Max Schrems Files New Privacy Complaints That Seem To Show The Impossibility Of Complying With The GDPR

from the what-a-stupid-law dept

Tue, Jan 22nd 2019 10:45am — Mike Masnick

We've written many times about privacy activist Max Schrems, who almost single-handedly brought down the silly privacy safe harbors between the EU and the US. Last year, we wrote about his newest project called noyb.eu, which stands for "None Of Your Business."

Last week, Schrems and noyb announced a big list of GDPR complaints filed in Austria, against basically every streaming media company, none of which -- they claim -- are in compliance with the GDPR. Schrems also provided everyone with a handy dandy chart showing the basic details of the results of the GDPR requests they made to eight different streaming platforms, where they fell down, and how much they might be on the hook for:

If you'd like to see the actual complaints, here they are for Amazon, Apple, DAZN, Flimmit, Netflix, Soundcloud, Spotify, and YouTube.

I have lots of thoughts about this, so let's list them out:

This demonstrates the near impossibility of complying with the GDPR: While I'm sure many will view this as a positive for the GDPR, in that Schrems is going after a bunch of big companies who many people love to hate, I'd argue that these complaints really show just how ridiculous the GDPR is in practice. At least with the larger companies on this list (Amazon, Apple, YouTube, Netflix, and Spotify) it is ridiculous to argue that any of them were deliberately avoiding the GDPR requirements. All of those companies have been well aware of the GDPR for years and spent the past few years spending many, many millions of dollars preparing for the GDPR. All have decently large teams focused on doing everything they can to comply, in part because of the possibility of massive fines if they fail.

The fact that those large companies, who have all the resources in the world, are still deemed by Schrems to fail on nearly every aspect of the GDPR suggests, pretty clearly, that it is nearly impossible for anyone to truly be GDPR compliant in any reasonable sense.
The nature of the complaints shows just how silly the GDPR continues to be: Taking the Apple Music complaint as an example, the company did allow noyb and its client to download all the data it had, but noyb is demanding significantly more information under the GDPR -- much of it is information that would effectively be impossible to provide in the first place. For example, the complaint notes that Apple didn't provide "information about the purposes of the processing." But... isn't that the kind of information that anyone signing up for Apple Music already knows about when they sign up? Apple is using your information to provide you access to music and to recommend other music to you. What good does it do to have that information need to be spelled out once again at a later date to avoid massive billion dollar fines?
The possible fines remain completely insane: Note the numbers on the "maximum penalty" associated with these complaints. Under the GDPR, a company can be fined either €20 million or 4% of annual global turnover whichever is greater. So those eye-popping numbers are basically that 4%. Remember, most of the companies here bent over backwards to try to comply, with most of them setting up useful systems that allow users to download all of their data, even if noyb didn't like the format that data was in. And yet they might still face billions in fines?
GDPR could destroy some of these companies: It is surprising to see two companies -- DAZN and Soundcloud -- not respond at all to these requests. Both of them are based in the EU (though DAZN may escape via Brexit shortly, but it operates in many EU countries). I would think, at the very least, these companies would have in place some method of responding to GDPR requests. Soundcloud, despite its level of popularity, has struggled even to stay alive -- and came very close to shutting down a year and a half ago before getting a last minute reprieve from some investors. Either way, the company is clearly struggling, and the fact that both of these company's "maximum" possible fines are €20 million suggests that this is "greater" than 4% of their annual turnover. In short, this is likely a crippling and possibly company-destroying amount for these smaller operations. I'm still surprised neither responded to the requests at all -- but it's going to be difficult for either to stay in business facing these kinds of headwinds thanks to the EU's overaggressive regulations.

I'm sure that many don't seem to care that this might cause problems for these companies, or that it may be literally impossible to comply with these regulations. But we should all be concerned if regulations make it effectively impossible to be in business on the internet in the EU. We should be even more concerned that -- as many of us predicted -- regulations like the GDPR seem to have a high likelihood of completely destroying smaller players, like SoundCloud. The huge fines for the big companies are eye-popping and totally disconnected from any actual "harms," but most of those big companies can grudgingly afford to pay them. That seems unlikely for the smaller players meaning that -- once again -- the EU seems to be clearing the field of smaller internet companies, and leaving in place only the giants, from whom the government will just keep siphoning off cash.

One final point on all of this: I recognize that there are lots of legitimate concerns about privacy in this day and age -- and, in particular, how various data collection companies are using our private data. And I've long been on record that companies should be not just a lot more transparent about the data they collect and how they use it, but also should push control over that data out to the end users. But, looking over this list, none of these are companies that I'm particularly worried about concerning how they use my data. Yes, there are potential privacy concerns here, but the idea that SoundCloud or Spotify contains data so sensitive that they should be fined massive amounts for not making it "intelligible" just seems disconnected from any real harms and any real concerns.

Indeed, my concern with this type of litigation is that it actually waters down and distorts the real concerns we should be having over privacy in the internet era. Netflix not giving me all of the data on what I've been watching via streaming doesn't seem like a particularly big consumer concern -- and yet if it sucks all the air out of the room, it makes it that much harder to deal with real privacy questions raised by internet giants.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data protection, eu, gdpr, max schrems, privacy, streaming
Companies: amazon, apple, dazn, flimmit, netflix, noyb, soundcloud, spotify, youtube

63 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Mason Wheeler (profile), 22 Jan 2019 @ 9:34am

Soundcloud, despite its level of popularity, has struggled even to stay alive -- and came very close to shutting down a year and a half ago before getting a last minute reprieve from some investors.

