>The argument here isn't that Facebook is playing fast and loose with tracking & user data (which would be a legitimate argument), it's that Facebook is allowing people to grant access to their data to third-parties and Facebook should somehow be faulted for that.
Even so, you wrote yourself that users shared data about their friends. Why does Facebook allow people to share the data of others who didn't agree to this?
> Why does Facebook allow people to share the data of others who didn't agree to this?
I have names, email addresses, phone numbers, birthdates, email contents, and more for most of my friends. There's no centralized arbiter of this information; I have the ability to share this data in any way I choose.
And I do! I switch email providers, install apps on my phone, use calendaring systems, tell our friends where to meet for surprise birthday parties, etc. I don't need your consent for any of it, because even though the information may be about you, we understand that it's "my" data.
Inserting Facebook in this process doesn't really change the dynamic.
Not really; it's their data, and you're allowed to use it.
> Inserting Facebook in this process doesn't really change the dynamic.
Yes it does, because while you (the individual) are allowed under GDPR to use the personal data of your friends for personal purposes, that doesn't automatically entitle Facebook to use it for their purposes. Only on your behalf for your purposes.
Here in the US, facts are not copyrightable. Your phone number, birthdate, email address, likes on facebook, list of friends, etc are not things that you can "take away" from someone. In theory you could exercise copyright over an email you've written, but I'm not sure that's ever been worked out in court.
Foreword: I know that you don't like what you read, but this is the dictum of GDPR, so before you start down-voting, please read Rec. 74, Art. 24 and [1] on the "entity" that obtained the data.
Let me shed some light. Facebook/Google have nothing to do with it, except that they are breaking the law because of you, who have planted data from your friends without their consent.
Following the GDPR, the one who gave personally identifiable information (PII) to Google/Facebook/whatever is the one (HIM/YOU/HER) responsible for whatever they do with it.
(Or in other words: if you are gathering personal data on your website for a 3rd party, you had better be sure that the 3rd party has a strong legal bond with you regarding the information you have "traded" to it, or you might have trouble.)
Even if "your friend" has given his/her PII to you, you don't have any consent to share it with whatever 3rd party application you are using that is stealing your data based on an "I Agree" button. This makes you, as a controller of PII, responsible for his PII. If the 3rd party application (Facebook/Google/...) took it from you for whatever "reason", that information was not yours to share, and you have zero comfort in not having been given consent. You have decided, for your friend, that you will share his/her information with a 3rd party application, due to negligence (you didn't read the "I Agree" text, you didn't care... whatever. It really doesn't matter.)
You have two troubles here.
- The application was violating GDPR. Clearly. Without any doubt. They slurped in the PII of your friends, who gave no consent. They might argue that you misled them. In this case all guilt is on you. Unless they are well known for their acts. Which again paints a big red "negligence" over your forehead.
- YOU were violating GDPR by not taking care of the PII of your friend and giving it to a 3rd party without consent, approval, anything ("Hey, I just took his phone number").
Not only can the 3rd party application be held guilty of stockpiling PII without consent; in the same manner YOU can be guilty of giving them PII (oh yeah, the "I Agree" button), and your "friend" has all the legal support in the EU to sue you for this. The EU won't, they have larger fish to fry, but your friend can and might.
[1] - GDPR defines a controller as: >>> the natural <<< or legal person, public authority, agency or other body which, alone or jointly with others, >>> determines the purposes and means of the processing <<< of personal data
> I don't need your consent for any of it, because even though the information may be about you, we understand that it's "my" data.
You do need consent though. If I provide my email in a social setting, I implicitly give consent to birthday parties etc. I didn't consent to you selling my email as part of a bundle. If people found out you were providing data to random people, at least a stern talking-to would happen.
Under GDPR it works this way for business too, just because I gave you data for a specific purpose doesn't mean you can do whatever you want with it. I'm not aware of other jurisdictions.
So if I give you my phone number and you store it in Google Contacts, and I later decide I don't want you to have my phone number anymore, under GDPR can I request that Google delete my number from your contacts? After all, I never consented to you sharing my phone number with Google.
