Bookmarked 1.2 billion euro fine for Facebook as a result of EDPB binding decision (by European Data Protection Board)

Finally a complaint against Facebook w.r.t. the GDPR has been judged by the Irish Data Protection Authority. This after the EDPB instructed the Irish DPA to do so in a binding decision (PDF) in April. The Irish DPA has been extremely slow in cases against big tech companies, to the point where they became co-opted by Facebook in trying to convince the other European DPA’s to fundamentally undermine the GDPR. The fine is still mild compared to what was possible, but still the largest in the GDPR’s history at 1.2 billion Euro. Facebook is also instructed to bring their operations in line with the GDPR, e.g. by ensuring data from EU based users is only stored and processed in the EU. This as there is no current way of ensuring GDPR compliance if any data gets transferred to the USA in the absence of an adequacy agreement between the EU and the US government.

A predictable response by FB is a threat to withdraw from the EU market. This would be welcome imo in cleaning up public discourse and battling disinformation, but is very unlikely to happen. The EU is Meta’s biggest market after their home market the US. I’d rather see FB finally realise that their current adtech models are not possible under the GDPR and find a way of using the GDPR like it is meant to: a quality assurance tool, under which you can do almost anything, provided you arrange what needs to be arranged up front and during your business operation.

This fine … was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020. Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR.

EDPB

This looks like a very welcome development: The European Commission (EC) is to ask for status updates of all international GDPR cases with all the Member State Data Protection Authorities (DPAs) every other month. This in response to a formal complaint by the Irish Council for Civil Liberties starting in 2021 about the footdragging of the Irish DPA in their investigations of BigTech cases (which mostly have their EU activities domiciled in Ireland).

The GDPR, the EU’s data protection regulation, has been in force since mid 2018. Since then many cases have been progressing extremely slowly. To a large extent because it seems that Ireland’s DPA has been the subject of regulatory capture by BigTech, up to the point where it is defying direct instructions by the EU data protection board and taking an outside position relative to all other European DPA’s.

With bi-monthly status updates of ongoing specific cases from now being requested by the EC of each Member State, this is a step up from the multi-year self-reporting by MS that usually is done to determine potential infringements. This should have an impact on the consistency with which the GDPR gets applied, and above all on ensuring cases are being resolved at adequate speed. The glacial pace of bigger cases risks eroding confidence in the GDPR especially if smaller cases do get dealt with (the local butcher getting fined for sloppy marketing, while Facebook makes billions of person-targeted ads without people’s consent).

So kudos to ICCL for filing the complaint and working with the EU Ombudsman on this, and to the EC for taking it as an opportunity to much more closely monitor GDPR enforcement.

De Nederlandse overheid gaat mogelijk van Facebook af. In Duitsland is het overheidsgebruik van Facebook door de Duitse autoriteit persoonsgegevens stilgelegd in 2021, omdat Meta zich (uiteraard) niet aan de AVG houdt. De AP doet dat soort uitspraken sinds 2018 niet meer zelf, omdat Facebook in Ierland is gevestigd. De Duitse instantie heeft dat soort consideratie niet, en gaat uit van een eigen verantwoordelijkheid. In plaats van veel te lang wachten op een Iers oordeel over Facebook, steekt ze de hand in eigen boezem en stelt dat de eigen overheid in ieder geval niet aan de eigen AVG verplichtingen kan voldoen door Facebook pages te hebben.

Staatssecretaris van Digitalisering Alexandra van Huffelen bereidt nu mogelijk een besluit voor langs dezelfde lijnen. Terecht lijkt me. Meta houdt zich zelf niet aan de AVG, en bovendien is de algemene uitwisseling van Europese persoonsgegevens met de VS geheel niet juridisch gedekt op dit moment.

De overheid moet zelf het goede voorbeeld geven bij online interactie met burgers en de omgang met eigen gegevens. Dit geldt voor Meta, voor Twitter, maar ook voor cloud diensten en de Microsoft lock-in waar de overheid zich grotendeels in bevindt. Facebook zelf niet meer gebruiken is een bescheiden eerste signaal, dat al verrassend lastig lijkt voor de overheid om helder af te geven.

Ik hoop dat de staatssecretaris de knoop snel doorhakt.

Ein datenschutzkonformer Betrieb einer Facebook-Fanpage sei nicht möglich, schrieb Kelber in einem Brief an alle Bundesministerien und obersten Bundesbehörden.

Bundesdatenschutzbeauftragte

The Bavarian state court in Munich, Germany, on 20 January 2022, decided that using Google fonts in your site breaches the GDPR. This because:

  • it discloses your (dynamic) IP address, a person identifiable datum, to Google when you visit a site that uses their fonts,
  • disclosing your IP address can’t be motivated as necessary as these fonts can be used without establishing a connection between a website visitor and Google’s servers, (and visitor consent wasn’t sought by website owner)
  • as Google is known to actively track users, sending the IP address to Google means a loss of control over personal data by the website visitor,
  • in this case resulting in discomfort for plaintiff such that the website owner as defendant is ordered to
    • stop sending visitor’s IP addresses to Google for their fonts, or face up to 250.000 Euro or 6 months imprisonment for each visit to defendant’s websites by the plaintiff,
    • pay plaintiff 100 Euro compensation plus interest since the filing of the case.

