> and EU law isn't applied by some overarching entity.
It is. EU law as a whole is ultimately applied by an entity, the Court of Justice of the European Union. It is overarching, over national courts, over national governments, and over EU bodies.
Then within EU law, you have several branches and distribution of who has authority etc. Primary EU law is the foundational basis (some would say a "constitution" effectively even though the word has been a political minefield) and does provide some "overarching entity" in some areas.
Then within Secondaru EU law, you have regulations, orders, directives, etc. Many regulations and orders have an EU overarching entity, and in many cases the European Commission has a central role.
> On a technical level, each country ratifies and applies their own laws in their own ways.
That is a gross mischaracterisation and overgeneralization of EU Directives.
EU Directives as a general rule* don't have "direct effect" in a Member State. They set a goal agreed at the EU level, and the Member State are bound to implement the means in their national laws to reach the goal. That usually (but not always) means at a national level the adoption of a legal act by national Parliament.
*as a general rule because as always there are exceptions.
B modifies X (becomes X.1) and because B has been well advised by lawyers, B knows that modification of software is an act restricted under copyright law, and so B went to go read the LICENSE file and found Section 13 of AGPL. As a result because he/she is diligent, B ensures that the source code of X.1 can be accessed by putting a link to a server in X.1's user interface.
See Section 13 of AGPL:
B's "modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge ..."
B distributes X.1 to C
C runs X.1 which is a version that already offers all users a way to get the source code.
The analysis is wrong even if we accept the flawed premise presented (whether in US or French law).
Section 13 of the AGPL which is the one the author says is ineffective starts:
"Notwithstanding any other provision of this License, if you modify the Program, your modified version must ..."
The obligation starts from "modification" of the software, and modification of software is an act protected under copyright law. Hence you need an authorisation for it (without prejudice to fair use and copyright exceptions of course).
Random post on the internet by what seems a a nonlawyer. Be careful.
"The AGPL, like the GPL, is a copyright licence, not a contract" actual authoriative legal source needed. For what it's worth, this is plain wrong under French law (and I'm a lawyer and there is actual case law in France to support the view that GPL is a contract).
There are no personalised ads or no ads at all in WhatsApp, are there?
What got rejected is using the data for "service improvement" and "security" - in particular how WhatsApp used personal data for these purposes, and how in the opinion of Europea data protection authorities this was not necessary for Meta to perform the contract.
So many wrong things in this comment, which is generally uncalled for given the article is quite good (which cannot be said of all GDPR related coverage).
So, duty calls[1]:
> This decision is from the Irish data privacy regulator, DPC. They are "in charge" of this investigation because Facebook's EU subsidiary is in Ireland. They are not a "lead" regulator in any sense of the word.
The DPC are officially acting on this case as the "lead supervisory authority" as defined in the GDPR ("Article 56 - Competence of the lead supervisory authority").
> In fact, this decision does not come from the DPC.
In fact it actually does come from the DPC. The process is:
- DPC issues draft decision, after conducting an investigation, etc.
- Other authorities in impacted countries ("concerned supervisory authorities" in the official terms of the GDPR) chime in, provide comments, and possibly disagree with the draft decision (they raise "objections")
- The authorities try to aree, and if they don't, they have a dispute that gets resolved at the European Data Protection Board
- The EDPB takes a binding decision, which is imposed on the DPC (and the other concerned authorities)
- The DPC takes notes of the decision, and issue their sanction accordingly.
In the end, it is indeed a decision formally issued by the DPC against WhatsApp. That's why Meta need to appeal against the DPC in Irish Courts - and why Meta cannot appeal direclty in the European General Court against the EDPB.
> The DPC's decision was to pussy out and issue a smaller fine, and rubber-stamp several of Facebook's arguments. Their authority to do so was overturned by the regulators for other countries, and by the EDPB (EU-level agency). The EDPB is also requiring the DPC to do more investigations which will probably eventually result in even more fines.
> GDPR fines tend to be about specific issues related to specific complaints. [...] There has NOT been a general "is Whatsapp in its entirety compliant with GDPPR" investigation yet.
> The EDPB-mandated investigation is creeping closer to that.
Actually, the EDPB's request is also specific: it is asking the DPC to look precisely about the part of the complaint on WhatsApp's use of sensitive data ("special categories" under GDPR Article 9).
> [...] we felt it necessary to state unequivocally that this post does not reflect the reality of the facts and contradicts the verdict by the Berlin Labour Court.
> The court judgement of 19 November 2020 (reference number 42 Ca 5723/20) did not acknowledge any factual basis to the assertions. Furthermore the judges concluded that our former employee's own statements prove that she “neither experienced hostility, nor was she offended, nor in another form intimidated or demeaned”. Additionally they found, she received equal treatment, and that “the boundaries of socially acceptable conduct” were “not exceeded”.
> Until the end of the proceedings, we do not wish to comment any further [...]
Start at page 28 if you want to skip the recap of EU law, or start at page 35 if you want to skip the details of US law and surveillance programs as recap by the Irish court who referred the ruling.
The UK data protection authority (ICO) has also announced huge fines against British Airways and Marriott - but these fines are not in effect yet - unsure how high they will be exactly if any.
