Hacker News | lloydsparkes's comments


I am reading through the complaints,

The first one: https://noyb.eu/wp-content/uploads/2018/05/complaint-android...

The User sets up a "new" (non Google) phone, and isn't given an option to decline consent to Google's ToS.

Now how does this work with a physical product? It needs to be compliant on the 25th of May 2018, but the version of Android may be old and not updated (given it's Android). Even if there was an update waiting to resolve GDPR related issues, you would need to agree to the ToS to get that update, to enable opt-out?

In that point of view, it seems a rather unfair complaint. I haven't checked the others yet, but I start to feel that perhaps these have been filed too early, without enough thought and examination, just to get headlines?


> In that point of view, it seems a rather unfair complaint

It is an unfair complaint. But to be fair to the regulators, these complaints were filed by users, and may well be dismissed once reviewed by regulators. This type of unfair complaint will be an interesting test to see just how abusive the GDPR enforcers may or may not be.


The real test is how Google behaves.

Google shouldn't be collecting data from users who agreed to share their data based on outdated ToS that are no longer legally valid.

They should ask for agreement to new GDPR-compliant terms just as they do for users who agreed to the old terms before GDPR was law.


Why do you think that previous ToS was outdated and no longer legally valid? Why do you think consent given x years earlier would not be valid?


Because the new law says the user can’t be assumed to consent, unless the specific parts of the contract are stated more explicitly, are opt-in rather than opt-out, etc. The old ToS become invalid and unenforceable.

If they stop collecting data for those users (at least until they opt in to an updated ToS) that would work around the problem.


Anyway, I'm in EU and I received mail on 12th May about updated privacy policy. In my native language that is used only by <2m ppl.


Companies have had two years to get their act sorted out on this.


I can still purchase a "new" 2 year old phone. I think that is a valid question.


If a product that was in compliance goes out of compliance due to legal changes, it generally has to be pulled from the shelves. I'm saying this strictly from a legal perspective, not endorsing it per se, and I acknowledge the significant expense involved. But this sort of thing happens pretty frequently in a lot of other industries, and the result is pulled product and often a lot of destruction of unsold product.

In this case, fortunately, the hardware may not necessarily need to be destroyed, but it couldn't be sold until the software stack complies. Or, more likely economical, ship the phones somewhere where they are still legal and ship new stock into the EU with updated software. Or make sure there's an immediate update available for the phones and petition the EU for a variance on the grounds that as long as they update, they'll get compliant software. There's a number of options.


If Google had made software updates available, which gave the correct options and are GDPR compliant.

But the OEM, Network don't approve / supply those updates, is Google at fault? (In this case it's a non-Google phone running Android)


> But the OEM, Network don't approve / supply those updates, is Google at fault? (In this case it's a non-Google phone running Android)

Great question. I have no idea, and with the GDPR having been looming on the horizon for two years now, is something that would be beneficial (and cost-effective) to spend money on getting quality legal advice.

To anyone who has seen the complaints about startups having to spend $20k on a lawyer to explain the GDPR to them, a small startup won't be facing complicated legal questions like these (and those who insist on doing so, have been given ample warning).

A friend of mine has an online business that involves offering/reselling/managing a client's domain registrations (as part of a package of specialised hosting services). Meaning he can't really get around sharing his clients' information with third parties (registrar, other domain shop, I'm not sure). 25th of May approaching. He reads up on the GDPR, makes some adjustments how or what data he stores (because earlier, you know, it was considered good practice to "store all the things" just-in-case), writes a 3-page license agreement (I suppose he took a boilerplate example and adjusted it to his needs), sends it to his clients to agree, and done. Less than a week's work.


Interesting line of argument; if it was a CE compliance issue it would clearly be the vendor/importer. But the GDPR doesn't talk about devices, it talks about data controllers.

Information commissioners can't require data controllers to do things which cannot reasonably be done. So I think this ends up with "the existing phones are fine for technically necessary data processing, but buying an Android phone cannot be direct marketing consent in and of itself".


It's Google's terms, and Google is the one who determined the mandatory flow of that setup as per agreement with the hardware vendor. The EU could absolutely hold them responsible for not having this sorted out with their partners, it isn't like the OEM put the terms on a device and sold it without Google's permission.


But the OEM is responsible for software support for their devices (this is the entire Android model and why Google has been working so hard on the Treble project the past year+). Since the current version of Android doesn't have this problem, I don't see how this is Google's problem.