As a long-time Soundcloud user, I'm not surprised. Their system is very consumer-unfriendly in a lot of little ways that aren't immediately obvious, but become clear once you start to do non-trivial things with it. The sort of stuff that the people who end up paying Soundcloud for their services might end up needing to do--or that might drive them away to other platforms once they realize how needlessly complicated, restrictive, and expensive a lot of it is.
[ link to this | view in chronology ]
jilocasin, 22 Jan 2019 @ 11:07am

A little naive with point #2.
I think you are being more than a little naive with your point #2.

For example, the complaint notes that Apple didn't provide "information about the purposes of the processing." But... isn't that the kind of information that anyone signing up for Apple Music already knows about when they sign up? Apple is using your information to provide you access to music and to recommend other music to you. What good does it do to have that information need to be spelled out once again at a later date to avoid massive billion dollar fines?

I believe that the whole point of the GDPR and Max Schrems' request was to make sure that Apple is only using his information to provide him access to music and to recommend other music. There is nothing that says that Apple isn't using your data to target personalized ads at you, or selling your music tastes to the highest bidder, or even collecting your GPS location of every time you listen to a song.

The GDPR request wants to make it clear what it's using his data for, that it is what the user thinks it's being used for (and not some other reason buried in a 100+ page EULA).

Personally I think the the major companies have spent the last coupe of years trying to come up with systems that they believe will pass muster without having to change their currently lucrative practices, and without letting the user know just how much/what they are using it for. Because if they did they just might stop.
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2019 @ 11:47am
  
  Re: A little naive with point #2.
  
  make sure that Apple is only using his information to provide him access to music and to recommend other music.
  
  Careful with that second point: do you mean recommend music to Schrems, or use his personal data (listening history) to recommend music to others? Those are two very different uses that are not inherently tied together, and should have permissions requested separately.
  [ link to this | view in chronology ]
- OldMugwump (profile), 22 Jan 2019 @ 2:30pm
  
  Re: A little naive with point #2.
  If the purpose *is* "buried in a 100+ page EULA", would it not be compliant with GDPR to simply re-send the 100 page EULA?
  
  How do you think having the GDPR is going to help anyone here?
  [ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2019 @ 4:03pm
  
  Re: A little naive with point #2.
  I think the point here though is that unlike many streaming companies, when you enable streaming from Apple, you actually get a dialog that pops up that clearly explains that in doing so, they're collecting usage data. This same dialog then explains how Apple is going to use that data and asks you if you want to continue. Apple's been doing this ever since it launched Genius around a decade ago.
  
  So since Apple is already disclosing how they're using the data, disclosing it again doesn't really help much, unless you're implying that the first disclosure means nothing because it's not mandated, and so they could be doing other things with the data without telling you, until you request the details.
  
  But it's obvious that Apple CAN disclose this data because they do so at the point of activation -- so the fact that they don't leads me to believe that they figured they were already covered by having disclosed the usage data previously to the customer.
  [ link to this | view in chronology ]
Designerfx (profile), 22 Jan 2019 @ 11:23am

typo: noyb
under 3.

even if noyb didn't like the format that data was in. And yet they might still face billions in fines?

*nobody?
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2019 @ 11:32am
  
  Re: typo: noyb
  Noyb is the website of Max Schrems mentioned at the top of the article and throughout.
  [ link to this | view in chronology ]
- jilocasin, 22 Jan 2019 @ 11:35am
  
  Re: typo: noyb
  No, I believe he was referring to noyb.eu, which stands for "None Of Your Business" the group Max Schrems founded.
  
  Also, I don't think it was noyb.eu not liking the format that was provided, but the format provided being chosen to be unhelpful/useless. This is a common ploy with FOIA respondents.
  
  Ex: request a copy of data that's originally in an easily searchable/analyzable database format, receive a badly scanned pdf copy of the data that was poorly formatted, printed, copied a few times and then scanned into an unsearchable pdf file.
  
  Or in Apple's case; maybe the data was provided as a single line text file (everything in one long line) filled with loads of abbreviations and no key to interpret them with.
  
  Without knowing the format of the data that was received, it's rather cavalier to assume fining the company over their choice is just noyb not liking the format it was provided in.
  [ link to this | view in chronology ]
  - Anonymous Coward, 22 Jan 2019 @ 11:57am
    
    Re: Re: typo: noyb
    
    Also, I don't think it was noyb.eu not liking the format that was provided, but the format provided being chosen to be unhelpful/useless. This is a common ploy with FOIA respondents.
    
    That seems lazy on Mike's part. What format was provided, what format was wanted, and what's reasonable/required? None of that was mentioned, and it's necessary to evaluate Mike's argument. (Did the company maliciously hand out an encrypted blob nobody could possibly ever read? Did they simply forget to explain an acronym, and all will be good when they post a glossary?)
    [ link to this | view in chronology ]
    - jilocasin, 22 Jan 2019 @ 12:07pm
      
      Re: Re: Re: typo: noyb
      Well according to the pdf for the Apple Music Store at least, what data Apple provided was in a series of machine readable .csv and .json files that were unintelligible.
      
      The majority of the files are , indeed, coded information, non-intelligible to humans (Attachment 3: “ Apple Index der heruntergeladenen Dateien ” and Attachment 4:App Store, iTunes Store, iBooks Store, Apple Music.zip). For examples, some of the files that could not be read by the Complainant include: 1)Apple Music Play Activity.csv 2)AMP Purchase History Page & Click Activity.csv 3)Apps And Service Analytics.csv 4)Review profile.json
      
      Also according to the complaint:
      
      The respondent also has not provided any explanation, software or other means to make the data readable and understandable for the average consumer.
      
