde gegen META geklagt, am Ende war der Prozess gewonnen. Doch es nützt nichts, denn META behauptet, dass inzwischen bei ihnen alles anders geregelt wäre. So bleibt uns nur übrig, erneut zu klagen.

Keynote: Digitale Infrastrukturen und Geopolitik

Frau Ingrid Schneider von der Uni Hamburg untersuchte in ihrem Projekt die Globalisierung des Internets. So hat sie in verschiedenen Ländern vor allem des Südens die dortige Datenschutzgrundlagen untersucht. Dabei hat sie teilweise erschreckende Erkenntnisse über die Lebensrealität und das Gebaren der großen Internetgiganten gewonnen. Positiv ist zu vermerken, dass die Länder der BRICS Staaten ebenfalls das Ziel haben, wie die EU, gegen GAFAM vorzugehen. Allerdings ist ihre Durchsetzungskraft noch geringer als die der EU. Negativ ist zum Beispiel die Erkenntnis, dass in Südafrika viele Menschen bis zu 9 Stunden pro Tag online sind, 4-5 Stunden täglich sind dort normal. Erklärlich ist dies dadurch, dass das Handy der einzige Internetzugang ist und fast sämtliche Bezahlvorgänge damit geschehen.

In Südafrika gibt es seit 2021 den POPI Act als Grundrecht für den Datenschutz. Die Bußgelder sind für GAFAM allerdings viel zu niedrig. Fazit: Der Datenschutz ist schwach aber vorhanden.

In Brasilien haben viele Menschen einen zeitlich, bzw. datenmäßig limitierten Zugang zum Internet, so dass bereits Mitte des Monats bei Vielen ihr Datenvolumen erschöpft ist. Meta hat bei den brasilianischen Telekommunikationsunternehmen durchgesetzt, dass der Zugang zu Meta in diesem Limit nicht berechnet wird. Die Folge ist, dass für viele Brasilianer das Internet praktisch nur aus den Diensten von Meta (Facebook, WhatsApp, Instagram) besteht.

In Indien gibt es seit 2017 ein Grundrecht auf Privatheit. Allerdings gehen indische Gerichte bei Klagen regelmäßig von einer „angenommenen Zustimmung“ aus. China: So wie wir gegen GAFAM kämpfen, so geht der chinesische Staat gegen BAT vor (Baidoo, Alibaba, Tencent), um die Macht der eigenen Internetkonzerne gegenüber der Staatsführung in Grenzen zu halten. Die EU ist unberechtigter Weise stolz auf den so genannten Brüssel-Effekt. Danach werden die Regeln in der EU von den großen Internet Konzernen in Teilen bei ihren Implementationen übernommen, da die EU versucht hat die EU-Datenschutzregeln auch in internationale Handelsverträge einzubringen. Allerdings haben die Internetkonzerne ihre Software inzwischen modularisiert, so dass sie je nach lokalen Datenschutzregeln diese entweder ein- oder ausschalten können.

Fazit von Frau Schneiders Vortrag: 82 % der Staaten auf der Welt haben Regeln zum Datenschutz, Lediglich die USA und Iran haben überhaupt keine. In den USA gilt seit den neunziger Jahren die Section 206, die die Anbieter von Internetdiensten von jeglicher Haftung frei stellt.

Aufbau eines EU-weiten Offenen Web Index

Das Projekts über den Aufbau eines EU-weiten Offenen Web Index (PRIDI) wird unterstützt von der Open Search Foundation und ist sehr wichtig, um die fast 100%-ige Dominanz von Google zu brechen. Die Aufgaben des Web Index umfassen das Crawling, die Speicherung, die Analyse und die Aufbereitung der Information. Das ist ein sehr umfangreiches Unterfangen. Auch die geplante Nutzung des Web Index geht von der Suchanfrage über den Abgleich mit dem Index, dem Setzen einer Rangfolge und der Anzeige der Ergebnisse einen weiten Weg.

Da Google für den Aufbau seiner Suchmaschine viele Milliarden investiert hat und mehr als zehn Jahre gebraucht hat, wäre der Offene Web Index zwar sehr wünschenswert, wird aber bei den begrenzten Mitteln der EU dafür (einige 10 Millionen Euro) kaum durchsetzbar sein.

