WingNews logo WingNews
top | item 30139489

(no title)

latk | 4 years ago

This argument was tried in the Fashion ID case. A company had inserted Facebook Like buttons on the web page, and argued that it was not responsible for the ensuing disclosure of personal data (such as IP addresses or possible tracking cookies) to Facebook. See, it was the browser and not the website operator that disclosed the data, and the website operator never had access to the data in the browser in the first place!

The European Court of Justice did not buy this argument. By coding the website in a particular way, the website operator was responsible for causing the user's browser to act in a particular way, so it was the “data controller” for the collection an transmission of personal data by the Facebook Like button, though Facebook is of course jointly responsible for what their code does.

The underlying argument is that someone is a data controller and thus responsible for GDPR compliance when they determine the “purposes and means” of processing, alone or jointly with others. Embedding the code for the button was an exercise of this power to determine purposes and means. In contrast, the website operator is not a data controller for whatever Facebook does with the collected data on its servers, because it cannot control what FB does.

The given case from Munich is a very straightforward extension from the Fashion ID judgement, though the website operator didn't even claim that they weren't responsible. Instead, they argued that they had a “legitimate interest”in loading fonts from Google servers, which the court rejected. While I consider it probable that Google does not use data from Fonts servers for tracking, the judgement correctly points out that Google is well-known for tracking – but this doesn't matter anyway, since already the disclosure of personal data without a legal basis is a problem.

discuss

order

asiachick|4 years ago

That seems on the surface to be a ridiculous argument.

I can go "bash < somefile" and I can go "csh < somefile" and I can go "cat < somefile". It's my choice to use bash, csh, or cat. somefile will have data in it, that data will be interpreted by MY choice of program to read the data. If I don't want the contents of somefile interpreted as commands I shouldn't be passing it to something that runs commands based on its content. replace somefile with `curl someURL` and nothing changes. If I don't want my computer to connecte to other computers based on what content comes back from `curl someURL` that's my responsibility.

Maybe a better example. It type `npm -i somepackage`. npm then looks in somepackage and sees dependencies and downloads them. By the same logic as the judgement npm or `somepackage` is responsible for leaking PPI based on the dependencies listed. Not the user for running npm in the first place.

The same with `apt update` and `apt upgrade` etc...

The ruling would apply in tons of places that seem like they'd make it hard for things to keep working.

phkahler|4 years ago

Thanks, that was a very good explanation with legal backing.