      Which is a big no no under the GDPR. So it looks like Apple is indeed trying to appear GDPR compliant without actually being so.
      [ link to this | view in chronology ]
      - Mason Wheeler (profile), 22 Jan 2019 @ 12:16pm
        
        Re: Re: Re: Re: typo: noyb
        Far be it from me to defend a company as inherently abusive as Apple, but in this particular case I don't see anything wrong with what they did. When you have a large amount of data, returning it as a machine-readable format such as CSV (which can be trivially read into Excel) or JSON is absolutely the right answer.
        
        Large data sets are very difficult to read the way a normal human being would read a book, from beginning to end. Instead, what you want to do with that sort of data is subject it to analysis, and for that you need some format that's easy to parse by a computer, which can then search through it and help the user work out points that are of interest.
        
        If the GDPR doesn't recognize this simple fact, it's just another point demonstrating that it's a bad law.
        [ link to this | view in chronology ]
        
        MathFox, 22 Jan 2019 @ 12:29pm
        
        Re: Re: Re: Re: Re: typo: noyb
        There are the (offices) of the Data Protection Agencies that will review the complaint and form their own opinion. Apple gets a chance to present their side... The DPA might suggest some simple chances (Like: provide a document that describes the columns in the CSV files and the meaning of the JSON fields), Apple might implement them and the DPA could decide that the issue is sufficiently resolved.
        
        When the DPA decides that a fine is warranted, it's unlikely to be close to the maximum fine for a company that makes a good faith effort. And there is the option for a legal review of the DPA ruling and penalties. Expect a body of jurisprudence in five years.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 22 Jan 2019 @ 12:42pm
        
        Re: Re: Re: Re: Re: typo: noyb
        
        Far be it from me to defend a company as inherently abusive as Apple, but in this particular case I don't see anything wrong with what they did. When you have a large amount of data, returning it as a machine-readable format such as CSV (which can be trivially read into Excel) or JSON is absolutely the right answer.
        
        We don't know enough about "what they did". Both formats are trivial to lex, so sure, you could read CSV into Excel. Then what? You need to know what each row and column represent to know how to interpret it, and that could be really obvious or completely obscure.
        [ link to this | view in chronology ]
        
        jilocasin, 22 Jan 2019 @ 12:48pm
        
        Re: Re: Re: Re: Re: typo: noyb
        Mason,
        
        I think you missed the point. Neither the GDPR nor Max is saying that the data can't be provided in a machine readable format. With the amount of data that most companies probably keep, it would be silly to download the data any other way. But just because the data is in a CSV doesn't mean that it's intelligible.
        
        For example compare the following by necessity short examples:
        
        Intelligible:
        
        UserName, TimeStamp, ClientIP Address, MusicGenre, SongTitle
        
        joe01, 2019-01-01 12:24 GMT, 10.10.1.1, Country, 'Tequila'
        
        joe01, 2018-12-30 01:15 GMT, 10.10.1.1, Country, 'You make it Easy'
        
        joe01, 2018-12-30 02:05 GMT, 10.10.1.1, Country, 'Break Up in the End'
        
        joe01, 2018-06-18 15:00 GMT, 10.10.1.1, Pop,'Thank u, next'
        
        joe01, 2013-04-10 09:02 GMT, 10.10.1.1, Country, 'Get Along'
        
        Unintelligible:
        
        ux, st, m12, x17, au32
        
        278E4A8DB999EBF6B04D4787142D36BC7975D231, 2019-01-01 12:24 GMT, 10.10.1.1, am12, 180b133cbeeb94004708a06c1631ccfb
        
        278E4A8DB999EBF6B04D4787142D36BC7975D231, 2018-12-30 01:15 GMT, 10.10.1.1, am12, 8f81b5a32cbb21db94c5396284505729
        
        278E4A8DB999EBF6B04D4787142D36BC7975D231, 2018-12-30 02:05 GMT, 10.10.1.1, am12, 1b558644691b71ddc59ca9b2630e041f
        
        278E4A8DB999EBF6B04D4787142D36BC7975D231, 2018-06-18 15:00 GMT, 10.10.1.1, zx92, e2fa24536a5ad7782969d0f940b34ee4
        
        278E4A8DB999EBF6B04D4787142D36BC7975D231, 2013-04-10 09:02 GMT, 10.10.1.1, am12, 698a8af60cdd4b83e5120474cccbac8a
        
        See, the same data, but the second version doesn't really tell you what information about you they are keeping.
        [ link to this | view in chronology ]
        
        PaulT (profile), 23 Jan 2019 @ 3:01am
        
        Re: Re: Re: Re: Re: Re: typo: noyb
        That's a fair point, but given the usual idiotic demands related to these things, they probably mean it wasn't in a nice infographic they can show to a 5 year old. A lot of this stuff seems to be excuses to get companies to fail, rather than making sure they comply with anything realistic.
        
        On the flip side, I'd assume the companies are doing the bare minimum, which might mean supplying raw data in several tables rather than a nicely formatted single sheet, but if the legislation doesn't demand that's required then some companies won't make life easy out of principle.
        
        Without more detail it's true that it could go either way, but if literally nobody is presenting data in the way they want it then I'd presume it's the demands and not the companies that are being unreasonable.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 23 Jan 2019 @ 9:17am
        
        Re: Re: Re: Re: Re: Re: Re: typo: noyb
        > A lot of this stuff seems to be excuses to get companies to fail, rather than making sure they comply with anything realistic.
        