Privatheit versus individuelles Nutzerverhalten

1,8 Milliarden Bilder werden pro Tag auf Instagram hochgeladen. Es sind meist idealisierte Körper und damit Fake Bilder des Menschen. Hinzu kommen nun KI generierte Bilder, die ebenfalls nicht das reale Menschenbild wiedergeben. Es bleibt der Kampf zwischen „Freedom versus Liberty“ (Freiheit gegen Unternehmensfreiheit). Fazit: Der Staat muss Standards definieren.

Natürlich gab es viele weitere Erkenntnisse aus den beiden Tage zu gewinnen. Die Vorträge und Diskussionen werden als Text und auch als Videos auf den Webseite der Plattform Privatheit sichtbar bleiben.

Mehr dazu bei https://plattform-privatheit.de/p-prv/jahreskonferenzen/jahreskonferenz-2024.php

Kategorie[26]: Verbraucher- & ArbeitnehmerInnen-Datenschutz Short-Link dieser Seite: a-fsa.de/d/3Do Link zu dieser Seite: https://www.aktion-freiheitstattangst.org/de/articles/8939-20241020-jahreskonferenz-der-plattform-privatheit.html

UE determina que Meta limite dados para anúncios personalizados #ÚltimasNotícias #tecnologia

Hot News A União Europeia (UE) determinou, na última sexta-feira (4), que a Meta diminua a quantidade de dados pessoais utilizados na região para criação de propagandas publicitárias personalizadas. A decisão veio do Tribunal de Justiça da União Europeia (TJUE) após queixa de Max Schrems, ativista de privacidade, afirmando que o Facebook usou seus dados pessoais acerca de sua orientação sexual,…

View On WordPress

UE determina que Meta limite dados para anúncios personalizados

A União Europeia (UE) determinou, na última sexta-feira (4), que a Meta diminua a quantidade de dados pessoais utilizados na região para criação de propagandas publicitárias personalizadas. A decisão veio do Tribunal de Justiça da União Europeia (TJUE) após queixa de Max Schrems, ativista de privacidade, afirmando que o Facebook usou seus dados pessoais acerca de sua orientação sexual, de forma…

Meta Can't Use Sexual Orientation to Target Ads in the EU, Court Rules

Morgan Meaker for WIRED:

Europe's most famous privacy activist, Max Schrems, landed another blow against Meta today after the EU's top court ruled the tech giant cannot exploit users' public statements about their sexual orientation for online advertising.

…

Today, the Court of Justice of the European Union (CJEU) finally ruled that a person's sexual orientation cannot be used for advertising, even if that person speaks publicly about being gay.

…

The CJEU also ruled today Meta has to limit the data it uses for advertising more broadly, essentially setting ground rules for how the GDPR should be enforced. Europe's privacy law means personal data should not be "aggregated, analyzed, and processed for the purposes of targeted advertising without restriction as to time and without distinction as to type of data," the court said in a statement.

How do we get one of him for the U.S. Well, I guess we'd need a GDPR for the U.S. first, which isn't happening any time soon

Meta should restrict information for personalised adverts

Fb-owner Meta should minimise the quantity of individuals’s information it makes use of for personalised promoting, the EU’s highest court docket says. The Courtroom of Justice for the European Union (CJEU) dominated in favour of privateness campaigner Max Schrems, who complained that Fb misused his private information about his sexual orientation to focus on adverts at him. In complaints first…

Max Schrems wins privacy case against Meta over data on sexual orientation

https://apnews.com/article/facebook-meta-schrems-privacy-80fd4e6c59f48a3b583d6665af3ede86

Meta should restrict knowledge for personalised advertisements

Fb-owner Meta should minimise the quantity of individuals’s knowledge it makes use of for personalised promoting, the EU’s highest court docket says. The Courtroom of Justice for the European Union (CJEU) dominated in favour of privateness campaigner Max Schrems, who complained that Fb misused his private knowledge about his sexual orientation to focus on advertisements at him. In complaints…