14

Service providers like Google and Facebook are pretty much part of people's lives.

Like how the law has provisions for 'well known brands' (eg. generic trademarks and common carriers), does the law have provisions for 'well known service providers' when it comes to privacy terms?

What is the point of privacy laws if a dominant service provider like Google/Facebook can simply deny service if one does not want to accept its data collection policy? They can also change their policy from time to time.

This question is general, I do not want to restrict this to any jurisdiction. But if a jurisdiction is asked, can the answer be confined to the EU? Data protection laws are most stringent there.

16
  • 10
    I don't see why Google cannot deny you the use of their service for any reason they see fit. You have no right to use the IP of any company.
    – Neil Meyer
    Commented Sep 27, 2021 at 17:49
  • 4
    @NeilMeyer - in Europe this would be strictly illegal.
    – Davor
    Commented Sep 27, 2021 at 19:08
  • 12
    "Service providers like Google and Facebook are pretty much part of people's lives." there's the flaw in your logic right there. You are reasoning that once a service crosses a threshold of popularity, this results in a "loss of rights" - or what we call a "taking" a-la eminent domain. There is no such threshold, and such a "taking" would be problematic. Commented Sep 27, 2021 at 21:12
  • 4
    @JörgWMittag no they don't. A "generic trademark" is one that has "lost its power" by falling into general use, diminishing or completely destroying the owner's ability to sue for infringement.
    – hobbs
    Commented Sep 27, 2021 at 23:06
  • 12
    Do you actually want to live in a world where Facebook is considered as essential to life as heat and water?
    – hobbs
    Commented Sep 28, 2021 at 2:02

5 Answers

30

The point of privacy laws is to set basic standards that apply to everyone, whether or not they have a privacy policy. A privacy policy that is inconsistent with privacy laws cannot be enforced. Breaches of privacy law can be punished even if the conduct is permitted by a privacy policy.

Article 7 of the GDPR illustrates this by making special provision for the nature of "consent" to the processing of personal data. Consent must be freely given, and a "written declaration" as to consent, like the acceptance of a privacy policy, "shall not be binding" to the extent that it infringes the GDPR.

The $5 billion penalty obtained by the FTC in United States v. Facebook, Inc (19-cv-2184) demonstrates that privacy laws can have a practical impact when a service provider "subvert[s] users’ privacy choices to serve its own business interests." Facebook was penalised even though its users agreed to Facebook sharing "information about the App User and the App User’s Facebook Friends" with third-party developers.

Whether a service provider has breached privacy law is a complex, fact-specific question, but if the service is "pretty much part of people's lives," that will generally affect both the application of privacy law and the likelihood of an investigation by the regulators.

1
  • 2
    This makes a lot of sense now. Good you pointed out the Facebook violation. Basically the bigger they are, the harder they will be investigated on. Commented Sep 27, 2021 at 12:24
18

GDPR doesn't generally expect “agreement”, so it's not necessary to prevent access by people who don't “agree”. A privacy policy is not a contract, but a unilateral notice about how personal data will be processed. This processing is either legal, or it is not. The GDPR contains various conditions and parameters that determine what is legal. In particular, every processing of personal data needs a clear purpose that is covered by a legal basis. Legal bases can include legal obligations, contracts with the data subject, but also consent (opt-in) or a legitimate interest (balancing test with opt-out).

Large service providers like Google or Facebook have the legal resources to defend themselves, and have a lot to gain from more flexible interpretations of data protection law. So they often end up doing stuff that's not entirely legal.

For example, Facebook is arguing that they're not processing personal data for advertising purposes because they want to – they argued that they have a contract with the user, and they have an obligation under this contract to show ads. So it's really the user's fault, and Facebook is just carrying out the user's wishes. If that is the case, then Facebook would not need consent. It is not yet clear whether this is legal (noyb is currently litigating this “consent bypass” technique).

My assumption is that Facebook's standpoint won't prevail: while parties are generally free to enter whatever contract they like, pre-formulated contracts / contracts of adhesion are generally subject to additional regulation and can't sneak in surprising extra terms. A pre-formulated contract about providing a social media or messaging platform cannot contain non-necessary terms about data use. Instead, consent would be a more appropriate legal basis.

And at least under the GDPR, consent is subject to substantial conditions. Consent must be specific, informed, and freely given. Access to a service cannot generally be made conditional on unrelated consent, since this would make it impossible for a user to freely decide (Art 7 GDPR). (However, it might be OK to give the user a choice between consent and a reasonable payment.) GDPR consent must involve an unambiguous action, and cannot be implied by an unspecific action like “by continuing to use this site, you agree …” or by checking a button “I have read and understood the privacy policy”. If consent was obtained in an invalid manner (such as by pressuring the data subject, or making it impossible to decline), then data processing activity that was covered by the consent legal basis is illegal, risking fines under the GDPR.

2
  • 1
    Again, think it's important to note that Facebook/Google et al. have an "opt out of targeted ads" button - this means that they'll stop using your data for advertising. There's been a lot of arguing about how prominent this button has to be, if it can be ticked on by default, etc., etc. The requirement to have it is as part of the "consent must be freely given" - they can't stop you from using their service if you opt out of having your data used for ads, because that would be coercion to keep allowing them to use your data.
    – lupe
    Commented Sep 27, 2021 at 15:26
  • 1
    @lupe: An "opt-out" button is ticked by default. That's literally what opt-out means. An unticked-by-default button is referred to as "opt-in". The GDPR specifically requires opt-in consent.
    – MSalters
    Commented Sep 28, 2021 at 10:05
2

By using their service, you have to agree to their conditions. So yes, if you don't agree, you can't use their services. There are alternatives, although of course they may have limitations in functionality or reach (there's a reason many people think google is the best search engine).

