I'm glad it all worked out for this individual. I hope more people live their lives like this as the dystopia progresses.
Unfortunately, especially in the US, exercising your rights, or even just reading every paper you're expected to put your name to, not only constantly pisses people off for some reason, but also puts you at a significant disadvantage compared to the people that never push back in the interest of not making waves, or even because "whatever it's fine."
> Unfortunately, especially in the US, exercising your rights, or even just reading every paper you're expected to put your name to, not only constantly pisses people off for some reason
Yup. It's particularly sad seeing other people in this very thread talking about how they would "ban this customer for life" just for knowing their rights.
I think it's pathetic that this has become the culture amongst large swathes of Americans - especially ones who consider themselves patriotic. This country was founded in rebellion and the assertion of our rights, and somehow the exact opposite is now the ideal of many citizens now.
>I think it's pathetic that this has become the culture amongst large swathes of Americans - especially ones who consider themselves patriotic. This country was founded in rebellion and the assertion of our rights, and somehow the exact opposite is now the ideal of many citizens now.
DHS is putting on the domestic terrorists watch list those people who took part in the protests. Or at minimum threatens to put. And if you google a bit more you'd see that it isn't limited to ICE. Any dissent is perceived by the current government in a similar "terrorism" way. For the majority of the population that would completely chill any desire to assert rights.
"U.S. Immigration and Customs Enforcement (ICE) officers and senior Trump administration officials have repeatedly suggested that the Department of Homeland Security (DHS) is building a “domestic terrorists” database comprising information on U.S. citizens protesting ICE’s actions in recent weeks.
...
In recent weeks, DHS personnel and senior officials have repeatedly stated that the agency is engaged in efforts to monitor, catalog, and intimidate individuals engaged in peaceful protests"
It’s reprehensible and I am demanding accountability from my elected politicians. The only way we’ll see someone answer for these crimes, though, is if enough Americans give a shit to get off their fucking asses and actually put people into office who will bring change.
The current government? Don't let partisanship blind one to how dumb things are. The Occupy Wall Street protests were extensively surveilled and harassed [1], and it was a vastly more peaceful protest movement. Had it gained more traction there's a 100% chance Obama would've happily greenlit COINTELPRO [2] 2011. Such actions were already being effectively carried out in any case.
I don't know that signing up for a rewards club and then complaining that you're being marketed to is quite the platonic ideal of rebellion you make it out to be.
Once I rented an apartment in the US, and the documents said that they can make videos, pictures and audio recordings of me and my family, and use it for their own purposes including commercial. I objected, but their position was that no one is going to involve the legal department for me, and I am free to go away.
It doesn’t mean _inside_ the apartment. It means if they decide to film a commercial and you’re walking your dog in the background, they don’t have to ask you.
That sounds a lot like a rationalization desperately grasping at "surely it's not as insane as it sounds, what it _must_ mean is ... "
I would want to read and perhaps get legal advice before relying on that interpretation - and before finding I signed over rights to my landlord to make candid porn of me and all his other tenants.
Am pretty sure he's right. I rent out my house, and it is very illegal for the landlord to record video inside the house (or even of the driveway). You are infringing the privacy of your tenants and it is a huge no-no.
Yeah, if you accidentally recorded families walking through their homes unclothed, this could land a landlord in jail.
The contract terms could very well have actually had a meaning that included filming inside the apartment. The existence of other laws overriding the contract isn't actually the same thing as the contract not having that invasive meaning.
That doesn't even make any sense. Fascism is generally about top-down enforced control, whereas contracts are heavily decentralized. The world where you'd have contracts override laws would be some sort of extreme anarcho-libertarian society, which is rather the opposite of fascism.
That's what you heard in school, defending the US style of fascism as "democratic".
Fascism was a scheme to keep the old aristocrats turning industrialists in control of the state, whilst still keeping it under the democratic name. This was devised in the US in the 30s and then in the old states also. Heavily supported by the US industrialists. Without them the fascism movement had no chance.
The US scheme of fascism came up with corporate contracts overriding state laws, also pleasing the Chicago crowd, with decentralized control. At the will of the corporations, who know better than the government of course. That's why Rockefeller could gun down strikers without any repercussions. That's why the Railroad Commission could call state military to gun down independent oil corporations which undercut the prices of the industrialists. That's not liberalism, that's pure fascism/corporatism/aristocratism.
That's pretty far from the usual views of fascism. Generally fascism can be seen as a form of right wing collectivism organizing all of society into one big hierarchy, with industrialists somewhat below the top and subservient to political leadership. In a fascist society political decrees override both laws and contracts. This means that fascism is inherently centralized and that which companies receive state support depends on who are political favourites at the moment. E.g. a fascist state might support the independent oil companies if it felt the established industrialists were getting too influential, i.e. classical divide and conquer.
By the way, I'm not claiming the things you describe didn't take place for the reasons you claimed. I just don't think it's accurate to describe it as based on fascism.
I call it fascism, even if the US ur-fascists favored the French and German model over Mussolini. Mussolini was pro-union, and of course all other fascists are anti-union. That's their biggest goal, denying workers rights.
But the US implemented all the subsequent fascist governments until today. Whether in Europe, Asia or Latin America.
But if laws can override contracts (which presumably they can), then contracts can appear to establish permissions/restrictions that are illegal. At least one contract I've signed includes something about the rest being enforceable if any part of it isn't enforceable. Perhaps that helps to contain actual mistakes, but I assume employers use it to persuade employees that they're bound by illegal non-compete clauses, for example.
> At least one contract I've signed includes something about the rest being enforceable if any part of it isn't enforceable.
Which is funny, because if it worked like that - that any unenforceable demand in it made the whole thing invalid - then presumably the clause asserting the opposite would also be invalid.
This is my understanding, too. Sorry if that wasn't clear in my earlier comment.
However, I also believe that unenforceable parts of a contract have no effect, except in the minds of the parties to that contract. My suspicion is that contracts are sometimes drafted with this in mind.
> before finding I signed over rights to my landlord to make candid porn of me and all his other tenants.
If the law says you cannot do XYZ, your landlord can state otherwise in whatever verbiage but that's all void.
This is why good consumer protection laws exist, in a well functioning society there things you sign are to protect the landlord from bad renters (don't pay, cause a nuisance etc). The law in general should protect you as the tenant from a bad landlord.
That is probably why it is in there, and probably how it would be used in practice. But these types of documents are almost written to be as broad and ask you to give up as many rights as possible.
Well the document didn't say "public spaces". I also think they meant public spaces, but it wasn't in the documents.
Even then, I do not consent to work as an unpaid actor even in public spaces. I'm OK with it at conferences, organized coworking parties -- no problem. But my living space when I don't suspect it -- hell no.
It isn't really that onerous, they aren't expecting you to do anything.
Rather, they want the right to film commercially on their own property without getting consent of everyone walking by. Many years ago a local casino was being used for a movie shoot, there were signs at the door saying that they're shooting a movie in here, if you're inside the casino it's possible you'll show up in the background of a shot. By entering you agree to this. An apartment can't do something like that because not entering is not a realistic option, so they're putting it in the rental agreement instead.
Oh man if I had a pound for every time I've had a corporate dogsbody try to invent meanings of legal wording that doesn't actually exist and gaslight me...
They are usually so passionate about it too. A simple "ah ok cool so you can add that word to the document" really annoys them.
The other classic is just "it's just standard wording". Well yeah McDonald's is also "standard" food for many people but I massively disagree with that too
If it said so in the contract I would not have any issues, something like "recordings of you are available only to authorized security personnel, can be provided to you upon request for a reasonable price covering filtering and other paperwork, and can be shared solely for security and legal purposes".
Rentals are exactly what I was talking about. Supposedly you can always go to someone else, but we all know in practice we can't just go without housing and if everyone decides you're "difficult," you're SOL.
Earlier this week a potential landlord offered me a lease saying I had already inspected the property and found no issues with it.
I asked for a chance to actually inspect before signing, and even said I would settle for a good quality video walkthrough. They told me the unit was "not available for viewing" because it wasn't finished yet, and by the time it was finished it would likely be taken.
So why did you ask me to sign a contract saying I inspected a property that it's conceptually impossible to inspect??
I asked if they could change that part of the lease. They said they were "unable" due to "demand and interest in the property."
> I asked if they could change that part of the lease. They said they were "unable" due to "demand and interest in the property."
Was it a paper lease? Because you could always cross out that section before signing, not to mention write in your own addendum. They would probably still balk, but you'd be within your rights to do so.
For separate but similar reasons, Washington was forced to add to tenant law the proviso that tenants could not waive certain tenant rights, even if consideration was given.
"There's a clause in here that gives some more time for certain repairs, because we're short-staffed, so we will take $50 off of your rent". Nope.
"There's a clause in here that says that your monthly payment will first be applied to late payments, fees, fines, and then your lease payment in that order." Nope.
I am that person that reads every line of the contracts I sign, including ToS and PP. I appreciate that I can tell who it rubs the wrong way, because it tells me who will shake my hand without intending to honor their word. It changed the way I write these documents as well, the last ToS and PP I wrote can each be read in a single breath.
How do you manage the situation socially? I had a very important document with a very expensive professional booked for about 10 minutes. No way I could actually read it in that time - what would you do?
"I appreciate the opportunity to work on this with you, I need to give this the time that it deserves to make sure I can honor the commitments in the contract."
Always maintain your integrity, a big part of that is honoring your word. Integrity is the only thing you're born with in this life, and if you're lucky you take it with you on the way out. Any person worth getting into contracts with will appreciate the value in that.
That simply isn't possible - you might like to think you read everything but research has shown that simply reading the terms and conditions of the top 100 websites amounts to a colossal amount of time (if you look at Prof. Lorie Cranor's research on this from around 2008, even back then the cost to the US in lost time was to the tune of trillions of dollars - now, they are much much worse than they were 18 years ago).
The terms and conditions for Tetris on Android were longer than the entire works of Tolkien when combined.
So yes, it would be nice to read all of these things, but we simply do not have the time available to do so.
He did say that he reads every contract he signs, not that he reads every contract some company thinks applies to him without any legal basis whatsoever. You also don't have to use the top 100 websites.
It would be nice if ToS were more like open source licenses in which people commonly standardize or template them (or parts of them). That way there's large chunks which are reduced, and a few diffs for what's unusual. I think the problem with this is the fact that sections are not independent.
Went to a new doctor. As part of the check-in process, I was asked to "sign" a little digital pad, so, as I was told, they could properly use my insurance. I asked to see the hard copy of what I was signing and they couldn't find one. Then, for some reason, they were unable to print one. I gave up and scribbled my sig with my finger and then was seen by a doctor. It's maddening.
I'm sure someone smarter than me has a solution. Those papers you're required to sign are generally the result of regulation. Some law got passed that says "you can't share info unless you get signed permission". The person dreaming up the law thought that would be enough to stop them from sharing info. But, even if they cared about privacy, they don't want to increase all their expenses and run their own IT department, so they contract out for 3rd party billing, 3rd party document infra, etc etc. Like if they wanted to store your appointment in MS Word 365 or Google Docs, suddenly the regulation kicks in. They're not going to build a document sharing platform to get their job done just so they can meet the regs. They're just going to get you to sign that they can do what they need.
As one example, I went to a doctor, he ordered an x-ray. I went over to the x-ray company then back to my doctor. He pulled up the x-ray immediately. He's only able to do that because I signed that he can share my info with the x-ray company and vice versa.
Again, I don't have a solution. No regulation = he'd probably share my data. But regulation = he gets me to sign so he can legit provide the service, and still shared my data (Because I signed). So all the regs did is make visiting the doctor more annoying, and add $$$$ to push all the paperwork around.
Because "spirit of the law" doesn't exist. It is a saying used by people when they want to do something that isn't in the law. You don't see lawyers, judges or law makers use the phrase.
> New combinations of circumstances — that is, new cases — constantly call for the application, which means in truth the extension of old principles; or, it may be, even for the thinking out of some new principle, in harmony with the general spirit of the law, fitted to meet the novel requirements of the time.
> Because "spirit of the law" doesn't exist. It is a saying used by people when they want to do something that isn't in the law. You don't see lawyers, judges or law makers use the phrase.
This is dependent on jurisdiction. Some countries (e.g. the USA) do not consider spirit/intent (anymore), as the judiciary has repeatedly ruled that the letter of the law, as written, is what matters, regardless of whether it meets the intent of what the law was written to achieve.
There are other countries in the world, outside of the USA, that do not work this way.
Intent is expressed through drafter's notes or explanations. "Spirit" is something else, something made up later by people who had nothing to do with the creation of the law.
> The letter of the law and the spirit of the law are two ways of interpreting rules or laws. To obey the "letter of the law" is to follow the literal reading of the words of the law, whereas following the "spirit of the law" is to follow the intention of why the law was enacted.
It is always a good sign of modernity and relevance when half an article's citations are to either the Bible or the Talmud. And who can forget the legal touchstone that was the 1975 Systems Engineering Conference ... in Vegas.
Regarding information sharing, not quite. Covered entities (term of art in HIPAA), which include providers (and also payers!) including both the lab and your doctor, do not need your permission to share information between them for the purposes of treatment, payment, or operations (commonly, "TPO"). A BAA between a covered entity and a vendor (like an EHR or PACS [viewer for your imaging]) also does not require any patient consent.
There are sometimes things you might not like hidden in the releases you're signing, beyond the run of the mill acceptance of financial responsibility / assignment of benefits, notice of privacy policy acknowledgment, consent to treat.
I do wish this was an option for some data, but emergency care would be an absolute shit show. People can't even remember passwords let alone keep track of keys and devices.
Zero trust device, with emergency channels pre-trusted. Like, the ambulance service is known to your device and can already suck your blood type and whatnot. And the police your name and emergency contacts. Or whatever schema with a similar idea. There's the technology to do this already, but we're lacking awareness and initiative.
> And the police your name and emergency contacts.
Hell no. The fuzz ain't getting my info without reasonable, articulable suspicion that I have committed, am committing, or am about to commit a crime, or if I'm pressing charges and need to ID for that process.
The parent comment was about an accident where you're unable to give any details yourself. Maybe when you're under a truck you'd like your folks to know what happened to you, right? But again, such are implementation details. First let's have that zero trust device, then we can negotiate who gets to see what and when.
Are you even legally signing anything if they can't show you the document you are signing?
I am not familiar with the nitty gritty of US law, but under German law that signature would be worthless. Even signing a document you have but are unwilling to read is legally a bit iffy (which is why for things like real estate a notary will read the paperwork to you and ask if you understood it, or why surprising clauses in terms of service are unenforceable). Signing something without being able to know what you are signing would be worth exactly nothing, because you didn't actually knowingly consent to any particular thing, and neither did you have the "meeting of minds" required to form a contract.
It probably would be unenforceable in the US too, given you have no opportunity to know what you're signing, but you'd probably have to drag it before a court to settle that, and US companies know that no* individual is actually going to do that over what ultimately is (likely to only be) a minor inconvenience.
Usually, signing things like this won’t particularly hurt you - largely because your inalienable rights are… inalienable. You can’t sign them away, even if some contract says you have.
The flip side of this however is that it’s a very worthwhile pursuit to know consumer protections and what your rights are in the jurisdiction in which you live - and how to enforce them.
Where I live, I unfortunately quite frequently find myself having to go “ok so you want to do the formal process with the regulator then?”, which usually gets them to reconsider - but not always. Three times in the last month I have threatened regulatory action - and of those three, only one chose that path. I have just reported a government agency here to the domestic and EU regulators for failing to fulfil EU FoM treaty rights - and they were even kind enough to put it in writing that they’re ignoring their own domestic laws.
I have yet to lose a case I have brought before a regulator or justice of the peace, and businesses usually only need to do this once, if at all, as it can quite quickly turn a €1,000 dispute into tens or hundreds of thousands of euro of damages and fines. By doing this, following these processes through, I help not just myself but society as a whole.
So - sign away, but have teeth, and know where to bite.
In general, in the US of A, that consent you sign waives your legislated-to-be-guaranteed HIPAA rights.
Specifically, you're typically giving the office's providers and their marketing "affiliates" and your insurance company and its marketing "affiliates" the right to forward around (through any length chains of agreements) your entire medical history associated with enough (research proven as de-anonymizing) details to retarget you personally. And you're typically doing this by accepting a company insurance (in the US) or the provider's reception counter while you're in need of care.
This effectively forced consent is arguably illegal, but as far as I know, untested, so it's standard across the medical system and across omnibus insurance (e.g. company-provided healthcare "plan").
Of course, every touch point is another place your personal history will get stolen and rolled into modern digitally scripted exploitation of your identity and or targeted forms of phish-mongering (a term I made up meaning marketing so personalized you believe it's necessary to sign up for and pay for).
If you have any relationship with the team at your company that procures employee insurance packages, see if you can persuade them to start with the firm's insurance consultant (high end) or broker (low end) and systematically remove every step in the "we can pass along all your info to our affiliates for our own pinky-swear good reasons like making more money off your private info" chain.
In our experience, this added 3+ months to the procurement process as every single provider balked until interacted with by counsel -- and then instantly capitulated.
Our goal was always to give our employees a top tier benefits package, and we consider it a top tier hard-to-match employee benefit to not have random firms and government agencies pawing through your doctors notes, prescription histories, lab results, and enough biographical data to fake your digital twin.
Sadly, most employees -- though none of them are sheeple -- shrug at that for reasons in this thread: no time to fight such pervasive exploitation, especially when it hits them while needing a service as it hit you, or just plain weary of trying. So much easier, and psychically healthier, to just avoid thinking about it. Everyone is resigned.
If a company you consider working for claims "we take your privacy seriously" ask if they got privacy waivers removed on your behalf from all vendor contracts including payroll (does your salary go to 'work number'?) and insurance providers (can your data leave your doctor's EMR?). Odds are, they do not, in fact, take your privacy as seriously as they could.
What's interesting about those documents you're asked to sign, at least at hospitals, is that it's not a requirement, even though it may appear that way from the interaction. I suspect it's the same for other medical professions as well.
Many of them are just "CYA" for the facility/provider. HIPAA allows, for example, providers to share your medical information, for the purposes of treatment, regardless of your consent.
I had a similar experience at a bank some time ago. To sign up, you had to sign a digital pad without seeing what you were signing first. You could get a copy mailed to you later. At that future time, I was told, you could you cancel the agreement if you found it objectionable.
Being a bank, this has nothing to do with HIPAA. Just a dark pattern.
My wife recently gave birth. When we arrived at the hospital her contractions were close enough together for her to be admitted. They proceeded to give my wife a 10 page or so consent form to sign. I can't imagine anyone reading that. I also can't imagine them not admitting someone over it.
I'm a traveling healthcare worker, which means every 3 months is both a new contract for work and a new lease for a rental to stay at.
So if I'm not willing to complete several hours of training modules uncompensated and before the start date of my contract, I'm within my rights to refuse. But this violation of most states' codes is common practice, and when I inform a new workplace that I'm not going to do it, they tell me it's "required," and the part they're careful not to put in writing is that my contract will be canceled if I make a fuss (there is almost always a clause in these contracts saying they can cancel any time for any reason).
So just move onto the next job, right? But the market is very feast-or-famine. It's just not smart to assert my rights during one of the famine periods.
Similarly, if I'm not willing to sign a lease for a rental saying my landlord is entitled to seize and sell all of my property for being even a minute late on rent, I've now considerably limited my housing options, which is not good when I have a new job that starts in two weeks. If that landlord then goes and tells all their landlord friends that I'm "difficult," I could be completely fucked.
This, honestly, is what I expected AI to challenge head-on, because that is what it's ideal for: little agents arguing for the consumer, the customer, the citizen. In the government offices, these constant advocates could undo all that damage faster than the companies can pile up anti-service moats.
> The reply I received a few days later did me the favour of putting the violation on the record. Their position, in their own words, was that "in order to receive marketing / offers, it is a condition to be a member of the customer club." That one sentence is the whole case. They had taken a right I am entitled to exercise for free and turned it into the price of admission.
I don’t understand… it would be one thing if it said “receiving marketing/offers is a condition of being a member of the customer club” but that’s not what is being stated above… rather that being a member of the club is required to receive marketing — perhaps something has been misworded or lost in translation?
Yea, I don't get it either. Receiving being a condition on membership means (in my understanding) only that non-members can't (shouldn't) receive anything, not that members will or must receive something. Which sounds perfectly normal and sane to me.
I think the "marketing/offers" means discounts? To be eligible for the discounts or special offers, you have to be a member of the club, and if you are a member of the club you have to be willing to receive the email messages, and somehow under EU law you're entitled to all discounts I guess?
No, the sentence order has nothing to do with it. "It is a condition to be a member of the club (in order) to receive marketing offers" and "In order to receive marketing offers, it is a condition to be a member of the club" mean the same thing. The problem is that the explicit markers of purpose ("in order to...") and requirement ("condition") appear to have been applied to the wrong things. If you rearrange them, they'll still be applied to the wrong things.
He was an Elkjøp/Elgiganten customer club member. He wanted to keep the club membership and discounts/offers, but stop the marketing emails. Elkjøp’s setup told him the only way to stop the marketing was to cancel the club membership altogether.
To me, Elkjop seems perfectly reasonable here. But EU policy disagrees.
According to the article, that is not what Elkjøp told him. You're making the assumption that what the article says must make sense, which is unfounded.
Which is exactly the point - under Article 21 of the GDPR every person has a legal right not to be subjected to direct marketing so any forced direct marketing is unlawful and consent cannot be bundled (it must be specific under the GDPR) so bundling consent to direct marketing along with consent to join the Club is not lawful.
The point in this subthread is that your article says the opposite of what you appear to have meant. You don't provide anything other than what is apparently a very bad English translation. The rest of the article makes it pretty clear that you meant to write something different, but it threw me for a loop when I read it and clearly I am not alone.
This is why, when I'm reporting my translation of something in a foreign language, I tend to include the original text too.
You might well think it is reasonable, but the law doesn't permit this, it is explicit that the person has an absolute right not to be subjected to direct marketing activities (Article 21 of the GDPR) and Article 5 of the GDPR requires that any processing of personal data must comply with all other relevant laws in order to be lawful under the GDPR - ePrivacy Directive (Article 13) governs Direct Marketing in the EU and requires consent - but that consent must meet the requirements of Article 7 under the GDPR in order to be valid (freely given) and any consent which is bundled and is a condition of access to a service where such processing is not necessary to provide that service - is not considered as freely given.
This is not new, we have a lot of case law and regulatory guidance on this.
I think you might gloss over the fact that marketing content implies extensive data collection, sale and sharing of personal data with third parties.
The company was selling the data without checking if buyers would offer similar levels of protection (LOL, in that case). It was found the members weren't properly informed SO the consent was not freely given, they basically extorted and lied to their customers. I'm very happy they were fined.
I'm very happy you're not in charge of privacy laws, but seriously, I don't see how would a consumer ever want more surveillance? Unless you're not a consumer.
It is a translation thing - what they said in Norwegian was that it is required to accept marketing activities if you want to be part of the loyalty club - but the machine translation did it literally instead of changing the structure to match common English.
There's also issue with EU companies forcing candidates to agree to their anti-privacy policies (confusingly named "privacy policies") as a requirement before the job interview.
Those anti-privacy policies will state, that you grant the company and third-parties (so, anyone) permissions to use your data (including voice and image) for any purpose. (Of course, it is stated in a slightly obscure fashion, so a layman may not comprehend it.)
I wonder if there has been any similar action taken against those.
I haven't personally encountered that, but you are free to lodge a complaint with your local DPA about it.
That exact language is unlikely to be compliant. If you want to maximize your effect you could make an Article 15 request to the company in question, get the list of actual recipients of data (make sure to ask for this specifically) and then make another request to all of those companies. That will then allow you to possibly make further complaints (e.g. why exactly they didn't send Article 14 information to you, whether the legal basis they use is actually proper in your case, especially if the original one was consent and it was not freely given).
Everyone is free to make a tip to the DPA. However, the DPA is free to decide whether they want to start their own investigation based on that, unlike when you make an Article 77 complaint.
There isn't a lot of case law around the threshold of Article 77. The text says "if the data subject considers that the processing of personal data relating to him or her infringes this Regulation". If read completely alone, one could make the argument that since you didn't consent no processing occurred -> you do not have the right to make an Article 77 complaint.
However, when taking into account the goals and purpose of GDPR as well as recital 141, I would argue otherwise. To be specific, recital 141 says "if the data subject considers that his or her rights under this Regulation". CJEU also often refers to GDPR's objective of ensuring a high level of protection of the fundamental rights and freedoms of natural persons. I feel that an ex post requirement would be quite contrary to that.
Due to this, my personal stance would be that just offering an invalid consent choice where refusal has negative consequences is something that violates a data subject's rights even if processing didn't occur, and would be eligible for an actual Article 77 complaint rather than just a tip to the DPA.
[EDIT] Also, there is the Article 82 path via damages. In your case you could potentially argue that you suffered damages (like lost wages) due to the company's invalid consent requirement. This, however, is generally a lot harder and more expensive path. Depending on how legal costs are allocated in your jurisdiction, you could also end up with a judgement where you need to pay your opponent's legal costs if you lose.
For an Article 82 claim you almost definitely will need a lawyer.
Can I withdraw consent later? So, attend the interview (to maximise my chances of being offered the job), and then after the application process withdraw consent?
You can withdraw consent later, but I don't see how that would affect data processed before the withdrawal (except that storage is processing and the data would have to be deleted). I don't imagine a reputable employer would have any other use for the data, so the withdrawal of your consent might not bother them much. If your application were successful and you took the job, I expect that would establish contract, rather than consent, as a legal basis for them to process your data.
In general, I'm not sure a company processing my data on the basis of consent would stop all processing of my data just because I withdraw my consent. Some processing of some of my data might have a different legal basis. Judging by some websites' privacy options, there's a distinction between consent (opt-in), legitimate interest (opt-out) and other legal bases (maybe neither). I'm confused about website forms that have separate reject and object options for each category of data processing and a reject-all button that closes the form. Does clicking "reject all" mean I have or haven't objected?
Our local DPA, who will then proceed to ignore it for years or tell us to take them to court ourselves. [0] As European privacy law including GDPR is a symbolic tool meant to placate and selectively enforce when politically expedient, not to seriously enforce. Understandable, given that near all EU politicians work for corporate interests, as in the US.
I understand where he's coming from, but it is still hilarious that he sued the legal entity that won the case for him, after they found the case in his favor.
What do you mean? It sounds like he is planning to sue the company in question and possibly lodging a complaint against the Swedish DPA. The Norwegian DPA is the one who found the case in his favor.
Seeing that he influenced the creation of the GDPR, the general sense of hopelessness in the rest of the populace, and the failure of the governing body to do its job - I suppose he is the only person who would be taking people to account.
Looking at the report from datatilsynet (Norwegian Data Protection Agency), they cite "multiple reports and tips" as the background. I suspect what happened here is that IMY concluded that this lay outside of their authority, submitted the complaint to datatilsynet and either closed the case and forgot to inform Hanff, or they may have never gotten any response from datatilsynet.
I have had several direct discussions with the Norwegian DPA throughout the case; the inspection and investigation were triggered by the IMY cross-border case, and I have not "sued" the regulator (nor do I say I have). I have filed a complaint against IMY (the Swedish Regulator) for failure to meet their legal obligations under Article 77(2), but then I have already had to file multiple legal complaints against IMY because they are an absolutely terrible supervisory authority that does literally nothing (they send out postcards to Data Controllers for violations saying "Hey do you know what GDPR is?").
So no, I have not sued the Norwegian DPA and actually have a very good relationship with them along with most of the other EU DPAs (I am an advisor to them, I sit in the pool of experts for law and new technologies at the EDPB which includes ALL EU data protection authorities).
Datatilsynet, the Norwegian DPA, from my experience, consistently has the user in mind. It (sadly) takes a long time for things to pass through the system, but they consistently come to good decisions.
5 years?! That's a f*cking joke. Democracy and the rule of law do not exist any longer. The politicians get richer, no one challenges them, they pass their offices down within their family, taxes get higher and higher, and services worse and worse.
On the other hand, it is fascinating to be able to watch the destruction of Europe and western democracy while it is happening! I imagine that this painful slide is what must have happened during the end of the Roman empire. Now we're seeing the end of the European/US empire.
For me it was showing the image and the prompt, but the whole page was unstyled. But when I reloaded the page now, the css loaded also and the prompt is not shown.
I guess the web server was temporarily overwhelmed by traffic resulting in images (like for you) and css files (like for me) not being consistently served to all visitors.
If you click the image, it flips to reveal the prompt and other metadata.
The blog is running on a Mac Mini on a 1Gb/s uplink so when it gets hit with a front page HN post, it does creak a little but I try to be environmentally responsible with my technology (as much as possible) so I am not in a hurry to move it into a datacentre when currently it only pulls 15-25W from the wall during peak traffic.
Sorry, I guess. There were no comments here after a couple of hours and I literally felt bad, so I commented without being very exact in my writing. Regardless, great job, and thank you.
There are currently 22 US States with comprehensive privacy laws with Louisiana being the latest (their Governor signed just last week iirc) and the 23rd is literally a Governor's signature away (just passed the state senate).
Because if, as the regulator, you fail to benchmark what they gained then your laws can be ignored and your fines paid as simply a cost of doing business.
It's why you find the Australian regulator for consumer affairs handing out $200m+ fines to telecommunications companies, for example.
By that logic regulators should lower fines if the action wasn't profitable. Which creates an expensive legal fight around what the net profits of some action were after guilt is determined.
Instead, it’s much better to scale fines based on the scale of the entity involved, which also results in huge fines, but it’s easier to measure revenue. Thus the fines are more broadly effective, and you can still escalate if they don’t stop.
Like in Finland where speeding ticket fines are based on your income. For instance, in one well known case a businessman was fined €121,000 for going 82 km/h in a 50 km/h zone.
And before anyone calls this crazy, note that jail time costs you your time, whatever that's worth. This is the same idea without the physical incarceration.
Rich and retired are very different things. A CEO can be out hundreds of millions due to a long prison sentence, but most fines don't scale nearly that far.
That's considerably more than someone near me who was doing 245km/h in a 90 zone (Well 55mph which is 89km/h). I still don't know why that person didn't lose their license (other than the obvious fact that they were rich enough to afford the Lamborghini that they were driving in); it wasn't just any 55 zone, it was one with a reputation for being dangerous.
Damn, it sucks that people are allowed to get away with that kind of speed. Here in Denmark the mandatory minimum for doing over 200 km/h is losing your license for 3 years, confiscation of the vehicle and a ~$2000 fine. Unfortunately punishment isn't enough to get rid of this thing as around 1000 cars are confiscated each year. Some of them are confiscated for other reasons, like driving with a BAC above 0.2%.
I don't think that logic works. In your vein, if I say "If it gets hotter, I'll want it to be colder" that would imply that if it gets colder I'll want it to be hotter. That doesn't necessarily have to be the case though.
If they made a profit and I want them to pay more than the base fine doesn't mean if they made a loss I want them to pay less than the base fine.
I think the rest of your comment stands though. There is difficulty in proving profit and Hollywood accounting can probably change those numbers.
It's not about what you want nor is it about exacting revenge. The end goal is simply a marketplace where a given behavior isn't happening. Appropriately structured fines should accomplish that.
It's a nice theory, but only works if the company gets caught and fined enough times to make a difference. Even a zillion dollar fine is useless if the law isn't applied. Also, when the fine comes out of corporate coffers, not individuals' pockets, there is less incentive to comply with the law. If you really want results, fines should come out of management's personal bank accounts, not to mention some jail time.
Sure, if the regulator doesn't move to enforce then the law won't have any effect but at least to me that sounds like a problem with the government as opposed to a justification for draconian penalties.
Targeting management seems like a tactic that should only be employed where great urgency exists such as life threatening danger. I don't think marketing material is anywhere close to qualifying.
I hate my inbox being inundated with spam as much as the next guy but that doesn't mean drawing and quartering the perpetrators is justified.
> If they made a profit and I want them to pay more than the base fine doesn't mean if they made a loss I want them to pay less than the base fine.
I’m not saying they would get a rebate just that for this to be meaningful for a mid sized or larger company requires a large portion of a given fine to be based on profits. So a company receiving a fine based on their profits would argue they made less money from the behavior, it’s a legal argument without any risk.
Consider a fine for a mid sized company that's a base 100k + 10m based on profits: it 'goes away' if they win but it also 'goes away' if they drop it by 99%. Thus just as much effort would be spent on how much money they made as is put forth to defend the fine in the first place.
Now obviously you could set the base large enough to offset that, but doing so defeats the point of profit based fines in the first place. Which means inherent to the idea of profit based fines is the concept that they largely go away if a major company can argue their profits were non-existent.
>By that logic regulators should lower fines if the action wasn’t profitable.
The logic isn't some rigid "make the fine based on the profit".
The logic is based on the intent: make the behavior happen less.
So you can have a base fine of X, even when there's no profit or even if there are losses, and have a scalable fine based on higher profits. This way the company is discouraged to do the bad behavior in general, and is ALSO discouraged to do the bad behavior even if it's profitable.
Nobody is giving people at a government agency the authority to write arbitrary fines, there’s going to be at minimum guidelines.
If the base fine is X, then every actual fine would be X + Y where Y is the profit motive causing the behavior. As such every court case is now also a fight about lowering Y and companies are incentivized to make Y appear lower etc.
Further, as companies vary in size, generally at large companies Y will be vastly larger than X, meaning lowering Y is nearly as valuable as winning.
This entire issue is sidestepped by having graduated fines (which GDPR has). If they keep doing it the amount keeps going up until eventually they go out of business. It really limits the ability to take advantage of the system which hopefully makes it not worthwhile to bother doing.
Up to 4% of turnover. So if they make more than that it is still profitable to keep going.
Not that it is likely that they make that much in profit, but still. There probably shouldn’t be a limit, and there probably should be personal legal consequences such as jail time for repeat offenders.
You can apply a fine multiple times in a year if they don’t stop. As that 4% is based on global revenue you’re eventually going to make it unprofitable.
Huh. Any idea if it's individual fines or total fines that are capped? It never occurred to me before.
Anyway this is all purely academic. 99% of violations aren't going to increase profit by more than the maximum fine (or even anywhere remotely near that) thus it seems to me that the law has sufficiently broad coverage for addressing a behavior that does not directly result in physical injury.
So the parent saying "The fine is only part of the story. They likely spent more money than the fine fighting it over 5 years as fines increase next time if you don’t stop" doesn't invalidate the question of the grandparent, that, "sure, the fine cost them X, but how much they made?"
Even if the total cost (fine+fighting it in court) was larger, the question remains: yes, and what's that compared to what they made?
The fine is largely irrelevant, now they have faced enforcement we have a decision to file a Representative Actions Directive (equivalent of a US class action) claim with - the cost of that will be 100-1000x more than the fine and will likely lead to shareholder revolt as well (institutional shareholders will likely sue the parent Currys PLC for breach of fiduciary duty and not disclosing these issues during earnings calls and annual reports.)
So the fine is the first step to a much wider legal action.
The fine also puts other loyalty clubs on notice that if they do this, they are going to face consequences - so it has a much wider impact than simply monetary.
Just for fun I signed up. During the signup they say that by becoming a member you accept that they will send things via email etc, but it's optional to accept this; you can still click the signup button but then you don't get membership status, you just get an account. Then on the kundklubb page it says that you are not a member; if you click join it will automatically enable email, SMS and phone communication, but you can disable them.
Yes this is the difference, they did not allow you to opt out previously, they explicitly said that if you want to be in the club you have to accept their spam. Now they allow you not to accept their spam.
Now they rely on Soft Opt-In (which again might not be valid in your case, if you signed up to their site but didn't actually buy anything the soft opt-in exemption does not apply) so you may still have an actionable complaint here.
FTA: The reply I received a few days later did me the favour of putting the violation on the record. Their position, in their own words, was that "in order to receive marketing / offers, it is a condition to be a member of the customer club."
I don’t see how that implies “if you’re a member of the club, you must receive marketing / offers”. It only says “only members receive marketing / offers”
Go for it! If nobody reports things they don't get fixed.
I have found this to be true not just when it comes to companies breaking laws, but also to much more benign things. Such as reporting potholes in town or broken microwaves at work. Those can be in need of fixing for an extended period of time, yet when I report them, they usually get fixed within days. I suspect most people can't be bothered or think that surely someone else will report the issue. But that doesn't work if everyone thinks that way.
I would like to see these regulations in place here. I have always felt very uncomfortable with companies like TurnItIn.com getting to train their models off of my work, without compensation, where my consent is assumed and there is no opt-out. I've brought this up before, and the general consensus was that my college enrollment is optional, and therefore my consent is freely given. I should have a right to attend a school I pay for and qualified for, without requiring me to give up other rights.
Hand in your paper when you’re on vacation or even better on a conference in Europe. GDPR will apply. Of course it will take so long that you won’t benefit from a decision for your studies. And one possible outcome is that your college won’t allow submitting from EU and won’t admit EU citizens (similar to US citizens having difficulties opening accounts in EU banks).
I'm sure I am wrong somewhere. But can someone explain to me how this same reasoning would not apply to every advertising 'supported' business? You can't opt out of ads on many websites or streaming services and still have access.
On most platforms you can usually opt out of targeted/personalized ads that require tracking or collecting personal data; if you do you still get general ads, but that isn't subject to GDPR if they don't use your data for it, I guess.
It's not the ads that are the problem, it's the tracking. If you install something like Privacy Badger it will block all tracking, but not necessarily ads. However, because so many of the ads come bundled with a shit ton of tracking, they are effectively blocked.
There's nothing problematic about having Stihl advertise chainsaws on a page for lumberjacks. There is a problem when you collect data from across the internet, conclude that a person might be a lumberjack and serve the chainsaw ads based on that information on a news site.
Sadly the advertising industry is mostly dead, at least online. We're left with online marketing experts that are basically just clicking around in Google and Meta ad-management interfaces. They know nothing about the sites or content, nor do they care. The magical box will find the customers... and if it gets it wrong, no worries, it wasn't their money anyway and you can always just go "Well, advertising isn't an exact science, some of your spending was always going to be wasted, you just don't know which part".
Now we're left with an online advertising industry that can't tell advertising and tracking apart, and it doesn't have the skills or the network to go directly to sites and buy ad-space.
Well John Edwards just resigned yesterday so maybe you will get a real Commissioner this time - although that said, John was hired specifically as someone who would do nothing, so I guess he did what he was paid to do.
He has largely been ostracised by the privacy and data protection community (even at regulatory events). I have seen him wandering around alone and aimlessly at a number of regulatory events; he didn't seem very comfortable and didn't really have a lot of interaction with his peers.
It's always satisfying when customer rights stories have a known positive outcome. The timeline is unfortunately quite slow and bureaucratic but I'm glad OP managed to find out about it.
I personally know other people who have filed similar complaints, and the Norwegian Datatilsynet explicitly stated they acted based on many complaints. I don't think they care about a single person's voice in this, even if they "helped create the law".
It's a shame, but it probably says more about Datatilsynet's capacity. Frankly it would be great if you could simply say "this company did something dodgy", provide proof, and immediately get results. But that's not the world we live in.
That's where I put a lot of hope into LLMs, as this is all about natural language that is difficult to parse. It'd be great if LLMs could accelerate enforcements in the digital world, so single individuals with valid claims can finally be heard.
You are making assumptions; I have a very good relationship with the Norwegian DPA and discussed the case with them several times over the past 4 years.
I am glad this was resolved. It's annoying when companies take things for granted. It's not just Elkjøp doing it. There are other e-commerce companies and some online pharmacies doing it too.
Yep this. They never make you verify your email address on captive portals. (Since you can't check your email without an internet connection in the first place.)
It's one of those situations that the words lose their meanings but the expression makes you understand a situation better. This is like a manufactured consent that comes with a threat. A similar example would be "coerced confession" or maybe even "forced smile".
I've often wondered what basis companies are using for the "opt-in to tracking or pay to opt out model". It has spread now to even fairly reputable organisations.
This, at least to my understanding, runs contrary to the spirit of the GDPR regulations. Permission has to be freely given which, when the alternative is paying a subscription, it quite obviously isn't.
I am an EU citizen, I bought a (Chinese) robotic lawn mower.
One day, end of April when the grass is growing very rapidly, they presented me with a dialog in the app that basically said:
"We updated the EULA with the explanation "optimized wordings". Please accept."
There was no reference to the new or old EULA, and if I didn't accept I could not start the app and use my new mower. It was bricked.
I am now checking their compliance with GDPR. It is a tedious process because they keep stalling, but I still feel I have all the rights.
And I get a lot of help from ChatGPT, who works as a patient secretary that translates my "f-fck sake give me my stuff" into formal/friendly legalese with counter questions designed to be difficult to duck.
As of now, 2 months later, they have finally pointed me to "download personal data" in the application which gives me back a PDF with mower model, my email address and some push notification history.
But I know they store much more than that. And I think they know that I know. If nothing else my customer support history. But also for example a map of my garden.
The part about this that's amazing to me is that they still are doing nothing after he noted another GDPR violation [0]. He's obviously both competent and litigious. What does the company expect to happen next??
[0] "Under Article 77(2) of the GDPR a supervisory authority is under a binding legal obligation to keep a complainant informed of the progress and the outcome of their complaint. It is not a courtesy and it is not discretionary - it is written into the law. I filed my complaint with IMY, IMY passed it on, the case ended in a multi-million euro enforcement action, and not one of the authorities involved thought to tell the person who started it."
It's also worth noting that it's not the first time the Swedish DPA has been criticized regarding GDPR complaint handling:
https://noyb.eu/en/gdpr-rights-sweden "GDPR Rights in Sweden: Court confirms that authority must investigate complaints. So far, the Swedish IMY has taken the view that users don’t have party rights in GDPR procedures."
https://noyb.eu/en/noyb-takes-swedish-dpa-court-refusing-pro... "IMY frequently just forwards a complaint to the company that illegally processes personal data - and then immediately closes the case without investigating." (no decision on this as far as I know. A bit surprising since it has been almost 2 years)
> the only way to stop the marketing was to cancel my membership of the club altogether
I have experienced this same thing with at least one other big company in Norway.
I could opt out of either SMS or e-mail, but not both, or I would not be able to keep the membership.
Unfortunately, I never made a note of which one that was exactly so I can’t name them and shame them on the spot.
Despite half-hearted attempts at stopping marketing emails now and then by individually logging in and opting out, or clicking unsubscribe links embedded in the email, my email continues to be flooded with marketing both from domestic and foreign companies that I've done business with. There are so many companies that even going through a handful of them at a time and unsubscribing, there is a seemingly endless amount of companies that remain to unsubscribe from.
It is great to see that someone fights back, and that it is resulting in fines.
Idk about that particular company but the benefit of cheating may be much higher than the 1.8m fine they got.
I personally never specifically consent to anything, yet get a ton of marketing emails. To most companies that send me those emails 1.8m would be a slap on the wrist.
It is not just the fine - they are no longer permitted to conduct the processing activities - so no, they don't continue to profit from it. One of the reasons the fine was reduced was specifically because they made changes to bring themselves into compliance during the investigation. This is stated in the Regulator's press release directly.
"guidelines say we should apply fine of 0.4% yearly revenue (400M NOK) at the least, but for whatever reason we decided punishment to be 20x less than that"
I don’t know who you are. I don’t know what you want. If you are looking for ransom I can tell you I don’t have money, but what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you.
Thankfully inbox providers are now mandating unsubscribe headers (so the unsubscribe button now sits at email client level, not within the body of the email, as it always should have). Making this entire thing irrelevant.
Going through the hassle of policing individual company behavior is beyond silly and a giant waste of resources when you can literally just force the behavior at client level.
This is also basically the story of why GDPR popups are stupid. Set it at the client (browser) level, not on 100,000,000 individual websites done slightly differently every time and try to setup an enforcement dragnet to have expensive fights over misplaced commas.
This should have always been a browser setting and not a multi-billion dollar Kafka-esque nightmare of lawyers and regulators policing every company on earth, wasting Europe's productivity and resources.
It's like how the US makes you file your own taxes when for 99% of people they already know the amount you owe, and then randomly will decide to fine you if your calculated number doesn't line up with their number. It's a giant waste of everyone's time.
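A check for the client-level unsubscribe mechanism the comment above refers to: the RFC 8058 `List-Unsubscribe` / `List-Unsubscribe-Post` headers that the large mailbox providers now require of bulk senders. This is an added example, not code from the thread or from any company named in it; the sample messages and the `retailer.example` addresses are constructed.

```python
"""Audit an outbound marketing message for RFC 8058 one-click unsubscribe headers.

Added example (not from the thread). RFC 8058 requires a List-Unsubscribe header
carrying an https URI plus a List-Unsubscribe-Post header with the exact value
"List-Unsubscribe=One-Click"; a link in the body alone does not satisfy it.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

ONE_CLICK_VALUE = "List-Unsubscribe=One-Click"
_URI_RE = re.compile(r"<([^>]+)>")  # RFC 2369 angle-bracket URI list


def parse_list_unsubscribe(value: str) -> list[str]:
    """Return the URIs from a List-Unsubscribe header value."""
    return [u.strip() for u in _URI_RE.findall(value)]


def check_one_click(raw_message: str) -> dict:
    """Parse a raw RFC 5322 message and report one-click unsubscribe compliance."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []
    https_uris: list[str] = []
    mailto_uris: list[str] = []

    lu_headers = [str(h) for h in (msg.get_all("List-Unsubscribe") or [])]
    if not lu_headers:
        findings.append("missing List-Unsubscribe header")
    elif len(lu_headers) > 1:
        findings.append("multiple List-Unsubscribe headers (expected exactly one)")

    for value in lu_headers:
        for uri in parse_list_unsubscribe(value):
            scheme = urlparse(uri).scheme.lower()
            if scheme == "https":
                https_uris.append(uri)
            elif scheme == "mailto":
                mailto_uris.append(uri)
            else:
                findings.append(f"unsupported unsubscribe URI scheme: {uri}")

    if lu_headers and not https_uris:
        findings.append("no https URI in List-Unsubscribe (RFC 8058 requires one)")

    post = msg.get("List-Unsubscribe-Post")
    if post is None:
        findings.append("missing List-Unsubscribe-Post header")
    elif str(post).strip() != ONE_CLICK_VALUE:  # the RFC fixes the exact value
        findings.append(f"List-Unsubscribe-Post must be '{ONE_CLICK_VALUE}', got '{post}'")

    return {
        "one_click": not findings,
        "https_uris": https_uris,
        "mailto_uris": mailto_uris,
        "findings": findings,
    }


# Constructed sample messages (not real mail).
COMPLIANT_MSG = """\
From: Customer Club <club@retailer.example>
To: member@example.net
Subject: Weekly offers
List-Unsubscribe: <https://retailer.example/unsubscribe?t=abc123>, <mailto:unsub@retailer.example>
List-Unsubscribe-Post: List-Unsubscribe=One-Click
Content-Type: text/plain; charset=utf-8

Offers of the week.
"""

BODY_LINK_ONLY_MSG = """\
From: Customer Club <club@retailer.example>
To: member@example.net
Subject: Weekly offers
Content-Type: text/plain; charset=utf-8

Offers of the week. To stop these mails, click https://retailer.example/stop
"""

MAILTO_ONLY_MSG = """\
From: Customer Club <club@retailer.example>
To: member@example.net
Subject: Weekly offers
List-Unsubscribe: <mailto:unsub@retailer.example>
Content-Type: text/plain; charset=utf-8

Offers of the week.
"""

if __name__ == "__main__":
    for name, raw in [("compliant", COMPLIANT_MSG), ("body-link-only", BODY_LINK_ONLY_MSG),
                      ("mailto-only", MAILTO_ONLY_MSG)]:
        print(name, check_one_click(raw))
```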
It can be appealed but because it is cross border it has to be appealed directly at the Oslo Court (rather than the privacy claims board) and also the fact they had the fine reduced for co-operation usually includes a clause that they will not appeal (otherwise they lose the discount which is normally around 30%).
It's really pathetic, isn't it? These guys hate their fellow Americans so much that they think it's better to allow companies to abuse people instead of stepping in to protect them.
I for one was signed up for Elkjøp kundeklubb membership unbeknownst to me. It happened when I was picking up a water cooker. The seller asked if I would like an electronic receipt and asked me for my email. That was in Elkjøp at Solsiden in Trondheim.
The more annoying is that I gave him my regular email address and not a generated alias that I always give to companies.
Was super pissed when spam started landing on my main address.
If I need to buy something at El Giganten (Danish version) I speak English when paying, and tell them I'm a tourist and don't want to give them a phone number or email. They can print a paper receipt.
But I only buy from there if it's the only option. (Other than Amazon, which I refuse to use at all.)
I did, it is easy, you just don't spy on people and have a point of contact and you're good. It becomes hard when you want to spy on people and also remain compliant with the no spying law.
Getting consent in a truly compliant way is basically impossible (it should be opt IN, not opt OUT). Though we've trained people to just accept literally everything now.
Why is opt in "basically impossible"? That is the definition of consent. Ask BEFORE you do something. It might sound strange but most people really don't want their data gathered by everyone.
I have read it. It's really easy to be compliant if you don't start from a position of extracting the maximum amount of data from every user out there. If you start from the opposite end of the scale, only getting the data you need for the goals you need to achieve in the interest of the user, you barely have to do anything beyond what you would have done anyway.
The cookie consent dialogs were never required in this form.
That was literally just malicious compliance in order to get people mad at the law instead of the companies (at least at first, there's also a huge amount of cargo-culting nowadays). Congrats, you've been psy-opped.
Official EU websites, generally speaking, are not bound by GDPR or ePD. Rather, EU bodies are bound by EUDPR. I'm not well-versed on that specific thing, but EDPS and courts have previously found that EC has infringed EUDPR so it wouldn't be weird if their cookie banner was breaking the law as well.
They actually are bound by the ePrivacy Directive due to jurisprudence (EU bodies must comply with CJEU rulings).
I actually wrote to the EDPB on 25th May 2018 (the day GDPR came into effect) and forced them to make their own website compliant with the ePrivacy Directive (I still have the email thread, it was quite an interesting discussion).
I also filed a complaint against the Court of Justice on October 1st 2019 within minutes of them publishing their Judgment on the Planet49 case (C-673/17) because their own website didn't comply with the judgment - they fixed it within 18 minutes.
So yes EU institutions get it wrong sometimes, but they generally fix it quickly when they are informed. I currently have a big case ongoing with the EDPS against the European Commission and the European Parliament for hosting live streams directly on social media instead of the official live streaming platform set up for EU bodies (on the basis that forcing people to engage on social media is a breach of fundamental rights because it allows those platforms to infer special category data (political interests and others depending on the topic of the live stream)).
EDPS just actually updated me this week that they have concluded their side and are now waiting on the final responses from the Commission and Parliament.
So yes, the rules do work, but you have to be pro-active, armchair activism doesn't work.
I would like to see that thread if possible just out of curiosity.
I looked a bit into EUDPR and the earlier 45/2001 regulation (EUDPR came in effect in December 2018 so a bit later than GDPR). EUDPR explicitly imports Article 5(3) of ePD (via Article 37) and thus whatever case law there is around it. The earlier regulation seems to do this more indirectly (references in recitals), but EDPS view from 2016 is that it effectively does import Article 5(3) as well.
Personally I haven't dealt with EU institutions so far. On general public sector side I did recently seek some clarifications from Finland's Ministry of Justice regarding one of their websites and their responses weren't exactly reassuring.
I asked for the GDPR Article 15(1) information regarding a single visit (i.e. information about processing, not actual copies of data) and it took them almost 3 months to give an official response. Even after that time they, for example, failed to identify if they are actually the controller or not for some of the processing (Cloudflare challenge). And their stance is that analytics (Matomo) does not need Article 6 legal basis at all, i.e. they seem to think that the anonymization step itself is not processing.
The companies made this worse for themselves by continuously trying to skirt around the rules and regulations.
When the cookie-law was first instituted I worked for an e-commerce site and was tasked with ensuring that we'd be compliant. It would have been crazy simple to implement, but no, because management, encouraged by the companies selling the tracking and re-targeting solutions, kept insisting that I was reading the rules incorrectly. By incorrectly they meant: We want to be able to track and target customers all the time, regardless of the rules. The result was scrapping my solution that truly allowed users to opt in, in favour of a commercial solution that just blocked the entire site until you clicked "Okay" and which wouldn't actually stop tracking if you dismissed it somehow.
Yeah, the rules are getting increasingly complicated and to some extent require experts. That is because of businesses that have failed so miserably in regulating themselves.
Absolute nonsense. Any company that was complying with the old Data Protection Directive should have had zero issues upgrading their processes and policies to comply with GDPR; there are very few material differences between the two and the previous law existed since 1995 - most of the changes are around accountability (record keeping).
Also cookies literally have nothing to do with GDPR other than the definition of consent - Cookies are governed under an entirely different law which has existed since 2002 (Directive 2002/58/EC).
It bugs me when I see people criticising the law when they actually haven't even bothered to research and understand it or even look at the correct law.
That is likely by design. From the article footer:
"Work with Alexander
Thirty years in privacy. Helped shape the GDPR. Advisor to the EDPB, the European Parliament and the European Commission. If you need this kind of analysis applied to your own systems:
Website and App Compliance (£500/mo+)
GDPR Compliance Audits (£3,500+)
DPO-as-a-Service (£1,500/mo+)
Privacy by Design Implementation"
It's an interesting story, but I could not help but have my mind skip over it because of the LLMisms. Acts like one of those taboola reels to me. If even just there was a tutorial to get people to write in such a way that it's not obviously LLM text it would be nice because the story is interesting.
I know, it's like complaining about JS etc. but it's like walking into an elevator and smelling very strong perfume. It's hard not to go "whew!"
Gonna need you to expand on that, because I don't see how that sentence is “uniquely LLM” at all. It feels pretty typical for legal people speaking informally.
Lmao at the absolute ego behind that wording
> Gonna need you to expand on that
Sure boss everyone here is just waiting for your commands to meet your every need
Someone with tinnitus hears tones that aren't there, that doesn't make them adept at hearing tones. You will reply some analogous comment about deafness, but here's the thing: tinnitus is much more common than deafness.
They are not written by an LLM lol, I have severe ADHD, this is how I write and there is plenty of my material out there spanning the last 20+ years (long before LLMs existed) to illustrate that.
i sent the article to an AI detection tool and it said that 22% are AI generated. (that tool distinguishes between AI generated, AI assisted, and human) it marks the first few paragraphs as such. i have no idea how accurate that tool generally is. it is clearly failing here. (part of the reason for checking articles is to learn how reliable those tools are, not to gather evidence against a writer)
what could help though is if you could find a way to have your articles proof read by someone else to at least weed out some of the more difficult to read constructs, like this one:
any Consent Management Platform (CMP) which sets a cookie for anything other than cookies which are not strictly necessary that the user has consented to
i would write that as:
any Consent Management Platform (CMP) which sets a cookie that is not strictly necessary but that the user has not consented to
i had to read your version three times to make sure i understood it correctly.
Frankly, this attitude is pathetic. Absolute loser behaviour.
I don't think you should be doing business anywhere if customers being familiar with the law and knowing their rights scares you. Frankly if you are running a business, you should be familiar with the laws and regulations, doing otherwise - especially when someone points out that your behaviour is illegal - is negligence and punishment with a fine is completely appropriate. Welcome to living in a society.
Processing my personal data in such a way (to ban me from your services pre-emptively) would be a breach of the GDPR and in some member states could involve criminal sanctions.
For example, in the UK we have a very famous case (The Consulting Association (TCA)) where building contractors joined together to build a list of construction workers they didn't want to hire - this was determined as a criminal breach of UK data protection law.
Oh I’m well aware.
It’s reprehensible and I am demanding accountability from my elected politicians. The only way we’ll see someone answer for these crimes, though, is if enough Americans give a shit to get off their fucking asses and actually put people into office who will bring change.
The current government? Don't let partisanship blind one to how dumb things are. The Occupy Wall Street protests were extensively surveilled and harassed [1], and it was a vastly more peaceful protest movement. Had it gained more traction there's a 100% chance Obama would've happily greenlit COINTELPRO [2] 2011. Such actions were already being effectively carried out in any case.
[1] - https://en.wikipedia.org/wiki/Occupy_Wall_Street#Government_...
[2] - https://en.wikipedia.org/wiki/COINTELPRO
Pretty sure nobody is worried about peaceful protests.
I don't know that signing up for a rewards club and then complaining that you're being marketed to is quite the platonic ideal of rebellion you make it out to be.
Once I rented an apartment in the US, and the documents said that they can make videos, pictures and audio recordings of me and my family, and use it for their own purposes including commercial. I objected, but their position was that no one is going to involve legal department for me, and I am free to go away.
> and I am free to go away.
This is the crux of the problem when landlords are allowed to form or join an "association" that gets too pervasive.
This was at the heart of the RealPage lawsuits.
Pretty sure that's a violation of fundamental human rights as it's your place of living. Surely that can't be legal, even in the US can it?
It doesn’t mean _inside_ the apartment. It means if they decide to film a commercial and you’re walking your dog in the background, they don’t have to ask you.
Oh right, that's not so bad. Isn't that just being part of modern society? It would be nice to opt to never be recorded but also, it's outside.
That sounds a lot like a rationalization desperately grasping at "surely it's not as insane as it sounds, what it _must_ mean is ... "
I would want to read and perhaps get legal advice before relying on that interpretation - and before finding I signed over rights to my landlord to make candid porn of me and all his other tenants.
Am pretty sure he's right. I rent out my house, and it is very illegal for the landlord to record video inside the house (or even of the driveway). You are infringing the privacy of your tenants and is a huge no-no.
Yeah, if you accidentally recorded families walking through their homes unclothed, this could land a landlord in jail.
The contract terms could very well have actually had a meaning that included filming inside the apartment. The existence of other laws overriding the contract isn't actually the same thing as the contract not having that invasive meaning.
You can’t make a contract that breaks the law, it doesn’t work that way. It’s unenforceable and doesn’t hold up in court.
Otherwise, you could just make contracts anytime you wanted to break the law for any reason.
Contracts don't and can't override laws.
In normal states not. But there you have the very popular political system called fascism, where contracts override laws.
That doesn't even make any sense. Fascism is generally about top-down enforced control, whereas contracts are heavily decentralized. The world where you'd have contracts override laws would be some sort of extreme anarcho-libertarian society, which is rather the opposite of fascism.
That's what you heard in school, defending the US style of fascism as "democratic".
Fascism was a scheme to keep the old aristocrats turning industrialists to keep control of the state, whilst still keeping it under the democratic name. This was devised in the US in the '30s and then in the old states also. Heavily supported by the US industrialists. Without them the fascism movement had no chance.
The US scheme of fascism came up with cooperate contracts overriding state laws, also pleasing the Chicago crowd, with decentralized control. At the will of the cooperations, who know better than the government of course. That's why Rockefeller could gun down strikers without any repercussions. That's why the Railroad Commission could call state military to gun down independent oil cooperations which undercut prices of the industrialists. That's not liberalism, that's pure fascism/cooperatism/aristocratism.
"Corporatism" not "cooperatism" though, right?
Nothing wrong with cooperatism I think.
Oops, sure
That's pretty far from the usual views of fascism. Generally fascism can be seen as a form of right wing collectivism organizing all of society into one big hierarchy, with industrialists somewhat below the top and subservient to political leadership. In a fascist society political decrees override both laws and contracts. This means that fascism is inherently centralized and that which companies receive state support depends on who are political favourites at the moment. E.g. a fascist state might support the independent oil companies if it felt the established industrialists were getting too influential, i.e. classical divide and conquer.
By the way, I'm not claiming the things you describe didn't take place for the reasons you claimed. I just don't think it's accurate to describe it as based on fascism.
I call it fascism, even if the US ur-fascist favored the French and German model, over Mussolini. Mussolini was pro-union, and of course all other fascists are contra-union. That's their biggest goal, denying workers rights.
But the US implemented all the subsequent fascist governments until today. Whether in Europe, Asia or Latin America.
> This was devised in the US in the '30s
Fascism first evolved in Italy, where Mussolini and his Partito Nazionale Fascista took power in 1922.
But if laws can override contracts (which presumably they can), then contracts can appear to establish permissions/restrictions that are illegal. At least one contract I've signed includes something about the rest being enforceable if any part of it isn't enforceable. Perhaps that helps to contain actual mistakes, but I assume employers use it to persuade employees that they're bound by illegal non-compete clauses, for example.
> At least one contract I've signed includes something about the rest being enforceable if any part of it isn't enforceable.
Which is funny, because if it worked like that - that any unenforceable demand in it made the whole thing invalid - then presumably the clause asserting the opposite would also be invalid.
No it means that if parts of a contract are found to be unlawful or unenforceable, the rest of the contract still holds.
Edit: in other words, you're not legally bound to unlawful parts of a contract.
This is my understanding, too. Sorry if that wasn't clear in my earlier comment.
However, I also believe that unenforceable parts of a contract have no effect, except in the minds of the parties to that contract. My suspicion is that contracts are sometimes drafted with this in mind.
> before finding I signed over rights to my landlord to make candid porn of me and all his other tenants.
If the law says you cannot do XYZ, your landlord can state otherwise in whatever verbiage but that's all void.
This is why good consumer protection laws exist; in a well functioning society the things you sign are to protect the landlord from bad renters (don't pay, cause a nuisance etc). The law in general should protect you as the tenant from a bad landlord.
If it didn’t say it, it doesn’t mean it.
Thank goodness you read the contract they signed and provided competent legal expertise throughout the process.
That is probably why it is in there, and probably how it would be used in practice. But these types of documents are almost written to be as broad and ask you to give up as many rights as possible.
It does mean on the property and including inside facilities.
Maybe that's at the gym or by the pool, and maybe you're actually not comfortable becoming a swimsuit model.
Well the document didn't say "public spaces". I also think they meant public spaces, but it wasn't in the documents.
Even then, I do not consent to work as an unpaid actor even in public spaces. I'm ok to be it at conferences, organized coworking parties -- no problem. But my living space when I don't suspect it -- hell no.
It isn't really that onerous, they aren't expecting you to do anything.
Rather, they want the right to film commercially on their own property without getting consent of everyone walking by. Many years ago a local casino was being used for a movie shoot, there were signs at the door saying that they're shooting a movie in here, if you're inside the casino it's possible you'll show up in the background of a shot. By entering you agree to this. An apartment can't do something like that because not entering is not a realistic option, so they're putting it in the rental agreement instead.
> It doesn’t mean
Oh man if I had a pound for every time I've had a corporate dogsbody try to invent meanings of legal wording that doesn't actually exist and gaslight me...
They are usually so passionate about it too. A simple "ah ok cool so you can add that word to the document" really annoys them.
The other classic is just "it's just standard wording". Well yeah McDonald's is also "standard" food for many people but I massively disagree with that too
That is already allowed.
This is basic security. Cameras around entrances, exits, and common areas have become critical for safety and preventing mail theft.
There is no version of basic security that extends to commercial use of your likeness in their marketing.
Be reasonable.
If it said so in the contract I would not have any issues, something like "recordings of you are available only to authorized security personnel, can be provided to you upon request for a reasonable price covering filtering and other paperwork, and can be shared solely for security and legal purposes".
I found some shit like that in a gym contract, which I then declined.
I've also read reviews of Greystar properties where the reviewers expressed shock at being forced to consent to such abuse.
Rentals are exactly what I was talking about. Supposedly you can always go to someone else, but we all know in practice we can't just go without housing and if everyone decides you're "difficult," you're SOL.
Earlier this week a potential landlord offered me a lease saying I had already inspected the property and found no issues with it.
I asked for a chance to actually inspect before signing, and even said I would settle for a good quality video walkthrough. They told me the unit was "not available for viewing" because it wasn't finished yet, and by the time it was finished it would likely be taken.
So why did you ask me to sign a contract saying I inspected a property that it's conceptually impossible to inspect??
I asked if they could change that part of the lease. They said they were "unable" due to "demand and interest in the property."
Of course, still not as insane as your story.
Sounds like typical high pressure salesmanship.
> I asked if they could change that part of the lease. They said they were "unable" due to "demand and interest in the property."
Was it a paper lease? Because you could always cross out that section before signing, not to mention write in your own addendum. They would probably still balk, but you'd be within your rights to do so.
Good luck finding a landlord that would agree to your terms.
Much easier to find one that won't notice the markup, though. You think they read the contracts any more carefully than most people?
And it would be within the landlord’s right to move on to the next renter in their queue.
As long as they responded in writing, you have proof that the other party agrees the clause is false.
I wonder if a judge would keep that clause in the contract in case of litigation.
For separate but similar reasons, Washington was forced to add to tenant law the proviso that tenants could not waive certain tenant rights, even if consideration was given.
"There's a clause in here that gives some more time for certain repairs, because we're short-staffed, so we will take $50 off of your rent". Nope.
"There's a clause in here that says that your monthly payment will first be applied to late payments, fees, fines, and then your lease payment in that order." Nope.
I am that person that reads every line of the contracts I sign, including ToS and PP. I appreciate that I can tell who it rubs the wrong way, because it tells me who will shake my hand without intending to honor their word. It changed the way I write these documents as well, the last ToS and PP I wrote can each be read in a single breath.
How do you manage the situation socially? I had a very important document with a very expensive professional booked for about 10 minutes. No way I could actually read it in that time - what would you do?
Not GP, but probably ask them to send me the contract ahead of time, and explain that you need time to read it.
"I appreciate the opportunity to work on this with you, I need to give this the time that it deserves to make sure I can honor the commitments in the contract."
Always maintain your integrity, a big part of that is honoring your word. Integrity is the only thing you're born with in this life, and if you're lucky you take it with you on the way out. Any person worth getting into contracts with will appreciate the value in that.
That simply isn't possible - you might like to think you read everything but research has shown that simply reading the terms and conditions of the top 100 websites amounts to a colossal amount of time (if you look at Prof. Lorrie Cranor's research on this from around 2008, even back then the cost to the US in lost time was to the tune of trillions of dollars - now, they are much much worse than they were 18 years ago).
The terms and conditions for Tetris on Android were longer than the entire works of Tolkien when combined.
So yes, it would be nice to read all of these things, but we simply do not have the time available to do so.
He did say that he read every contract he signs, not that he reads every contract some company thinks applies to him without any legal basis whatsoever. You also don't have to use the top 100 websites.
It would be nice if ToS were more like open source licenses in which people commonly standardize or template them (or parts of them). That way there's large chunks which are reduced, and a few diffs for what's unusual. I think the problem with this is the fact that sections are not independent.
Went to a new doctor. As part of the check-in process, I was asked to "sign" a little digital pad, so, as I was told, they could properly use my insurance. I asked to see the hard copy of what I was signing and they couldn't find one. Then, for some reason, they were unable to print one. I gave up and scribbled my sig with my finger and then was seen by a doctor. It's maddening.
I'm sure someone smarter than me has a solution. Those papers you're required to sign are generally the result of regulation. Some law got passed that says "you can't share info unless you get signed permission". The person dreaming up the law thought that would be enough to stop getting them to share info. But, even if they cared about privacy, they don't want to increase all their expenses and run their own IT department so they contract out for 3rd party billing, 3rd party document infra, etc etc. Like if they wanted to store your appointment in MS Word 365 or Google Docs, suddenly the regulation kicks in. They're not going to build a document sharing platform to get their job done just so they can meet the regs. They're just going to get you to sign that they can do what they need.
As one example, I went to a doctor, he ordered an x-ray. I went over to the x-ray company then back to my doctor. He pulled up the x-ray immediately. He's only able to do that because I signed that he can share my info with the x-ray company and vice versa.
Again, I don't have a solution. No regulation = he'd probably share my data. But regulation = he gets me to sign so he can legit provide the service, and still shared my data (Because I signed). So all the regs did is make visiting the doctor more annoying, and add $$$$ to push all the paperwork around.
> They're not going to build a document sharing platform to get their job done just so they can meet the regs.
What is so hard in respecting the spirit of the law?
There are many dollars in between.
Like with criminal fraud?
Because "spirit of the law" doesn't exist. It is a saying used by people when they want to do something that isn't in the law. You don't see lawyers, judges or law makers use the phrase.
Yes they obviously do use it?
I agree but please, provide citations instead of a question mark, to make what you believe is obvious actually in fact obvious.
I think the question mark is good enough for such an absurd claim. If the author cares they can find quotes with no effort
I don’t see any?
> New combinations of circumstances — that is, new cases — constantly call for the application, which means in truth the extension of old principles; or, it may be, even for the thinking out of some new principle, in harmony with the general spirit of the law, fitted to meet the novel requirements of the time.
Law And Public Opinion In England, page 361 -> https://archive.org/details/in.ernet.dli.2015.40146/page/n38...
> Because "spirit of the law" doesn't exist. It is a saying used by people when they want to do something that isn't in the law. You don't see lawyers, judges or law makers use the phrase.
This is dependent on jurisdiction. Some countries (e.g. the USA) do not consider spirit/intent (anymore), as the judiciary has repeatedly ruled that the letter of the law, as written, is what matters, regardless of whether it meets the intent of what the law was written to achieve.
There are other countries in the world, outside of the USA, that do not work this way.
Intent is expressed through drafter's notes or explanations. "Spirit" is something else, something made up later by people who had nothing to do with the creation of the law.
> The letter of the law and the spirit of the law are two ways of interpreting rules or laws. To obey the "letter of the law" is to follow the literal reading of the words of the law, whereas following the "spirit of the law" is to follow the intention of why the law was enacted.
https://en.wikipedia.org/wiki/Letter_and_spirit_of_the_law
It is always a good sign of modernity and relevance when half of an article's citations are to either the Bible or the Talmud. And who can forget the legal touchstone that was the 1975 Systems Engineering Conference ... in Vegas.
The only relevant part there was the definition, which I quoted to you. If you prefer a different one, have this one.
> the spirit of the law - noun phrase
> the aim or purpose of a law when it was written
https://www.merriam-webster.com/dictionary/the%20spirit%20of...
Regarding information sharing, not quite. Covered entities (term of art in HIPAA), which include providers (and also payers!) including both the lab and your doctor, do not need your permission to share information between them for the purposes of treatment, payment, or operations (commonly, "TPO"). A BAA between a covered entity and a vendor (like an EHR or PACS [viewer for your imaging]) also does not require any patient consent.
There are sometimes things you might not like hidden in the releases you're signing, beyond the run of the mill acceptance of financial responsibility / assignment of benefits, notice of privacy policy acknowledgment, consent to treat.
> do not need your permission to share information between them for the purposes of treatment, payment, or operations (commonly, "TPO")
In fact, for the purposes of treatment, providers can share that information, even if you explicitly refuse, as needed.
Many people now have devices with secure storage with them at all times. Maybe it’s time we owned our data and decided who gets it and when.
Obviously this doesn’t work in all situations and for all people, but it’s a start.
I do wish this was an option for some data, but emergency care would be an absolute shit show. People can't even remember passwords let alone keep track of keys and devices.
Zero trust device, with emergency channels pre-trusted. Like, the ambulance service is known to your device and can already suck your blood type and whatnot. And the police your name and emergency contacts. Or whatever schema with a similar idea. There's the technology to do this already, but we're lacking awareness and initiative.
> And the police your name and emergency contacts.
Hell no. The fuzz ain't getting my info without reasonable, articulable suspicion that I have committed, am committing, or am about to commit a crime, or if I'm pressing charges and need to ID for that process.
The parent comment was about an accident where you're unable to give any details yourself. Maybe when you're under a truck you'd like your folks to know what happened to you, right? But again, such are implementation details. First let's have that zero trust device, then we can negotiate who gets to see what and when.
The problem is that it creates a vector for illicit access to the information, and if that vector exists, it will be abused.
I'd rather have society deal with the problems that come with not knowing who's under the truck than the problems that come with state surveillance.
Are you even legally signing anything if they can't show you the document you are signing?
I am not familiar with the nitty gritty of US law, but under German law that signature would be worthless. Even signing a document you have but are unwilling to read is legally a bit iffy (which is why for things like real estate a notary will read the paperwork to you and ask if you understood it, or why surprising clauses in terms of service are unenforceable). Signing something without being able to know what you are signing would be worth exactly nothing, because you didn't actually knowingly consent to any particular thing, and neither did you have the "meeting of minds" required to form a contract.
It probably would be unenforceable in the US too, given you have no opportunity to know what you're signing, but you'd probably have to drag it before a court to settle that, and US companies know that no* individual is actually going to do that over what ultimately is (likely to only be) a minor inconvenience.
* Within margin of error
Usually, signing things like this won’t particularly hurt you - largely because your inalienable rights are… inalienable. You can’t sign them away, even if some contract says you have.
The flip side of this however is that it’s a very worthwhile pursuit to know consumer protections and what your rights are in the jurisdiction in which you live - and how to enforce them.
Where I live, I unfortunately quite frequently find myself having to go “ok so you want to do the formal process with the regulator then?”, which usually gets them to reconsider - but not always. Three times in the last month I have threatened regulatory action - and of those three, only one chose that path. I have just reported a government agency here to the domestic and EU regulators for failing to fulfil EU FoM treaty rights - and they were even kind enough to put it in writing that they’re ignoring their own domestic laws.
I have yet to lose a case I have brought before a regulator or justice of the peace, and businesses usually only need to do this once, if at all, as it can quite quickly turn a €1,000 dispute into tens or hundreds of thousands of euro of damages and fines. By doing this, following these processes through, I help not just myself but society as a whole.
So - sign away, but have teeth, and know where to bite.
In general, in the US of A, that consent you sign waives your legislated-to-be-guaranteed HIPAA rights.
Specifically, you're typically giving the office's providers and their marketing "affiliates" and your insurance company and its marketing "affiliates" the right to forward around (through any length chains of agreements) your entire medical history associated with enough (research proven as de-anonymizing) details to retarget you personally. And you're typically doing this by accepting a company insurance (in the US) or the provider's reception counter while you're in need of care.
This effectively forced consent is arguably illegal, but as far as I know, untested, so it's standard across the medical system and across omnibus insurance (e.g. company-provided healthcare "plan").
Of course, every touch point is another place your personal history will get stolen and rolled into modern digitally scripted exploitation of your identity and or targeted forms of phish-mongering (a term I made up meaning marketing so personalized you believe it's necessary to sign up for and pay for).
If you have any relationship with the team at your company that procures employee insurance packages, see if you can persuade them to start with the firm's insurance consultant (high end) or broker (low end) and systematically remove every step in the "we can pass along all your info to our affiliates for our own pinky-swear good reasons like making more money off your private info" chain.
In our experience, this added 3+ months to the procurement process as every single provider balked until interacted with by counsel -- and then instantly capitulated.
Our goal was always to give our employees a top tier benefits package, and we consider it a top tier hard-to-match employee benefit to not have random firms and government agencies pawing through your doctors notes, prescription histories, lab results, and enough biographical data to fake your digital twin.
Sadly, most employees -- though none of them are sheeple -- shrug at that for reasons in this thread: no time to fight such pervasive exploitation, especially when it hits them while needing a service as it hit you, or just plain weary of trying. So much easier, and psychically healthier, to just avoid thinking about it. Everyone is resigned.
If a company you consider working for claims "we take your privacy seriously" ask if they got privacy waivers removed on your behalf from all vendor contracts including payroll (does your salary go to 'work number'?) and insurance providers (can your data leave your doctor's EMR?). Odds are, they do not, in fact, take your privacy as seriously as they could.
What's interesting about those documents you're asked to sign, at least at hospitals, is that it's not a requirement, even though it may appear that way from the interaction. I suspect it's the same for other medical professions as well.
Many of them are just "CYA" for the facility/provider. HIPAA allows, for example, providers to share your medical information, for the purposes of treatment, regardless of your consent.
I had a similar experience at a bank some time ago. To sign up, you had to sign a digital pad without seeing what you were signing first. You could get a copy mailed to you later. At that future time, I was told, you could cancel the agreement if you found it objectionable.
Being a bank, this has nothing to do with HIPAA. Just a dark pattern.
My wife recently gave birth. When we arrived at the hospital her contractions were close enough together for her to be admitted. They proceeded to give my wife a 10 page or so consent form to sign. I can't imagine anyone reading that. I also can't imagine them not admitting someone over it.
Can you cite the "especially in the US" part? Maybe use Bolivia, Kosovo, and Indonesia as some random global comparisons.
You're right, it would've been better to say "at least as far as my experience in the US."
Doesn't the right to free association solve this? Don't patronize companies that do this.
I'm a traveling healthcare worker, which means every 3 months is both a new contract for work and a new lease for a rental to stay at.
So if I'm not willing to complete several hours of training modules uncompensated and before the start date of my contract, I'm within my rights to refuse. But this violation of most states' codes is common practice, and when I inform a new workplace that I'm not going to do it, they tell me it's "required," and the part they're careful not to put in writing is that my contract will be canceled if I make a fuss (there is almost always a clause in these contracts saying they can cancel any time for any reason).
So just move onto the next job, right? But the market is very feast-or-famine. It's just not smart to assert my rights during one of the famine periods.
Similarly, if I'm not willing to sign a lease for a rental saying my landlord is entitled to seize and sell all of my property for being even a minute late on rent, I've now considerably limited my housing options, which is not good when I have a new job that starts in two weeks. If that landlord then goes and tells all their landlord friends that I'm "difficult," I could be completely fucked.
Sure, it's "solved." It sucks anyway.
This, honestly, is what I expected AI to challenge head-on, because that is what it's ideal for: little agents arguing for the consumer, the customer, the citizen. In the government offices, these constant advocates could undo all that damage faster than the companies can pile up anti-service moats.
Actual decision (Norwegian): https://www.datatilsynet.no/contentassets/c8d0551d2a64403285...
Machine translation of overview & 5.1 which is what the blog post is about (covers some other things as well): https://chatgpt.com/share/6a34732c-0fa4-83e8-aae1-95c25dd117...
[EDIT] Oh, there was actually official English decision available as well: https://www.datatilsynet.no/contentassets/59addbef9c1b48a28f...
> The reply I received a few days later did me the favour of putting the violation on the record. Their position, in their own words, was that "in order to receive marketing / offers, it is a condition to be a member of the customer club." That one sentence is the whole case. They had taken a right I am entitled to exercise for free and turned it into the price of admission.
I don’t understand… it would be one thing if it said “receiving marketing/offers is a condition of being a member of the customer club” but that’s not what is being stated above… rather that being a member of the club is required to receive marketing — perhaps something has been misworded or lost in translation?
Sounded exactly like a translation error from a German-related language.
e.g. "to receive offers...is a condition to be in..."
Yea, I don't get it either. Receiving being a condition on membership means (in my understanding) only that non-members can't (shouldn't) receive anything, not that members will or must receive something. Which sounds perfectly normal and sane to me.
I think the "marketing/offers" means discounts? To be eligible for the discounts or special offers, you have to be a member of the club, and if you are a member of the club you have to be willing to receive the email messages, and somehow under EU law you're entitled to all discounts I guess?
Even if you opt out of marketing emails, they can still collect information about you, which is useful
That's pretty disingenuous thing to say.
The company was also processing, transferring and selling private data without doing as much as informing their customers.
It's perfectly possible to offer discounts to customers without egregious violations of law and privacy.
Yeah, sounds like it's backwards, and should be "in order to be a member of the customer club, it is a condition to receive marketing / offers."
Yes this is the logical sentence order, at least in English.
No, the sentence order has nothing to do with it. "It is a condition to be a member of the club (in order) to receive marketing offers" and "In order to receive marketing offers, it is a condition to be a member of the club" mean the same thing. The problem is that the explicit markers of purpose ("in order to...") and requirement ("condition") appear to have been applied to the wrong things. If you rearrange them, they'll still be applied to the wrong things.
He was an Elkjøp/Elgiganten customer club member. He wanted to keep the club membership and discounts/offers, but stop the marketing emails. Elkjøp’s setup told him the only way to stop the marketing was to cancel the club membership altogether.
To me, Elkjop seems perfectly reasonable here. But EU policy disagrees.
According to the article, that is not what Elkjøp told him. You're making the assumption that what the article says must make sense, which is unfounded.
While we cannot be sure what Elkjøp exactly told him, the Norwegian DPA's findings included the following:
* Published benefits: https://web.archive.org/web/20220613175535/https:/www.elkjop... (e.g. "Rabatt på en rekke av våre tjenester utført i varehus", i.e. something like "Discount on a number of our services performed in warehouses")
* Conditions to join, i.e. to receive the benefits (DPA's translation):
  * You may be contacted electronically (e.g. via SMS and e-mail), via phone and mail with personal offers and other relevant information
  * Collect and analyse information about you and your customer relationship.
  * Create a customer profile, in order to provide more relevant information and a better service.
  * You have to be minimum 15 years old and you can choose to leave the customer club at any time.
So to get the discount you would need to consent to being contacted for "personal offers and other relevant information".
Which is exactly the point - under Article 21 of the GDPR every person has a legal right not to be subjected to direct marketing so any forced direct marketing is unlawful and consent cannot be bundled (it must be specific under the GDPR) so bundling consent to direct marketing along with consent to join the Club is not lawful.
Which is why my next step is litigation.
> Which is exactly the point
The point in this subthread is that your article says the opposite of what you appear to have meant. You don't provide anything other than what is apparently a very bad English translation. The rest of the article makes it pretty clear that you meant to write something different, but it threw me for a loop when I read it and clearly I am not alone.
This is why, when I'm reporting my translation of something in a foreign language, I tend to include the original text too.
You might well think it is reasonable, but the law doesn't permit this. It is explicit that the person has an absolute right not to be subjected to direct marketing activities (Article 21 of the GDPR), and Article 5 of the GDPR requires that any processing of personal data must comply with all other relevant laws in order to be lawful under the GDPR. The ePrivacy Directive (Article 13) governs direct marketing in the EU and requires consent, but that consent must meet the requirements of Article 7 of the GDPR in order to be valid (freely given), and any consent which is bundled and is a condition of access to a service where such processing is not necessary to provide that service is not considered freely given.
This is not new, we have a lot of case law and regulatory guidance on this.
I think you might gloss over the fact that marketing content implies extensive data collection, sale and sharing of personal data with third parties.
The company was selling the data without checking if buyers would offer similar levels of protection (LOL, in that case). It was found the members weren't properly informed SO the consent was not freely given, they basically extorted and lied to their customers. I'm very happy they were fined.
I'm very happy you're not in charge of privacy laws, but seriously, I don't see how would a consumer ever want more surveillance? Unless you're not a consumer.
Alternative approximate translation: while I urinate on you tell me it's raining.
It is a translation thing - what they said in Norwegian was that it is required to accept marketing activities if you want to be part of the loyalty club - but the machine translation did it literally instead of changing the structure to match common English.
can you fix it?
There's also an issue with EU companies forcing candidates to agree to their anti-privacy policies (confusingly named "privacy policies") as a requirement before the job interview.
Those anti-privacy policies will state that you grant the company and third parties (so, anyone) permission to use your data (including voice and image) for any purpose. (Of course, it is stated in a slightly obscure fashion, so a layman may not comprehend it.)
I wonder if there has been any similar action taken against those.
I haven't personally encountered that, but you are free to lodge a complaint with your local DPA about it.
That exact language is unlikely to be compliant. If you want to maximize your effect you could make an Article 15 request to the company in question, get the list of actual recipients of data (make sure to ask for this specifically) and then make another request to all of those companies. That will then allow you to possibly make further complaints (e.g. why exactly they didn't send Article 14 information to you, whether the legal basis they use is actually proper in your case, especially if the original one was consent and it was not freely given).
Wouldn't you have to "consent" first?
What if you didn't and did not proceed with the process? Can you complain still?
As in - if you didn't give your consent, no violation has occurred and they don't have your data, so nothing to ask for?
That's a bit more complex.
Everyone is free to make a tip to the DPA. However, the DPA is free to decide if they want to start their own investigation based on that, unlike when you make an Article 77 complaint.
There isn't a lot of case law around the threshold of Article 77. The text says "if the data subject considers that the processing of personal data relating to him or her infringes this Regulation". If read completely alone one could make the argument that since you didn't consent no processing occurred -> you do not have the right to make an Article 77 complaint.
However, when taking into account the goals and purpose of the GDPR as well as recital 141, I would argue otherwise. To be specific, recital 141 says "if the data subject considers that his or her rights under this Regulation". The CJEU also often refers to the GDPR's objective of ensuring a high level of protection of the fundamental rights and freedoms of natural persons. I feel that an ex post requirement would be quite contrary to that.
Due to this my personal stance would be that just offering invalid consent choice where refusal has negative consequences is something that violates data subject's rights even if processing didn't occur and would be eligible for actual Article 77 complaint rather than just tip to DPA.
[EDIT] Also, there is the Article 82 path via damages. In your case you could potentially argue that you suffered damages (like lost wages) due to the company's invalid consent requirement. This, however, is generally a lot harder and more expensive path. Depending on how legal costs are allocated in your jurisdiction you could also end up with a judgement where you need to pay your opponent's legal costs if you lose.
For an Article 82 claim you almost definitely will need a lawyer.
Can I withdraw consent later? So, attend the interview (to maximise my chances of being offered the job), and then after the application process withdraw consent?
You can withdraw consent later, but I don't see how that would affect data processed before the withdrawal (except that storage is processing and the data would have to be deleted). I don't imagine a reputable employer would have any other use for the data, so the withdrawal of your consent might not bother them much. If your application were successful and you took the job, I expect that would establish contract, rather than consent, as a legal basis for them to process your data.
In general, I'm not sure a company processing my data on the basis of consent would stop all processing of my data just because I withdraw my consent. Some processing of some of my data might have a different legal basis. Judging by some websites' privacy options, there's a distinction between consent (opt-in), legitimate interest (opt-out) and other legal bases (maybe neither). I'm confused about website forms that have separate reject and object options for each category of data processing and a reject-all button that closes the form. Does clicking "reject all" mean I have or haven't objected?
Our local DPA, who will then proceed to ignore it for years or tell us to take them to court ourselves. [0] As European privacy law including GDPR is a symbolic tool meant to placate and selectively enforce when politically expedient, not to seriously enforce. Understandable, given that near all EU politicians work for corporate interests, as in the US.
[0] https://noyb.eu/en/project/dpa/dpc-ireland - 80% of complaints pending a reply for more than 1.5 years
I grated a bit at an EU company's use of https://www.crosschq.com/ recently.
I understand where he's coming from, but it is still hilarious that he sued the legal entity that won the case for him, after they found the case in his favor.
What do you mean? It sounds like he is planning to sue the company in question and possibly lodging a complaint against the Swedish DPA. The Norwegian DPA is the one who found the case in his favor.
Yes, he doesn't have a problem with the Norwegian DPA but with the Swedish DPA which are the ones that should be in contact with him.
Seeing that he influenced the creation of the GDPR, the general sense of hopelessness in the rest of the populace, and the failure of the governing body to do its job - I suppose he is the only person who would be taking people to account.
Looking at the report from datatilsynet (Norwegian Data Protection Agency), they cite "multiple reports and tips" as the background. I suspect what happened here is that IMY concluded that this lay outside of their authority, submitted the complaint to datatilsynet and either closed the case and forgot to inform Hanff, or they may have never gotten any response from datatilsynet.
I have had several direct discussions with the Norwegian DPA throughout the case; the inspection and investigation were triggered by the IMY cross border case, and I have not "sued" the regulator (neither do I say I have). I have filed a complaint against IMY (the Swedish Regulator) for failure to meet their legal obligations under Article 77(2), but then I have already had to file multiple legal complaints against IMY because they are an absolutely terrible supervisory authority that do literally nothing (they send out postcards to Data Controllers for violations saying "Hey do you know what GDPR is?").
So no, I have not sued the Norwegian DPA and actually have a very good relationship with them along with most of the other EU DPAs (I am an advisor to them, I sit in the pool of experts for law and new technologies at the EDPB which includes ALL EU data protection authorities).
Datatilsynet, the Norwegian DPA, from my experience, consistently has the user in mind. It (sadly) takes a long time for things to pass through the system, but they consistently come to good decisions.
5 years?! That's a f*cking joke. Democracy and rule of law does not exist any longer. The politicians get richer, no one challenges them, they pass their offices down within their family, taxes get higher and higher, and services worse and worse.
On the other hand, it is fascinating to be able to watch the destruction of Europe and western democracy while it is happening! I imagine that this painful slide is what must have happened during the end of the Roman Empire. Now we're seeing the end of the European/US empire.
The image isn't loading for me, all I see is the prompt used to generate it - which is genuinely preferable.
For me it was showing the image and the prompt, but the whole page was unstyled. But when I reloaded the page now, the css loaded also and the prompt is not shown.
I guess the web server was temporarily overwhelmed by traffic resulting in images (like for you) and css files (like for me) not being consistently served to all visitors.
If you click the image, it flips to reveal the prompt and other metadata.
The blog is running on a Mac Mini on a 1Gb/s uplink so when it gets hit with a front page HN post, it does creak a little but I try to be environmentally responsible with my technology (as much as possible) so I am not in a hurry to move it into a datacentre when currently it only pulls 15-25W from the wall during peak traffic.
Is it a prompt or accessibility description for screen readers?
The website labels it as a prompt, so probably a prompt
Mildly amusing that the model was instructed to generate it in the style of a "wide angle film still" but it seems to have gone for a painting instead.
This is extremely cool reading! I'm impressed that they actually fined Elkjøp (as they should!) but very surprised that they didn't keep you informed!
Thank you for sharing!
It was not their responsibility to keep me informed, it was the responsibility of IMY (the Swedish Regulator) to keep me informed.
Sorry, I guess. There were no comments here after a couple of hours and I literally felt bad, so I commented without being very exact in my writing. Regardless, great job, and thank you.
Excellent outcome. I wish we had these rights in the USA! Too bad justice took 5 years though.
There are some state laws - California, Virginia and Colorado, a bunch of others. And the SECURE Data Act currently in Congress. https://statescoop.com/house-subcommittee-secure-data-act-pr...
There are currently 22 US States with comprehensive privacy laws with Louisiana being the latest (their Governor signed just last week iirc) and the 23rd is literally a Governor's signature away (just passed the state senate).
And how much did it make them over those 5 years?
The fine is only part of the story. They likely spent more money than the fine fighting it over 5 years as fines increase next time if you don’t stop.
And how much did it make them over those 5 years?
You don't know how much it did cost them. Why would you care about how much they gained ? You can't compare something when you have neither value.
Because if, as the regulator, you fail to benchmark what they gained then your laws can be ignored and your fines paid as simply a cost of doing business.
Its why you find the Australian regulator for consumer affairs handing out $200m+ fines to telecommunications companies, for example.
By that logic regulators should lower fines if the action wasn't profitable. Which creates an expensive legal fight around the net profits of some action after guilt is determined.
Instead, it’s much better to scale fines based on the scale of the entity involved, which also results in huge fines, but it’s easier to measure revenue. Thus the fines are more broadly effective, and you can still escalate if they don’t stop.
Like in Finland where speeding ticket fines are based on your income. For instance, in one well known case a businessman was fined €121,000 for going 82 km/h in a 50 km/h zone.
And before anyone calls this crazy, note that jail time costs you your time, whatever that's worth. This is the same idea without the physical incarceration.
Most rich people still make money when they're in jail. Only people who work for a living stop making money.
Rich and retired are very different things. A CEO can be out hundreds of millions due to a long prison sentence, but most fines don't scale nearly that far.
That's considerably more than someone near me who was doing 245km/h in a 90 zone (Well 55mph which is 89km/h). I still don't know why that person didn't lose their license (other than the obvious fact that they were rich enough to afford the Lamborghini that they were driving in); it wasn't just any 55 zone, it was one with a reputation for being dangerous.
Damn, it sucks that people are allowed to get away with that kind of speed. Here in Denmark the mandatory minimum for doing over 200 km/h is losing your license for 3 years, confiscation of the vehicle and a ~$2000 fine. Unfortunately punishment isn't enough to get rid of this thing as around 1000 cars are confiscated each year. Some of them are confiscated for other reasons, like driving with a BAC above 0.2%.
I don't think that logic works. In your vein, if I say "If it gets hotter, I'll want it to be colder" that would imply that if it gets colder I'll want it to be hotter. That doesn't necessarily have to be the case though.
If they made a profit and I want them to pay more than the base fine, that doesn't mean that if they made a loss I want them to pay less than the base fine.
I think the rest of your comment stands though. There is difficulty in proving profit, and Hollywood accounting can probably change those numbers.
It's not about what you want nor is it about exacting revenge. The end goal is simply a marketplace where a given behavior isn't happening. Appropriately structured fines should accomplish that.
It's a nice theory, but only works if the company gets caught and fined enough times to make a difference. Even a zillion dollar fine is useless if the law isn't applied. Also, when the fine comes out of corporate coffers, not individuals' pockets, there is less incentive to comply with the law. If you really want results, fines should come out of management's personal bank accounts, not to mention some jail time.
Sure, if the regulator doesn't move to enforce then the law won't have any effect but at least to me that sounds like a problem with the government as opposed to a justification for draconian penalties.
Targeting management seems like a tactic that should only be employed where great urgency exists such as life threatening danger. I don't think marketing material is anywhere close to qualifying.
I hate my inbox being inundated with spam as much as the next guy but that doesn't mean drawing and quartering the perpetrators is justified.
> If they made a profit and I want them to pay more than the base fine doesn't mean if they made a loss I want them to pay less than the base fine.
I’m not saying they would get a rebate just that for this to be meaningful for a mid sized or larger company requires a large portion of a given fine to be based on profits. So a company receiving a fine based on their profits would argue they made less money from the behavior, it’s a legal argument without any risk.
Consider a fine for a mid sized company that's a base 100k + 10m based on profits: it 'goes away' if they win, but it also 'goes away' if they drop it by 99%. Thus just as much effort would be spent on how much money they made as is put forth to defend the fine in the first place.
Now obviously you could set the base large enough to offset that, but doing so defeats the point of profit based fines in the first place. Which means inherent to the idea of profit based fines is the concept that they largely go away if a major company can argue their profits were non-existent.
> By that logic regulators should lower fines if the action wasn’t profitable
No? You don’t need to adjust the floor, only the ceiling.
The goal is to prevent businesses from pricing fines into their margins.
>By that logic regulators should lower fines if the action wasn’t profitable.
The logic isn't some rigid "make the fine based on the profit".
The logic is based on the intent: make the behavior happen less.
So you can have a base fine of X, even when there's no profit or even if there are losses, and have a scalable fine based on higher profits. This way the company is discouraged to do the bad behavior in general, and is ALSO discouraged to do the bad behavior even if it's profitable.
Nobody is giving people at a government agency the authority to write arbitrary fines, there’s going to be at minimum guidelines.
If the base fine is X, then every actual fine would be X + Y where Y is the profit motive causing the behavior. As such every court case is now also a fight about lowering Y and companies are incentivized to make Y appear lower etc.
Further, as companies vary in size, generally at large companies Y will be vastly larger than X, meaning lowering Y is nearly as valuable as winning.
This entire issue is sidestepped by having graduated fines (which GDPR has). If they keep doing it the amount keeps going up until eventually they go out of business. It really limits the ability to take advantage of the system which hopefully makes it not worthwhile to bother doing.
Up to 4% of turnover. So if they make more than that it is still profitable to keep going.
Not that it is likely that they make that much in profit, but still. There probably shouldn’t be a limit, and there probably should be personal legal consequences such as jail time for repeat offenders.
You can apply a fine multiple times in a year if they don’t stop. As that 4% is based on global revenue you’re eventually going to make it unprofitable.
Huh. Any idea if it's individual fines or total fines that are capped? It never occurred to me before.
Anyway this is all purely academic. 99% of violations aren't going to increase profit by more than the maximum fine (or even anywhere remotely near that) thus it seems to me that the law has sufficiently broad coverage for addressing a behavior that does not directly result in physical injury.
Well, isn't that my point exactly?
So the parent saying "The fine is only part of the story. They likely spent more money than the fine fighting it over 5 years as fines increase next time if you don’t stop" doesn't invalidate the question of the grandparent, that, "sure, the fine cost them X, but how much they made?"
Even if the total cost (fine+fighting it in court) was larger, the question remains: yes, and what's that compared to what they made?
The fine is largely irrelevant, now they have faced enforcement we have a decision to file a Representative Actions Directive (equivalent of a US class action) claim with - the cost of that will be 100-1000x more than the fine and will likely lead to shareholder revolt as well (institutional shareholders will likely sue the parent Currys PLC for breach of fiduciary duty and not disclosing these issues during earnings calls and annual reports.)
So the fine is the first step to a much wider legal action.
The fine also puts other loyalty clubs on notice that if they do this, they are going to face consequences - so it has a much wider impact than simply monetary.
Did Elgiganten change how it works yet?
Just for fun I signed up. During the signup they say that by becoming a member you accept that they will send things via email etc., but it's optional to accept this; you can still click the signup button but then you don't get membership status, you just get an account. Then on the kundklubb page it says that you are not a member; if you click join it will automatically enable email, SMS and phone communication, but you can disable them.
Yes this is the difference, they did not allow you to opt out previously, they explicitly said that if you want to be in the club you have to accept their spam. Now they allow you not to accept their spam.
Now they rely on Soft Opt-In (which again might not be valid in your case, if you signed up to their site but didn't actually buy anything the soft opt-in exemption does not apply) so you may still have an actionable complaint here.
FTA: The reply I received a few days later did me the favour of putting the violation on the record. Their position, in their own words, was that "in order to receive marketing / offers, it is a condition to be a member of the customer club."
I don’t see how that implies “if you’re a member of the club, you must receive marketing / offers”. It only says “only members receive marketing / offers”
Good to know that this is illegal. One of my email providers also does this, maybe I’ll also have to try reporting them and see what happens.
Go for it! If nobody reports things they don't get fixed.
I have found this to be true not just when it comes to companies breaking laws, but also to much more benign things. Such as reporting potholes in town or broken microwaves at work. Those can be in need of fixing for an extended period of time, yet when I report them, they usually get fixed within days. I suspect most people can't be bothered or think that surely someone else will report the issue. But that doesn't work if everyone thinks that way.
EU only though. You can get away with pretty much anything outside of EU.
Or the UK, which is still in alignment for privacy regulation as far as I know.
I would like to see these regulations in place here. I have always felt very uncomfortable with companies like TurnItIn.com getting to train their models off of my work, without compensation, where my consent is assumed and there is no opt-out. I've brought this up before, and the general consensus was that my college enrollment is optional, and therefore my consent is freely given. I should have a right to attend a school I pay for and qualified for, without requiring me to give up other rights.
Hand in your paper when you’re on vacation or even better on a conference in Europe. GDPR will apply. Of course it will take so long that you won’t benefit from a decision for your studies. And one possible outcome is that your college won’t allow submitting from EU and won’t admit EU citizens (similar to US citizens having difficulties opening accounts in EU banks).
I'm sure I am wrong somewhere. But can someone explain to me how this same reasoning would not apply to every advertising 'supported' business? You can't opt out of ads on many websites or streaming services and still have access.
It's my understanding that those websites are in violation of the gdpr for doing so.
On most platforms you can usually opt out of targeted/personalized ads that require tracking or collecting personal data, if you do you still get general ads, but that isn't subject to GDPR if they don't use your data for it, I guess.
It's called "pay-or-okay" and there haven't been many decisions on it yet, which has led noyb to sue German DPAs: https://noyb.eu/en/years-inactivity-pay-or-ok-cases-noyb-sue...
There is one case where DPA ruled in favor of the company, but it's currently being appealed: https://noyb.eu/en/pay-or-ok-der-spiegel-noyb-sues-hamburg-d...
Another one ruled against company and court agreed: https://noyb.eu/en/court-decides-pay-or-okay-derstandardat-i...
It's not the ads that are the problem, it's the tracking. If you install something like Privacy Badger it will block all tracking, but not necessarily ads. However, because so many of the ads come bundled with a shit ton of tracking, they are effectively blocked.
There's nothing problematic about having Stihl advertise chainsaws on a page for lumberjack. There is a problem when you collect data from across the internet, conclude that a person might be a lumberjack and serve the chainsaw ads based on that information on a news site.
Sadly the advertising industry is mostly dead, at least online. We're left with online marketing experts that are basically just clicking around in Google and Meta ad-management interfaces. They know nothing about the sites or content, nor do they care. The magical box will find the customers... and if it gets it wrong, no worries, it wasn't their money anyway and you can always just go "Well, advertising isn't an exact science, some of your spending was always going to be wasted, you just don't know which part".
Now we're left with an online advertising industry that can't tell advertising and tracking apart, and it doesn't have the skills or the network to go directly to sites and buy ad-space.
This fills my heart with joy. If only ICO in the UK would do the same.
Well John Edwards just resigned yesterday so maybe you will get a real Commissioner this time - although that said, John was hired specifically as someone who would do nothing, so I guess he did what he was paid to do.
He has largely been ostracised by the privacy and data protection community (even at regulatory events). I have seen him wandering around alone and aimlessly at a number of regulatory events; he didn't seem very comfortable and didn't really have a lot of interaction with his peers.
ICO bothers to whine and plead sometimes!
But usually even the extensive evidence is indeed met with "eh, mate, can't you just ask them again?"
Yep, pretty much the definition of a toothless regulator.
Love to see this, and love our privacy and data handling laws!
It's always satisfying when customer rights stories have a known positive outcome. The timeline is unfortunately quite slow and bureaucratic but I'm glad OP managed to find out about it.
Badass. Hope this keeps happening to all of those abusive "take it or leave it" corporations.
I personally know other people who have filed similar complaints, and the Norwegian Datatilsynet explicitly stated they acted based on many complaints. I don't think they care about a single person's voice in this, even if they "helped create the law".
It's a shame, but it probably says more about Datatilsynet's capacity. Frankly it would be great if you could simply say "this company did something dodgy", provide proof, and immediately get results. But that's not the world we live in.
That's where I put a lot of hope into LLMs, as this is all about natural language that is difficult to parse. It'd be great if LLMs could accelerate enforcements in the digital world, so single individuals with valid claims can finally be heard.
You are making assumptions, I have a very good relationship with the Norwegian DPA and discussed the case with them several times over the past 4 years.
I am glad this was resolved. It’s annoying when companies take things for granted. It’s not just Elkjøp doing it. There are other e commerce companies and some online pharmacies doing it too.
Lol. Brookfield Place wifi had an OPT IN for their wifi to receive marketing.
If you unclicked it, the 'connect to wifi' button greyed out and a notification appears saying that Opt In is required for wifi.
Type the email address of somebody you dislike
There's always a@a.com
My go-to is always their domain, if it works.
Yep this. They never make you verify your email address on a captive portals. (Since you can’t check your email without an internet connection in the first place).
Then you could put in anything that looks like a valid email rather than the email of someone you dislike.
THATS EXACTLY WHAT I DID mwahahaha
yomomma@example.com works for me, most of the time. Some of the places that like to spam their users no matter what filter example.com out.
Put their own email in there, ceo@that-dumb-company.com
Hmm, probably beats my default: abuse@$COMPANY.com
The term "forced consent" is an oxymoron. It shouldn't take much more critical thinking than reading that term to know it makes no sense.
Agreed. It’s an idiotic euphemism.
It's one of those situations that the words lose their meanings but the expression makes you understand a situation better. This is like a manufactured consent that comes with a threat. A similar example would be "coerced confession" or maybe even "forced smile".
I've often wondered what basis companies are using for the "opt-in to tracking or pay to opt out model". It has spread now to even fairly reputable organisations.
This, at least to my understanding, runs contrary to the spirit of the GDPR regulations. Permission has to be freely given which, when the alternative is paying a subscription, it quite obviously isn't.
The only basis they have is the low chance of enforcement. It is absolutely contrary not only to the spirit but also the letter of the law.
I am a EU citizen, I bought a (Chinese) robotic lawn mower.
One day, at the end of April when the grass is growing very rapidly, they presented me with a dialog in the app that basically said:
"We updated the EULA with the explanation "optimized wordings". Please accept."
There was no reference to the new or old EULA, and if I didn't accept I could not start the app and use my new mower. It was bricked.
I am now checking their compliance with GDPR. It is a tedious process because they keep stalling, but I still feel I have all the rights.
And I get a lot of help from chatgpt who works as a patient secretary that translates my "f-fck sake give me my stuff" into formal/friendly legalese with counter questions designed to be difficult to duck.
As of now, 2 months later, they have finally pointed me to "download personal data" in the application which gives me back a PDF with mower model, my email address and some push notification history.
But I know they store much more than that. And I think they know that I know. If nothing else my customer support history. But also for example a map of my garden.
Sounds like a clear case.
Yeah, doesn't always help of course.
But EU countries have authorities for this that helps filing issues they find legitimate. e.g. https://www.imy.se/en/news/administrative-fee-against-spotif...
But also the Norwegian twin mentioned in TFA.
As of now I am mostly collecting data to probe their compliance.
The part about this that's amazing to me is that they still are doing nothing after he noted another GDPR violation [0]. He's obviously both competent and litigious. What does the company expect to happen next??
[0] "Under Article 77(2) of the GDPR a supervisory authority is under a binding legal obligation to keep a complainant informed of the progress and the outcome of their complaint. It is not a courtesy and it is not discretionary - it is written into the law. I filed my complaint with IMY, IMY passed it on, the case ended in a multi-million euro enforcement action, and not one of the authorities involved thought to tell the person who started it."
As I understand it, this second complaint is not against the original company, but against the government authority that handled his case.
There's two government authorities here, the one he reported it to (Swedish), and the one that the first one forwarded it to (Norwegian).
The former is the one he seems to be currently taking to task for failing to follow the law, the latter is the one that meaningfully handled the case.
It's also worth noting that it's not the first time the Swedish DPA has been criticized regarding GDPR complaint handling:
https://noyb.eu/en/gdpr-rights-sweden "GDPR Rights in Sweden: Court confirms that authority must investigate complaints. So far, the Swedish IMY has taken the view that users don’t have party rights in GDPR procedures."
https://noyb.eu/en/noyb-takes-swedish-dpa-court-refusing-pro... "IMY frequently just forwards a complaint to the company that illegally processes personal data - and then immediately closes the case without investigating." (no decision on this as far as I know. A bit surprising since it has been almost 2 years)
Ah, I got confused by the name and acronyms.
> the only way to stop the marketing was to cancel my membership of the club altogether
I have experienced this same thing with at least one other big company in Norway.
I could opt out of either SMS or e-mail, but not both, or I would not be able to keep the membership.
Unfortunately, I never made a note of which one that was exactly so I can’t name them and shame them on the spot.
Despite half-hearted attempts at stopping marketing emails now and then by individually logging in and opting out, or clicking unsubscribe links embedded in the email, my email continues to be flooded with marketing both from domestic and foreign companies that I've done business with. There are so many companies that even going through a handful of them at a time and unsubscribing, there is a seemingly endless number of companies that remain to unsubscribe from.
It is great to see that someone fights back, and that it is resulting in fines.
komplett.no
Idk about that particular company but the benefit of cheating may be much higher than the 1.8m fine they got.
I personally never specifically consent to anything, yet get a ton of marketing emails. To most companies that send me those emails 1.8m would be a slap on the wrist.
It is not just the fine - they are no longer permitted to conduct the processing activities - so no they don't continue to profit from it, one of the reasons the fine was reduced was specifically because they made changes to bring themselves into compliance during the investigation. This is stated in the Regulator's press release directly.
how was 1.8M calculated?
have any calculations been made on how much actual profit was made by these unlawful actions?
Page 33. The fine is calculated from the company's annual worldwide revenue for the previous year.
https://www.datatilsynet.no/contentassets/59addbef9c1b48a28f...
"guidelines say we should apply fine of 0.4% yearly revenue (400M NOK) at the least, but for whatever reason we decided punishment to be 20x less than that"
okay then...
I wish America had real privacy laws like Norway.
I don’t know who you are. I don’t know what you want. If you are looking for ransom I can tell you I don’t have money, but what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you.
Fuck them with a rusty chainsaw dipped in manure.
I’m imagining an agentic solution in everyone’s inbox that automates GDPR fines and updates
Hahaha, the sticker looks really funny, but I like it.
GDPR is a godsend.
Thankfully inbox providers are now mandating unsubscribe headers (so the unsubscribe button now sits at email client level, not within the body of the email, as it always should have). Making this entire thing irrelevant.
Going through the hassle of policing individual company behavior is beyond silly and a giant waste of resources when you can literally just force the behavior at client level.
This is also basically the story of why GDPR popups are stupid. Set it at the client (browser) level, not on 100,000,000 individual websites done slightly differently every time and try to setup an enforcement dragnet to have expensive fights over misplaced commas.
This should have always been a browser setting and not a multi-billion dollar Kafka-esque nightmare of lawyers and regulators policing every company on earth, wasting Europe's productivity and resources.
It's like how the US makes you file your own taxes when for 99% of people they already know the amount you owe, and then randomly will decide to fine you if your calculated number doesn't line up with their number. It's a giant waste of everyone's time.
Everyone is getting very excited, but on what date did the company actually pay the fine to the EU?
> This decision can nevertheless be challenged before Norwegian courts in accordance with Article 78(1) of the GDPR. [0]
Time will tell I guess?
[0] https://www.datatilsynet.no/contentassets/59addbef9c1b48a28f...
It can be appealed but because it is cross border it has to be appealed directly at the Oslo Court (rather than the privacy claims board) and also the fact they had the fine reduced for co-operation usually includes a clause that they will not appeal (otherwise they lose the discount which is normally around 30%).
"Integritetsskyddsmyndighetensffsf"
Bro, you alright?
I'm so glad the GDPR never took hold in the US. Little Karens getting companies fined millions of dollars over what amounts to nothing.
You can always not use their service. Plenty of alternatives out there.
How depressingly unamerican.
It's really pathetic, isn't it? These guys hate their fellow Americans so much that they think it's better to allow companies to abuse people instead of stepping in to protect them.
I for one was signed up for Elkjøp kundeklubb membership unbeknownst to me. It happened when I was picking up a water cooker. Seller asked if I would like an electronic receipt and asked me for my email. That was in Elkjøp at Solsiden in Trondheim.
The more annoying is that I gave him my regular email address and not a generated alias that I always give to companies.
Was super pissed when spam started landing on my main address.
So no, not plenty alternatives here.
If I need to buy something at El Giganten (Danish version) I speak English when paying, and tell them I'm a tourist and don't want to give them a phone number or email. They can print a paper receipt.
But I only buy from there if it's the only option. (Other than Amazon, which I refuse to use at all.)
Norway has in practice only two big box electronics chains. Not always "plenty of alternatives out there".
All this regulatory overhead won't help competition.
Dropping these regulations won't help the competition either.
I wonder if anyone who is cheering this fine has actually read and tried to implement GDPR. It is a nightmare to be fully compliant for small companies.
It is mostly just a theater (like endless cookie consent dialogs in anonymous browsing), to employ more experts and bureaucrats.
EU is now pushing privacy laws that severely undermine privacy.
> EU is now pushing privacy laws that severely undermine privacy.
Even if it's mostly just theater, you don't make the case at all for how it undermines privacy.
I did, it is easy, you just don't spy on people and have a point of contact and you're good. It becomes hard when you want to spy on people and also remain compliant with the no spying law.
You can even spy if you want to, just ask for consent
Getting consent in a truly compliant way is basically impossible (it should be opt IN, not opt OUT). Though we've trained people to just accept literally everything now.
Why is opt in "basically impossible". That is the definition of consent. Ask BEFORE you do something. It might sound strange but most people really don't want their data gathered by everyone.
I agree!!
To be clear, if you ask for consent in a way that is actually legal, almost nobody will actually consent.
Yes. It’s very easy actually. People think it’s hard only because they’ve built revenue streams on unethical behavior.
I have read it. It's really easy to be compliant if you don't start from a position of extracting the maximum amount of data from every user out there. If you start from the opposite end of the scale, only getting the data you need for the goals you need to achieve in the interest of the user, you barely have to do anything beyond what you would have done anyway.
The cookie consent dialogs were never required in this form.
That was literally just malicious compliance in order to get people mad at the law instead of the companies (at least at first, there's also a huge amount of cargo-culting nowadays). Congrats, you've been psy-opped.
When the official EU websites use the same kinds of annoying dialogs, how is this true?
Official EU websites, generally speaking, are not bound by GDPR or ePD. Rather, EU bodies are bound by EUDPR. I'm not well-versed on that specific thing, but EDPS and courts have previously found that EC has infringed EUDPR, so it wouldn't be weird if their cookie banner was breaking the law as well.
They actually are bound by the ePrivacy Directive due to jurisprudence (EU bodies must comply with CJEU rulings).
I actually wrote to the EDPB on 25th May 2018 (the day GDPR came into effect) and forced them to make their own website compliant with the ePrivacy Directive (I still have the email thread, it was quite an interesting discussion).
I also filed a complaint against the Court of Justice on October 1st 2019 within minutes of them publishing their Judgment on the Planet49 case (C-673/17) because their own website didn't comply with the judgment - they fixed it within 18 minutes.
So yes, EU institutions get it wrong sometimes, but they generally fix it quickly when they are informed. I currently have a big case ongoing with the EDPS against the European Commission and the European Parliament for hosting live streams directly on social media instead of the official live streaming platform set up for EU bodies (on the basis that forcing people to engage on social media is a breach of fundamental rights because it allows those platforms to infer special category data (political interests and others depending on the topic of the live stream)).
EDPS just actually updated me this week that they have concluded their side and are now waiting on the final responses from the Commission and Parliament.
So yes, the rules do work, but you have to be pro-active, armchair activism doesn't work.
I would like to see that thread if possible just out of curiosity.
I looked a bit into EUDPR and the earlier 45/2001 regulation (EUDPR came in effect in December 2018 so a bit later than GDPR). EUDPR explicitly imports Article 5(3) of ePD (via Article 37) and thus whatever case law there is around it. The earlier regulation seems to do this more indirectly (references in recitals), but EDPS view from 2016 is that it effectively does import Article 5(3) as well.
Personally I haven't dealt with EU institutions so far. On general public sector side I did recently seek some clarifications from Finland's Ministry of Justice regarding one of their websites and their responses weren't exactly reassuring.
I asked for the GDPR Article 15(1) information regarding a single visit (i.e. information about processing, not actual copies of data) and it took them almost 3 months to give an official response. Even after that time they, for example, failed to identify whether they are actually the controller or not for some of the processing (Cloudflare challenge). And their stance is that analytics (Matomo) does not need an Article 6 legal basis at all, i.e. they seem to think that the anonymization step itself is not processing.
I wrote this 5 years ago, hopefully it will clear up some of the misconceptions around cookie banners:
https://www.linkedin.com/pulse/truth-behind-cookie-banners-a...
Stop spying on people.
The companies made this worse for themselves by continuously trying to skirt around the rules and regulations.
When the cookie law was first instituted I worked for an e-commerce site and was tasked with ensuring that we'd be compliant. It would have been crazy simple to implement, but no, because management, encouraged by the companies selling the tracking and re-targeting solutions, kept insisting that I was reading the rules incorrectly. By incorrectly they meant: we want to be able to track and target customers all the time, regardless of the rules. The result was scrapping my solution that truly allowed users to opt in, in favour of a commercial solution that just blocked the entire site until you clicked "Okay" and which wouldn't actually stop tracking if you dismissed it somehow.
Yeah, the rules are getting increasingly complicated and to some extent require experts. That is because of businesses that have failed so miserably at regulating themselves.
Absolute nonsense. Any company that was complying with the old Data Protection Directive should have had zero issues upgrading their processes and policies to comply with GDPR. There are very few material differences between the two, and the previous law existed since 1995 - most of the changes are around accountability (record keeping).
Also, cookies literally have nothing to do with GDPR other than the definition of consent - cookies are governed under an entirely different law which has existed since 2002 (Directive 2002/58/EC).
It bugs me when I see people criticising the law when they actually haven't even bothered to research and understand it or even look at the correct law.
That is likely by design. From the article footer:
"Work with Alexander
Thirty years in privacy. Helped shape the GDPR. Advisor to the EDPB, the European Parliament and the European Commission. If you need this kind of analysis applied to your own systems:
Book a free consultation See all services"
This article reads like “jurisprudence fetishist gets off on technicality!”
How refreshingly European.
How is "you must let customers opt-out of marketing spam" a technicality?
Tell me it’s raining, huh? America is used to yellow rain.
It's an interesting story, but I could not help but have my mind skip over it because of the LLMisms. It acts like one of those taboola reels to me. If there were even just a tutorial to get people to write in such a way that it's not obviously LLM text it would be nice, because the story is interesting.
I know, it's like complaining about JS etc. but it's like walking into an elevator and smelling very strong perfume. It's hard not to go "whew!"
> LLMisms
The word is “cliches”, and they existed long before LLMs.
Haha they are cliches, yes. But a specific type of cliche that is unique to current language models.
> That one sentence is the whole case
This example, for instance, is more uniquely LLM than mere common cliche.
> cliche that is unique to current language models
If it's something humans don't do and unique to certain programs, then "cliche" is probably not the correct term.
"I read the article, but it was full of improperly-escaped HTML entity references, how cliche."
Gonna need you to expand on that, because I don't see how that sentence is “uniquely LLM” at all. It feels pretty typical for legal people speaking informally.
Lmao at the absolute ego behind that wording
> Gonna need you to expand on that
Sure boss, everyone here is just waiting for your commands to meet your every need
Cliches in general did, llms created new ones even though you may not be adept at recognising them
Lmao at the absolute ego behind that wording
Someone with tinnitus hears tones that aren't there, that doesn't make them adept at hearing tones. You will reply some analogous comment about deafness, but here's the thing: tinnitus is much more common than deafness.
They are not written by an LLM lol, I have severe ADHD, this is how I write and there is plenty of my material out there spanning the last 20+ years (long before LLMs existed) to illustrate that.
i sent the article to an AI detection tool and it said that 22% are AI generated. (that tool distinguishes between AI generated, AI assisted, and human) it marks the first few paragraphs as such. i have no idea how accurate that tool generally is. it is clearly failing here. (part of the reason for checking articles is to learn how reliable those tools are, not to gather evidence against a writer)
what could help though is if you could find a way to have your articles proof read by someone else to at least weed out some of the more difficult to read constructs, like this one:
any Consent Management Platform (CMP) which sets a cookie for anything other than cookies which are not strictly necessary that the user has consented to
i would write that as:
any Consent Management Platform (CMP) which sets a cookie that is not strictly necessary but that the user has not consented to
i had to read your version three times to make sure i understood it correctly.
If I did business in the EU, I would be banning this chap from my services on the basis that the risk he poses to the business is too great...
You would do no such thing, because if you tried, you wouldn't have a business in the EU anymore.
Frankly, this attitude is pathetic. Absolute loser behaviour.
I don't think you should be doing business anywhere if customers being familiar with the law and knowing their rights scares you. Frankly if you are running a business, you should be familiar with the laws and regulations, doing otherwise - especially when someone points out that your behaviour is illegal - is negligence and punishment with a fine is completely appropriate. Welcome to living in a society.
In other words, you'd ban someone because they might notice that you are doing illegal stuff and you might get caught.
Follow the laws and it isn't an issue. I'm pretty sure banning someone for that stuff is probably illegal, too.
Just avoid some jurisdictions. Bulgaria is in the EU, has all the same access, and has no time for this BS.
You can see the fines the Bulgarian regulator has handed out here:
https://www.enforcementtracker.com/
The risk of getting caught doing business illegally? You really don't give a damn about the illegal part, just getting caught?
We don't want your business in the EU if this is your attitude to things like this.
Processing my personal data in such a way (to ban me from your services pre-emptively) would be a breach of the GDPR and in some member states could involve criminal sanctions.
For example, in the UK we have a very famous case (The Consulting Association (TCA)) where building contractors joined together to build a list of construction workers they didn't want to hire - this was determined as a criminal breach of UK data protection law.
So have at it, I love a challenge...