Sooo, I just clicked through the link to this article on MPs slamming @ICOnews for not enforcing the GDPR against the UK government.
It IS a problem, @ICOnews and other DPAs not doing their job.
(A thread) https://www.wired.co.uk/article/ico-data-protection-gdpr-enforcement
You know where the @ICOnews has also decided not to do its job?
#adtech https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/05/ico-statement-on-adtech-work/
Which is interesting, because this is the Conde Nast cookie notice I had to work through before I could even access the article about the MP complaint mentioned above.
Let's take a look, shall we?
As a reminder, with very few exceptions the use of cookies requires informed consent signified by an affirmative step (opt-in). Also, controllers must not “bundle” consents for processing that is necessary to perform a contract, with consents for processing that is not.
Does this cookie notice comply with these requirements? [snorts sarcastically]
It starts promising. This is the default on “strictly necessary” and “performance” cookies. The former (probably covered by an exception) are “always on”, while the latter are on by default. If no change is made, this is taken as user consent. Where is the “affirmative step”?
These are the consents for a bunch of other cookies that are clearly not covered by the exemptions. They are off by default, which is good.
Although, if I had taken the easy route and just clicked away the original cookie notice rather than being a pesky nerd, I would presumably have accepted them all in one go. The calculation here is my convenience v my protection.
Convenience here too, because the “Allow all” button is right at the top, in bright blue for everyone to see, while the “Confirm your settings” option is at the bottom (of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying “Beware of the Leopard”).
Next we are looking at a bunch of “legitimate interest” purposes. These are curious, because I can object to them, as the GDPR requires, but I don’t know quite how to.
On the right side are the same sliders I used for my cookie consent, but do I switch them on or off to object?
Questions, questions...
But actually, let’s try tapping on the “Object to legitimate interests” box itself and see what happens.
Oh look! It seems like THAT’S the way to do it. Or is it? Because the sliders on the right don’t change at all. So what are they there for? Have I properly objected now?
OK, but let’s assume we’ve switched everything off now.
Only we haven’t, because right at the bottom is this new fresh hell: the info about cookies set by so-called “IAB vendors”. Which is shorthand for the myriad of ad networks that have access to the page.
And guess what, not all of those can be switched off. Among the ones that are “Always active” is the right of those vendors to “Match and combine offline data sources” with your online activity “in support of one or more purposes”. Which sources? What purposes? I have no idea.
I teach data protection law at a Russell Group University and I have worked in this area in HE and as a practicing solicitor for over 15 years. I have written more privacy policies, both for individual clients and as templates for law firms, than you can shake a stick at.
But after I just went through this notice, I have no idea which permissions I have just granted and which I have denied. What processing I have objected to and what I let stand. And if someone like me cannot know this, what chance does anybody else have?
This notice is a prime example of how irregular patterns and contradictory choices can be used to confuse even those of us who take the time to adjust privacy settings (and who know a little bit about this) into making choices that we never meant to make.
This is on top of the fact that some of those choices are denied us in fairly clear contravention of existing law. Enforcing the law in these circumstances should be a doddle. But it isn’t, because the regulator has decided that it is not worth their time right now to do that.
. @ICOnews’s historical inclination to “work with controllers in an advisory capacity” rather than take actual steps to stop them from breaking the law has long led to its complete capture by an industry that is just not willing to face the fact ...
... that its business model is incompatible with the protection of data subjects’ fundamental rights.
We also see this “cosying up” process with @DPCIreland, which - even after two CJEU decisions - is still reluctant to take on Facebook. https://noyb.eu/en/dpc-has-no-clear-time-line-enforcing-cjeu-judgement
All kudos to @maxschrems and @NOYBeu, btw, for sticking with it and being a perpetual thorn in @DPCIreland’s side.
But while all of this is playing out, the adtech industry is allowed to put together large dossiers about everybody’s online behaviour, interests and preferences that can not only be used by them to manipulate our every decision, whether commercial, social or political, ...
... but that also, by virtue of their mere existence, create unwholesome desires in other entities, including law enforcement, national security, public health, researchers and anyone calling themselves “innovators”. Because “if the data is already there”, why not use it?
The GDPR was a massive step in the right direction to prevent a potential future that we have so far only seen in dystopian YA novels (@doctorow’s “Little Brother” springs to mind).
But the buck ultimately stops with the regulator.
So, if DPAs like @iconews or @DPCIreland do not do their job, the best data protection framework in the world is going to be useless. The question, therefore, is not so much “who guards the guardians”, but how do we get the effing guardians to guard us?