        What in the world gives you the idea that what they're being asked (demanded) to comply with is anything realistic, dood?
        [ link to this | view in chronology ]
        
        Anonymous Coward, 22 Jan 2019 @ 12:51pm
        
        Re: Re: Re: Re: Re: typo: noyb
        I agree. Raw data shows everything. They prove that they aren't hiding anything. What are they expecting, a bunch of people reviewing what music a person like? It is never to be read by an average person, just a bunch of algorithms and the occasional programmer.
        [ link to this | view in chronology ]
      - Anonymous Coward, 22 Jan 2019 @ 12:56pm
        
        Re: Re: Re: Re: typo: noyb
        Kind of like when a car company responses to 5000 cars blowing up with "customer safety is our top priority."
        
        Corporate doublespeak is leading to government doublefines.
        [ link to this | view in chronology ]
      - PaulT (profile), 23 Jan 2019 @ 2:49am
        
        Re: Re: Re: Re: typo: noyb
        "Which is a big no no under the GDPR"
        
        Is it really? The formats provided are industry standards act are readable by industry standard software that is supplied either free of charge or pre-installed on the computer, or by numerous online tools.
        
        Is it now a GDPR violation to not teach people to use their own computer? I'd understand if you're talking some weird proprietary format, but this is probably less difficult for most devices to read than the original web page.
        
        " So it looks like Apple is indeed trying to appear GDPR compliant without actually being so."
        
        No, it looks like you don't know what CSV and JSON formats are.
        [ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

Anonymous Coward, 22 Jan 2019 @ 11:29am

1. Doesn’t he mean “this shows the impossibility for big internet companies to MAKE MONEY while complying with a law that protects individuals?” If the internet “business model” can’t survive respecting internet rights, it deserves to perish.

2. See 1) above.

3. The fines must be that big to deter the conduct of the near-trillionaires.

4. See 1) above.

“Many” do not care about these companies any more than certain bloggers care about music and film companies. Too bad. Love these tantrums because it means you’re losing.
Was there any commentary on the Music Modernization Act or whatever it’s called that was passed in October to deal with royalties from streaming services.
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2019 @ 11:34am
  
  Re:
  “Many” do not care about these companies any more than certain bloggers care about music and film companies. Too bad. Love these tantrums because it means you’re losing.”
  
  Oh Jhon boy. As ever your projection is top notch.
  [ link to this | view in chronology ]
  - This comment has been flagged by the community. Click here to show it
    
    Anonymous Coward, 22 Jan 2019 @ 12:44pm
    
    Re: Re:
    Wow, ad-hominem proof-by-assertion from a 4Chan Aspie with a hidden agenda.
    
    The article doesn';t make it sound like Apple is winning this.
    
    As for the ad-hominem, see the "how many profitable copyrigths do you own?" threads.
    
    The more than throw the tantrum, the more desperate they are. No need to respond with anything but brutal logic. Make sure every time Google sends traffic here that all points of view are presented. That can have an interesting effect on a lawn.
    [ link to this | view in chronology ]
    - Anonymous Coward, 22 Jan 2019 @ 1:08pm
      
      Re: Re: Re:Those goddamn kids just won’t stay off your lawn!
      “The more than throw the tantrum, the more desperate they are.”
      
      Every time I think you can’t project any harder. BOOM another masterpiece from the inside of your slightly mushy grey matter.
      [ link to this | view in chronology ]
    - Anonymous Coward, 22 Jan 2019 @ 1:54pm
      
      Re: Re: Re:
      God, you people latched on that term like a dog with bone. News flash: simply calling someone mean names is NOT, in and of itself, an ad hominem.
      [ link to this | view in chronology ]
      - This comment has been flagged by the community. Click here to show it
        
        Anonymous Coward, 22 Jan 2019 @ 2:43pm
        
        Re: Re: Re: Re:
        It is a sign of verbal aggression, which we instinctively consider a prelude to physical aggression.
        
        Masnick runs his mouth safely behind a monitor in a way he wouldn't dare to anyone's face, and he hides behind frew speech to allow his uses to do far worse. The best way to confront him is to have a reporter start asking questions on camera when he's at one of those events or whatever or to do the Michael Moore thing and stand outside his office building while rebutting him.
        
        However he is ultimately dealth with, it won't be here. This is his turf, and he lets the bullies run wild. Like a dog chained to a post, however, his influence has no range to match that of those he allows to be bullied. If he weren't such a gnat he'd already see what he's starting with regard to a free-speech war but that day will come sooner or later.
        
        This site is just a stupid little echo chamber that will never influence policy. Everything he supports keeps losing and losing and losing.
        [ link to this | view in chronology ]
        
        Mason Wheeler (profile), 22 Jan 2019 @ 3:19pm
        
        Re: Re: Re: Re: Re:
        
        Masnick runs his mouth safely behind a monitor in a way he wouldn't dare to anyone's face
        
        Have you listened to the podcast? He's had several episodes which consist of him participating in some sort of panel, espousing these same opinions in person to the live audience and the other panelists as he does on here.
        
        You could say a lot of things about Mike, but moral inconsistency of this kind is most certainly not one of them.
        
        This site is just a stupid little echo chamber that will never influence policy. Everything he supports keeps losing and losing and losing.
        
        Wow. Just wow. How long have you been hanging around here?
        
        Just off the top of my head, one of the most notable things he supported was resisting SOPA and ACTA. These both got shot down in Congress, and he's had notable people, both elected representatives and senior staff members of elected representatives, come around here and talk about how Techdirt's coverage was instrumental in helping them understand why these were bad bills that they needed to shut down.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 22 Jan 2019 @ 3:34pm
        
        Re: How them lawsuits going bro?
        “Everything he supports keeps losing and losing and losing.”
        
