Council proposal for the EU ePrivacy regulation:
data.consilium.europa.eu/doc/document/S…

This, brought to you by publisher lobbyists, is bad:
And this looks unclear and/or just broken.

What is an "equivalent offer"? Would this allow "tracking or pay"?

The other recital basically doesn't say anything, does it?

("consent directly expressed by an end-user should always prevail")
If so then bad. I want people to pay for content and quality journalism, but "tracking or pay" is unacceptable. Those who cannot afford to pay for myriads of subscriptions would continue being exposed to tracking. Acceptable: "non-intrusive ads or pay".
Generally, I lost track of the ePrivacy negotiations in recent years, unfortunately. I guess it would be a full-time job.

Anyway, I'm worried about the many occurrences of 'pseudonymization' as a safeguard.

And of course, articles 6 and 8 are key:
So, communications metadata can be further processed for 'compatible' purposes other than the purposes it was initially collected for if there is "any link" between them, plus some considerations about the context, plus pseudonymization? And profiling is ok if no 'legal effects'?
I hope the European Parliament will fight hard in the Trilogue negotiations.
I'd be willing to accept limited comms metadata analytics for specific limited purposes at aggregate levels in order to avoid high-frequency consent requests in certain cases.

But the industry will exploit every tiny little loophole, and I'm afraid the proposal contains several.
Did I ever mention that I am not a fan of mixing

- scientific research in the public interest
- research for commercial interests
- statistical purposes in general

...into one?
And what's that?

Do I get this right that this would mean that third-party network/cybersecurity/fraud prevention firms such as ThreatMetrix and Iovation, as well as CDNs, would be completely EXEMPT from ePrivacy?

When did this enter the Council's ePrivacy proposals?
There's a provision that requires measures that aim to ensure security etc to be "proportionate" and "performed in the least intrusive manner", which is VERY important.

But what if you're exempt from ePrivacy?
Even if exempt from ePrivacy, personal data processing is still subject to the GDPR, I know.

But I think it's crucial to make clear that data processing for network security and fraud prevention must be 'proportionate' and 'performed in the least intrusive manner' in ePrivacy.
Why? Just take a look at ThreatMetrix, only one of many vendors in the space:
"I tracked all relevant ePrivacy events since 2016. I also directly participated in the works as an expert ... The EP version is best for privacy, while the Council one is the weaker one, and even self-inconsistent in certain places, which is worrying"

More from @WolfieChristl

9 Feb
Antitrust probes against Google data/advertising empire are much needed and very worthy. They bring light into the dark, but the conclusions are often a two-edged sword.

The Australian regulator seeks submissions for proposals that would increase data sharing with third parties.
The ACCC also seeks submissions for proposals to regulate Google's internal data sharing, from prohibiting certain data uses to purpose limitation...

This would also decrease Google's data advantage, and in my opinion this is the way to go, of course.
Very similar issues in the UK/CMA report:
7 Feb
The CFPB "is preparing to change its rules on financial data, and a battle is brewing between existing financial institutions that control it, such as banks, and the upstart fintechs looking to unlock this data"

Fintechs want better financial data access:
protocol.com/cfpb-banks-fin…
"The fintech companies argue that this data belongs to consumers and they should be able to share it with whichever app or company they want"

Translation:

"This data belongs not only to banks and credit unions, but also to us, the fintechs. We want to exploit it, too"
Are traditional financial institutions exploiting financial data for business purposes? I'm sure they do.

Is it necessarily better if a wide range of fintech companies and apps are also able to exploit it, perhaps in even more invasive and problematic ways? Not sure.
6 Feb
RTL Group, a large European media company majority-owned by Bertelsmann, sells its US adtech subsidiary SpotX, yet keeps operating its EU subsidiary Smartclip.

Both SpotX and Smartclip engage in large-scale personal data processing and digital profiling.
rtlgroup.com/en/press_relea…
Smartclip states it uses 'anonymous identifiers' and 'anonymous user IDs for TV devices' and the 'advertiser ID' for devices, and it is 'synchronizing anonymous user IDs' with DMPs and DSPs to 'match users to user information on that 3rd party systems' 🙄
privacy-portal.smartclip.net
On their privacy info page, they use the word 'anonymous' 22 times.

IDs cannot be 'anonymous' according to the GDPR, this is just misleading.
5 Feb
The location data set included a "unique ID for each user that is tied to a smartphone. This made it even easier to find people, since the ... ID could be matched with other databases containing the same ID, allowing us to add real names, addresses" nytimes.com/2021/02/05/opi…
Many app vendors + data brokers are still using the deceptive notion that the use of mobile advertising IDs would make personal data somehow 'anonymous' both in marketing materials and legal docs.

But everyone knows that information linked to mobile ad IDs is just PERSONAL DATA.
Data linked to ad IDs is 'personal data' according to the GDPR, and also according to Californian privacy law. To be more specific, it is 'pseudonymous' personal data.

It cannot get 'de-anonymized', because it's not anonymized at first. Perhaps, it can get 'de-pseudonymized'.
5 Feb
"We periodically analyze the 1000 most used web sites in France in order to reveal these practices and follow their evolution"

Very basic examination of web tracking vs third-party cookies by French data protection authority @CNIL_en /ht @montezumachavez

linc.cnil.fr/obs-cookies/en/
- Why focus on cookies only? What about web storage, cache headers etc?
- Why focus on client storage at all and not on the processing/transmission of personal data, its purposes and legal bases?
- What about enforcement rather than analysis w/o any assessment of compliance? 😬
Btw. Classifying third parties based on the purposes mentioned in their privacy policies is not very helpful.

I'd classify most adtech firms as data brokers, but classifying LiveRamp, BlueKai, Neustar, ID5, Weborama etc as 'advertising agencies' really doesn't make much sense.
4 Feb
MS Viva, a "new suite of employee management tools", provides "human resource functions like payroll, management tools to track employee performance and resources for staff covering benefits, career development and other aspects of their life at work" wsj.com/articles/micro…
"Microsoft Viva Insights uses data and signals from Microsoft Teams, Outlook, and other Microsoft 365 apps and services, and can also access data from an existing ecosystem of ... tools and services, including Zoom, Slack, Workday, and SAP SuccessFactors" techcommunity.microsoft.com/t5/microsoft-v…
"Viva Insights gives individuals, managers, and leaders personalized and actionable insights that help everyone in an organization thrive ... [it] will, over time, bring the power of Microsoft Workplace Analytics and Microsoft MyAnalytics together under the Microsoft Viva brand"
