Favorited EDPB Urgent Binding Decision on processing of personal data for behavioural advertising by Meta by EDPB

This is very good news. The European Data Protection Board, at the request of the Norwegian DPA, has issued a binding decision instructing the Irish DPA and banning the processing of personal data for behavioural targeting by Meta. Meta must cease processing data within two weeks. Norway already concluded a few years ago that adtech is mostly illegal, but European cases based on the 2018 GDPR moved through the system at a glacial pace, in part because of a co-opted and dysfunctional Irish Data Protection Board. Meta’s ‘pay for privacy‘ ploy is also torpedoed with this decision. This is grounds for celebration, even if this will likely lead to legal challenges first. And it is grounds for congratulations to NOYB and Max Schrems whose complaints filed the first minute the GDPR enforcement started in 2018 kicked of the process of which this is a result.

…take, within two weeks, final measures regarding Meta Ireland Limited (Meta IE) and to impose a ban on the processing of personal data for behavioural advertising on the legal bases of contract and legitimate interest across the entire European Economic Area (EEA).

European Data Protection Board

Bookmarked 1.2 billion euro fine for Facebook as a result of EDPB binding decision (by European Data Protection Board)

Finally a complaint against Facebook w.r.t. the GDPR has been judged by the Irish Data Protection Authority. This after the EDPB instructed the Irish DPA to do so in a binding decision (PDF) in April. The Irish DPA has been extremely slow in cases against big tech companies, to the point where they became co-opted by Facebook in trying to convince the other European DPA’s to fundamentally undermine the GDPR. The fine is still mild compared to what was possible, but still the largest in the GDPR’s history at 1.2 billion Euro. Facebook is also instructed to bring their operations in line with the GDPR, e.g. by ensuring data from EU based users is only stored and processed in the EU. This as there is no current way of ensuring GDPR compliance if any data gets transferred to the USA in the absence of an adequacy agreement between the EU and the US government.

A predictable response by FB is a threat to withdraw from the EU market. This would be welcome imo in cleaning up public discourse and battling disinformation, but is very unlikely to happen. The EU is Meta’s biggest market after their home market the US. I’d rather see FB finally realise that their current adtech models are not possible under the GDPR and find a way of using the GDPR like it is meant to: a quality assurance tool, under which you can do almost anything, provided you arrange what needs to be arranged up front and during your business operation.

This fine … was imposed for Meta’s transfers of personal data to the U.S. on the basis of standard contractual clauses (SCCs) since 16 July 2020. Furthermore, Meta has been ordered to bring its data transfers into compliance with the GDPR.


Favorited Rocket.Chat Leverages The Matrix Protocol for Decentralized and Interoperable Communications (Rocket.chat press release 25-05-2022)

This press release by Rocket.chat is interesting to me for several reasons, despite it being written in marketing speak as press releases tend to do.

  • My company uses a self-hosted Rocket.chat instance for internal communication since 2019, for reasons of information hygiene.
  • It positions Matrix as the way of bringing federation and interoperability to Rocket.chat.
  • It leads with e-mail’s SMTP protocol as a useful example of federation.
  • It cites the interoperability requirements for chat that the EU Digital Markets Act requires as evidence that there’s a growing market need for both openness and data control in inter-company collaboration.
  • It states “Big Tech may say that this cross-communication isn’t technically feasible, but Matrix and others prove” otherwise.
  • With those statements it’s directly speaking against the gaslighting Meta did earlier about the EU Digital Markets Act

It seems to me even before its adoption the Digital Markets Act is showing signs of working as intended: breaking monopolistic behaviour by demanding a.o. interoperability.

HT Stephen Downes.

The Rocket.Chat adoption of Matrix makes it simple for organizations to easily connect with external parties, whether they’re using Rocket.Chat or any other Matrix compatible platform. This initiative is another step forward on Rocket.Chat’s journey to let every conversation flow without compromise and enable full interoperability with its ecosystem….The importance of openness and data control in inter-company collaboration is growing. The European Union’s recent Digital Markets Act to limit the market power of large online chat and messaging platforms is evidence of this need.