        Another projection masterpiece. You’re like the Michangello of accusing other people of how you think.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 22 Jan 2019 @ 5:25pm
        
        Re: Re: Re: Re: Re:
        Article 13 was coming close to approval. Up to the point where you rightsholders realized that you couldn't sue people as willy-nilly as you'd like and tossed it back into the fire.
        
        You had it. It was offered up to you on a silver platter. And you still managed to screw it up!
        
        Your tears are delicious.
        [ link to this | view in chronology ]
    - Thad (profile), 22 Jan 2019 @ 2:20pm
      
      Re: Re: Re:
      You know, most people probably wouldn't go directly from complaining about ad hominems to using a slur against people with disabilities in the same sentence.
      [ link to this | view in chronology ]
      - Anonymous Coward, 22 Jan 2019 @ 2:30pm
        
        Re: Re: Re: Re:
        It really is a piece of art in its own way.
        [ link to this | view in chronology ]
      - Scary Devil Monastery (profile), 24 Jan 2019 @ 1:52am
        
        Re: Re: Re: Re:
        "most people probably wouldn't go directly from complaining about ad hominems to using a slur against people with disabilities in the same sentence."
        
        ...yes, but the "Child Porn Is Great" brigade isn't "most people". Please bear in mind that we're discussing the sort of people who appoint the likes of johan Schlüter, John Steele and Andrew Crossley to lead their efforts.
        [ link to this | view in chronology ]
- Mike Masnick (profile), 22 Jan 2019 @ 2:18pm
  
  Re:
  If the internet “business model” can’t survive respecting internet rights, it deserves to perish.
  
  I actually agree wholeheartedly with this. My question is what in the above is actually "respecting internet rights." I don't se that.
  
  “Many” do not care about these companies any more than certain bloggers care about music and film companies.
  
  I don't care about these companies either. I do care about the end users of those services and how they are harmed by bad regulations on the companies. So, sure, kill off those companies. No big deal. But what about the services that people rely on and find so useful these days?
  [ link to this | view in chronology ]
Peter (profile), 22 Jan 2019 @ 11:29am

A small amendment to the headline ...
Impossibility Of doing business as before and Complying

So far, the large platforms appear to try getting away with not changing data collection and data analysis at all. Instead, they coerce "permission" from customers through elaborate T&C - a practice that has just been fined by French authorities.

If that avenue gets closed, or if noyb's complaint is accepted, it will indeed be difficult to continue collecting insane amounts of data (up to, as has recently been uncovered, camera recordings of people's bedroom in case of Amazon) in the hope of mining some gold nuggets out of them.

The real question is if Google, Amazon, Facebook & co will continue to be viable businesses if they were forced to work with smaller data sets, and possibly more transparent (read public) algorithms.

If Amazon's current "suggestions", and some of their current processes are anything to judge by, restarting their AI-systems from scratch with fewer, better data might actually be an improvement.

We may find out soon ...
[ link to this | view in chronology ]
Anonymous Coward, 22 Jan 2019 @ 11:45am

For example, the complaint notes that Apple didn't provide "information about the purposes of the processing." But... isn't that the kind of information that anyone signing up for Apple Music already knows about when they sign up?

Really, you're using that as an example of why it's impossible to comply? Because that can be trivially solved by writing "Apple is using your information to provide you access to music and to recommend other music to you"—unless that doesn't work, for some reason you haven't explained. (But: why do they need personal information to provide the music? Can I opt out of suggestions? Are we sure that's all they're going to do with it, because Facebook especially has been known to collect for one obvious reason and use it for something else entirely.)

You didn't provide any detail at all on why the complaints are otherwise "silly" or "ridiculous". As for the "maximum fine", haven't you had to explain similar things to people when we see a "maximum sentence" of 9001 years or whatnot? It's a theoretical number used for intimidation, rarely actually applied (and yeah, we should really have more realistic numbers rather than rely on selective enforcement).
[ link to this | view in chronology ]
ECA (profile), 22 Jan 2019 @ 11:47am

Consideration
This is 1 group of nations..
Someone with a Thought is creating a backdoor into the net.. HOW to control the internet..
IF' these laws would be used Fairly, by every corporation.. On/OFF the net..
How many corps Would be hit hard.. How about the credit Bureau's. Those strange persons and groups that Monitor and Give us Credit cards..
THEY DO sell our info..
How about Cellphone companies?? They have already shown that Some App's are tracking us, and our locations..

Who needs the old conspiracy about Chips and pets, and Soon it will be everyone and be Tracked by Satellite.. You carry your tracking device in your hand, and While using the net at home on your PC...

I dont mind Anonymous Data.. IF' you leave out certain data.
1. Name/address/SS#
2. location of store it was purchased, Region is ok..
3. The format of payment.

Beyond that, I dont have a problem...But with alittle bit of this info, they DO have programs that will figure out WHO you are.
Limiting it to...Person bought an item in IDAHO, at ??/??/??? date is enough.

ALSO..
I suggest you read your Current Bank terms..and notice if they Sell your data. A track you can do, and you can even tell the bank its a security format..is to add a Single extra character to your name or address...A MISS-SPELLING..
So that If you get a MAIL with this miss-spelling..you KNOW your bank sold your data.
Advert agencies and collectors DONT spell check or verify data.(psst..Add a number to the Middle initial)
[ link to this | view in chronology ]
NeghVar (profile), 22 Jan 2019 @ 11:51am

I believe such draconian regulations could lead to a splinternet. Each country or union could end up with its own internet. The US internet, EU internet, AU internet, JP internet. Just like how China and North Korea have their own isolated internets to maintain their level of censorship and data collection.
[ link to this | view in chronology ]
Ninja (profile), 22 Jan 2019 @ 11:52am

Remember the old wisdom?