It's Google's terms for an agreement with Google. How could any reasonable person make the claim it is not Google's problem? Especially considering they had two years to prepare, and 2018 phones still have this problem.

Presumably, if moderately recent phones were compliant, Google could ensure that outdated/invalid consent forms were only tentatively accepted until Play Services updated within the first day or so of activation, and then presented a remedial consent form which was GDPR compliant. The EU would very likely accept this solution as a technical best effort method to ensure older devices were respecting people's rights.

But it sounds like they never really put in the effort. What version of Android is GDPR compliant? 8.1?


Aren‘t the ToS pulled from the web when you set it up with a google account? I doubt you‘re agreeing to two year old ToS.


Possibly, but it still might not be possible for Google to provide a means to decline the ToS without issuing an update (which, as has been pointed out, wouldn't be possible to install anyway without accepting the ToS).


Then it's a device that does not comply with the regulation and must not be sold.


Terrible for the environment. Let's apply rules with common sense [1]. As much as I am for privacy this kind of interpretation is very bad.

1. https://study.com/academy/answer/summarize-all-about-a-dog-b...


The device could still be software-updated then sold, or sold outside the EU. Nobody is saying that it must be landfilled.


Sure, that argument could certainly be made. But unless someone is taken to court over this (or at the very least, threats are made), I think people will continue selling such phones. After all, most sellers aren't going to realise their products are in violation of the law.


If they flag compliant devices, it would be possible on the server side to limit data collected that comes in without the "GDPR-Compliant: true" flag.


Even if the ToS are pulled from the web, it might just pull the document, not the UI, providing opt-outs, etc


They could replace it with a document saying “There are no conditions of use. Enjoy your new phone!”


fwiw, the phone in the complaint is from 2018.


Well, think about cars and emission issues that need updates - manufacturer does recalls and fixes it for everyone. Not sure what's different here? Why not just pull it from stores and fix it if it's violating law?


"you would need to agree to the ToS to get that update"

If you have to agree to their ToS before you can use the device, it should be before you purchase.

Google intentionally waited until they had your cash to say GOTCHA! We require an additional payment of your soul. Now it's biting them in the ass, it is entirely fair.


That is entirely false.

If you buy from the Google store, you'd have to agree before buying (you can't buy without an account).

If you don't, then the seller had to notify you before your purchase. Google had little influence there.

And your argument doesn't work if you're talking about third party devices, which the parent was.

Android itself is open source. OEMs aren't forced to bundle the Google services with it. This can't be blamed on Google either.

They're probably still violating GDPR, and I'm looking forward to the first real cases. These are just silly.


Google has a checklist of things that each OEM has to do in order to distribute the Google Apps, which are not open source. If the OEMs are in compliance with Google's terms for OEM distributors, I would say that it is an issue with Google's terms.

I am curious, I have a Samsung device and I note that I can't uninstall Gmail. Is that Google's choice or Samsung's choice?


honestly, i think the best choice would be to 'accept', and use the google services, or deny -- and just not get any google apps installed.

this would give privacy oriented people the option to simply opt out of anything google and still uphold the pretty good stock experience.

but this is imo still not google's task. OEMs choose to just flash google's services and apps by default right into their OS. that should only be done after the user said 'yes, i want to tell google everything i do'


If denying would mean that I am denied service of their apps, then that would be a violation of GDPR. That is the point of the regulation.


Android has the ability to push updates to phones that haven't been set up yet; when you first turn on a new phone the first thing it does is ask for wifi so it can check for updates. Google has the ability to update the phone before literally any other part of setup occurs. You do not need to consent to the ToS first; the setup steps on Android are really carefully thought through from a legal perspective.

(I know this because I worked both on the setup system and on one of these "zero-day updates", where we fixed some bugs between when we sent the "final" image to the manufacturer and when we actually shipped devices)


Google cannot update a phone that uses an OS built by another OEM. Since the OEM cited in this complaint is a low end Huawei phone they're responsible for pushing the update.


I'm pretty sure that's incorrect at least today, it's possible to skip through the initial setup on a stock Android device without adding a Google account or accepting a ToS.


If there is, they don't make it obvious. Whenever I've tried setting up a stock Android phone, I've looked for a way to do so without adding a Google account, but found no such option.