If you think they do more with your data than what you agreed to, you may file a complaint with the GDPR representative, but this must be very well justified. Note that the GDPR does not prevent that data be collected. It only requires companies to inform you what they do with it and why.

17
  • 2
    @user1034912 A company can "force" you to do anything to receive the product as long as it's legal, such as "forcing" to pay $5/mo. If the mailing list terms are legal, then that's fair game. An illegal example would be offering the service in exchange for, say, heroin. The website you're on right now didn't allow you to make that post until you were "forced" to make an account.
    – Clay07g
    Commented Sep 27, 2021 at 18:42
  • 5
    This is factually incorrect. GDPR literally spells out this situation and calls it illegal. You can not predicate access to your service on consent to process PII, and you cannot process PII without consent (or one of the exceptions that are not applicable here).
    – Davor
    Commented Sep 27, 2021 at 19:11
  • 1
    @user1034912 - pretty much, yes. They can force you to accept terms like "I won't upload illegal content", but they can't force you to accept "I give my PII in exchange for using the service". That must be optional, and false by default.
    – Davor
    Commented Sep 28, 2021 at 8:55
  • 3
    @PMF - GDPR Article 7 (gdpr-info.eu/art-7-gdpr) spells out that you can't condition the access to your service on access to PII. And you don't need to store IP addresses to process requests, and most services don't. We usually store partial IPs for logging purposes, and those are not required either.
    – Davor
    Commented Sep 28, 2021 at 9:03
  • 1
    @user1034912 - yes, exactly my point. Using anonymized data like partial IP or hash of an IP is fine because it doesn't identify a person. We used those to block people, for example. We don't know who the people are, or even what their IP is, we just know that if their IP hashes to XXXXXX, we should reject their requests from API.
    – Davor
    Commented Sep 28, 2021 at 9:54
2

A privacy policy is generally not an agreement or a contract, it is a statement of the provider's actions in connection with the acquisition and retention of personal information (PI) and other privacy issues. Various laws may require a provider to have a current and accurate privacy policy displayed, including the GDPR, the CCPA, HIPAA, and various industry-specific laws in the US.

(see also https://law.stackexchange.com/a/73222/17500)

Thus there is generally no need for a user to agree to or accept a privacy policy, as there often is to a "terms and conditions" or "end-user agreement" document.

While laws can and sometimes do treat large firms differently than small ones, I don't know of any law that makes privacy rules less strict for large firms. In fact the CCPA only applies some of its rules to services with more than a certain number of users, I think 10 million.

A service can impose privacy policies with no consent provided that they are within what the applicable law permits.

Accepting a privacy policy or a user agreement does not allow a service to impose terms or use practices forbidden by law (unless the law permits such an exception, and most do not in this area).

1

does the law have provisions for 'well known service providers' when it comes to privacy terms?

No, the law (generally) doesn't make a provider's rights worse when it crosses a certain size threshold. And even where those restrictions exist, they can be gamed around.

Suppose you "break up AT&T" as it were. Four brothers form corporations: Gryffindor, Hufflepuff, Ravenclaw and Slytherin, and they socially incentivize social media users to spread out evenly among all 4, so none are a monopoly and they dodge the law. Then they tightly link each site's experience to the others using OAuth, embedding under the guise of open systems, but really they close it via tough contractual commitments outsiders are unlikely to tolerate. Same difference in the end, just now it's a cartel.

What is the point of privacy laws if a dominant service provider like Google/Facebook can simply deny service if one does not want to accept its data collection policy? They can also change their policy from time to time.

The laws apply to all providers. They can't change their privacy policy to contradict laws. If you want a privacy policy to be guaranteed, you need to talk to your representatives and get it baked into a law.

And citizens can always "vote with their feet". Consider the fate of Google Plus... Myspace... Friendster... Livejournal... AOL... Prodigy... Facebook may seem like the ten ton gorilla today, but I remember when it was AOL and people were talking about anti-monopoly action against them.

All of them lived by the social effect of "all your friends are there"... and died by it too.

An offensive privacy policy is simply likely to cause a mass exodus. StackExchange itself had a setback two years ago after spectacularly botching an internal discussion amongst mods and staff about personal pronouns, for Pete's sake, which goes to reflect how easy it is to take a fall. That could have snowballed into social abandonment of the platform, had an appealing alternative been up and running.

4
  • 4
    This seems more like an opinion piece than an answer. Even as opinion, I can't make sense of it. There's precedent in the U.S. for putting special restrictions on corporations that are de facto monopolies due to the high cost of entry for competition – and you even mention an example – yet your answer is written as though you think OP is foolish to suggest such a thing.
    – benrg
    Commented Sep 27, 2021 at 22:53
  • @benrg where does it infer I think OP is foolish for suggesting such a thing? And what case of high cost of entry for competition did I mention? I'm happy to fix such a blunder, but I am responsible for what I write, and it seems like you are making a lot of inferences that don't look like my work. Commented Sep 27, 2021 at 23:07
  • 4
    The EU does have a specific threshold for large companies. It's called a "dominant market position", and Facebook has it. The EU puts up extra restrictions for companies with a dominant market position. It is entirely possible to imagine additional privacy requirements for such companies, even if they don't exist today. Thus, "the law applies to everyone" is not meaningful in the EU.
    – MSalters
    Commented Sep 28, 2021 at 10:13
  • @benrg well 2 people seem to agree with you. shrug I tried to remove what I'm guessing you're after, but you tell me. Please, tell me. Commented Sep 28, 2021 at 19:00
