Re: Kind of scary
There is no such thing as PII any more, just personal data and special category personal data.
Secondly it is not just residents of the EU, it is anyone in the EU. A tourist on vacation in Europe is covered by GDPR...
No, this is simply not true. Under Case C-210/16 (European Court) using a third party service makes you a joint controller, which comes with joint risk and in fact puts you in a much worse position.
As a joint controller, you can be sued directly without the data subject ever having to sue other joint controllers. This makes you even more of a target because it is much cheaper to sue some crappy Linux distro than say... Facebook.
Even worse than that, you can be sued for the processing Facebook does on that page...
The reason why ICANN do not want to change their contract is because if they do they will have to do it for the ENTIRE world. Registrars in countries outside of Europe are not going to be co-operative with ICANN if they are being treated differently to European Registrars - THIS is why ICANN has a problem. They want to continue to force public WHOIS for non-EU registrars.
Of course this is already doomed to failure and they know it (the public WHOIS system globally will die in May 2018 or shortly after) but they are (as usual) behaving like a petulant teenager screaming that white is blue and stamping their feet until eventually they will be forced to comply - at which point they will go sulk for a while and then come back with the attitude that it was always supposed to be this way and they have no idea why everyone is making such a fuss; that it was not their idea to have a public WHOIS in the first place and they always opposed it...
Nah, you are confused - you are reading the wrong part of the Regulation. The consent definition is covered under Article 4.11:
"'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes...."
The key part of the sentence is "freely given" - it has been determined by legislators that this means it cannot be a condition of access to a service, because then there is an imbalance in the relationship given that if the data subject does not give consent they cannot engage in that service. Put into the wider context, data subjects would literally be excluded from digital society if they wanted to maintain their Art.8 fundamental rights, because literally 99.9999% of digital services would eventually simply block access to anyone who does not consent.
Under such circumstances it cannot be argued that consent is freely given and as such it was intended specifically during drafting and trialogue that such activities would be unlawful.
This is also not new - the issue of freely given consent goes all the way back to Convention 108 in 1980 and is actually the same level of protection provided for in 95/46/EC (the previous Data Protection Directive); the problem is 95/46/EC was secondary legislation and therefore implemented in different ways in different member states. GDPR is primary legislation and has no such wriggle room.
The new ePrivacy Regulation goes a step further in Recital 18 which states:
"Consent should not be considered as freely given if it is required to access any service or obtained through repetitive requests. In order to prevent such abusive requests, users should be able to order service providers to remember their choice not to consent and to adhere to technical specifications signaling not to consent, withdrawal of consent, or an objection."
So this also means that for example - if a data subject has denied consent (say through a Do Not Track signal) but a web site keeps showing those cookies banners over and over again - this would also not be considered as freely given consent.
For -most- digital services it is likely that the ePrivacy Regulation will be the relevant Regulation as opposed to GDPR when it comes to consent - GDPR is more likely to apply to services which are non-digital (there will of course be some exceptions).
"The law also only affects European citizens so it is not necessary for, say, US citizens' details to be protected equally."
This is not correct - GDPR applies to anyone who is located in the EU (even US citizens who happen to be on vacation) - not just EU Citizens. Article 3, Recitals 22 & 23 make multiple references to Data Subjects "in the Union". You can literally be passing through for the day and you are covered under GDPR for that single day.
So for example, if an American happens to be on a trip to Berlin and registers a domain whilst they are there, they would be theoretically covered.
In a lawful society we do not force people to pay for their rights. If we do that you would end up with a privacy underclass, where only wealthy people can afford to maintain their fundamental rights and poor people have none. This is exactly why GDPR makes it illegal to force people to give up their rights to access digital society.
The entire web as we know it for over 20 years was funded by non-privacy invading contextual advertising (which still to this day remains as a much more successful model than behavioural based ads) so forcing people to be tracked is not only not ok it is a really stupid thing for publishers to do - it benefits no-one other than giant adtech firms as publishers are forced to give up control of their content (they have no idea what ads will appear on their pages, how they will look and whether or not they will offend people) as well as insert multiple middlemen into their audience engagement.