There is an exception for data that is required for the functioning of the service. You need your friends' email addresses to use email, but do you really need their birthday or a sentiment analysis of their opinion of cheesecakes?
> but do you really need their birthday or a sentiment analysis of their opinion of cheesecakes
If you go back to the Wild West of the Facebook apps, shortly after platform launch there was an app for everything - apps for fancy birthday cards with birthday reminders, as well as polling apps telling you which one of your friends is the biggest cheesecake lover.
Every piece of data can be spun into being essential.
A polling app building a “psychological compatibility profile” can arbitrarily add new data points, and “streamline” the onboarding process by collecting all of the necessary data with one click (with a fully disclosed list of collected data points).
Which is what CA has built.
Not just them - any survey app claiming to help you find out “which Game of Thrones characters you and your friends are” can arbitrarily claim those data points as necessary.
Did people directly add permissions to CA on their accounts? I got the impression they were misled and wanted to add some different applications with different features.
An app to help you find out "which Game of Thrones characters you and your friends are" can arbitrarily claim those data points, and then use them to discover which Game of Thrones character you and your friends are. In that case, even storing the data looks like a violation, even more so sharing it with anyone.
While a surprise birthday party etc. is definitely not a problem for me, if any of my friends considered my address, phone number etc. as his/her data, there'd be a rather serious conversation about it.
Because open Internet principles as understood at the time required that. Facebook used to be heavily criticized (see e.g https://www.google.com/amp/s/www.wired.com/2007/08/open-soci...) for locking data into their platform when it ought to be available on the open web. There was a pervasive sense that you should be able to authorize third parties to do anything you can do through the official webapp; the term “walled garden” was common for platforms that wouldn’t offer this level of control.
Indeed. We should remember that a good chunk of the complaints about Facebook are because they opened up an API to anyone who granted permission, as demanded by power users like us who wanted different services to interoperate seamlessly.
If I put on my blinders against this being Facebook for a moment, supposing that you're on a social network in which your friend is someone you personally trust, then it's not that ridiculous to trust that person with the decision to share your data. In a very limited way, you kind of expect this (your friend giving your number to someone who they think you'll get along with, or whatever).
This goes a bit sideways on Facebook in two main ways, I think:
1. People are way too fast and loose with who they keep as "friends" on Facebook
2. Facebook has way too much data to warrant a blanket "Yeah, please share -all- of that at once" agreement. Something more granular, like "The phone numbers of your friends who have themselves granted permissions for their friends to share their numbers" would be more reasonable.
> In a very limited way, you kind of expect this (your friend giving your number to someone who they think you'll get along with, or whatever).
I absolutely do not expect this. Nor would I be okay with a friend sharing my number to someone they think I'll get along with. I don't think I'm alone in this either.
The thing here is that "you're on a social network in which your friend is someone you personally trust, then it's not that ridiculous to trust that person with the decision to share your data" does not match the legal expectation. If my friend allows Facebook to give my data to Cambridge Analytica, that does not give Facebook any legal grounds to do that - so as Facebook did it, it would be a violation at least of the current laws (the UK pre-GDPR legislation was more limited). You are required to inform the data subject and, if you use consent as the basis, you're required to get consent from the data subject (or their legal guardian), not some other person, even if that person is their friend or family member. My spouse or parent can't consent to sharing data on my behalf, and any terms and conditions to which they agree can't waive my rights.
Also, it's worth noting that there is a big difference between "your friend giving your number to someone who they think you'll get along with" and your friend sharing your name and number with some company. For GDPR, the first is covered by the "personal activity" clause 2.2(d), and the latter is not, so GDPR applies and the consent of that friend isn't sufficient, i.e. the friend is permitted to click "share"; however, that does not necessarily mean that the company is permitted to use the data shared in this manner. So every company that expects EU users to share their phone contact lists had better be very careful about what they do and how they do it: you can't rely on informing users or getting consent, as you're informing someone else and getting someone else's consent.