Perhaps it's possible to do so by pressing or holding some obscure sequence of buttons, but in that case it is reasonable to argue that a 'hidden' option isn't really an option at all. After all, you can't hide microscopic text on a paper contract and expect signees to be bound by it.

There may be stock Android phones out there that do provide a clear option to not use a Google account, but there are certainly many phones that do not.


"Add a google account, enter your email"

On the bottom of that page in grey is a skip button. You do that and you've skipped over it.


I am using a Chinese no-name Android phone without a Google Account. It is somewhat useable even without Internet connection and without SIM card. For example, I can use a camera, radio, music player, a dictionary or offline maps.


China gets your data now.


That's why I thought about either routing all traffic through my server or replacing proprietary ROM with open source software.


Good luck downloading apps though. I can't see how it's necessary for Google to track all your stuff, just to permit you to download an app.


You can use third party app repositories like the FOSS-only F-Droid, or even simply download apps directly from individual creators if they release the apk.


Also there are sites that allow you to download .apk file from Google Play without Google Account.


Google and the manufacturer had 2 years to ensure this wouldn't be an issue.


Apparently that didn't work. I think we're all curious what they can/will do now, because it is an issue.


> and isn't given an option to decline consent to Googles ToS

You can turn off the phone and sell it on Ebay


Hobson's Choice regarding tracking / data collection consent is specifically a breach of GDPR.


The option to refuse the new terms is there, it's just not explicit. I'm not saying this is nice or good, but OP's comment sounded like there's no option, they just made it less obvious.


Less obvious and not explicit terms are violations of GDPR.


If you live in the USA. However, as a European you have more rights, and in the next years we will witness a lot of battles between EU users and American corporations desperately trying to maintain the old status quo.


So far Google and FB have no complaints about GDPR - that was the word from EU regulators. Why would you think they are so desperate?


I'm actually kinda curious what role the US government will end up playing in all of this


To downvoters: I'm curious to hear your counter-arguments. Yes, as a European I have more rights related to personal data than Americans. American companies can continue playing the same old tricks on American citizens with no consequences. It's not possible to do the same to Europeans anymore.


You were probably downvoted for the absoluteness of your statement. For instance, you do not have more rights as a European business owner. Even as just a user, you have fewer rights to enter agreements now with these tech companies free from government involvement. What you may call rights, others call restrictions and limitations of rights.


Agreed. As an American, reading the term rights associated with increased government control is nonsensical. I understand the European viewpoint, it's just much different in America.


> As an American, reading the term rights associated with increased government control is nonsensical.

This is nonsensical. You can not have rights w/o government anyways. You may have privileges or power to force others to comply, but "rights" are defined by a third party entity that enforce them.


You have those backward. Natural rights, at least, are considered to exist before and outside of government. Enumerated rights may derive from government, as do privileges. The "lege" in privilege literally means "law".

Enumerated rights are the rights the GP was talking about. These are defined in law, though may derive from natural rights.


Yeah, good luck enforcing those natural rights w/o any entity to protect you from those who are stronger than you and keen on violating your "rights" for their own good. If I have a gun and you don't, and nobody can enforce your right to life, the chances are that I can kill you and your right to life with a single movement of a finger any time I want. And because not everybody can become warlords, w/o any organisation to enforce those natural rights, they'll only belong to those with more guns. And such an organisation, in one form or another, is some sort of government. Calling some rights "natural rights" and believing that they "exist before and outside of government" are just naivety in the least, if you don't have anybody to make sure nobody violates them. We don't live in philosophical wonderlands, unfortunately. In our lands some A. Nix guy can easily acquire data of 50million people in a country and put that to use of unlawful, evil organisations. And just like everybody will kill everybody if you don't have jails to put killers in, these companies will continue on forming and exploiting until there are grave consequences to doing so.


I'm just clearing up some confusion about definitions here, not making any comment on enforcing rights.


This is actually very interesting. It seems to me that many Americans really don't care how their personal data are (ab)used and will happily agree to absurd ToS-es without complaining. In Europe, we have quite different culture of doing things. And yes, the misnamed "right to be forgotten", i.e. the ability to remove my own personal data from a website, is an important right. Not being tracked is an important right. Not being profiled - ditto. It's really shocking to me that the narrative in the USA is that GDPR is evil, whereas many people in Europe consider it a very positive development, in spite of additional work that needs to be done.