The road to Hell is paved with good intentions.

The idea behind the GDPR certainly is pretty sound and even desirable to some degree. The implementation? Not so much. And to think these same giants brought it upon themselves by abusing their position and the data consumers are handing them.

I hope the EU will rethink it and use the initial numbers to go back to the drawing board to fix these problems before imposing fines. The cynic in me says they'll use this selectively and collateral damage be damned.
[ link to this | view in chronology ]
Anonymous Coward, 22 Jan 2019 @ 12:20pm

Does Schrems come across as a bit of a troll to anyone else? His bull-in-a-china-shop approach has done a lot of harm over the years, and he just keeps it up. Is he one of those folks who just wants to watch the world (or in this case the Web) burn?
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2019 @ 1:00pm
  
  Re:
  
  Does Schrems come across as a bit of a troll to anyone else?
  
  I can see your point, but I don't think he's trolling any more than Mike is with his coverage. What's the point of having privacy laws if they're not enforced? Max is good at getting PR but I don't think he's blowing things out of proportion or going for a payday. He uses these services and doesn't want them shut down; he just wants them to comply with the law.
  
  Look at all the green and orange marks on his grid. They'd have almost all been red 5 years ago. As Mike writes "there are lots of legitimate concerns about privacy in this day and age... companies should be not just a lot more transparent about the data they collect and how they use it, but also should push control over that data out to the end users." That Mike's not worried doesn't mean much to me. We could make the same argument about FOIA—why should the government release the details? The law says what data the government can collect, and knowing the law should be enough. In practice, the amount and detail of what's being collected, or how it's being analyzed, often is the story.
  
  If Facebook is deciding whether or not I'm suicidal, I want to know. The same goes if Netflix is determining my bladder health by how often I pause. BTW, librarians can explain better than I that tracking a person's media consumption is not innocuous.
  [ link to this | view in chronology ]
  - Mason Wheeler (profile), 22 Jan 2019 @ 1:14pm
    
    Re: Re:
    > The same goes if Netflix is determining my bladder health by how often I pause.
    
    I certainly hope not; they don't have the data for something like that.
    
    Even assuming, just for the sake of argument, that the only possible reason for a pause of a certain length is a bathroom break, how often I feel like taking one has far more to do with how much water I've drunk recently than anything related to my health. (Assuming, again for the sake of simplicity, that the amount of water I'm drinking is not itself unhealthy.)
    [ link to this | view in chronology ]
    - Anonymous Coward, 22 Jan 2019 @ 1:40pm
      
      Re: Re: Re:
      
      > The same goes if Netflix is determining my bladder health by how often I pause.
      
      I certainly hope not; they don't have the data for something like that.
      
      You think they don't have the data on how often you pause?
      
      The example was farcical, but not that far off from what Facebook's doing with the suicide prevention. Netflix can't be certain of any conclusions drawn from pausing, just as Facebook is only guessing, but that's not the point. I want to know what they're going to use my data for, and I don't mean some vaguery like "to improve customer experience".
      
      In the old days of analog cable TV, all the company knew was what channels you subscribed to, where you lived, and whether you paid your bill. In the digital world, they know every channel every subscriber is tuned to, all the time. They probably know what shows I've read the descriptions of, via the onscreen guide, and decided not to watch. What are they doing with all this newfound data? I'm not in Europe, so I'll likely never know.
      [ link to this | view in chronology ]
      - Mason Wheeler (profile), 22 Jan 2019 @ 1:46pm
        
        Re: Re: Re: Re:
        > You think they don't have the data on how often you pause?
        
        They don't have the data on what I've been drinking. Without that, the pause information (which they probably do have) can't tell them enough to distinguish whether I have a bladder problem or am just over-hydrated.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 22 Jan 2019 @ 2:19pm
        
        Re: Re: Re: Re: Re:
        Of course. The point is 1) a company might be collecting/retaining more data than you expect, such as recording every button press forever and 2) they might use it in surprising ways. Don't focus on the jokey hypothetical, because Facebook is a real example of both points (especially #2). It's notable that FB claims they do not try to predict suicide in Europe, due to medical privacy regulations and requirements for informed consent.
        
        Consent matters. Who ever expected Facebook might send the local police over for using too many sad-face emojis?
        [ link to this | view in chronology ]
        
        Anonymous Coward, 22 Jan 2019 @ 4:38pm
        
        Re: Re: Re: Re: Re:
        
        They don't have the data on what I've been drinking.
        
        Let me give you a tip from 20 minutes into the future: when you buy an internet-of-things coffeemaker or juicer, read the privacy policy, particularly the data-sharing provisions, really carefully.
        [ link to this | view in chronology ]
        
        Mason Wheeler (profile), 23 Jan 2019 @ 7:24am
        
        Re: Re: Re: Re: Re: Re:
        ...which is exactly why I have no intention of ever buying such a thing.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 22 Jan 2019 @ 11:56pm
        
        Re: Re: Re: Re: Re:
        i would rather bet that various bladder issues and over-hydration-by-choice exhibit different patterns of bathroom breaks. seeing this stuff through the lens of big data is the entire point of big data.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 23 Jan 2019 @ 11:28am
        
        Re: Re: Re: Re: Re: Re:
        Maybe, but they still can't necessarily tell if we paused because I'm going off to the bathroom, or my wife is, or my 6 year old is, and I've paused it for 1 of them. (Okay, I mean, when it's on my 6 year old's account, sure, but if we're watching a movie together, no.)
        [ link to this | view in chronology ]
      - PaulT (profile), 23 Jan 2019 @ 3:14am
        
        Re: Re: Re: Re:
        "You think they don't have the data on how often you pause?"
        
