Frieren 2 days ago

> GDPR: “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable if based on an international agreement…”

That is why international agreements and cooperation are so important.

Agreement with the United States on mutual legal assistance: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=legissum...

Regulatory entities are quite competent and make sure that most common situations are covered. When some new situation arises an update to the treaty will be created to solve it.

_Algernon_ 2 days ago

Seems like the EU should be less agreeable with these kinds of treaties going forward. Though precedent is already set by the US that international agreements don't matter so arguably the EU should just ignore this.

friendzis 2 days ago

> Regulatory entities are quite competent and make sure that most common situations are covered.

There's "legitimate interest", which makes the whole GDPR null and void. Every website nowadays has the "legitimate interest" toggled on for "track user across services", "measure ad performance" and "build user profile". And it's 100% legal, even though the official reason for GDPR to exist in the first place is to make these practices illegal.

octo888 2 days ago

Exactly. The ECJ flapped a bit in 2019 about this but then last year opined that the current interpretation of "legitimate interest" by the Dutch DPA is too strict (on the topic of whether purely commercial interests count)

It's a farce and just like the US constitution they'll just continuously argue about the meanings of words and erode them over time

dotandgtfo 2 days ago

None of those use cases are broadly thought of as legitimate interest and explicitly require some sort of consent in Europe.

Session cookies and profiles on logged in users is where I see most companies stretching for legitimate interest. But cross service data sharing and persistent advertising cookies without consent are clearly no bueno.

friendzis 2 days ago

> But cross service data sharing and persistent advertising cookies without consent are clearly no bueno.

https://www.reddit.com/media?url=https%3A%2F%2Fpreview.redd....

danlitt 2 days ago

"legitimate interest" is a fact about the data processing. It cannot be "toggled on". It also does not invalidate all other protections (like the prevention of data from leaving the EEA).

bryanrasmussen 2 days ago

legitimate interest is, for example - have some way to identify user who is logged in. So keep email address for logged in users. Have some way to identify people who are trying to get account that have been banned, so have a table of banned users with email addresses for example.

none of these others are legitimate interest. Furthermore combining the data from legitimate interest (email address to keep track of your logged in user) with illegitimate goals such as tracking across services would be illegitimate.

troupo 2 days ago

"legitimate interest" isn't a carte blanche. Most of those "legitimate interest" claims are themselves illegal

octo888 2 days ago

Legitimate interest includes

- Direct Marketing

- Preventing Fraud

- Ensuring information security

It's weasel words all the way down. Having to take into account "reasonable" expectations of data subjects etc. Allowed where the subject is "in the service of the controller"

Very broad terms open to a lot of lengthy debate

troupo 2 days ago

None of these allow you to just willy-nilly send/sell info to third parties. Or use that data for anything other than stated purposes.

> Very broad terms open to a lot of lengthy debate

Because otherwise no law would ever be written, because you would have to explicitly define every single possible human activity to allow or disallow.

bryanrasmussen 2 days ago

preventing fraud and info security are legitimate, direct marketing may be legitimate but probably is not.

direct marketing that I believe is legitimate - offers with rebate on heightened service level if you currently have lower service level.

direct marketing that is not legitimate, this guy has signed up for autistic service for our video service (silly example, don't know what this would be), therefore we will share his profile with various autistic service providers so they can market to him.

friendzis 2 days ago

> preventing fraud

Fraud prevention is literally "collect enough cross-service info to identify a person in case we want to block them in the future". Weasel words for tracking.

> therefore we will share his profile with various autistic service providers so they can market to him.

This again falls under legitimate interest. The user, being profiled as x, may have legitimate interest in services targeting x. But we can't deliver this unless we are profiling users, so we cross-service profile users, all under the holy legitimate interest

troupo 1 day ago

> Fraud prevention is literally "collect enough cross-service info to identify a person in case we want to block them in the future". Weasel words for tracking.

You're literally not allowed to store that data for years, or to sell/use that data for marketing and actual tracking purposes.

friendzis 1 day ago

You would not be allowed if not for legitimate interest.

Websites A and B buy fraud prevention service FPS, website A flags user x as fraudulent, how should FPS flag user x as high risk for website B if consent from user x was required?

Legitimate interest literally allows FPS to track users, build cross-service profiles, process and store their data in case FPS needs that data sometime in the future. Under legitimate interest, a response to the query "What's the ratio of disputed transactions for this user?" is a perfectly legal trigger to put all that data to use, even though it is for all intents and purposes indistinguishable from pre-GDPR tracking.

octo888 1 day ago

And how funny - I just got an email from Meta about Instagram:

"Legitimate interests is now our legal basis for using your information to improve Meta Products"

Fun read https://www.facebook.com/privacy/policy?section_id=7-WhatIsO...

But don't worry, "None of these allow you to just willy-nilly send/sell info to third parties." !