by riddleronroof 1600 days ago
Ok but I don’t get how this consent system ran for years? How can one get pre-approved? The issue here isn’t that they collected data (its own problem), but that they didn’t use the right language! Does this mean it will be a long term of conditions like apple does every time we use a website? ICCL might have made the internet worse with this. Not better.
7 comments

> Does this mean it will be a long term of conditions like apple does every time we use a website?

No. Freely and unambiguously given informed consent means that the users need to actually be able to understand what they consent to. Encrypting the information in a 500 page novel, obfuscating it beyond human ability to understand or interpret it, is not informed consent.

ToS are not currently under the same requirement of freely and unambiguously given informed consent. They just require consent, which for now has been interpreted to mean basically anything that a lawyer wants it to mean. People have given away their spiritual souls and first born child in ToS, though the ability to enforce such contracts is open to debate.

The issue here is larger than using the right language. I'm browsing through the full ruling [0], but C.1. Breaches, pages 115-117 is a good summary.

- "First, the consent of the data subjects is currently not given in a sufficiently specific, informed and granular manner"

- "Second, the legitimate interest of the organisations participating in the TCF is outweighed by the interests of the data subjects, in view of the large-scale processing of the users’ preferences (collected under the TCF) in the context of the OpenRTB protocol and the impact this can have on them."

- "In the absence of systematic and automated monitoring systems of the participating CMPs and adtech vendors by the defendant, the integrity of the TC String is not sufficiently ensured, since it is possible for the CMPs to falsify the signal in order to generate a euconsent-v2 cookie and thus reproduce a "false consent" of the users for all purposes and for all types of partners. As indicated above [footnote 248], this hypothesis is also specifically foreseen in the terms and conditions of the TCF" - no way to verify consent

- "The Litigation Chamber also finds that the current version of the TCF does not facilitate the exercise of the data subject rights, especially taking into consideration the joint-controllership relation between the publisher, the implemented CMP and the defendant." - no way to revoke consent, or request your data

As to why the system ran for so long: yes, enforcement is (too) slow.

- Many complaints were made to several European DPAs in 2019.

- Litigation commenced 13 October 2020

- Interim Decision 8 January 2021, amended 23 February 2021

It looks like IAB made a lot of procedural complaints when it became clear their arguments were rejected.

[0] https://www.gegevensbeschermingsautoriteit.be/publications/b...

Thanks! This is an informed take.
To this day Twitter is not even trying to comply with GDPR. They have a banner "we track you, deal with it" and that's it. So far nothing happened.

I hope that they get fined billions for keeping it illegal for so long but I doubt it.

The DPAs are not in the business of pre-approving, much like your local court won't pre-approve your pre-nup and so you might have to fight over it in court in an acrimonious divorce.

You can of course retain outside help to advise you but there's no guarantee that they are right and many of the consultancies and providers were incentivized to compete on maximum opt ins. Maybe the CMPs and the adtech companies can fight it out in court over whether the CMPs misled the adtech companies or they just gave the adtech companies options which the adtech companies misused.

The ruling is not just "fix your language", though that's what the industry will be incentivized to try, again. They all bandwagoned on hiding secondary opt out checkboxes under "legitimate interest" and this wrist slap tells them it's not ok:

> Fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking (Article 5(1)a, and Article 6 GDPR)

> Fails to respect the requirement for “data protection by design” (Article 25 GDPR)

The route to complying is clear. Don't track without opt in. Know where the user data is going, not just "whichever vendor happens to be in the winning ad". Don't use dark patterns to encourage the opt in. It's the industry's attempts to bury its head in the sand because it hurts their bottom line and their search for increasingly convoluted workarounds that is making this complicated.

> Does this mean it will be a long term of conditions like apple does every time we use a website?

I guess it is the opposite. GDPR requires clear and understandable text in privacy policies.

Ironically, nothing about GDPR itself is clear and understandable, as is evidenced by the fact that everyone keeps discovering years after implementation that some random country disagrees on their interpretation of it.
Let's be real here, IAB Europe knew exactly that what they were doing was borderline illegal. Now it's officially illegal.
The only people who misunderstand GDPR are people whose salaries depend on misunderstanding GDPR. The requirements are quite clear, advertisers just don't like them and are trying to avoid complying with them.
Yeah? So nobody in the EU is using Google Fonts, AWS, GCP, Azure, CloudFlare, Akamai or any other US provider then, given that this ruling is based on the fact that loading the consent settings screen from the shared domain requires "sharing" an IP address? Nobody in the EU runs an online business reliant on advertising? Of course they are.

I'm convinced pro-GDPR views are always ideological in nature. It's impossible to read GDPR or related case law from the perspective of trying to comply with it and not be disgusted. Every single requirement is vague and subjective - words like "appropriate", "necessary", "reasonable", "proportionate" etc aren't just a part of this law, they are the entire essence of it. And even the occasional term that looks precise often has totally unintuitive definitions, like the way they define large random numbers as "personally identifiable" even though there's no database that links these numbers to any actual personal identity.