        They do. They do not have the data on what I was doing at that time, why I chose to pause at that moment, why it took me however long to unpause, whether or not it was actually me using the device or someone else accidentally logged into my profile, etc.
        
        I think his point is that the dataset is hopelessly incomplete to draw such a specific conclusion.
        
        "They probably know"
        
        ...that if you're this hopelessly paranoid about the data you explicitly give the company in question, that you also have the option not to subscribe to their service,.
        [ link to this | view in chronology ]
  - PaulT (profile), 23 Jan 2019 @ 3:11am
    
    Re: Re:
    "What's the point of having privacy laws if they're not enforced?"
    
    What's the good of having them if nobody is able to satisfactorily comply?
    [ link to this | view in chronology ]
    - Anonymous Coward, 23 Jan 2019 @ 8:55am
      
      Re: Re: Re:
      
      What's the good of having them if nobody is able to satisfactorily comply?
      
      Government income by way of fines.
      [ link to this | view in chronology ]
      - PaulT (profile), 24 Jan 2019 @ 12:44am
        
        Re: Re: Re: Re:
        That's not "good", especially if the net result is that companies stop offering services that the public want because it's impossible for them to comply with the law.
        [ link to this | view in chronology ]
Max, 22 Jan 2019 @ 12:27pm

NO. Not strictly related to these particular filings, but as long as almost all websites choose to interpret "no snooping until you have explicit consent and you are not allowed to refuse service in the absence of consent" as "we'll just lock you out (or cover a literal half - or all - of your screen, which is the same thing) until you click accept to basically everything we declare 'necessary'", they never did the slightest attempt to comply and they deserve to get fined all the way to the depths of the ninth circle of hell and some more just for good measure.

Not for a second do these bastards conceive of the notion that some of their beloved tracking data might be going bye-bye - all they care about is exactly what lip service is needed in order to be left alone to continue _exactly_ as before, zero change. Their whole point is that nothing less than before is acceptable, and the whole point of the ever more privacy conscious folks is that that is not going to continue to happen. Something obviously has to break. If it is to be some of their spines, that sounds great...
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2019 @ 12:45pm
  
  Re:
  Blowback is a bitch.
  [ link to this | view in chronology ]
spamvictim (profile), 22 Jan 2019 @ 1:03pm

A complaint is not a determination
I will be interested to see what the DPAs do with these complaints. It's not like the US, they prefer to negotiate and agree to undertakings, and they rarely fine unless the offender has been intransigent. Their version of intelligible is likely not the same as Schrems'.
The French DPA did just fine Google 50M€ on another Scrhems complaint, which is enough to get their attention but hardly going to put them out of business.
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2019 @ 1:43pm
  
  Re: A complaint is not a determination
  His earlier complaints might be the only reason some of these companies have data-export features and policies. That's a good outcome for everyone—even people outside of Europe get many of the benefits—and I'd rather see similar developments than massive fines.
  [ link to this | view in chronology ]
Anonymous Coward, 22 Jan 2019 @ 1:30pm

It,s strange , how does a music service work
if they cant suggest music tracks you might like,
And keep a record of your favourite singers ,pop groups ?
eg i like madonna ,i,d probably like to hear
any new songs she release,s and songs she might appear
on as a duo with any other artist.
If i live in england i probably would prefer songs in the english language rather than the top 20 in russia .
.
I Presume youtube is keeping a list of the video,s
i watch in order to offer me suggestions as to new video,s i might like .
i have no problem with that .
They get some data from me, in return i get acess
to millions of videos at zero cost .
They save me time , they suggest the latest uploads from creators i subscribe to .
[ link to this | view in chronology ]
- Anonymous Coward, 22 Jan 2019 @ 2:23pm
  
  Re:
  The best way to get a youTube video profitable is to make one which autoplays alongside videos with much larger audiences. Say you do a video on homebuying, then Congress and the Fed start tangling over mortgage rates. Some big news corporation will then do a video about it that gets 1,000,000 hits, and the coattails will cause even unknown videos to go from like 100 hits a day to as many as 5,000. I've seen it firsthand.
  
  There is a LOT of money to be made on YouTube, specifically because they track viewing history, and because piracy is not an issue. Knockoffs, however, are, as anyone who has ever made a fortune in mail order knows.
  [ link to this | view in chronology ]
- Anonymous Coward, 23 Jan 2019 @ 12:07am
  
  Re:
  a music service merely has to offer a catalogue unless the user wants more. how do you think anything works? have you ever tried services without being logged in and refusing tracking? or how about only tracking of explicit "likes", because seriously YT is shit at guessing, or good gods, recommending shit at me. if they stuck to saves and likes they would do better and be less awful.
  [ link to this | view in chronology ]
ryuugami, 22 Jan 2019 @ 2:22pm

I'm sorry, Mike, but you're being disingenuous here.

First, these are *complaints*. Being able to complain does not, in itself, mean anything. How many baseless lawsuits have you written about over the years? Remember, idiots suing people for defamation does not mean that the defamation law is an absolute disaster and should be abolished.