That said, despite the FUD, the law does NOT ban behavioural advertising, it just requires that true consent is obtained and we have to remember here that the definition of consent in EU law has not changed - the definition has existed since 1980 with the introduction of Convention 108.
What has changed is that definition has been explicitly clarified in the context of modern digital services and enforcement is now improving with potential penalties that are high enough to make most organisations think about the risk of ignoring the law.
Article 5(3) of Directive 2002/58/EC never required any such thing, it was the adtech industry that came up with that to deliberately piss off consumers in an attempt to undermine the law. I was at the round tables - we offered other solutions and warned that the adtech solution was inappropriate. The Directive required consent - it did not specify how that consent should be obtained and in fact deliberately avoided doing so.
Do try to get your facts right.
You are a bit thick, aren't you? You realise that most UK Ministers are elected MPs, right?
Also as I already stated the EU Commission NEVER pass laws - they have no mandate or power to pass laws - all they can do is propose new laws and enforce existing laws. You should probably go and read Art. 255 of the TFEU - whilst you are at it, you could do with a refresher on the Single European Act and the Maastricht, Amsterdam, Nice and Lisbon treaties which since 1986 have ALL extended the legislative powers of the EP.
As I previously stated - the EP now has equal footing with the Council (in almost all cases) when it comes to passing new laws. You should update your knowledge; you seem to be stuck in 1980 - but then why let facts get in the way of Eurosceptic bullshit, eh?
And here you are completely incorrect - the Parliament is equal weight with Council of the EU on passing laws - it is the Commission that is not able to pass laws. The way things work is as follows:
The Commission introduce a proposal which is then reviewed by the Parliament which is either voted forward to negotiation with the Council (as happened today) or not. The Council also review and either accept the proposal as per the Parliament report or offer amendments. In the case of amendments the Trialogue discussions begin at the conclusion of which a final vote is made (again with 50/50 weight between the Council and the EP).
The Commission do NOT pass laws (they put forward proposals and enforce laws) and the Parliament CAN introduce laws indirectly by requesting the Commission to do so.
In many cases Ministers ARE elected members of their national Government and ALL EU laws go through an extensive period of public review and consultation (you seem to be confusing treaties with laws).
Perhaps you should go read a little about how European Politics actually works...
You realise that BOTH bodies with powers to pass new laws in the EU are made up (primarily) of elected officials right? The Parliament is made up of MEPs which are elected. The Council is made up of Ministers from EU Member States and guess what....they are either elected or chosen by those elected to represent you in your national Government...
f fails for exactly the same reasons as e - the balance of the fundamental rights of the data subject. It is not necessary or proportionate for this data to be public - ICANN could run the system as a private registry and require legal instruments be used for access.
And no, ICANN is not an official authority and trying to argue that in Europe would fail dramatically - there is absolutely no way any EU member state (or pretty much any other state in the world other than perhaps the US) would agree to ICANN being classed as an official authority. They are nothing more than a body set up to manage DNS infrastructure, and that in and of itself is not without controversy.
And you would be wrong for example:
6.1c - There is no legal obligation for Whois - it is entirely ICANN policy and nothing to do with law.
6.1e - Public Interest would not cover a domain registration Whois database
You should perhaps read some of the Recitals and existing case law.
The article is actually quite accurate - GDPR does (in my opinion) make existing Whois databases unlawful and I have discussed as much with 2 national TLD registrars recently. The key issues you have to look at are whether or not requiring the data be public is proportional to the fundamental rights of the data subject (Art. 8 of the EU Charter) and whether it is necessary. This fails immediately at the first test, but even if it didn't, there is no necessity for a public Whois database in order for domain registrations to work - they would continue to work even without such public databases. For example, with regards to law enforcement access - it would still be available with the relevant safeguards in place (such as requiring a warrant or court order).
I was on a committee/consultation a few years back looking at the issue of shutting down "illegal" content by seizing domains which was run by the UK registrar and you would be shocked to hear the methods used by the police to avoid having to use the judiciary as well as how many false positives there are.
You could ask for "Hello, World" but first it would need to define what World is, in every context and then it would need to understand what Hello is across all lexical constructs throughout time and space - at which point it would be able to give every possible accurate interpretation of "Hello, World" that has ever been, is or will ever be.