Put simply: Americans prefer corporate overreach to government overreach. The latter is seen as only needed in extreme circumstances because there is often no going back. It's why you see hate for things like the cloud act and GDPR... it doesn't matter where they are enacted, some people don't want the government involved on these things at this point.


Genuine question: So Americans actually prefer the corporate Black Mirror-esque tracking and profiling that has become endemic and out of control over what I would consider a reasonable update to the old DPA?

How is it overreach and how is it solved without regulation? Equally, how is there any going back from the corporate overreach without?

Edit: typos.


You have deviated into the absolutist approach I mentioned before. You don't even have to do without regulation, just not more and larger. Among solutions there includes: education, enforcement of existing statutes, reduced scope legislation until enforcement catches up, promotion of alternative approaches, tacit support for technical defenses, etc, etc. There are so many more. Adopting this large sweeping legislation is a myopic approach taken by those who think they wield a toolbox with only one tool in it. Sometimes even, if the unfortunate choice is corporate or government overreach, we should not be so hasty to counteract the former with the latter. Work towards it.


GDPR really isn't that much more than the previous DPA which was in place 20 years without problem. Businesses and startups were still formed.

To stick to the general. Who pays for education and promotion of alternatives against industries spending billions? Either it's coming out of tax or a regulation is required to force educational messages and disclaimers. If neither it just seems a way to assert the status quo as any interested party or user rights group that does get a little visibility will be immediately advertised against by those with a financial interest but far deeper pockets.

Regulation might not be perfect, but seems to be the only viable way left to limit the problems that come with unrestricted commerce.


I think anti social media PSAs are as reasonable as any other PSAs. It's ok to encourage people to go outside instead of play video games or encourage people to not talk on the phone while driving. The video game and phone industries are big too. It's ok to give grants to projects that already have other players in the industry. It's ok to suggest people use ad block. There's no need to be so defeatist assuming nothing will work. We can't even really discuss these types of solutions if everything but law is assumed to not work for internet privacy issues when law is the only one that has been shown not to work. Absolutist phrases like "unrestricted commerce" (as though that exists) "regulation [...] only viable way left" are the reason nobody can see alternatives. It's like self-imposed blinders.


It's OK but ineffectual when up against industries spending orders of magnitude more. It can never be a level playing field.

You give using a phone while driving as an example. UK tried PSAs for years before ultimately outlawing it. Enough were seen ignoring that law that they doubled the penalty some years later. From the occasional piece I've seen on US sites that mention the issue I get the impression that distraction from phones is a disappointing but accepted facet of modern driving.

The older I get the more agreeable I feel to more regulation and adequate enforcement. Without it companies large and small, and individuals, are too inclined to be abusive - of pollution, of privacy, of financial misselling and so on. All to make that sale or commission. Caveat emptor works when it's a consumer against the local greengrocer, or taking a survey before house purchase. Not so much when it's a consumer against multi-nationals employing psychologists and so forth which is why most UK consumer regulation has been steadily moving away from that model for years.

As a European I can look as the US, who prefer minimal regulation, and see it as providing much confirmation that I don't want to do it that way. I'm a little disappointed that UK governments frequently do wish to adopt a US-lite approach.


Americans for the most part hate being told what to do by the government. For me, I hate it because government intervention tends to cripple economic growth. I value economic growth > social welfare (used in the non derogatory way, in America "welfare" has an immediate negative connotation). I am also aware of this and can understand why other cultures would reverse that equation.


That's correct: government intervention stifles economic growth, be it GDPR or the Paris Agreement. The point is, these laws are proposed where self-regulation fails, and the corporate greed led us to the situation that is worse to the society as a whole than without it.


> In that point of view, it seems a rather unfair complaint

Regulations aren't necessarily designed to be "fair" though. If GDPR is written in a way that manufacturers need to recall all stock and update phones, its cost is part of GDPR compliance and a fair tradeoff for its benefits as per EU citizens.


I think this article misses a key point about fairness that seems to be ignored (I have not read the underlying paper, so perhaps it's bad journalism).

In this scenario:

"In the first scenario, participants had to decide if they wanted to transfer two coins from person A (who already had four coins) to person B (who had one). Researchers note the “transfer would reduce inequality,” (as there’s less of a gap between them), but person B would end up one coin richer than person A, reversing their status."

"Just 45% accepted the redistribution when it changed the hierarchy."