In other words, now is the time to start hosting Google fonts locally on your webserver, and to quit providing your visitor’s IP addresses to Google with each visit to your site. I don’t use G’s fonts on this site, and generally block them in my browser. We are in the process of revamping our company website, and will ensure we will no longer load Google fonts remotely from now on.

The spam about GDPR and CCPA I received last week, turns out to be part of a study by the US based Princeton university, with one of the researchers recently having joined the Dutch Radboud University. The more recently sent out mails apparantly had a link to the project page added, I assume in light of feedback received, which then was shared in my Mastodon timeline by someone who as a Mastodon moderator had received these mails.

I sent a mail to the research team explaining my complaint about the mails I received. I also approached the Radboud University’s Digital Security (RU DiS) research group where one of the researchers works, and filed a complaint there.
In the past few days I’ve had e-mail exchanges with the research team, as well as with the RU DiS department head. All those I approached have been very responsive and willing to provide information, which I very much appreciate.

That doesn’t make the mails I received ok though. The research team itself may have come to the same notion, as they informed me they’ve stopped sending out new mails for now. They are also working to add have added a FAQ to the project page. [UPDATE 2021-12-19 Jonathan Mayer, the Principal Investigator in this Princeton research project has now issued an apology. These are welcome words.]

On the research

The research project is interested in how companies have set up their process for responding to requests for data access under the European general data protection regulation (GDPR) and the California Consumer Privacy Act (CCPA). They also intended these requests for organisations who don’t a priori fall within scope of those acts. Both acts are intended to set a norm for those not covered by it. The GDPR is written to export the EU’s norms for data protection to the rest of the world, and the CCPA is set up to encourage companies not active in California to follow its rules regardless. So far I have no issues.

How I ended up in the list of sites approached

My blog is a personal website, so it falls outside of the declared scope of the study (companies). It can’t fall under the CCPA, as it only applies to businesses (that do business in California, with a certain turnover, or selling data). It is less clear if it falls under the GDPR: In my reading of the GDPR it doesn’t, but at the same time have written a personal data protection policy as if it does (out of professional interest). So how did I end up in Princeton’s list of site owners to approach? In my conversation with one of the researchers they indicated that the list of sites to approach was a selection taken out of the Tranco list. That list combines the results from various lists of the 1 million most popular websites. Such as Alexa (soon to be discontinued), Cisco Umbrella, and Majestic Million. My URL is in both the Alexa and the Majectic list. Cisco’s list looks at DNS requests for domains on their hardware, and unsurprisingly I’m not in their current list as it is based on today’s web traffic. The Majestic list seems to use backlinks to a site as a ranking factor. This favors old websites, as they build up a sediment of such backlinks over time. Such as weblogs that are some 20 years old, such as mine. Unsurprising then that blogs like Dave‘s, David‘s, and those of longtime blogging friends feature in the list. In the graph below you see my and their blogs as they rank in the Tranco list.


The relative positions of the blogs of several old time blogging friends and myself in the Tranco list of over 1 million sites.

That I might be on the long list when the Tranco list is used makes sense. However the research group says they used filtering and categorisation to then select the websites to approach. A meaningful selection seems less likely, given that they approached personal sites like mine (and judging by other sites approached as apparent from other online comments on the mails sent).

Still it’s wrong

The research was designed by Princeton’s computer science department, and was discussed with Princeton’s Institutional Review Board (IRB) they say. During this process the team ‘extensively discussed potential risks of our study, and took measures to minimize undue burden on websites, especially websites with less traffic and resources’.
The IRB concluded the research doesn’t constitute human subject research. True, from a design perspective, but as shown by me as a private individual receiving their e-mails not true in practice. Better determination of which sites to approach and not to approach would have been needed for that.

The e-mails sent out for this study are also worryingly problematic in two aspects:
First they pretend to be actual e-mails by individuals, nowhere is made clear it’s research. On top of that the names used for these individuals are clearly fake, and the domains from which e-mails were sent also easily raise suspicion. Furthermore the request lacks any context, an individual with a real request would never use a generic text or use the domain name and not the actual name of a website. This makes it unclear to recipients what the very purpose of the e-mails is. This is not only true for individuals or e.g. small non-profits, this is confusing and suspicious to every recipient even if they had limited their inquiries to major corporations. I’m sure that negatively impacts the results, and thus the validity of conclusions. It also means many recipients will have spent time evaluating, or worse bringing in advice, on how to deal with these suspicious looking requests.

Second the wording of the e-mail makes it worse. The mails have a legalese ring to them (e.g. stating it is not a formal data access request at this time though it might still follow, another thing a real individual would not phrase like that). What is worse each mail suggests a legal threat at the end. They say that a response is required within a month based on Article 12 of the GDPR, or within 45 days based on Section 1798.130 of the California Civil Code. Both those statements are lies. Art 12 GDPR sets a response deadline for data access requests, which this mail emphasises it is not, and the same is true for the California Civil Code.