"Also in June, the Developers Alliance and IAB Europe held a round-table discussion in the European Parliament on “The impact of the proposed ePrivacy Regulation on the data-driven ecosystem”, with MEPs Michał Boni and Daniel Dalton. The event was framed as how the draft ePrivacy regulation would impact upon “innovative companies”, innovation being a key EU policy mantra which is often used to mean that nothing must get in the way of business doing business."
Having sat in sessions with him at the EP on the draft regulation, I can personally verify that he has sung the song of a dutiful IAB spokesperson in every single event he has attended on the Regulation and refused to provide any evidence to support his position whilst refusing to acknowledge the vast mountain of evidence supporting the opposing view.
Just this week, he displayed his overwhelming ignorance in a series of tweets which were challenged by several long time privacy experts and groups to which he was unable and unwilling to answer or again provide supporting evidence for his position. I even offered to donate £100 to a charity of his choice if he could provide evidence of just 25% public support from a poll on his position.
He is in the ECR Group (which should be the first alarm bell) and is in LIBE and IMCO (which does not a civil rights advocate make). Being a member of a committee doesn't mean you are pro civil liberties; many of the pro-corporate people join various committees in an attempt to influence votes - that's politics.
"MEPs in the European Conservatives and Reformists party have responded similarly, with civil liberties spokesman Dan Dalton saying that the vote "gets the balance all wrong”" and risks the future of online services."
Dan Dalton is NOT a civil liberties spokesman - he is an industry influenced shill - I can't even believe you typed that - a clear lack of investigative journalism there. Not only is he an industry man, he is completely clueless about technology - I have seen badgers dead at the side of the road with more technical acuity than Daniel Dalton - to call him an imbecile would be an insult to Trumpsters across the world.
Seriously, change that, it is embarrassing to see such a statement on El Reg...
The vote was opposed by members of EPP - the majority of committees approved the draft and compromises were made on many issues which were not approved. EPP were kicked out of the negotiations because they were trying to gut the entire draft and weaken existing laws. There is very little chance this will not pass a full vote of Parliament at plenary next week - the LIBE vote was the main hurdle at this stage.
The only real difficulty we face now is ensuring this gets through the Council without too much damage.
I have worked on the draft for the past 18 months and was a special adviser to the rapporteur (some of my text actually appears in the draft) so I have been very close to the discussions at all levels. It has been a tough battle but there is an urgency among many MEPs to introduce a strong regulation which protects our Article 7 rights under the EU Charter.
The very fact that there is such a tough stance on state interference with encryption is a clear indication of just how important MEPs think these rights are.
The result yesterday was a very good result for privacy and I know I and many others will continue to drive the regulation through to adoption whilst keeping as close to the current draft as possible. But it will take you guys to do some work too - you need to write to your ministers and MEPs and make it clear to them that this is an important issue and that (providing you agree of course) you will vote for a competitor in the next election if they do not represent your rights in this matter.
Do not allow the industry lobby to create a privacy underclass. See my plea on this (which I wrote on Monday night before heading to Brussels) and take action yourself to help protect your fundamental rights - we need literally 10s of thousands of people across Europe to take their elected officials to task on this issue; the risk of losing privacy is very real if you don't. And please (as I always recommend) try to send faxes or paper letters - they cost a great deal more money to process than emails and are far more likely to attract attention when they start eating into MEP and Ministerial budgets. If 100 000 people send emails, they are cheap and easy to process - if 100 000 people send letters and faxes they require personnel and paper to process; when it comes to lobbying and campaigning, paper is ALWAYS better than bits and bytes.
I can think of several who presumably have given their utter support of the usefulness and economic value of commercial stalking^Wmarketing by consenting to automated calls:
1. Nick Stringer - IAB
2. Ed Vaizey - Former Minister of Culture, Communications and Creative Industries
3. Lord West - because there must be a surveillance angle there somewhere
4. Kent Ertugrul - CEO of the late Phorm
5. City of London Police - They love all businesses especially when they buy them nice lunches.
The iPhone X was never produced as a market booster and should not be used to measure market trends - it was a concept phone that Apple knew would appeal to only a modest percentage of their customers. The iPhone 8 and 8 Plus are the phones which should be used to gauge market response - that was the primary release and is the device most customers are likely to upgrade to.