They have focused on changing the hierarchy, and this is where fairness comes in.

Should people who have "wealth" be forced to a redistribution mechanism, where that person ends up poorer than everyone else? - It's one thing to redistribute to reduce or eliminate inequality, it's another to make them poorer than everyone else (even if the overall equality is reduced).

So I don't think it's about maintaining the hierarchy, but a sense of fairness in the redistribution.


This solves my biggest issue, and will make a few projects I'm working on much much easier.

It was such a pain to do USB networking on the old Zero. But it's a great size and form factor for projects.

Adding in Bluetooth and Wifi will make it much easier to work with.


The code name is all that's related to Mojang.

Microsoft has used a number of Minecraft terms as codenames.

RedStone Cobalt


It's about the size of a VHS tape.


A what?


A thing that only fools that don't appreciate quality purchase.

It's a little bit bigger than a betamax.


It's a little bigger than a deck of 50 punch cards.


Intel say it can drive 3x 4k Screens at the same time (2 over DP @ 60Hz, 1 over HDMI 2 ~ 30Hz if I recall correctly)


What? It doesn't have 2×DP according to the specs at the top of the page.


With DP you may daisy-chain additional displays off the first.

http://www.displayport.org/cables/driving-multiple-displays-...


It can use DP over Type-C, so it has


I got one of these the day it came out.

Yes it's potentially more expensive than a Mini-ITX system. But it depends on your priorities.

For me form factor, and power usage, were most important.

This is my new setup: http://lloydsparkes.co.uk/wp-content/uploads/2016/06/CCaptur...

And for a development work station, with light gaming (I have an Xbox One for gaming) the performance is amazing!


Looks nice. +1 for the ergonomic keyboard, I'm looking to buy one myself. Just gotta get one in dvorak...

Is that a standing desk?


It is a standing desk!


Given the size of those 2 monitors it doesn't really look like a smaller form factor would have been an issue?


As it's a standing desk I have, having everything on the desk makes life easier.

Mini ITX would have taken up a lot of deskroom. My old case (Antec P183) I had sitting on a side desk beforehand.


I'm thinking about doing a similar setup and I like the smaller form factor because I can attach it to the back of a monitor and not even have to look at it.


Take a look at the Antec ISK-110. Not as small as the NUCs, but lets you build your own machine on the cheap, and still designed to be attached to the back of a monitor.

(Won't fit a standalone GPU, but I don't think anything that can be attached to a monitor can)


I was interested in the same setup, curious how it performs for development and what kind of development you do (os, tools).

Thanks


It performs fine for development. I'm having some screen flickering issues at the moment (not 100% sure what).

I'm C# Dev mostly at home, so VS2015 etc, also some Linux VMs, mobile VMs, it's pretty good.


It's nice because it makes payments significantly faster especially for small transactions.

When you're in a busy shop getting lunch, or a bar, it saves a significant amount of time and effort.


If speed was a priority at restaurants, nobody would ever eat anything but McDonalds. Apparently speed is not the highest priority for food, at least for most people most of the time.

At more traditional retail, the cost of going to Target retail store is fifteen minutes rounding up the kids, sitting in the car for thirty minutes round trip, wandering thru parking lots and aisles for a half hour, waiting in line fifteen minutes, after ninety minutes of time a couple seconds at payment are a rounding error. If I'm in a hurry and not willing to invest ninety minutes to buy a frying pan, I can pull my phone out and amazon can deliver it with an investment of perhaps three minutes.

Contactless solves A problem, unfortunately it's the wrong problem.


It does save you some time, but is this time worth the security downgrade?

I guess it is up to each person to answer this question.

The main issue I have with this is that no one gave me a choice : I received my card with this feature turned on and absolutely no way to have a card without it (I asked at the bank).


I changed banks about things like this. My bank once thought that I have to have Online Banking with my account, while all I wanted (and still do) is absolutely no remote access except with the debit card. They also told me that their eTan is much safer than the classic Tan system via post so they stopped it.

I really think less is more when it goes about the safety of my money.


Honestly I have the few extra seconds. My security and peace are fully worth that.

Also we have fingerprint scanners on Android now. So contactless plus verification is not an issue at all.

Contactless without verification is just lazy. There is really nothing to argue.


When it comes to my money, I want safe, not convenient.


Although any nation state that does not like capitalism, surely would not be signing a trade agreement to open up trading markets.