Rocket.chat press release

Wired talks about the potential consequences of the EU Digital Markets Act which will enter into force later this year. It requires amongst others interoperability between messenger services by so-called tech ‘gatekeepers’ (Google, Apple, Facebook/Meta etc). The stance taken is that such interoperability is bad for end-to-end encryption. Wired uncritically accepts the industry’s response to a law that is addressing Big Tech’s monopolistic and competivity problems by regulating lock-in. Wired even goes hyperbolic by using ‘Doomed To Fail’ in the title of the piece. What stands out to me is WhatsApp (Facebook/Meta) gaslighting with the following:

“Changes of this complexity risk turning a competitive and innovative industry into SMS or email, which is not secure and full of spam,”

Will Cathcart, Meta’s head of WhatsApp, gaslighting the public about the DMA.

A competitive and innovative industry you say? Incapable of dealing with a mere rule change that just happens to break your monopolistic chokehold on your customers, you say? Nice dig towards e-mail and SMS too.

Meanwhile the non-profit Matrix has scoped out ways forward. Not easy, but also not impossible for the innovation and competivity inclined, as per the previous boasts of the competitive and innovative.

It reminds me of a session I with colleagues once had years ago with most providers of route navigation services, where it was about opening up real time traffic and road information by the Dutch government, specifically changes to roads. The big navigation providers, both of the consumer products, as well as the in-car providers, generally struggled with anything that would lead to more frequent changes in the underlying maps (adding stuff to dynamic layers on top of a map is easier, changing the map layer is harder). It would mess up their update cycles because of months long lead times for updates, and the tendency of the general public to only sporadically update their maps. This is the reason you still come across traffic signs saying ‘situation changed, switch off navigation’, because of your navigation provider’s ‘competitive and innovative’ attitude towards change.

There was one party in the room who already was able to process such deeper changes at whatever frequency. It wasn’t a ‘gatekeeper’ in that context of course but a challenger. It was the non-profit in the room, Open Street Map. Where changes are immediately rolled out to all users and services. Where interoperability is built in since the start.

“Situation changed, navigation on”, the type of response you’d expect instead of the usual ‘situation changed, navigation off’. This photo taken in 2016 or 2017 in Leeuwarden, where I’ve been working on open data. Image Ton Zijlstra, license CC BY NC SA

(The EU DMA is part of a much wider package of regulation, including the GDPR, expressing a geopolitical position w.r.t. everything digital and data.)
(I’m looking forward to the fits thrown when they close read the Data Act, where any consumer has the right of access to all data created through their use of a product of service, and can assign third parties to share it with. PSD2-for-everything, in short)

There are many companies named Meta, Opencorporates lists 8890 of them, about a third of them in the USA, and a handful named Meta Company. Interestingly the one doing the rounds the past few days with an ‘open letter‘ decrying Facebook’s behaviour in trying to wrest their name and domains from them, isn’t among them: Meta.Company. Nick Stulic, signing as founder, has no Google search results alongside the name Meta but without Facebook, and also has almost no online traces for the name only. Quite a feat in itself, but it raises questions in this context. There’s no Linkedin Profile for the name, the social media accounts have been created last month, and the domain has no archive traces earlier than this month. The logo above the letter has no results on tineye.com.

True, Open Corporates does not seem to hold US companies from Chicago/Illinois, where this one says to originate. Searching for the Meta company name in Chicago does surface a local fintech company that had an angel investment round last year. They used a different domain, metacash.io (now for sale), and name a different founder. There is a Nick Stulic, who coded in python some years back it seems. The domain meta.company was registered in 2014.

But there is nothing about what the company actually does in the letter, nor is there anything but that letter on its website. The named legal offices exist but don’t pertain to the company, but to the suggested FB actions.

The ‘open letter’ precisely boosts a notion about FB that seems to fit perfectly, and that many will want to believe. But I’ll put this one in the stack marked fake.