Think The GDPR Only Regulates Big Internet Companies? The EU Says It Regulates You Too.
from the another-threat-to-democratized-speech dept
People tend to think of the GDPR as regulation companies must comply with. But thanks to a decision by the Court of Appeals for the EU earlier this month, there’s particular reason to believe that ordinary Internet users will need to worry about complying with it as well.
In this decision the court found that the administrator of a fan page on Facebook is jointly responsible with Facebook for the processing of its visitors’ data. And, as such, the administrator must comply with applicable data processing regulations ? which necessarily include the GDPR.
The fan page at issue in this case appears to be run by some sort of enterprise, “Wirtschaftsakademie.” But fan pages aren’t always run by companies: as the court acknowledges, they are often run by individuals or small groups of individuals. Yet there doesn’t appear to be anything in the ruling that would exempt them from its holding. Indeed, the court recognizes that its decision would inherently apply to them:
Fan pages are user accounts that can be set up on Facebook by individuals or businesses. To do so, the author of the fan page, after registering with Facebook, can use the platform designed by Facebook to introduce himself to the users of that social network and to persons visiting the fan page, and to post any kind of communication in the media and opinion market user data a processor of the data for visitors to its page, and thus jointly responsible with Facebook for its handling.
The problem is, compliance with data protection regulations like the GDPR is no simple matter. In fact, as this article suggests, the decision also potentially makes it even more complicated and expensive by expanding the jurisdiction of individual member states’ data protection authorities (which was something that EU-wide regulation like the GDPR was actually supposed to minimize).
[Eduardo] Ustaran expressed concern in his 2017 post about the potential for local DPAs? authority to issue decisions that affect companies located in other areas, in this case, Facebook, whose EU representative is in Ireland. He says that this goes against the letter of GDPR?s one-stop shop goal.
But even without this change to the GDPR’s enforcement operation, the burdens of compliance were already a matter of concern. As discussed previously, compliance with the GDPR is difficult and expensive for even well-resourced companies. It’s not something that individual Internet users are going to be able to easily manage, and that’s a problem, because who would want to set up a Facebook fan page if doing so opened yourself up to such a crippling compliance burden?
Which leads to the essential problem here. Some cheer the GDPR because it puts user privacy front and center as a policy priority. In and of itself, there’s nothing wrong with doing so ? in fact, it’s an idea whose time has come. But it doesn’t matter how well-intentioned a law is if instead of merely regulating otherwise lawful activity it ends up suppressing it. And it’s especially problematic when that activity is expressive. Even if chilling expression weren’t the intent, if that’s the effect, then there is something wrong with the regulation.
Furthermore, while it’s bad enough if regulation chills the expressive activity of those well-resourced companies better able to navigate complex and costly compliance requirements, it’s even worse if it chills the lawful and even desirable expressive activity of ordinary individuals. One of the things an Internet platform like Facebook does, and does well, is encourage the casual expression of ordinary people. If you have things to say, these platforms make it easy to say them to other people without you needing to invest in corporate structure or technical infrastructure before doing so. These are tools that help democratize expression, which ordinarily is something places claiming to value the principles of free expression should want to support. In fact, the more the antipathy against big companies, the more they should want to ensure that independent voices can thrive.
But instead we’re seeing how all this regulation targeted at those big companies instead attacks regular people trying to speak online. We’ve seen the same problem with SESTA/FOSTA too, where individual online speakers suddenly find themselves risking legal liability for how they interact with other speakers online. And now it’s happening again in the GDPR context, where the very regulation ostensibly intended to protect people online now threatens to silence them.
Filed Under: data controller, eu, fan pages, gdpr, privacy, social media
Companies: facebook
Comments on “Think The GDPR Only Regulates Big Internet Companies? The EU Says It Regulates You Too.”
What a #&*#$&#!! mess...
I went through mandatory GDPR training a couple months ago, and it’s come up several times in my job so far.
The conclusion I’ve come to is that due to the massive ambiguity and strict requirements, compliance is pretty much completely impossible. Businesses should just resign themselves to the fact that if they annoy the EU or an individual EU government enough, they might be selected for a GDPR prosecution, which the company will almost surely lose.
It’s not a stretch to guess that the EU will favor non-EU companies for enforcement actions, preferably ones with large-enough EU operations that the company can’t afford to just give ’em the finger and cease operating in the EU.
Re: What a #&*#$&#!! mess...
One wonders at what point it becomes more economical to simply deny service to certain countries with overly silly laws…
Re: Re: What a #&*#$&#!! mess...
If we’re not there already, the EU will no doubt pass another law soon that will cross the line. They seem determined to opt themselves out of the internet.