It’s exactly this wording, with false legal threats, and lacking any context to evaluate what the purpose of the e-mails is, that makes people worry, spend time or even money figuring out what they might be exposed to. As an individual I concluded to ignore the mails, others didn’t, but would you if you are a small non-profit, or other business that does not have the inhouse legal knowledge to deal with this? Precisely those who have some knowledge about the GDPR or CCPA but not enough to be fully sure of themselves will spend unnecessary time on these requests. Princeton is thus externalising a burden and cost on website owners. Falsifying the very thing Princeton states about aiming to “minimize undue burden on websites“. Using the word websites obfuscates that every mail will have to be answered by a real person. They could have just mailed me asking me straight up for their research if I have a process for the GDPR in place. I would have replied to them and be done with it.

Filed complaint

Originally I had filed a complaint with the Digital Security research team at Radboud University, as they are named as partners in the study. Yesterday I withdrew my complaint with them, as they weren’t part of the study design, just have recently hired one of the researchers involved. Nevertheless they informed me they have alerted their own ethics board about this, to take lessons from it w.r.t guidelines and good practices, even as the head of department said to me it is now too late to prevent damage. At the same time he wrote, they cannot let it pass because “Even if privacy researchers do these projects with the best of intentions, it doesn’t mean they aren’t required to set them up well”.
It also means that I will refile my complaint with Princeton’s Review Board. Meanwhile this has spilled out online (it’s what you get if you target the 1 million most popular websites…), and I am not the only one filing a complaint judging by the responses of a tonedeaf tweet by one of the researchers.

Others blogging about this study:
Questions About GDPR Data Access Process Spam from Virginia
Free Radical: CCPA Scam
What’s the deal with those weird GDPR emails?
I Was Part of a Human Subject Research Study Without My Consent

December always seems to be the season of increased and novel forms of email spam in my inbox. As if they’re hoping my spam filters will take time off, or something.

This year’s personal novelty in my inbox is what seems a trolling attempt w.r.t. the EU data protection regulation (GDPR) and the similar Californian consumer privacy act (CCPA).

Yesterday I received an email titled “Questions About GDPR Data Access Process for zylstra.org” sent from an address that has left no previous online search traces, and for which the domain name was first registered in March 2021. The sender’s domain envoiemail.fr looks set up specifically for this. The name used seems fake (no one in the world has that name if I’m to believe Google, LinkedIn et al).

The mail reads:

To Whom It May Concern:

My name is … , and I am a resident of Paris, France. I have a few questions about your process for responding to General Data Protection Regulation (GDPR) data access requests:

Do you process GDPR data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
What personal information do I have to submit for you to verify and process a GDPR data access request?
What information do you provide in response to a GDPR data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing GDPR requests regarding zylstra.org, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within one month of this email, as required by Article 12 of GDPR.

Sincerely,

That last bit about Article 12 and having a month to reply, seems ominous but in my reading of the GDPR only concerns actual data access requests.

When I received that mail it appeared fake to me, mostly because it’s boilerplate text without context about me as the receiver and using the domain name as some sort of organisation name. I replied nonetheless, which I probably shouldn’t have, with a single line message that my private website doesn’t fall within scope of the GDPR. I do have a GDPR policy page out of professional interest in the subject matter.

Then today I received another mail. This time concerning the Californian Consumer Privacy Act (CCPA), which is a data protection act modelled on the EU GDPR. The text was the same, the name used was different but also fake / trace-less online, the sender’s domain name (potomacmail.com) was registered in March 2020 and like the previous one pretends to be an e-mail service (but one whose online traces are all blogposts like mine outing it as some sort of scam attempt). The mail reads the same as the first one:

To Whom It May Concern:

My name is …, and I am a resident of Norfolk, Virginia. I have a few questions about your process for responding to California Consumer Privacy Act (CCPA) data access requests:

Would you process a CCPA data access request from me even though I am not a resident of California?
Do you process CCPA data access requests via email, a website, or telephone? If via a website, what is the URL I should go to?
What personal information do I have to submit for you to verify and process a CCPA data access request?
What information do you provide in response to a CCPA data access request?

To be clear, I am not submitting a data access request at this time. My questions are about your process for when I do submit a request.

Thank you in advance for your answers to these questions. If there is a better contact for processing CCPA requests regarding zylstra.org, I kindly ask that you forward my request to them.

I look forward to your reply without undue delay and at most within 45 days of this email, as required by Section 1798.130 of the California Civil Code.

Sincerely,

….

Needless to say, this blog is not within scope of the CCPA.

Both domain names used, envoiemail.fr and potomacmail.com show the same message if you visit the domains. Judging by the mail headers they use Amazon simple e-mail services.

What would be the purpose of such spam messages. The blogpost I linked to says there was a tracking pixel in the mail they received but I don’t see that in my mail’s source. The hard thing is I now have to wait 30 and 45 days according to these mails to see if there’s a follow-up. 😉