Sorry that it's not clear. Happy to take suggestions for clearer language. Maybe this part should just be removed as it is maybe a bit off topic.
I am trying to lay out what principle Richard Stallman is advocating for exactly, when he says that it is never okay to collect data for the purpose of improving efficiency of a system.
The principle that RMS is pushing for here, seems to be that only “legitimate” purposes should be allowed. And RMS seems to think that “improving efficiency” is not a legitimate purpose.
So, I added this part in the post because in all fairness, if RMS thinks that we should consider that improving a system is an illegitimate purpose, then I think we finally found an actual critique of GDPR that is actually advocating for something not already in the GDPR.
But honestly, I think this is just too radical. I think that, provided the right protections are in place, the goal of improving a system has nothing illegitimate per se. I actually prefer to interact with improved systems, and if some personal data may be necessary for that, let's allow it and put the right safeguards.
Update: just "Improving a system." without more explanation is not very "explicit" - it should be put in context and more detailed, and information about the explicit purpose must be disclosed to users (see Art 5(1) and 13 of the GDPR).
The points in the post are really about GDPR basics. I'm not actually trying to explain or interpret anything. Instead, I am mostly paraphrasing, if not merely quoting the GDPR directly (and linking to the authoritative source - check for yourself).
The more blatant example is probably the first one, about "data use" v. "data collection".
There's just no way that the statements about GDPR "missing the point of data collection" can be characterized as a misunderstanding of the text itself. The text has explicit references to data collection all over, including in the definition of the most important word, i.e. "processing".
So I think that, as these examples show, it's not really about misunderstanding on the other side of the Atlantic. I think it's more about baseless misconceptions and myths being thrown out here and there. Ask yourself: Why?
That's because the newspaper and the search engine have very different kinds of activities when it comes to processing data.
In 2014, this is how the Court explains it (my emphasis):
"35 In this connection, it should be pointed out that the processing of personal data carried out in the context of the activity of a search engine can be distinguished from and is additional to that carried out by publishers of websites, consisting in loading those data on an internet page.
36 Moreover, it is undisputed that that activity of search engines plays a decisive role in the overall dissemination of those data in that it renders the latter accessible to any internet user making a search on the basis of the data subject’s name, including to internet users who otherwise would not have found the web page on which those data are published.
37 Also, the organisation and aggregation of information published on the internet that are effected by search engines with the aim of facilitating their users’ access to that information may, when users carry out their search on the basis of an individual’s name, result in them obtaining through the list of results a structured overview of the information relating to that individual that can be found on the internet enabling them to establish a more or less detailed profile of the data subject."
[...]
"80 It must be pointed out at the outset that, as has been found in paragraphs 36 to 38 of the present judgment, processing of personal data, such as that at issue in the main proceedings, carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him. Furthermore, the effect of the interference with those rights of the data subject is heightened on account of the important role played by the internet and search engines in modern society, which render the information contained in such a list of results ubiquitous (see, to this effect, Joined Cases C‑509/09 and C‑161/10 eDate Advertising and Others EU:C:2011:685, paragraph 45)."
This comes from a [EU Court 2014 Ruling][1] based on Spain's implementation of European Union Directive 95/46 from 1995 which has nothing to do with what you're talking about.
And the 2014 ruling, as this ruling, are clear that there is no absolute right to "erase" the result on a name.
It is not a wildcard to erase every bit of relevant data about anyone, and Google regularly denies requests to de-list result on this basis.
As the 2014 ruling provides:
"Whilst it is true that the data subject’s rights protected by those articles also override, as a general rule, that interest of internet users, that balance may however depend, in specific cases, on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information, an interest which may vary, in particular, according to the role played by the data subject in public life. (§81 of 2014, Case C-131/12)"
And for example the court provides that "for particular reasons" the right does not apply. Such reasons include "the role played by the data subject in public life" that would be "justified by the preponderant interest of the general public in having, on account of inclusion in the list of results, access to the information in question. (§97)"
As always, the actual ruling is much more nuanced and balanced than many media reports or corporations would have you believe.
> My problem is that they want to enforce this law worldwide
The point really is: how to protect or remedy against the privacy infringement felt by someone in France's jurisdiction? And what the EU Court is saying at point 72 is: EU law does not prohibit the French judge from finding that it is necessary to have a stringent measure, i.e. to order a search engine to really prevent infringement even if coming from outside the EU.
We live in a global, connected world. This goes both ways if you want effective protection of rights of individuals. The only concern here really is to protect an individual's right to have a bit of control over the information about themselves that are so easily made available by serach engines.
> Hypothetically, if EU law says their ruling applies worldwide and Google stops doing business in the EU, does that mean they would be exempted? Can they then show all results or does the EU still try to charge them with breaking their law?
The rules are different between the previous law and the GDPR. The GDPR will apply to a company which has no business in the EU, if the data processing activity relates to:
"(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
"(b) the monitoring of their behaviour as far as their behaviour takes place within the Union."
I don't really think France's judges power really has an influence on what's stopping, or not stopping, China.
China is not waiting for this ruling to try to do just that. It's up to operators like Google to decide whether they want to do business in China or whether they prioritise human rights.