The X (and its descendants) may be relevant next year if Apple moves towards that design for its primary market, but until the two lines converge the X should simply be considered as a PoC for future generations.
“There is no such thing as a VPN that doesn't keep logs. If they can limit your connections or track bandwidth usage, they keep logs.”
This is factually incorrect. I have been running OpenVPN on my server for about 10 years and there is not a single log file - so yes, a VPN can be configured to not log anything. I think what you meant was "there is no such thing as a VPN service that doesn't keep logs..." and I suspect that may be true (although there are several who claim they don't).
What the FBI did do here though is just destroy PureVPN's business as I suspect people will now run for the hills knowing that PureVPN is not only logging but working with LEAs.
The difference is we have an "effective remedy" - in other words we can take our governments to court and win (lots of case law on this in ECtHR) and EU governments can be forced to change their laws (see RIPA in the UK, Data Retention Directive etc. - again lots of case law).
There is no dispute that EU governments spy - but if they break the rules and you find out about it, you can (in theory) take them to court and win.
The Law has never been about being able to stop people doing bad things - nothing will ever stop that. The Law is about providing effective means of redress (effective remedy) when bad things are done.
Actually it rarely means that your data is safe (I have written on this many times) - if the data center is owned by a US corporation or even if they set up a subsidiary (such as Twitter, Facebook etc.) then it is all fair under US law because these subsidiaries are owned by the US corps and as an asset of the corps they and any tangible things they have (such as data) can be seized under US law (no matter where they are located in the world).
The DOJ actually screwed up in the Microsoft case - they used the wrong law to try to obtain the emails (Stored Communications Act if I remember correctly) - there are multiple other instruments they could have used which would have been more effective (such as FISAAA and at the time PATRIOT or even an NSL) because they were complacent and figured they wouldn't be challenged.
With regards to the UK spying on US citizens and then sending that back to the US - no, you are mistaken in thinking that is legal; it is not. It is surveillance by proxy and both Congress and the Senate have already stated this is not legal.
The biggest issue US citizens have is that companies are not protected by the 4th Amendment leaving them wide open to s215 of PATRIOT until 2015 at which time it was not renewed - however FISA has since been amended under Title 1 - Business Records to provide similar access to 'tangible things' relating to US citizens (the entire thing is currently a mess that Trump is certainly not coherent enough or interested enough to fix).
So it is a little more complex than most people might think...
Post Brexit the UK will have to obtain an adequacy decision just the same as any other country not in the EU, and given there are existing infringement proceedings against the UK for not correctly implementing 95/46/EC (the Data Protection Directive) with 7 outstanding issues that the European Commission will not disclose because they claim it would do irreparable damage to International Relations (read that as holy shit they are doing some really bad stuff at GCHQ), despite having received multiple FOI requests for the details, it is HIGHLY unlikely an adequacy agreement will be forthcoming, meaning it will be illegal to send data from the EU to the UK (and actually this will be the default until an adequacy decision is made - so the day Brexit happens it will become illegal to transfer personal data to the UK).
Unless by some miracle another arrangement is put into place prior to Brexit as part of the agreement (not bloody likely).
Oh please not another "the fines, the fines" - very few organisations will see large fines as a result of a breach under GDPR - this has been made clear over and over again by various Supervisory Authorities. Very serious cases where there was a lack of due diligence by the Data Controller will result in fines but even then, few will result in the maximum penalty.
GDPR should not be presented as a big stick because it will not make corporations behave appropriately - what companies should be doing is looking at the positive things in GDPR such as creating structured business processes with accountability, security and data protection by design, and transparency, and using these positives to create a competitive advantage and build trust.
GDPR is not about huge fines and never has been - it is focused on trying to make companies behave more responsibly and at its very core it is built on the premise of protecting the Fundamental Rights of people living in the EU (Article 8 of the EU Charter specifically).
I have been doing this a long, long time (way before Schrems and Snowden) and have taken on corporations many times with some very significant successes, as well as having been directly involved in the changes to EU law - and even I don't wave the 4% stick around. Ruling by fear does not work - changing minds to work in a better, more ethical and quite frankly more efficient way is how we save privacy. Please do stop trying to undo all the hard work real privacy advocates have been doing.
