Sooo, I just clicked through the link to this article on MPs slamming @ICOnews for not enforcing the GDPR against the UK government.

It IS a problem, @ICOnews and other DPAs not doing their job.

(A thread)
wired.co.uk/article/ico-da…
You know where the @ICOnews has also decided not to do its job?

#adtech

ico.org.uk/about-the-ico/…
Which is interesting, because this is the Conde Nast cookie notice I had to work through before I could even access the article about the MP complaint mentioned above.

Let's take a look, shall we?
As a reminder, with very few exceptions the use of cookies requires informed consent signified by an affirmative step (opt-in). Also, controllers must not “bundle” consents for processing that is necessary to perform a contract, with consents for processing that is not.
Does this cookie notice comply with these requirements? [snorts sarcastically]
It starts promising. This is the default on “strictly necessary” and “performance” cookies. The former (probably covered by an exception) are “always on”, while the latter are on by default. If no change is made, this is taken as user consent. Where is the “affirmative step”?
These are the consents for a bunch of other cookies that are clearly not covered by the exemptions. They are off by default, which is good.
Although, if I had taken the easy route and just clicked away the original cookie notice rather than being a pesky nerd, I would presumably have accepted them all in one go. The calculation here is my convenience v my protection.
Convenience here too, because the “Allow all” button is right at the top, in bright blue for everyone to see, while the “Confirm your settings” option is at the bottom (of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’).
Next we are looking at a bunch of “legitimate interest” purposes. These are curious, because I can object to them, as the GDPR requires, but I don’t know quite how to.

On the right side are the same sliders I used for my cookie consent, but do I switch them on or off to object?
Questions, questions...

But actually, let's try tapping on the “Object to legitimate interests” box itself and see what happens.
Oh look! It seems like THAT’S the way to do it. Or is it? Because the sliders on the right don’t change at all. So what are they there for? Have I properly objected now?
OK, but let's assume we’ve switched everything off now.

Only we haven’t, because right at the bottom is this new fresh hell: the info about cookies set by so-called “IAB vendors”. Which is shorthand for the myriad of ad networks that have access to the page.
And guess what, not all of those can be switched off. Among the ones that are “Always active” is the right of those vendors to “Match and combine offline data sources” with your online activity “in support of one or more purposes”. Which sources? What purposes? I have no idea.
I teach data protection law at a Russell Group University and I have worked in this area in HE and as a practicing solicitor for over 15 years. I have written more privacy policies, both for individual clients and as templates for law firms, than you can shake a stick at.
But after I just went through this notice, I have no idea which permissions I have just granted and which I have denied. What processing I have objected to and what I let stand. And if someone like me cannot know this, what chance does anybody else have?
This notice is a prime example of how irregular patterns and contradictory choices can be used to confuse even those of us who take the time to adjust privacy settings (and who know a little bit about this) into making choices that we never meant to make.
This is on top of the fact that some of those choices are denied us in fairly clear contravention of existing law. Enforcing the law in these circumstances should be a doddle. But it isn’t because the regulator has decided that it is not worth their time right now to do that.
.@ICOnews’s historical inclination to “work with controllers in an advisory capacity” rather than take actual steps to stop them from breaking the law has long led to its complete capture by an industry that is just not willing to face the fact ...
... that its business model is incompatible with the protection of data subjects’ fundamental rights.

We also see this “cosying up” process with @DPCIreland, which - even after two CJEU decisions - is still reluctant to take on Facebook.
noyb.eu/en/dpc-has-no-…
All kudos to @maxschrems and @NOYBeu, btw, for sticking with it and being a perpetual thorn in @DPCIreland’s side.
But while all of this is playing out, the adtech industry is allowed to put together large dossiers about everybody’s online behaviour, interests and preferences that can not only be used by them to manipulate our every decision, whether commercial, social or political, ...
... but that also, by virtue of their mere existence, create unwholesome desires in other entities, including law enforcement, national security, public health, researchers and anyone calling themselves “innovators”. Because “if the data is already there”, why not use it?
The GDPR was a massive step in the right direction to prevent a potential future that we have so far only seen in dystopian YA novels (@doctorow’s “Little Brother” springs to mind).

But the buck ultimately stops with the regulator.
So, if DPAs like @iconews or @DPCIreland do not do their job, the best data protection framework in the world is going to be useless. The question, therefore, is not so much “who guards the guardians”, but how do we get the effing guardians to guard us?