These are likely to be the first shots in a long, grim, regulation war. The payoff may be a better GDPR data protection regime, or a confused mess of case law. The basis of the lawsuits against Facebook and Google appears to be the idea that Facebook and Google “coerce” users in to sharing personal data. This particular raw nerve, much aggravated by the 2016 United States election, is very sore, in many ways. Making it a possible source of money is likely to make it a lot worse.
The current lawsuit, however, has ramifications beyond money. Schrems claims that Facebook and Google, which have created policies for GDPR compliance, haven’t gone far enough, and in effect, don’t comply. Schrems alleges that user consents using click boxes don’t equate to “clear consent”, which is a requirement of the GDPR. Another point being made is that clicking boxes is an “all or nothing” option; not a selective, or particularised, choice.
Another, less impressive, allegation is that users are “forced” to consent to use the service in context with personal data acquisition. That doesn’t quite fly at all, in my opinion. Terms of Service require, rather than force, acceptance of conditions of use. Is specifying that you shouldn’t try to misuse the website coercion, or common sense? Schrems may mean that consents are targeted, or selective, or inadequate, but “force” doesn’t quite cut it.
If you’ve ever worked on an admin board in a botnet attack, and I have, you can’t consider basic TOS and data acquisition as “oppressive”. If it hadn’t been for the data available, I could never have shut down the attack. For all I know, my actions may also have protected other site users from attack, too. Ironically, the site was based in Belgium. So let’s not get too cute about the practical values of some personal data.
Missing the Point?
Maybe, maybe not. It’s possible to go too far in demands for consent formats, too, and meanwhile, exactly what is being proposed as an alternative? A heartfelt text box, crafted lovingly by dewy-eyed users, saying “send me your Facebook notifications, you awful people, you.”, or what? Administratively, a practical consent has to be something which can be applied, not turned in to a piece of string -like philosophical argument.
To be workable, personal data protection needs standards and a range of doable things for users to protect their data.
In fairness to the GDPR, there hasn’t really been much in terms of protection of user data in hard, enforceable form. The regulation, which has as many skeptics as supporters, at least sets a standard.
The skepticism is based on the user dynamics of normal business. Let’s face it; personal data protection isn’t why people do business. It’s a facet, but not the whole story. Personal data protection only becomes an issue when it actually IS an issue. In most countries, privacy is what you consider private.
So consider –
1. How is a company supposed to know that your purchase of a small light globe relates to your sex life, or some other privacy issue?
2. If you publicly and of your own free will express an opinion, is that private?
3. If you look at a lot of ads for houses, should you be inflicted with every known type of human habitation as your standard advertising material on every page you visit?
4. If you’re an obnoxious jerk who helps to make social media the unusable horror that it now is, where and when does your personal data, a tale of fun, no doubt, turn in to a useful way of getting rid of you?
5. OK, you don’t want to see some ads – Thanks to the insane marketing of 24/7 sales to people who don’t care, does your ad usage equate to personal data, or just your desperate attempts to avoid ads or try to get ads relevant to you?
6. How about searches? Most people search areas of special interest, current info needs, and sometimes just follow the links. Personal data? Yes, to a definite degree, but really – If you’re searching 1930s train sets, at what point does this become a serious personal security issue? Should you be sentenced to train set ads forever as a result?
What Could Go Wrong with GDPR Litigation?
If you’re somehow getting the impression that there are both very important and very unimportant elements in personal data, bingo. Any effective regulation (and basic best practice) will make the distinction between “data dandruff”, the incidental, unimportant stuff, and things like medical data, addresses, phone numbers, financial data, etc. The bottom line is that important stuff is high value security, the rest is basically dross.
This is where the really important stuff happens – Security issues and personal data are an unavoidable mix. This type of personal data does have to be protected, GDPR does have the capacity to do some real good, and it’s a pretty positive move.
However, this is also where the problems start. The question of whether consent should be given in a particular form, could blur that distinction. In basic law, identifying personal information is considered private by default. Adding a dimension by specifying consent to personal data usage sounds good, but may have a few ulcers to tag along with it.
The risk here is based on the fact that your online usage also acts as an identifier, and can therefore be considered private. You might have to specifically define what’s private, and consent to specific personal data acquisition and usage.
You can see where the potential train wrecks are coming from. Make the process too complex, and it could go wrong quite easily. Add a healthy dose of bureaucracy, and GDPR could come unstuck on the minutiae, as well as the big issues.
Schrems isn’t being frivolous, or trying to sabotage the theory of personal data privacy. He’s trying to make a point. In a world of nitpickers, though, good intentions may not be enough. Clarifying the consent rules IS a good idea, basically.
Creating any kind of ambiguity regarding consents which are the basis of data protection through case law will definitely NOT be a good idea. With all due respect to both GDPR and Schrems, can we stick to the point, please? What’s doable is the issue. Let’s not get too picky about anything which might create an unworkable consent format, or worse, a consent format which the online companies might actively resist because it’s too expensive, bureaucratic, or whatever.