There seems to be some confusion here - this case has no bearing on Privacy Shield (yet) - this case is entirely related to Standard Contractual Clauses.
The judge stated that despite the Ombudsman (which was introduced as a role under Privacy Shield and a role which has yet to even be filled) there is still no sufficient remedy under Art.47.
When the case goes to the CJEU, they will rule solely on Standard Contractual Clauses and whether or not European Commission decisions 2991/497/EC, 2004/915/EC & 2010/87/EU are valid. These are the EU Commission decisions which make Standard Contractual Clauses a legal basis for an international transfer (and in this particular case with regards to the United States).
It is likely they will rule against these decisions and invalidate SCCs (because if they don't they contradict their previous ruling on Safe Harbor as they are addressing identical issues) but this will not invalidate Privacy Shield (or Binding Corporate Rules, which is currently the other legal basis used by many global organisations based in the US).
What will happen after that is another case will need to be brought regarding Binding Corporate Rules and then another one regarding Privacy Shield (all on the same grounds as Safe Harbour and Standard Contractual Clauses).
There have already been attempts to bring Privacy Shield to the CJEU by a French NGO, but they were blocked by the European Commission on the grounds that currently, organisations cannot file cases unless they are directly impacted (this changes once GDPR starts being enforced in May - as that allows organisations to file cases on behalf of citizens). This was a shitty move by the Commission because it was obviously just a stalling tactic but you can kind of understand why they did it (to try and fix Privacy Shield before May 2018 - which of course won't happen).
This case will not invalidate Privacy Shield or Binding Corporate Rules because they are not the models on trial;
This case is highly likely to invalidate Standard Contractual Clauses.
It doesn't matter how good the hardware is (and let's forget about Huawei's ties to the Chinese Government for just a few minutes), it is still an Android phone. You couldn't pay me to use an Android device - and I mean that literally - if you offered me 5k Euros a month to use Android, I would say no.
Irrespective of whether or not Apple are keeping up with the hardware, iOS is why I buy Apple, not the hardware.
I haven't changed my tune - the two scenarios are completely different.
In the Phorm situation, citizens' communications were being intercepted, copied, scanned and then the content of those scans used to profile individuals' behaviour. It was active surveillance over which the citizen had zero choice or control.
In the adblocking scenario, communications are scanned for specific patterns which only match advertising code. The content of the comms is not copied and used for profiling behaviour and the citizen has to opt in to the service (if they don't, their comms bypass the tech).
Another big difference between the two is in the Phorm case, all parties in the communication were likely to object to the interception. However, in the adblocking case, publishers have a vested interest in not consenting to the activity because they benefit from the ads being blocked.
With the privacy and security issues surrounding programmatic ads and privacy being a fundamental right under European Law (Article 8 of the Charter of Fundamental Rights of the European Union) it is absurd to suggest that publishers should have a veto over a citizen's choice to block ads.
Furthermore, I haven't changed my tune - I have not stated that RIPA doesn't apply in the adblocking case - I have been actively lobbying to have EU Law changed to remove the all party consent requirement for situations where ISP customers have explicitly requested a service (opt in) and I still fully support the prohibition of arbitrary blocking imposed by the ISP without the explicit opt in consent of the customer.
I find it amusing that some people think I need reminding of what I wrote - I don't, I wrote it. I also find it strange that certain people think I have no right to have a different opinion in different situations - the Phorm case and the adblocking scenario are opposites in many respects and it is entirely my right to have a different opinion on both scenarios.
And you clearly are unable to read as well.
The scripts in question are used for the specific purpose of detecting adblockers - they print a lovely message on the screen saying "YOU ARE USING AN ADBLOCKER PLEASE TURN IT OFF" (or words similar depending on the tool) - their ENTIRE purpose is to detect the use of an adblocker, some even look for specific adblockers as opposed to just any adblocker (for example there are some which block AdBlock Plus but do not block other adblockers - they look for behaviour specifically related to the use of adblock plus).
