
The Python Software Foundation on European cybersecurity

Posted Apr 22, 2023 3:18 UTC (Sat) by NYKevin (subscriber, #129325)
In reply to: The Python Software Foundation on European cybersecurity by Vipketsh
Parent article: The Python Software Foundation on European cybersecurity

> The GDPR/Cookie laws. A great idea and something pretty much everyone wants. The problem however is that in practice it seems to have become "do whatever you want with data, as long as you can coax the individual into clicking an 'I agree' button". In the end you have two choices: don't use the internet or agree to everything -- not much of a choice these days. We all know the huge threats of fines here.

Those are two different laws that work in two different ways, but I will focus on GDPR because it is the more comprehensive and important of the two. GDPR *expressly forbids* what you describe. Consent can be a valid basis for data processing under GDPR, but it must be "voluntary" within the meaning of the law - a rather narrow exception that's frankly quite hard to fit into. You can't say to the user "click agree or else you can't use our service" and call that "consent."[1] You would instead have to investigate one of the other valid bases for data processing, and every single one of them has strings attached.[2] There is, quite intentionally, no straightforward way to force a user to provide arbitrary PII in exchange for some arbitrary service - that is simply not a transaction you can enter into in the EU. Anyone who claims they can do this is either lying or unknowingly violating the law.

[1]: https://gdpr-info.eu/art-7-gdpr/
[2]: https://gdpr-info.eu/art-6-gdpr/


The Python Software Foundation on European cybersecurity

Posted Apr 22, 2023 9:47 UTC (Sat) by Wol (subscriber, #4433)

> There is, quite intentionally, no straightforward way to force a user to provide arbitrary PII in exchange for some arbitrary service - that is simply not a transaction you can enter into in the EU. Anyone who claims they can do this is either lying or unknowingly violating the law.

Compare that to American arbitration. Can't speak for Europe, but in the UK arbitration is never binding on the individual. Companies don't get to write their own law. And the UK definition forbids a conflict of interest for the arbitrator. Companies don't get to appoint their own judges to interpret their own laws.

Cheers,
Wol

The Python Software Foundation on European cybersecurity

Posted Apr 24, 2023 3:37 UTC (Mon) by Vipketsh (guest, #134480) (4 responses)

Where I guess we will disagree is that I don't believe that just because some law was made the world immediately works the way described in the law. What does matter is what I see of it, and the fact is that GDPR clauses are making their way into contracts I cannot change: employment, telco, apartment, etc. Because of the huge risk of fines by GDPR these clauses are as wide as possible.

Let me tell you a little story. Whenever we have government elections, candidates need to show some minimal support to be put onto the ballot, which comes in the form of collecting people's signatures -- personal data that falls under GDPR (or so they claim). So, they make everyone who signs the support thing also sign some GDPR thing, allowing them to handle your data. It's all voluntary of course. What happened then is that half the country started receiving some weird SMSes relating to the election that they definitely didn't want. Turns out:
1, That GDPR thing people signed contained a little more than they thought
2, The "data controller" turned out to be some foreign entity on the other side of the EU
3, To do anything, in a legal sense, you would need lawyers and courts in that small foreign country

This is what I meant by "practically" and "coax": no-one forced any of these people to sign anything -- it was all voluntary and no pressure was applied, yet I'm sure you can understand that it is not a very life-like scene that in an underpass hundreds of people are standing around the booth of some political party meticulously going through dozens of pages of dense legalese. Also realise how the enterprise was set up to make it as difficult and expensive as possible to try to get any sense of justice.

This is why I say that any law which allows "voluntary consent" to nullify parts or all of it (pretty much all EU things) just means that those parts are, in practice, nullified by default.

The Python Software Foundation on European cybersecurity

Posted Apr 24, 2023 9:57 UTC (Mon) by edeloget (subscriber, #88392) (2 responses)

> 1, That GDPR thing people signed contained a little more than they thought

That should not be the case. All the various uses of your PII should be stated in clear and understandable language.

> 2, The "data controller" turned out to be some foreign entity on the other side of the EU

This is not relevant. The data controller must follow the rules, wherever it is, as long as it is handling PII from European citizens.

> 3, To do anything, in a legal sense, you would need lawyers and courts in that small foreign country

This is not true. You have to signal the problem to your local authorities (in France, this is the CNIL; in Germany, the BfDI; all European countries have a similar authority). They will act on your behalf. The GDPR never expected individuals to start legal challenges against large companies.

The Python Software Foundation on European cybersecurity

Posted Apr 24, 2023 11:14 UTC (Mon) by Vipketsh (guest, #134480) (1 response)

>> 1, That GDPR thing people signed contained a little more than they thought

> That should not be the case. All the various uses of your PII should be stated in clear and understandable language.

