mytailorisrich a day ago

> Their attempt to obtain freely given consent is because their purpose is not actually necessary, else they could use that on its own as the basis for the processing.

Why would the GDPR even describe consent and consent in relation to contract, then?

> The idea that "it is necessary for our balance sheets to sell your data" would be sufficient for any and all processing seems the most extreme one to me.

That's an obviously disingenuous interpretation of my point.

> GDPR doesn't prevent you from opting to receive targeted ads if you really do freely give your consent (with no detriment if you were to decline).

This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.

Again, this is all extreme and ideological. That's the big issue with both the GDPR and its interpretation. And we're right back to my initial point that the issue is in the hands of militants.

More broadly, this is a strange take in the EU: The same people that are happy to have to carry ID cards, to have "free speech" controlled, to have this, to have that, are up in arms at the thought of targeted ads. My hypothesis is that this is because, at the core, the issue is not "privacy" or targeted ads, but commercial companies making money, i.e. bad capitalists (cf. previous paragraph), which is a political angle that we're seeing very often in Europe, along with the idea that people are allowed free will as long as they make the "right" choices...

yladiz a day ago

> This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.

What do you mean the latter isn’t reasonable? It is perfectly reasonable to make your website only accessible to paying users.

> More broadly, this is a strange take in the EU: The same people that are happy to have to carry ID cards, to have "free speech" controlled, to have this, to have that, are up in arms at the thought of targeted ads.

Ignoring the obvious geopolitical spin to this: The EU considers privacy a right, i.e. something you can’t sell away in a contract, so I don’t see the issue with people being upset about their right to privacy being affected.

mytailorisrich a day ago

> The EU considers privacy a right, i.e. something you can’t sell away in a contract

You can sell your privacy in a contract in the EU. This actually highlights the incoherence here, and my point to some extent.

And there is no geopolitical spin since I am an EU citizen myself. It is just that I think that the EU is going to shit a little more every day.

yladiz a day ago

Why is sell in quotes? What do you mean by sell here?

Ukv a day ago

> Why would the GDPR even describe consent and consent in relation to contract, then?

Freely given consent is a lawful basis, allowing for processing even if it's not necessary for legal/contractual reasons that would qualify the processing for another basis (or a mix of necessary and unnecessary).

But here they're clearly not meeting the "allow separate consent to be given to different personal data processing operations" requirement, and if they only met the second requirement (can't make performance of contract dependent on the consent to processing beyond what's necessary) by nature of all of their processing being necessary (which I feel is highly doubtful) then it seems like they would've already been covered by the "processing is necessary for the performance of a contract" basis. Though as before I'm not a lawyer.

> That's an obviously disingenuous interpretation of my point.

Necessity for the performance of a contract is a lawful basis for processing under the GDPR, and to my understanding you're suggesting "necessity for the performance of a contract" should be interpreted loosely to include a kind of "financial necessity" that permits selling personal data to adtech companies.

To me it seems like that same justification could be used for any selling of personal data (maybe I go too far by saying any processing, since it wouldn't necessarily justify non-commercial processing). If you don't think that's a consequence of your interpretation, I'd be interested to hear why.

> This implies a right to access commercial websites for free, which cannot be reasonable, or only a choice between no access and payment, which also cannot be reasonable.

Websites can use most forms of monetization they always have - just not selling of personal data (unless the user freely gives consent). Regular ads, selling an ad-free version, upsell nags, all the badges/superchats/cosmetics/etc. are all still fine.

mytailorisrich a day ago

> Freely given consent is a lawful basis, allowing for processing even if it's not necessary for legal/contractual reasons that would qualify the processing for another basis (or a mix of necessary and unnecessary).

Again, this is all a narrow and militant interpretation of "necessary for contractual reason", not least when all data show that the people are fine with it. In a contract, a form of quid pro quo is necessary, if targeted ads are the form of "payment" asked and if there is no imbalance of power or coercion (and it's hard to see how being refused access to a random website is any sort of coercion or serious negative consequence) then there should be no issue and the "deal" is actually the main aspect of the contract. Any other outcome is either that the GDPR is badly drafted or that this is an ideological agenda at play (obviously I favour the latter).

Ukv a day ago

> Again, this is all a narrow and militant interpretation of "necessary for contractual reason",

Given "necessary for contractual reason" is on its own a lawful basis, I don't see how your interpretation (that selling your data to ad companies is "necessary") wouldn't effectively nullify much of the GDPR, allowing pretty much any use of customer data to be justified so long as the company makes money from it.

The European Data Protection Board, whose purpose is to ensure consistent application of the GDPR, has written:

> > If there are realistic, less intrusive alternatives, the processing is not ‘necessary’. Article 6(1)(b) will not cover processing which is useful but not objectively necessary for performing the contractual service [...] even if it is necessary for the controller’s other business purposes.

> > A controller can rely on the first option of Article 6(1)(b) to process personal data when it can [... establish ...] processing is necessary in order that the particular contract with the data subject can be performed. [Emphasis in original]

> > does not cover situations where the processing is not genuinely necessary for the performance of a contract

> > it is required that the processing is objectively necessary for a purpose that is integral to the delivery of that contractual service

> > Example 2: The same online retailer wishes to build profiles of the user’s tastes and lifestyle choices based on their visits to the website. Completion of the purchase contract is not dependent upon building such profiles. Even if profiling is specifically mentioned in the contract, this fact alone does not make it ‘necessary’ for the performance of the contract. If the on-line retailer wants to carry out such profiling, it needs to rely on a different legal basis.

(https://www.edpb.europa.eu/sites/default/files/files/file1/e...)

> not least when all data show that the people are fine with it.

Doesn't appear to be the case when it's actually a freely given choice (as low as 0.1% when it's opt-in) - which is why companies fight so hard to manipulate user choice with dark patterns and obfuscation, or outright breaking the regulation.