Second, you seem to assume that any minor (real or perceived) infraction will bring about the "maximum fine" and bankrupt the small services. *That is not the goal.* If your company is earnestly trying to comply, the fine will be negligible, or you may even just get a warning. There was a GDPR ruling ruling against Google a few days ago, for 50 million Euros. That's 0.05% of Google's revenue, not 4%.
[ link to this | view in chronology ]
- Rocky, 22 Jan 2019 @ 5:07pm
  
  Re:
  
  I'm sorry, Mike, but you're being disingenuous here.
  
  I'm sorry, you did read the article - all of it, right?
  
  First, these are complaints. Being able to complain does not, in itself, mean anything. How many baseless lawsuits have you written about over the years? Remember, idiots suing people for defamation does not mean that the defamation law is an absolute disaster and should be abolished.
  
  First, these complaints are in a sense a way to highlight the absurdity of trying to be wholly compliant with GDPR. OTOH, if the complaints aren't taken seriously by the court system it will undermine the enforcement of the GDPR.
  
  Second, you seem to assume that any minor (real or perceived) infraction will bring about the "maximum fine" and bankrupt the small services. That is not the goal. If your company is earnestly trying to comply, the fine will be negligible, or you may even just get a warning. There was a GDPR ruling ruling against Google a few days ago, for 50 million Euros. That's 0.05% of Google's revenue, not 4%.
  
  Second, see point 3 & 4 in the article. You do understand that the qualifiers of 'can be fined', 'might face fines' and 'could destroy' isn't the same as 'maximum fines' and 'will destroy'. At no point did Mike imply that maximum fines will be applied to destroy some services - he implied that small services with no financial muscles might be destroyed if they are fined.
  [ link to this | view in chronology ]
anon, 24 Jan 2019 @ 10:29am

Can't agree at all
1. Companies do a basic risk assessment and compare it with their gain from taking the risk of regulatory fines. By providing -some- data, they reduced their risk of high fines so the residual risk was low enough to go on and wait for first jurisdiction.
2. If it needed only two lines or text to explain how they used what parts of the data, why would apple not send this information? Wouldn't that be ridiculously easy then?
3.& 4. It's a maximum penalty that won't be charged for minor fuckups. But here I have to agree that I don't understand why it isn't just the 4% as this would be fair imho. Would be interesting how this decision was made to have a lower limit of 20m. The 4% for big companies are good as otherwise no huge Enterprise would give a fuck.

The rest of the text:
How can you not be worried about your data on Amazon? A colleague is having a discussion atm as they are saying that it is technically not possible to delete his old data (he even said they could keep anything fresher than 6months but can't see the reason why they would need his data from the early 2000's. Common. Billions and a few years time and they're not capable of developing a system where data can be deleted??
[ link to this | view in chronology ]
neverest, 5 Feb 2019 @ 8:06am

phorm storm
you seem to totally not get The EU General Data Protection Regulation (GDPR)

at its most fundamental EU torts state that a person's personally generated data is their exclusive property automatically, without explicit consent no interception,processing, or storage of any kind is legal, see the masses of legal "phorm storm" coverage (before fake news was so prevalent)
[ link to this | view in chronology ]
Wilhelm, 18 Dec 2020 @ 1:25pm

The GDPR was never meant to protect individual privacy.
The first problem with GDPR is the absence of the clause "quantifiable loss". If fines aren't based on this, why just stop at 4%/20 million? Why not 500,000% and 500 trillion? Second is the assumption that high fines can lead companies to shut down. So what? The people in control can just float another one. There are non-falliable legal ways to circumvent that. In other words, no court of law in the world and/or no ammdndments in law can do anything against these measures. I won't divulge these ways, but any good lawyer can help. Third is the clear ambiguity on consequences of false accusations. If a company stands to lose any amount from such accusations, whether it be in fines and/or a dip in share price/loss of goodwill, the false accuser should be fined with the same amount. Fourth, is the part where a data breach occurs due to the negligence of the data subject. Laws as such leads to a scenario where the only option left would be to implant users with NFC microchip authenticators, the controls for which would rest on the users themselves. Let's not forget, these same group of people in the EU were the ones who failed at implementing the previous Data Protection Rules. Who let the blatant misuse of personal data continue? The GDPR would be replaced soon, as the CJEU now says that some companies have baked in the cost of fines in terms of non compliance into their OPEX and a fine might not be the optimal way to stop privacy violations. The basic problem that proponents of such laws, people like Max Schrems had with misuse of personal data was with the government (especially the US government) having access to his personal data. Has the GDPR stopped governments in doing what they were doing? NO. As per GDPR exemptions, any government can process the data of any EU individual, under the pretext of National Safety/Public Benefit. As per GDPR, such situations fall outside the purview of the GDPR and the EU itself. Schrems has been able to do nothing in this regard. It would be funny if the US DOD installs a datacentre right at the EU parliament under the excuse of national safety. What all of these leads to is a situation of corporate rule over a country as it's government. Last but not the least, let's not forget one important fact that history has taught us humans again and again. Laws work good only till the extent of good intentions of the lawmakers. Singapore has a robust system of data protection. Far, far less data breaches than any other nation in the world and the people over there live a lifestyle that's far better than any other country can boast off (with average pension being more than US$ 300k). All while not having huge fines and following a strict rule of capitalism and free market ideology. A country that was a mere fishing village a few decades ago. Politicians over there have understood the necessity of not interfereing into businesses. P.S.- You have my irrevocable and final permission to use my data as you wish. I also willingly forego of my right to request you to do anything with ny data anytime in the future.
[ link to this | view in chronology ]