by lloydsparkes 2946 days ago
I am reading through the complaints,

The first one: https://noyb.eu/wp-content/uploads/2018/05/complaint-android...

The user sets up a "new" (non-Google) phone, and isn't given an option to decline consent to Google's ToS.

Now how does this work with a physical product? It needs to be compliant on the 25th of May 2018, but the version of Android may be old and not updated (given it's Android). Even if there was an update waiting to resolve GDPR-related issues, you would need to agree to the ToS to get that update, to enable opt-out?

In that point of view, it seems a rather unfair complaint. I haven't checked the others yet, but I start to feel that perhaps these have been filed too early, without enough thought and examination, just to get headlines?

8 comments

> In that point of view, it seems a rather unfair complaint

It is an unfair complaint. But to be fair to the regulators, these complaints were filed by users, and may well be dismissed once reviewed by regulators. This type of unfair complaint will be an interesting test to see just how abusive the GDPR enforcers may or may not be.

The real test is how Google behaves.

Google shouldn't be collecting data from users who agreed to share their data based on outdated ToS that are no longer legally valid.

They should ask for agreement to new GDPR-compliant terms just as they do for users who agreed to the old terms before GDPR was law.

Why do you think that the previous ToS was outdated and no longer legally valid? Why do you think consent given x years earlier would not be valid?
Because the new law says the user can’t be assumed to consent, unless the specific parts of the contract are stated more explicitly, are opt-in rather than opt-out, etc. The old ToS become invalid and unenforceable.

If they stop collecting data for those users (at least until they opt in to an updated ToS) that would work around the problem.

Anyway, I'm in the EU and I received mail on 12th May about the updated privacy policy. In my native language, which is used by only <2m ppl.
Companies have had two years to get their act sorted out on this.
I can still purchase a "new" 2 year old phone. I think that is a valid question.
If a product that was in compliance goes out of compliance due to legal changes, it generally has to be pulled from the shelves. I'm saying this strictly from a legal perspective, not endorsing it per se, and I acknowledge the significant expense involved. But this sort of thing happens pretty frequently in a lot of other industries, and the result is pulled product and often a lot of destruction of unsold product.

In this case, fortunately, the hardware may not necessarily need to be destroyed, but it couldn't be sold until the software stack complies. Or, more likely economical, ship the phones somewhere where they are still legal and ship new stock into the EU with updated software. Or make sure there's an immediate update available for the phones and petition the EU for a variance on the grounds that as long as they update, they'll get compliant software. There's a number of options.

If Google had made software updates available which gave the correct options and were GDPR compliant,

but the OEM or network doesn't approve / supply those updates, is Google at fault? (In this case it's a non-Google phone running Android)

> But the OEM or network doesn't approve / supply those updates, is Google at fault? (In this case it's a non-Google phone running Android)

Great question. I have no idea, and with the GDPR having been looming on the horizon for two years now, this is something that would be beneficial (and cost-effective) to spend money on getting quality legal advice about.

To anyone who has seen the complaints about startups having to spend $20k on a lawyer to explain the GDPR to them, a small startup won't be facing complicated legal questions like these (and those who insist on doing so, have been given ample warning).

A friend of mine has an online business that involves offering/reselling/managing a client's domain registrations (as part of a package of specialised hosting services). Meaning he can't really get around sharing his clients' information with third parties (registrar, other domain shop, I'm not sure). 25th of May approaching. He reads up on the GDPR, makes some adjustments to how or what data he stores (because earlier, you know, it was considered good practice to "store all the things" just in case), writes a 3-page license agreement (I suppose he took a boilerplate example and adjusted it to his needs), sends it to his clients to agree, and done. Less than a week's work.

Interesting line of argument; if it was a CE compliance issue it would clearly be the vendor/importer. But the GDPR doesn't talk about devices, it talks about data controllers.

Information commissioners can't require data controllers to do things which cannot reasonably be done. So I think this ends up with "the existing phones are fine for technically necessary data processing, but buying an Android phone cannot be direct marketing consent in and of itself".

It's Google's terms, and Google is the one who determined the mandatory flow of that setup as per agreement with the hardware vendor. The EU could absolutely hold them responsible for not having this sorted out with their partners, it isn't like the OEM put the terms on a device and sold it without Google's permission.
But the OEM is responsible for software support for their devices (this is the entire Android model and why Google has been working so hard on the Treble project the past year+). Since the current version of Android doesn't have this problem, I don't see how this is Google's problem.
Aren't the ToS pulled from the web when you set it up with a Google account? I doubt you're agreeing to two-year-old ToS.
Possibly, but it still might not be possible for Google to provide a means to decline the ToS without issuing an update (which, as has been pointed out, wouldn't be possible to install anyway without accepting the ToS).
Then it's a device that does not comply with the regulation and must not be sold.
Terrible for the environment. Let's apply rules with common sense [1]. As much as I am for privacy, this kind of interpretation is very bad.

1. https://study.com/academy/answer/summarize-all-about-a-dog-b...

Sure, that argument could certainly be made. But unless someone is taken to court over this (or at the very least, threats are made), I think people will continue selling such phones. After all, most sellers aren't going to realise their products are in violation of the law.
If they flag compliant devices, it would be possible on the server side to limit data collected that comes in without the "GDPR-Compliant: true" flag.
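The server-side gating sketched in the comment above, as an added example that is not code from the thread or from Google: an ingestion guard that only stores the full telemetry record when the request explicitly carries the consent flag, and otherwise keeps just the fields the operator has classed as technically necessary. The header name `GDPR-Compliant`, the field set, and the record shape are assumptions made for the illustration.

```python
# Added example (not from the thread): opt-in consent gating at the
# telemetry ingestion point. Assumptions: the client signals consent with
# the header "GDPR-Compliant: true"; NECESSARY_FIELDS is the operator's
# own list of technically necessary data; everything else is dropped
# unless consent was explicitly given.
from __future__ import annotations

import json
from dataclasses import dataclass, field

CONSENT_HEADER = "GDPR-Compliant"  # assumed header name, per the comment
# Assumed set of fields needed to deliver the service at all.
NECESSARY_FIELDS = {"device_id", "os_version", "crash_report"}


@dataclass
class Verdict:
    """What the server keeps from one request, and why."""
    accepted: dict
    consented: bool = False
    dropped_fields: list = field(default_factory=list)


def consent_given(headers: dict) -> bool:
    """True only for an explicit "true"; missing or any other value is no consent.

    Header names are matched case-insensitively, values are trimmed, and the
    default is opt-out: absence of the flag never counts as agreement."""
    for name, value in headers.items():
        if name.lower() == CONSENT_HEADER.lower():
            return value.strip().lower() == "true"
    return False


def gate_telemetry(headers: dict, body: bytes) -> Verdict:
    """Apply the consent flag to one incoming telemetry request."""
    payload = json.loads(body)
    if not isinstance(payload, dict):
        # Malformed bodies are not stored at all; nothing to minimise.
        return Verdict(accepted={}, consented=False, dropped_fields=[])
    if consent_given(headers):
        return Verdict(accepted=dict(payload), consented=True)
    kept = {k: v for k, v in payload.items() if k in NECESSARY_FIELDS}
    dropped = sorted(k for k in payload if k not in NECESSARY_FIELDS)
    return Verdict(accepted=kept, consented=False, dropped_fields=dropped)


# Constructed sample requests (not real traffic).
SAMPLE_BODY = json.dumps({
    "device_id": "dev-0001",
    "os_version": "8.1",
    "crash_report": None,
    "location": [52.52, 13.40],
    "contacts_hash": "deadbeef",
    "app_usage": {"maps": 120},
}).encode()

CONSENTED_REQUEST = ({"GDPR-Compliant": "true"}, SAMPLE_BODY)
UNFLAGGED_REQUEST = ({"User-Agent": "old-phone/1.0"}, SAMPLE_BODY)
FALSE_FLAG_REQUEST = ({"gdpr-compliant": "false"}, SAMPLE_BODY)


def demo() -> dict:
    """Run the three constructed requests through the gate."""
    return {
        "consented": gate_telemetry(*CONSENTED_REQUEST),
        "unflagged": gate_telemetry(*UNFLAGGED_REQUEST),
        "false_flag": gate_telemetry(*FALSE_FLAG_REQUEST),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: consented={verdict.consented} "
              f"kept={sorted(verdict.accepted)} dropped={verdict.dropped_fields}")
```

The design choice worth noting is the default: a request without the header, or with any value other than an explicit `true`, is treated as no consent, so an unpatched device that never learned to send the flag falls into the minimised path rather than the full one.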
Even if the ToS are pulled from the web, it might just pull the document, not the UI providing opt-outs, etc.
They could replace it with a document saying “There are no conditions of use. Enjoy your new phone!”
fwiw, the phone in the complaint is from 2018.
Well, think about cars and emission issues that need updates - the manufacturer does recalls and fixes it for everyone. Not sure what's different here? Why not just pull it from stores and fix it if it's violating the law?
> you would need to agree to the ToS to get that update

If you have to agree to their ToS before you can use the device, it should be before you purchase.

Google intentionally waited until they had your cash to say GOTCHA! We require an additional payment of your soul. Now it's biting them in the ass, it is entirely fair.

That is entirely false.

If you buy from the Google store, you'd have to agree before buying (you can't buy without an account).

If you don't, then the seller had to notify you before your purchase. Google had little influence there.

And your argument doesn't work if you're talking about third-party devices, which the parent was.

Android itself is open source. OEMs aren't forced to bundle the Google services with it. This can't be blamed on Google either.

They're probably still violating GDPR, and I'm looking forward to the first real cases. These are just silly.

Google has a checklist of things that each OEM has to do in order to distribute the Google Apps, which are not open source. If the OEMs are in compliance with Google's terms for OEM distributors, I would say that it is an issue with Google's terms.

I am curious, I have a Samsung device and I note that I can't uninstall Gmail. Is that Google's choice or Samsung's choice?

honestly, i think the best choice would be to 'accept', and use the google services, or deny -- and just not get any google apps installed.

this would give privacy oriented people the option to simply opt out of anything google and still uphold the pretty good stock experience.

but this is imo still not google's task. OEMs choose to just flash google's services and apps by default right into their OS. that should only be done after the user said 'yes, i want to tell google everything i do'

If denying would mean that I am denied service of their apps, then that would be a violation of GDPR. That is the point of the regulation.
Android has the ability to push updates to phones that haven't been set up yet; when you first turn on a new phone the first thing it does is ask for wifi so it can check for updates. Google has the ability to update the phone before literally any other part of setup occurs. You do not need to consent to the ToS first; the setup steps on Android are really carefully thought through from a legal perspective.

(I know this because I worked both on the setup system and on one of these "zero-day updates", where we fixed some bugs between when we sent the "final" image to the manufacturer and when we actually shipped devices)

Google cannot update a phone that uses an OS built by another OEM. Since the OEM cited in this complaint is a low end Huawei phone they're responsible for pushing the update.
I'm pretty sure that's incorrect at least today, it's possible to skip through the initial setup on a stock Android device without adding a Google account or accepting a ToS.
If there is, they don't make it obvious. Whenever I've tried setting up a stock Android phone, I've looked for a way to do so without adding a Google account, but found no such option.

Perhaps it's possible to do so by pressing or holding some obscure sequence of buttons, but in that case it is reasonable to argue that a 'hidden' option isn't really an option at all. After all, you can't hide microscopic text on a paper contract and expect signees to be bound by it.

There may be stock Android phones out there that do provide a clear option to not use a Google account, but there are certainly many phones that do not.

"Add a google account, enter your email"

On the bottom of that page in grey is a skip button. You do that and you've skipped over it.

I am using a Chinese no-name Android phone without a Google account. It is somewhat usable even without an Internet connection and without a SIM card. For example, I can use the camera, radio, music player, a dictionary or offline maps.
China gets your data now.
That's why I thought about either routing all traffic through my server or replacing proprietary ROM with open source software.
Good luck downloading apps though. I can't see how it's necessary for Google to track all your stuff, just to permit you to download an app.
You can use third party app repositories like the FOSS-only F-Droid, or even simply download apps directly from individual creators if they release the apk.
Also there are sites that allow you to download .apk file from Google Play without Google Account.
Google and the manufacturer had 2 years to ensure this wouldn't be an issue.
Apparently that didn't work. I think we're all curious what they can/will do now, because it is an issue.
> and isn't given an option to decline consent to Googles ToS

You can turn off the phone and sell it on eBay.

Hobson's Choice regarding tracking / data collection consent is specifically a breach of GDPR.
The option to refuse the new terms is there, it's just not explicit. I'm not saying this is nice or good, but OP's comment sounded like there's no option, they just made it less obvious.
Less obvious and not explicit terms are violations of GDPR.
If you live in the USA. However, as a European you have more rights, and in the next years we will witness a lot of battles between EU users and American corporations desperately trying to maintain the old status quo.
So far Google and FB have no complaints about GDPR - that was the word from EU regulators. Why would you think they are so desperate?
I'm actually kinda curious what role the US government will end up playing in all of this
To downvoters: I'm curious to hear your counter-arguments. Yes, as a European I have more rights related to personal data than Americans. American companies can continue playing the same old tricks on American citizens with no consequences. It's not possible to do the same to Europeans anymore.
You were probably downvoted for the absoluteness of your statement. For instance, you do not have more rights as a European business owner. Even as just a user, you have fewer rights to enter agreements now with these tech companies free from government involvement. What you may call rights, others call restrictions and limitations of rights.
Agreed. As an American, reading the term rights associated with increased government control is nonsensical. I understand the European viewpoint, it's just much different in America.
> As an American, reading the term rights associated with increased government control is nonsensical.

This is nonsensical. You cannot have rights w/o government anyway. You may have privileges or the power to force others to comply, but "rights" are defined by a third-party entity that enforces them.

This is actually very interesting. It seems to me that many Americans really don't care how their personal data are (ab)used and will happily agree to absurd ToS-es without complaining. In Europe, we have quite a different culture of doing things. And yes, the misnamed "right to be forgotten", i.e. the ability to remove my own personal data from a website, is an important right. Not being tracked is an important right. Not being profiled - ditto. It's really shocking to me that the narrative in the USA is that GDPR is evil, whereas many people in Europe consider it a very positive development, in spite of the additional work that needs to be done.
> In that point of view, it seems a rather unfair complaint

Regulations aren't necessarily designed to be "fair" though. If GDPR is written in a way that manufacturers need to recall all stock and update phones, its cost is part of GDPR compliance and a fair tradeoff for its benefits as per EU citizens.