Over the years I have linked to many books from this blog, usually to an Amazon page with an affilliate link. In the early days (2003-2004) of such affilliate links I made 70 USD at one time, and then nothing. Over time linking to Amazon, links that included a tracking pixel for years, became less helpful for readers to find books, and more helpful for Amazon to track readers.

I stopped linking to Amazon last year April, but this blog still held the links I previously made. When I deleted my Amazon affilliate account they gave me a gift card with the outstanding balance: 35 cents. They still got their tracking on the links I used here though, so those links needed to go. Removing such links isn’t much work, but I wanted to maintain the usefulness of my postings, by linking to an author’s homepages, Wikipedia entries, as well as to the publisher’s page, Wikipedia page, Internet Archive or Open Library page for their books. That work does cost time, and is now finished. I no longer link to Amazon on this blog anywhere (nor Amazon’s Goodreads), and no Amazon tracking pixels remain.

I do still buy e-books from Amazon, although that too is ever so slowly shifting to other sources (directly from publishers for instance). It’s just that I no longer send any website visitor’s data their way as well.

Early last year I wrote about how I don’t track you here, but others might. Third party sites whose content I re-use here by embedding them have the ability to track you to a certain extent. Earlier I already stopped using Slideshare and Scribd completely as a consequence, self-hosting my slide decks from now on.

For photos and videos the story is slightly different. Where it’s not essential that a video can be viewed inside my posting, I simply link to it with a screenshot, thus avoiding that YouTube or Vimeo tracks you on my page. In other cases I still embed the video.

For images I have been using Flickr since 2005. Back then uploading images to my hosting account quickly depleted the available storage space, and Flickr always was a good way to avoid that. I have and am a paying customer of Flickr, even through the years it was also available for free. Flickr is my online third place storage of images (now over 26k), as well as the place where I share those images for others to freely re-use (under Creative Commons licenses).

Embedding my Flickr photos here provides them with the opportunity to track views to the embedded images. The 2005 scarcity in storage space on my web host package is no longer a concern, whereas reducing readers’ exposure to tracking in whatever shape has become more important.

So from the start of the summer vacation I have stopped using Flickr embeds, and all images are and will be hosted on my webserver. The images do link to their counterparts on Flickr. In the case of my own images to point to re-usable versions of the photo, and the rest of my images. In the case of other people’s images I re-use to point to the source and its author. As before I will keep using Flickr to store and share photos.

Over the almost two decades of blogging I’ve embedded hundreds of images from Flickr, and I haven’t replaced those yet. Over time I will. It will become part of my daily routine of checking old postings made on the same day as today.

It makes ‘I don’t track you (but others here might)’ tilt some more towards ‘I don’t track you’ period.

The Irish Data Protection Authority (DPA), has issued a decision on a 2018 investigation into WhatsApps data processing. It concerned at first glance two aspects, one the uploading of WhatsApp user’s contact lists, and the retention of non-user (hashed) phone numbers, as well as the information exchange between WhatsApp and its parent company Facebook. WhatsApp argued they were not a data controller in this case, but their users were, and they were merely processing data, but that defense failed. (I think the language used by WhatsApp itself, the word ‘user’, gives away the actual locus of power quite clearly.)

The An Coimisiúm um Chosaint Sonraí, Irish Data Protection Commission, issued a fine of 225 million Euro’s. This seems right up there at the top of the potential fine range of 4% of global turnover in the last year (2020).

It is good to see the Irish DPA finally coming down with a decision. With enforcement of the GDPR starting mid 2018, a range of complaints and investigations landed on the Irish DPA’s plate, as several large tech companies maintain their EU presence in Ireland. The slow pace of the Irish DPA in handling these complaints has been itself a source of complaints. With this decision on the WhatsApp investigation there now finally is some visible movement.

Also see the earlier announcement concerning Amazon receiving a 746 million fine from the Luxembourg DPA.

In response to my question about overviews of GDPR decisions across the EU, GDPR Hub was mentioned, a project by noyb. noyb is the initiave of Max Schrems, a leading voice in ensuring GDPR enforcement by bringing cases against e.g. BigTech. I decided to become a nyob supporting member, and applied to volunteer for processing Dutch DPA and court decisions to be added to the GDPR Hub. A business colleague does something similar for market related court cases across the EU, and I see what value such a pan-EU resource has. Having a good and thorough overview of GDPR related decisions helps citizens to better argue their own cases where companies breach the GDPR. This makes it a source of agency, enabled by working together to ensure we all have the same information.

Amazon has been fined 746 million Euro by the Luxembourg DPA (where Amazon’s EU activities reside). In its response Amazon shows it isn’t willing to publicly acknowledge to even understand the EU data protection rules.

There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed., said an Amazon spokesperson according to Techcrunch.

Those facts are of course undisputed because a data breach or exposure of data to third parties is not a prerequisite for being in breach of GDPR rules. Using the data yourself in ways that aren’t allowed is plenty reason in itself for fines the size of a few percentage points of your global yearly turnover. In Amazon’s case the fine isn’t even a third of a percentage point of their turnover, so about a day’s worth of turnover for them: they’re being let-off pretty lightly actually compared to what is possible under the GDPR.

How Amazon uses the data it collects, not any breach or somesuch, is the actual reason for the complaint by La Quadrature du Net (PDF) filed with the Luxembourg DPA: the complaint “alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.” (emphasis mine)

The complaint and the ruling are laying bare the key fact Amazon and other tech companies aren’t willing to publicly comment upon: adtech in general is in breach of the GDPR.

There are a range of other complaints along these lines being processed by various DPA’s in the EU, though for some of those it will be a long wait as e.g. the Irish DPA is working at a snail’s pace w.r.t. complaints against Apple and Facebook. (The slow speed of the Irish DPA is itself now the subject of a complaint.)

Meanwhile two new European laws have been proposed that don’t chime with the current modus operandi of Amazon et al, the Digital Markets Act and the Digital Services Act, which both contain still bigger potential fines than the GDPR for non-compliance w.r.t. e.g. interoperability, service-neutrality, and transparency and accountability measures. And of course there are the European anti-trust charges against Amazon as well.

Amazon will of course appeal, but it can only ever be an attempt to gaslight and gloss over the fundamental conflict between adtech and GDPR. Let’s hope the Luxembourg DPA continues to see through that.

My first reading of the yet to be published EU Regulation on the European Approach for Artificial Intelligence, based on a leaked version, I find pretty good. A logical approach, laid out in the 92 recitals preceding the articles, based on risk assessment, where erosion of human and citizen rights or risk to key infrastructure and services and product safety is deemed high risk by definition. High risk means more strict conditions, following some of the building blocks of the GDPR, also when it comes to governance and penalties. Those conditions are tied to being allowed to put a product on the market, and are tied to how they perform in practice (not just how they’re intended). I find that an elegant combination, risk assessment based on citizen rights and critical systems, and connected to well-worn mechanisms of market access and market monitoring. It places those conditions on both producers and users, as well as other parties involved along the supply chain. The EU approach to data and AI align well this way it seems, and express the European geopolitical proposition concerning data and AI, centered on civic rights, into codified law. That codification, like the GDPR, is how the EU exports its norms to elsewhere.

The text should be published soon by the EC, and I’ll try a write-up in more detail then.