We are talking politics here, and in politics there is always lots of money and legal expertise on how to screw your opponent over any sliver of wrongdoing. Yet despite the high-profile scandal, *nothing happened*, and because of the political angle I can only presume that was because there was no case. Tell me all the legal theory you want, but the fact remains that a quarter to half a country's worth of people had their data used in a way they did not want and the GDPR did nothing to prevent it. This is a failure however I try to look at it.

>> 2, The "data controller" turned out to be some foreign entity on the other side of the EU

> This is not relevant. The data controller must follow the rules, wherever it is, as long as it is handling PII from European citizens.

In theory maybe not, but in practice it very much is. If you believe they are doing something wrong, your first point of contact to even try to figure out what it is, is the entity itself. You may complain to your local authorities, but they won't do anything without any evidence (they definitely don't have the capacity to investigate everyone's feelings) -- and the one place to even try to get it is that entity you can't communicate with.

The Python Software Foundation on European cybersecurity

Posted Apr 24, 2023 14:47 UTC (Mon) by edeloget (subscriber, #88392)

> In theory maybe not, but in practice it very much is. If you believe they are doing something wrong, your first point of contact to even try to figure out what it is, is the entity itself. You may complain to your local authorities, but they won't do anything without any evidence (they definitely don't have the capacity to investigate everyone's feelings) -- and the one place to even try to get it is that entity you can't communicate with.

I think you lack some important knowledge about how the GDPR works and how it's enforced by local authorities. The procedure is only two steps:

1/ send a letter stating the issue at hand to the data controller; most national authorities will provide you with templates and/or tools to adapt the template to your needs.

2/ if you do not receive any answer after the legal delay (1 month IIRC), you can mandate your local national authority to handle the issue. Of course, it won't be as fast as you want it to be. The point is: if it's difficult or near impossible to discuss with the data controller, they are the ones who are at risk.

Of course, you can have your own grudge against the GDPR. But maybe you can test the procedure before telling the world that it does not work. See https://www.enforcementtracker.com/ for further references.

The Python Software Foundation on European cybersecurity

Posted Apr 24, 2023 13:47 UTC (Mon) by kleptog (subscriber, #1183)

That's a good story, but the issue is really one of education. Basically, the law with respect to business/consumer relationships is that the default options are the best for the consumer. If a business is trying to get you to sign up to some legalese, there is really no way that can be advantageous to you.

With bigger companies like telcos, energy providers, ISPs, etc., their terms of service are generally lodged with the chamber of commerce, and consumer organisations are all over them making sure there's nothing crazy in there.

In your story, if all they were doing was collecting signatures to be able to demonstrate support, then they wouldn't need to ask permission under GDPR, because you only need to ask permission for processing that is not required for the service being provided. So the fact they're asking permission is a big red flag saying they're going to do dodgy stuff with your info.

So really, we need to teach people that if someone on the street is trying to get you to read pages of legalese, WALK AWAY! If you're at the checkout of a supermarket and suddenly they pop up a form agreeing for them to use your payment info, that's a big fat red flag.

With respect to enforcement, I think the EU Small Claims procedure[1] would be appropriate here. It's a purely written procedure, though it might get a bit cumbersome if translations are required.

[1] https://europa.eu/youreurope/business/dealing-with-custom...

The Python Software Foundation on European cybersecurity

Posted May 2, 2023 18:50 UTC (Tue) by immibis (subscriber, #105511)

And yet, every second website does just trick the user into clicking "I agree" and is never punished for it. It seems the great European bureaucracy only has the bandwidth to prosecute the Facebooks and Googles of the world.

It would be neat if, like, every website with only an "I agree" button and no "I disagree" could get a $1000 fine (commercial sites) or $50 (personal sites) with just a few minutes of paperwork, let's say, upon report and maximum once a week. I suspect that would fall afoul of some rules against summary punishment. Now, no Apple or Netflix is going to care about a $1000 fine, but those ones can be fed through the big lumbering bureaucracy... meanwhile, say, Stack Exchange's CEO having to personally respond to a court order every week would be a significant motivation to fix the problem. (just an example - Stack Exchange recently fixed this problem)

The Python Software Foundation on European cybersecurity

Posted May 10, 2023 23:05 UTC (Wed) by callegar (guest, #16148)

> You can't say to the user "click agree or else you can't use our service" and call that "consent".

Apparently, at least to some extent, cookie walls are legal and you can say "click agree or else you can't use our service unless you buy a long-term subscription to it", because as long as you are offering an alternative, that is consent (even if the alternative is not really equivalent: maybe you want to use the service just once and not continuously for a long time, as the cost of a subscription assumes). Many online newspapers in Europe use this business model, see https://www.repubblica.it/tecnologia/blog/cyber-law/2022/... (in Italian, Google Translate works well enough with it) and https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/... (in French). The key document appears to be the Conseil d'État decision taken in June 2020: https://www.cnil.fr/fr/cookies-et-autres-traceurs-le-cons...


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.