Favorited EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta by EDPB

This is very good news. The European Data Protection Board, at the request of the Norwegian DPA, has issued a binding decision instructing the Irish DPA and banning the processing of personal data for behavioural targeting by Meta. Meta must cease processing data within two weeks. Norway already concluded a few years ago that adtech is mostly illegal, but European cases based on the 2018 GDPR moved through the system at a glacial pace, in part because of a co-opted and dysfunctional Irish Data Protection Board. Meta’s ‘pay for privacy’ ploy is also torpedoed with this decision. This is grounds for celebration, even if this will likely lead to legal challenges first. And it is grounds for congratulations to NOYB and Max Schrems whose complaints filed the first minute the GDPR enforcement started in 2018 kicked off the process of which this is a result.

…take, within two weeks, final measures regarding Meta Ireland Limited (Meta IE) and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA).

European Data Protection Board

The AdTech industry club has for a long time used a highly irritating pseudo-consent form (you know the kind, it takes one click to give away everything, and a day of clicks to deny consent). Today the good news is that IAB’s ‘Transparency and Consent Framework’ is deemed illegal by the EU data protection authorities, because it is neither transparent nor has any meaningful connection with the word consent. This verdict was to be expected since November last year. This impacts over 1000 companies who as IAB members pay for the privilege of IAB violating the GDPR for them, amongst which Google, Amazon and Microsoft, but also to my surprise Automattic (WordPress), of whom I expect much better.

It should also impact the real time bidding system for adverts (OpenRTB) based on the data involved. This decision isn’t about that real time bidding system, but it does draw welcome attention to “the great risks to the fundamental rights and freedoms of the data subjects posed by OpenRTB, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance”. Which amounts to ‘please bring some complaints about OpenRTB before us asap’.

The decision finds IAB is non-compliant with no less than 11 different GDPR articles. The Belgian DPA called IAB negligent and TCF systematically deficient. IAB must within 2 months provide a plan to reach compliance within at most 6 months. Every day after those two time limits will cost 5000 Euro. A fine of 250.000 Euro is also ordered.

I am grateful to the organisations who brought this complaint, amongst which is the Dutch foundation ‘Bits of Freedom’ which I support financially. The Timelex law office, whom I had the pleasure of closely working with in the past, deserve thanks for their legal assistance in this complaint.

Ceterum censeo AdTech is fundamentally non-compatible with the GDPR, and needs to die.

This is very welcome news. The expansive and irritating ‘consent’ forms that IAB makes available to a wide range of sites are about to be judged in violation of the GDPR by the Belgian DPA.

Three years ago I mentioned here a French verdict that I read as meaning the end of IAB’s approach, but now it seems to be happening for real. Good to see the Timelex law firm involved in this. A decade ago I worked closely with them on European open data topics.

To be clear: AdTech is fundamentally non-compatible with the GDPR, and needs to die.

Amazon has been fined 746 million Euro by the Luxembourg DPA (where Amazon’s EU activities reside). In its response Amazon shows it isn’t willing to publicly acknowledge that it even understands the EU data protection rules.

“There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed,” said an Amazon spokesperson according to Techcrunch.

Those facts are of course undisputed because a data breach or exposure of data to third parties is not a prerequisite for being in breach of GDPR rules. Using the data yourself in ways that aren’t allowed is plenty of reason in itself for fines the size of a few percentage points of your global yearly turnover. In Amazon’s case the fine isn’t even a third of a percentage point of their turnover, so about a day’s worth of turnover for them: they’re being let off pretty lightly actually compared to what is possible under the GDPR.

How Amazon uses the data it collects, not any breach or somesuch, is the actual reason for the complaint by La Quadrature du Net (PDF) filed with the Luxembourg DPA: the complaint “alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.” (emphasis mine)

The complaint and the ruling are laying bare the key fact Amazon and other tech companies aren’t willing to publicly comment upon: adtech in general is in breach of the GDPR.

There is a range of other complaints along these lines being processed by various DPAs in the EU, though for some of those it will be a long wait as e.g. the Irish DPA is working at a snail’s pace w.r.t. complaints against Apple and Facebook. (The slow speed of the Irish DPA is itself now the subject of a complaint.)

Meanwhile two new European laws have been proposed that don’t chime with the current modus operandi of Amazon et al, the Digital Markets Act and the Digital Services Act, which both contain still bigger potential fines than the GDPR for non-compliance w.r.t. e.g. interoperability, service-neutrality, and transparency and accountability measures. And of course there are the European anti-trust charges against Amazon as well.

Amazon will of course appeal, but it can only ever be an attempt to gaslight and gloss over the fundamental conflict between adtech and GDPR. Let’s hope the Luxembourg DPA continues to see through that.

In the past few weeks I came across several links to ‘Nitter’, each on different domains. Nitter, it turns out, is a web front-end to see Twitter without Twitter being able to track you.

It shows you public Twitter pages, after stripping out tracking and JavaScript etc. You can’t log in through it, or see the things that depend on your own Twitter account (like DMs and private lists), nor post through it. It is merely a way to see the Twitter site while wearing surgical gloves.

Twitter has been fighting third party apps for its services because they threaten its tracking and advertising, so it wants to keep you inside its walled garden. Which is why it closely guards who and what has access to its API. Nitter doesn’t use the API, so Twitter doesn’t have its hands on the off-switch.

This is useful for seeing some of the things others link to, like the increasingly annoying habit of tweets being added to ‘journalism’. (“Politician x said something and Twitter wasn’t having it”)

It is also very useful that it provides RSS feeds for all Twitter content (users, #, and search terms).

You can run your own instance, and there are browser plugins that redirect any Twitter link you follow to a Nitter link replacement.

For now I found a Dutch instance (on this list), and will see if adding some RSS feeds through them is workable.


My public Twitter profile seen through Nitter

Stephen Downes makes a good point. As ‘content consumers’ we correctly have the expectation that paying for something does not mean reduced advertising. In no medium is that actually the case, so the web isn’t and won’t be different. The issue of adverts on the web isn’t about ads per se. It’s about ad tech, which needs to die. It’s about web ad intermediaries too, who currently ensure there’s no link between me seeing an ad, the site I’m seeing it on knowing it’s there, and the actual money going to that site. There should however be such a link between the adverts shown on a site and the site knowing that, and the money flowing as directly as possible between advertiser and site. Advert intermediaries (deemed necessary because of their ad tech expertise) purposefully make the connection between me and the medium opaque to all but the advert intermediary. The problem with web ads isn’t ads.