Even this announcement about a new ruling is a fog of confusion. Why is asking users for consent, a key piece of GDPR compliance previously, suddenly not OK? Why is this being phrased as "freeing users from consent spam"?

This sort of thing wrecks the EU in the eyes of people actually building things. It makes it seem that this is a part of the world without rule of law of any kind. You can invest hundreds of millions into GDPR compliance and years later discover it was all in vain, without any warning whatsoever. You're being constantly trolled in courts by random academics and "civil liberties" organizations who don't seem to care about actual civil liberties issues like mandatory medical interventions but who define advertising cookies as a grave threat. Dealing with the EU gets ever more painful and if this keeps up, people there are gonna discover they're being denied services or simply charged more as a "GDPR litigation premium". And then they'll be stuck, because the home grown EU software industry is stillborn.

> Every single requirement is vague and subjective - words like "appropriate", "necessary", "reasonable", "proportionate"

This is how laws work and why the "law as code" people are not going to succeed. The US leaves this to the enforcement stage, e.g. many tests in US law for ascertaining enforcement include things like the reasonable person test (https://en.wikipedia.org/wiki/Reasonable_person). Proportionality is a well enshrined standard in EU law in particular, and cuts both ways - it's why this ruling is not the maximum fine out the gate.

Or let's take this clause from the DMCA (regarding what is considered obsolete and therefore the library may format shift): "For purposes of this subsection, a format shall be considered obsolete if the machine or device necessary to render perceptible a work stored in that format is no longer manufactured or is no longer reasonably available in the commercial marketplace."

> Why is asking users for consent, a key piece of GDPR compliance previously, suddenly not OK?

Asking for consent is still OK. Just the way IAB has been doing it is not OK, as it was found to not constitute explicit consent.

And before you say that explicit consent is not defined, there are easily accessible guidelines from the European Data Protection Board. https://edpb.europa.eu/our-work-tools/our-documents/guidelin...

> Does this mean it will be a long term of conditions like apple does every time we use a website

We call that a privacy agreement. But having a proper privacy agreement that lists what data is collected and what happens with it is far from the only part of the ruling.

GDPR enforcement is completely arbitrary (in both senses of the word). People might cheer for the downfall of the tech giants but it's really just a way for the EU to control US companies, extending their power beyond their jurisdiction.

If those companies extend their business beyond the US' jurisdiction, why do you feel they shouldn't be subject to some form of control where they operate? I'm legitimately asking. This is about something that was done within the EU to EU citizens. Why shouldn't the EU have a say?

I don’t feel that, actually. I’m not sure where you got that impression - maybe straw men are easier to debate?

There are laws and then there is how laws are enforced. Hint: pay attention to how homegrown EU companies are treated.

EDIT: https://www.enforcementtracker.com/ Look here specifically. Sort by fine amount. Look at the companies that are being fined the hardest. It's not just the US that is being targeted. There's this island nation that recently decided they didn't want to be part of the EU...

The largest fines are to US tech companies, which is expected due to (a) the fines being proportionate to revenue and these being the largest companies in the world and (b) these businesses having a significant involvement in large scale tracking of users.

I think the argument of like "well the law was passed to harm US companies specifically because US companies specifically do this" ignores that this is a undesirable behaviour with significant negative externalities, so this feels a bit like complaining that encouraging green energy at the expense of fossil fuels is discriminating against Russia and the middle east.

Once we get past the tech companies the next biggest fine is for H&M, for surveillance of call center employees, not just at workstations (which is probably also not allowed), but in their private lives, disclosure of that detail with managers, and targeted harassment from that information. This seems pretty egregious, and not political retribution against the UK.

Next up are some Italian companies fined in Italy, UK companies getting fined _by the UK_, and Vodafone subsidiaries getting fined everywhere. You could argue Vodafone is a UK company being unfairly targeted, but from what I remember of coverage of the (Spanish, I think?) ruling, they're a repeat offender in this regard.

Sorry, it was not my intention to construct a strawman: maybe I misunderstood what you were saying.

> a way for the EU to control US companies, extending their power beyond their jurisdiction

How are they extending their power beyond their jurisdiction, considering that this is something done in the EU to EU citizens?

Because judgements are arbitrary and in practice unfairly hurt foreign companies.

There's an analogue that has happened in the U.S. Let's say that my little white town passes a law that forbids jaywalking. Protects pedestrians... Makes it easier to drive... Sensible law right? But in practice, it's the 1940's and the cops ONLY ticket black people. In practice, it's not a law against jaywalking - it's a law to drive out all the black people and make the white town inhospitable to anybody with skin tone.

GDPR claims to protect the people but is used as an economic weapon.

Or maybe the problem is that the US and UK also happen to be places that foster an attitude in their people that everyone else should just bow to them and do things the way they want...?

> extending their power beyond their jurisdiction

US companies inject all sort of trackers and spyware into browsers of EU citizens and you talk about jurisdiction?

Or just a way to keep peoples’ data inside the EU and not allow it to leak to for-profit companies.

That is one purpose, yes, and that’s why it has the support of the people. The PATRIOT Act is similar. Its purpose is to protect Americans from terrorism.