In Germany it has been illegal for years to embed anything from social media: "Share on..." buttons, tweets or pics. Not because of licensing, but because it will lead to the social media platform tracking the user without consent. Even users who have no account on that social media platform and have never given consent to anything.
Compliant sites show some placeholder in gray typically with appropriate warnings. If the reader wants to reveal the element they need to click first.
Disclaimer: Not a web developer, not living in Germany, but German as a mother tongue.
This is not entirely true (disclaimer: living in Germany, with a German-based business).
You can embed social media.
What you can't do is embed a social media post without disclosing in the cookie notice (that must be approved beforehand) what will happen to the user due to you doing it.
Only if you render the embed before the user accepts which is under the control of the developer/site, even though many don't bother to do that correctly I bet.
I believe the ePrivacy Directive (aka stupid "cookie law") merely required disclosure of cookies but didn't ask for opt-in, so disclosing that you're setting cookies might've been enough.
The GDPR absolutely requires opt-in before setting cookies (or collecting user data in other ways, it isn't specific to cookies even) so the embeds would be in breach. Whether it's the responsibility of the parent website or the embedded element to ask for consent is another matter.
That's interesting...do you know if there's any distinction made between social media embeds and just linking to external resources? I guess you could make a similar tracking argument for images linked from an external site (for example).
As long as the internet is global, but laws governing it are made locally, will not this and similar issues get increasingly messy until we are left with an effed if you do, effed if you don't?
Could these laws that are increasingly unfriendly to the cooperation that the internet enables slow down innovation and make it too risky to invest in many kinds of online services?
Is it realistic to think that one day in the near future we will get some kind of global law governing these things, and if not what other options are there to resolve these issues?
I first got interested in this subject back in 2001 at the time of https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd. , where a Russian developer who'd made an ebook cracking tool was arrested as soon as he stepped off a plane in the US.
Since then there have been various problematic claims at universal jurisdiction, especially relating to money and gambling (poker sites serving the US, crypto regulation in general).
The situation remains .. stable, but fragmented around the edges. There's going to be a slow tick over of cases like this. I don't think it will affect investment, the "break the law and hope you become big enough to make a political win later" approach of Uber and AirBnB has become popular.
Global law is unlikely unless it's set by the US, and the US terms on privacy (very loose except for finances which are subject to total surveillance) is not in sync with the rest of the world.
GDPR sets a reasonable precedent (in the sense of what to expect, and it's a good thing for users, but also in this context, adds complexity for businesses.)
"The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as it is to protect the data subjects’ rights. A “data subject” is any person in the EU, including citizens, residents, and even, perhaps, visitors.
What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR. The data could be in the form of email addresses in a marketing list or the IP addresses of those who visit your website. (See our article explaining what is considered personal data under the GDPR.)
You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis." - https://gdpr.eu/compliance-checklist-us-companies/
For enforcement to have teeth outside their jurisdiction don't they either need assets or revenue streams in the EU which can be confiscated/leveraged, or else good old fashioned extradition treaties?
And don't the latter typically require said crime to be illegal in both jurisdictions?
I don't think the theory is really so complicated. If you want to provide products or services within a country then you need to abide by the laws of that country, if you don't then the legal system of that country has various measures to make doing business in that country prohibitive. At a basic level you could imagine court ordered DNS blocking by ISPs (as is done for the pirate bay in many places), or if you were really naughty then extradition, arrests of key individuals in your org if they try and travel etc.
Most likely though, the foreign company will be operating in some way in the EU country. Even if indirectly, e.g. through PayPal or Stripe, the country can probably intervene in some billing.
"In theory it could be that the EDPB could place embargoes, on sales of Acme Cola’s products within Europe, but if Acme Cola has a strong voice in the Senate, or indeed in Washington, would the US authorities play ball and encourage them to pay the fines, or would they be lobbied and fall on the side of Acme Cola to say no, we do not accept that US companies should have to adhere to someone else’s law?"
Senators may agree with Acme Cola even without lobbying simply to flex national sovereignty (especially if they have a large America First demographic in their state and it's re-election year). "Your law = your enforcement problem"
With that information I can:
• Say with a lot of confidence that billy69420@cbt.eu is owned by one person, called William.
• Infer that, since the e-mail says Billy, but the name says William, the latter is probably what appears on any official documentation.
• Infer that any services signed up to using billy69420@cbt.eu as the e-mail address are more than likely tied to this William person - including any services I run or otherwise have administrative access to.
• Search for billy69420@cbt.eu on various public information repositories and reverse email searches.
• Add an entry to a database using billy69420@cbt.eu as a primary key (e-mail addresses are necessarily unique) to enable me to keep track of my current and future information and inferences, thus building a profile on the person.
I can also understand that the sex and weed references mean that you've probably not given a real e-mail in this example, but if it were real I might be able to infer an age range (or at least a level of maturity) of the user from that, although this would be unreliable as the user could have made the e-mail account some time ago and just still happen to be using it.
You can at scale. Separating bots from real people is a somewhat orthogonal concern, and given a large dataset containing mostly real people, you can safely assume the vast majority of the data is not purposefully misleading. The vast majority is good enough for advertising, and mistakes in non-advertising use usually create a problem for the e-mail owner, not the database user.
"If data are inaccurate to the point that no individual can be identified, then the information is not personal data. (e.g. If you refer to “the man who lives at 12 Mulberry Lane had a party last night,” when Mulberry Lane ends at number 10, that’s not personal data.)"
I could guess "12" was a mistake and just send spam or visit the man living at number 10.
That's way more dangerous imo than an old skool email address and a first name. Yet it's apparently not considered personal data. That's why I asked, actually, since it confused me.
As a sibling comment said, the notion is "Personal Data".
It is very wide and email addresses definitely fall within it. Also note IP is personal data, and an identifier like a UUID of the IDFA is personal data. The key point is that it must be related to an identified *or identifiable* data subject, ie even if that information is not enough to identify the person, the fact that it can contribute to it makes it personal data.
The test is whether that information can later be used to link to an individual. You might not have the information, but you might later be able to correlate it against someone who does, and that makes it personally identifiable and under the scope of the GDPR.
Here's a citation:
"If you cannot directly identify an individual from that information, then you need to consider whether the individual is still identifiable. You should take into account the information you are processing together with all the means reasonably likely to be used by either you or any other person to identify that individual."
PII can be anything unique tied to a person. Email addresses are definitely PII. Even if you don't have the full name of a person in the address, such an address is usually unique to a single person and as such one of the best identifiers you will usually have.
> What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR.
In practice almost everyone in and out of the EU violates the GDPR because it is simply not enforced.
Not because it's impossible to hold foreign companies responsible, but because the authorities aren't even trying (except the very occasional headline grabber).
> In practice almost everyone in and out of the EU violates the GDPR because it is simply not enforced.
> Not because it's impossible to hold foreign companies responsible, but because the authorities aren't even trying (except the very occasional headline grabber).
I think this is a fairly cynical take. I think data privacy as a whole is greatly improved since the introduction of GDPR, and difficult questions are being asked of companies doing dodgy things with personal data (e.g. google, facebook).
I have some sympathy for the enforcement authorities who are relatively small organisations trying to enforce large changes across a huge swath of companies. They need to pick their battles, and going after lots of little fish is probably not a great strategy.
Keep in mind too that a lot of companies are registered with the Irish DPC, which is quite... lax. And the rest of the EU enforcement agencies and the ECJ are both in a constant fight to close that loophole.
Which they are slowly winning. Ramping up regulations takes time, but they work on a tax schedule. They will win in the end.
It should have been standardized, so it can be auto-negotiated. Not these dark pattern menus, but a popup screen: This site overreaches regarding privacy; in addition to what you are usually willing to give, it demands:
- List
Are you willing to give in to the demands:
- Just once
- Fake my data
- Always
- Never
This could and should have been all you see of GDPR. Maybe technical laws should also enforce a standard for consent interfaces.
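The click-to-reveal placeholder described at the top of the thread and the "just once / always / never" menu proposed above can be combined in one small piece of page code. The following is an added example, not code from the thread or from any social media platform: the page ships only a neutral placeholder that references none of the platform's servers, the iframe that would let the platform see the visitor's IP, referrer and cookies is built only after an explicit choice, and an "always" or "never" answer is remembered per provider in first-party state. The provider table, host names and embed URL layout are constructed assumptions, not any real embed API.

```javascript
// Added example (not from the thread): consent-gated social-media embed.
// Provider table is a constructed assumption; no real platform is modelled.
const PROVIDERS = {
  example_social: {                          // hypothetical provider name
    host: "social.example",                  // only posts on this host are embeddable
    embedBase: "https://embed.social.example/", // hypothetical embed origin
    label: "ExampleSocial",
  },
};

const CHOICES = new Set(["once", "always", "never"]);

// Returns the provider entry for an https post URL on a known host, else null.
// Rejecting unknown hosts stops arbitrary URLs from being turned into iframes.
function resolveProvider(postUrl) {
  let u;
  try { u = new URL(postUrl); } catch { return null; }
  if (u.protocol !== "https:") return null;
  for (const [name, p] of Object.entries(PROVIDERS)) {
    if (u.host === p.host) return { name, ...p, path: u.pathname };
  }
  return null;
}

// Minimal HTML escaping for the few values we interpolate into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// In-memory consent store. A real site would persist this in first-party
// storage; no third-party cookie is needed to remember the reader's answer.
function createConsentStore() {
  const remembered = new Map(); // provider name -> "always" | "never"
  return {
    // Records the choice and returns true when the embed may be loaded now.
    decide(name, choice) {
      if (!CHOICES.has(choice)) throw new Error(`unknown choice: ${choice}`);
      if (choice !== "once") remembered.set(name, choice);
      return choice !== "never";
    },
    remembered(name) { return remembered.get(name) ?? null; },
  };
}

// Placeholder: contains no reference to the provider's servers, so the browser
// fetches nothing from them until the reader clicks.
function placeholderHtml(provider) {
  const label = escapeHtml(provider.label);
  return `<div class="embed-placeholder" data-provider="${escapeHtml(provider.name)}">` +
    `<p>Loading this ${label} post will let ${label} see your IP address and set cookies.</p>` +
    `<button data-choice="once">Show once</button>` +
    `<button data-choice="always">Always show</button>` +
    `<button data-choice="never">Never</button></div>`;
}

// The real embed, built only after consent. referrerpolicy keeps the article
// URL out of the request; sandbox limits what the frame may do on the page.
function embedHtml(provider) {
  const src = new URL(provider.path, provider.embedBase).href;
  return `<iframe src="${escapeHtml(src)}" sandbox="allow-scripts allow-same-origin" ` +
    `referrerpolicy="no-referrer" loading="lazy"></iframe>`;
}

// Pure decision: which markup the page should show for this URL right now.
function renderEmbed(postUrl, store) {
  const provider = resolveProvider(postUrl);
  if (!provider) return { state: "rejected", html: "" };
  const prior = store.remembered(provider.name);
  if (prior === "always") return { state: "loaded", html: embedHtml(provider) };
  if (prior === "never") return { state: "blocked", html: "" };
  return { state: "placeholder", html: placeholderHtml(provider) };
}

// Browser wiring (skipped under Node): swap the placeholder for the iframe on click.
function mount(container, postUrl, store) {
  const first = renderEmbed(postUrl, store);
  container.innerHTML = first.html;
  if (first.state !== "placeholder") return;
  const provider = resolveProvider(postUrl);
  container.addEventListener("click", ev => {
    const choice = ev.target && ev.target.dataset ? ev.target.dataset.choice : undefined;
    if (!choice) return;
    container.innerHTML = store.decide(provider.name, choice) ? embedHtml(provider) : "";
  });
}

if (typeof document !== "undefined") {
  const store = createConsentStore(); // one store shared by every embed on the page
  for (const el of document.querySelectorAll("[data-embed-url]")) {
    mount(el, el.dataset.embedUrl, store);
  }
}
```

The point worth checking in any such implementation is that the placeholder markup itself contains no URL on the provider's domain (no preview image, no script tag): a single such reference is enough for the visitor's browser to contact the platform before any consent was given, which is exactly what the placeholder is meant to prevent.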
Honestly, this should be handled at the browser level. You select in your browser what cookies and information you are willing to share with companies and they can only take what you give them.
Then they can offer incentives to you to justify you giving them more. That would be non-invasive, privacy centered & make the web a better place.
Compare how many cookie/data processing consent banners are in breach (because the "decline" option - if it even exists - isn't as easy to use as the "accept" option) with the number of fines.
Compare the total fine amount for Facebook to its revenue (of which a sizeable chunk is earned by breaching the GDPR).
Well my first point is that if you compare the amount of breaches vs the amount of enforcement happening, "no enforcement is happening" becomes true unless you want to be pedantic and count 0.1% as enforcement worth talking about.
I feel like the “server test” rule OP talks about doesn’t really matter and shouldn’t. Who cares if the browser downloaded it from Instagram or the site itself. The actual result is the same. It would make sense that embedding is exactly the same as reposting, either allowed or not allowed for both.
A similar situation is that I can listen to music on my phone with Spotify legally but if I plug my phone in to a speaker system and play the music for a large group in public, it’s no longer allowed. But the music actually came from Spotify so how is it different?
Tech people always feel entitled to loopholes in laws like “this file is just a bunch of bits, how can a number be illegal??” But this thinking is not useful for a functional legal system.
> Who cares if the browser downloaded it from Instagram or the site itself.
Can we apply this logic to downloading copyrighted material? I would love it if I could openly and legally download ROMs of all my games and archives of prime time broadcast television.
But since that's not how the legal system works, it's pretty obvious that getting something from the licensed distributor is different from getting a copy made and distributed by someone else, even if it's automated.
> But the music actually came from Spotify so how is it different?
The downloading is still legal. Spotify is still legal. The only problem is the new part you added. This is not analogous to the download vs. download comparison.
> Tech people always feel entitled to loopholes in laws
You know the test came from a highly regarded court, right?
Your Spotify comparison does not really match perfectly. Playing for yourself (license permitted) vs playing for the public (license not permitted) is keeping the same content source but changing the end user.
With the photo, you are a single user browsing the photo on either website A or website B. Website A “owns” the photo, and website B has embedded it, but in both cases you are getting the photo from website A.
Since you are the same user both times, and are getting the photo from the same place both times, at first glance I would regard this as not breaking any license terms since the two parties (image host, end user) are the same, but I can accept that this is a point of contention.
I think the license to the copyright material is the important part here. In the instagram embedding example, the uploader (i.e. copyright holder) gives IG a broad license to the content that includes giving people the right to embed the IG post on external sites.
Spotify's license is obviously not going to include permission from the artist to broadcast the work to large audiences.
Seems like Instagram should be on the hook here. They have a legal team, they have a license for the content, and they provide site owners with an easy way to embed content, but they don't provide the proper licensing for actually using it? Seems like some sort of entrapment - although I'm probably using that word incorrectly in the legal sense.
Suppose I put a bowl of cookies on my lawn with a "free cookie" sign. Then I sue anyone who takes a cookie - not for taking the cookie, but for stepping on my lawn. I don't think a court would be willing to accept my stance that I didn't provide a license to enter my property.
Please note that this is about the copyright in the embedded post, not the personal data implications, and by "illegal" they mean "infringing", which is usually a civil matter and not a criminal one most of the time.
I find it strange that merely providing a link to something can be problematic here, when it's the user's browser that follows the link, and Instagram's server that decides what content to serve for it.
Can I get into hot water when the content of the link changes after I link to it?
But then, the judges might not know the tech well, while I don't know much about law. Maybe the intent of the embedder to have the content displayed by embedding a link to it is all that's needed here? Without their embedding, the viewer would not see the copyrighted content.
Interested to hear more knowledgeable perspectives that can elaborate on the legal basis of these decisions.
You know perfectly well what the browser will do when presented to that link, you know the site doesn't follow the law, and you know your user will be harmed on this specific way. I don't see a problem with you being held responsible. (Also, civil laws have a tendency of spreading blame over as many parties as possible when the victim is seen as powerless. That's a very good tradition that the EU started by the way.)
If you didn't know that the linked site would misbehave, or what the browser would do, then you shouldn't be blamed. Still, if the victims are seen as very powerless compared to you, it's not rare for laws to still place you as an intermediary and require that you go settle your damages down with the other party. I think the GDPR shouldn't do that, but I don't know if it does.
> You see, the “server test” comes from the 9th Circuit, and is binding law in California, where most of the tech companies are.
This is a misunderstanding that has to stop: judicial opinions are not law! Judicial opinions represent a judge's interpretation of the law, and courts take such precedents into account, but precedent can be and is overturned. There are all manner of precedents that are clearly, absolutely wrong, and which have never happened to be reconsidered by another court in a similar case --- but that's no reason to allow yourself to be bound by them in your life. To change what is or is not legal, legislatures have to change laws.
The same, but less so, applies to mandates and orders issued by executive officials or agencies, at whatever level; they may be supported by law, but they are not themselves law, and since often the people making and enforcing those mandates and orders are not elected representatives, they do not have the authority that popular representation gives to actual laws.
IP has tumbled, stumbled and bumbled to its current state by way of haphazard precedents and half assed legislation. To the extent that it's intentionally tweaked (designed is too strong a word), it's adapted to protect high value industry or companies. What we're left with makes no sense.
Concepts like freedom of expression, the public domain, rights of artists and such have a part in IP's history, and rhetoric... but I can't think of any legislation, reform or regulatory/enforcement actions that actually set out to defend these.
I don't know if there's a one paragraph solution, but IP is central to a lot of centralisation phenomenon one way or another. The economic and legal dynamics of copyright, for example, centralize control over music revenues and often discovery. That's spotify now. It was record companies at one point. The first step in any commercial music endeavor, before a single note is played, is to separate artists from control and ownership of the music.
What the hell is the public benefit of giving social media sites these rights over content? If we accept T&C click throughs as valid contracts, the whole concept of determining content usage rights by agreement is absurd in practice.
I agree. It is a mess. Worse than that. It creates a very avoidable burden and it takes away some interesting products from us. We were going over the Zune case in our last MBA class and one of the things that clearly sunk the product ( as opposed to the iPod ) was the way it attempted to please IP-holders, resulting in a god awful experience for the user ( https://answers.microsoft.com/en-us/musicandvideo/forum/all/... ). I am admittedly not an Apple fan, but I personally thought Zune was otherwise quite nifty and would have otherwise seen some adoption. IP craziness crushed it.
It wouldn't be Instagram suing you. It would be the owner of the photo that uploaded it to Instagram. By uploading it to Instagram, they're granting Instagram a license, but they aren't granting you a license. People can still claim copyright over the images they've uploaded to Instagram. Instagram has the right to sublicense content that has been uploaded, but they've explicitly said that they aren't doing that.
It can be argued that by uploading the photo to a public website they have granted everyone a license to instruct computers to display that photo (that's literally what embeds do)?
Also, since Instagram has an embed feature, surely they have something in their ToS that ask the user to grant a license to Instagram to display the content not just on the main website but on any website that embeds the Instagram-hosted content?
Your intuition about fairness matches a principle recognized by courts. The term for the applicable legal doctrine here is "estoppel". There's a strong argument to be made that if Instagram didn't make its (fairly unorthodox) position on embeds clear beforehand, then Newsweek's original use was reasonable and non-infringing (but not something that it can rely on indefinitely, esp. after Newsweek was notified that it did not have permission). There's another argument to be made, though, that the absence of an explicit prohibition is not necessary, due to copyright being an automatic negative right—that the burden is on Newsweek to obtain a clear license, not on anyone else to do any work explaining to Newsweek that it can't use it. This is a strong argument, too, but probably weaker than the argument from estoppel.