Re: What a #&*#$&#!! mess...
This “GDPR regulates you too” stuff only applies to Europeans. If you’re an American in Idaho running a fan page for Harry Potter and you have no physical presence in Europe, you do not have to abide by all this nonsense, especially considering a lot of it runs counter to the 1st Amendment protections enjoyed by Americans in America.
Maybe a stupid question
If I were to put a disclaimer on my websites terms of service that specifically said that ‘membership to this site is for non EU individuals’. Would that cover me from liability if a EU citizen signed up?
This is not a theoretical question. We have a site that markets to very small geographic locations in the US. It would be very difficult, but not impossible for a EU citizen to sign up although it would not be possible for the EU citizen to receive any benefits from joining.
Re: Maybe a stupid question
You are strongly urged to retain the services of a competant attorney licensed in your jurisdiction in order to obtain professional advice tailored to your circumstances.
Re: Re: Maybe a stupid question
You are assuming that the sites income is more than enough to be able to pay the attorney.
Re: Re: Re: Maybe a stupid question
One way to mitigate the issue is to apply an IP filter to your firewall that blocks all non-US IP addresses. This is not 100%, but it will make an impact without high costs.
Re: Re: Re:2 Maybe a stupid Firewall
If this is a serious suggestion, I am not familiar with the IP range of Europe, or how to firewall a website.
Re: Re: Re:3 Maybe a stupid Firewall
Therein lies one of the major issues. An individual may be liable, but genuinely have no idea of how to avoid liability without hiring the services of a professional – services which they may not be able to afford, so choose to not speak rather than risk liability.
As for your question, it genuinely depends on which software you’re using and how thorough you want to be. There are ways to blacklist, software like WordPress provides plugins which make it easy, else you might be better off asking your hosting provider. All details you need are easy to search for if you are running your own platform.
The biggest problem with doing this is that IP geolocation data is not always accurate, so you might inadvertently ban some non-EU members. Plus, of course, users can always fake their IP or use a VPN and I’m not sure what the implications are if they do that – I presume you’d not be liable if a user is lying to you or you collect data while they’re physically in the US, but you never know with this kind of thing.
Re: Maybe a stupid question
The ability of the EU govt to enforce an EU regulation against a company with nobody and nothing in the EU to sue or seize is pretty limited.
Say it with me class…
Power causes a form of brain damage.
The like to pretend the internet is subject to their rule & only they have the right to say what is right or wrong.
Maybe if they spent less time trying to police the internet & more time looking at the chaos they are causing their citizens they would be afraid of being replaced.
Re: Re:
As the Internet is the means by which people could organize themselves to replace those in power, they want to be able to police it to prevent that happening.
Premise is all sites get personal info -- only true if mercenary
Meaning want MONEY. You can put out your views for free and not gather any info at all, without least trouble.
BUT as one comment nearly got to: when you expect to gain money from the site and collect personal info of "users" in order to gain money, even indirectly from your "friend" Google splattering advertising all over everyone’s screen and tracking them over teh internets, then you become a business, and deserve to be regulated.
Money changes everything.
Re: Premise is all sites get personal info -- only true if mercenary
Thanks for getting the government to regulate everybody, blue boy. Because of your precious copyrights.
You jackass.
“Why would anyone set up a Facebook page…”
I really don’t know, placing your business in the hands of a 3rd party, helping zuckerbergs Man in the Middle attack on the internet.
Oh in the context of GDPR, well the text says it applies to personal data about EU natural persons. Why would it matter the treason you collect data, it’s still there and still needs protecting (from poor storage or from being sold).
How does GDPR work against human memory and the right to be forgotten?
e-mail / phone contact-lists too
Now the GDPR also applies to your contact-lists in your phone and mail-reader.
Everyone in the EU needs to get all your friends, collegues and others in to give their permission to retain their phone-number and/or e-mail adress.
On the plus-side, it will bring down the percentage of webtraffic that is spam (slightly 😉
Re: e-mail / phone contact-lists too
On the plus-side, it will bring down the percentage of webtraffic that is spam (slightly 😉
Or not.
Don’t you know? All Internet spam is sent by wealthy Nigerian princes.
Wow, what a huge mess. I’m fairly sure the always well intended law makers in the EU didn’t expect this outcome. It will be delightful to see the shitshow the GDPR will produce. Maybe then it’ll serve as a case-study of why we should 1- think of unintended consequences before “doing something”, 2- listen to all those who may be affected positively or negatively to have a balanced set of viewpoints and 3- think about “what if I were in the receiving end of this law because privacy/accepted speech/societal norm was not my own or I didn’t agree with?”.