So please do stop talking so much crap about other scripts, scripts which are not for detecting adblockers etc. The issue discussed between myself, regulators, lawyers and legislators has been specifically about scripts which are designed for the sole purpose of detecting/circumventing adblockers.
You have not been party to those discussions, so please stop trying to tell me what was said in those discussions because you don't know. All discussions have taken place with technical experts and legal experts present - the letter is just a formal written version of the response I received verbally 14 months ago after such a meeting.
Now no matter how many times you guys try to turn this into something it isn't, try to talk about other scripts, other tools or other technologies - it will not change what has happened, it will not change what is going to happen. Legal test cases will be filed, publishers will be investigated and judgments will be made. Get over it already.
If the regulators think there is no legal issue then the judgments will support your arguments - if the regulators think there is a legal issue then the judgments will support my arguments.
"in so far as this takes place for the sole purpose of carrying out the transmission in the electronic communications network"
Adblock detection scripts are nothing to do with carrying out the transmission in the electronic communications networks - their purpose is to detect adblockers.
"their use should be allowed on condition that users are provided with clear and precise information in accordance with Directive 95/46/EC about the purposes of cookies or similar devices so as to ensure that users are made aware of information being placed on the terminal equipment they are using. Users should have the opportunity to refuse to have a cookie or similar device stored on their terminal equipment."
Which just verifies exactly what I have stated - users need to give their consent - current methods of detection are happening without consent. Also note the "users should have the opportunity to refuse" so these scripts cannot be used until the user is given the opportunity to refuse such activities.
So thanks for your input but if you think it does anything other than verify -everything- I and the European Commission have stated, you seem to be having some issues with your comprehension.
These scripts are covered by the Directive (as clarified by the European Commission) and fall into the same category as Spyware.
Let me make this clear to you once more - the European Commission -wrote- the law, trying to claim their interpretation of the law is wrong is beyond ridiculous.
It doesn't matter a damn what you think, what I think or what everyone else thinks - what matters is what the Regulators and the EU Commission thinks and they all agree that this activity is both covered by the Directive and illegal - please get that into your head.
There is a very good reason I spent 14 months traveling Europe talking to regulators and legislators before commencing with any legal actions - to ensure that they would support and act on such actions. So whether you agree with the law or not, whether you agree with my interpretation of the law or not is wholly irrelevant - those responsible for writing and enforcing the law do and we will see what action they choose to take when I file my legal complaints.
And even if these test cases end up in the CJEU - the CJEU -always- relies on recitals for interpretations of laws and the recitals support this viewpoint fully.
Nothing is certain in law (that is why these are "test cases") but there comes a point where you have to admit you are unlikely to win and in this matter the publishers and adtech industry are up against the full weight of regulators and the European Commission - it is not likely they are going to win...
So please do stop posting nonsense - read the law, understand the law and read the opinion of the Commission. I will not respond further to obvious industry trolls repeating the same deliberately incorrect and misleading crap over and over again.
Well that might be the case had I written to the "Your Europe Advice" service but I didn't and the letter has no such disclaimer. I wrote directly to President Juncker who tasked the response directly to Gunther Oettinger.
Still it is nice to know that my stalkers are still wasting their lives obsessing over me.
The ePrivacy Directive doesn't require access to "personal information"; it covers ALL information, as highlighted in the European Commission's letter. The main point of the amendments in 2009 (Article 5(3)) was to deal with spyware, malvertising and behavioural tracking/profiling - it is not the Data Protection Directive, it is the ePrivacy Directive, and it exists for completely different purposes to the DPD.
The European Commission regards adblock detection as a form of Spyware; it also falls under the category of behavioural profiling (using an adblocker is a "behaviour").
The web page (and how it is rendered) is STORED on the device.
All of this falls under the definition of 5(3).
So it is you who are misunderstanding the law, not me misunderstanding the technology.
It is nothing to do with personal data - the ePrivacy Directive forbids access to -any- information on the terminal equipment of the user and also forbids web sites from storing any information on that same terminal equipment without clear consent which is informed and freely given.
So the detectors are in breach of both parts of the law:
1. When they are stored on the computer/device
2. When they execute and access information stored on the computer/device.
It is really straightforward.
Biting the hand that feeds IT © 1998–2019