However, GDPR has a clause stating that "The data subject shall have the right not to be subject to a decision based solely on automated processing". Which would mean that any EU/EEA citizen should have the right to have the decision reviewed by a human.
Has anyone successfully overturned a banned account using this method?
Now if you don’t believe them then you’d need to take them to court and show why you think that’s not the case.
Which I guess means my question is why don’t you believe them, and how likely is it that they are lying when they claim their appeals are reviewed by a human?
Here's the HN story: https://news.ycombinator.com/item?id=30060405
Screenshots of trying to "appeal" (Request a review) from when I recreated the issue show pretty clearly there is no human involved: https://imgur.com/a/5YHQtLi
This wasn't an account ban, so I don't know how well it fits the GDPR language. Though I'd be surprised if this was somehow the only "fully automated account action" FAANG type companies are doing.
Why would we believe them? It's Google's responsibility to prove their assertion, versus regulators taking them for their (not so good) word. The default should be the assumption that the corporation is being dishonest.
Can just mean some low-paid Amazon Mechanical Turk worker clicked on "Yes".
I could have and maybe should have just let it go, but it really got under my skin. I first tried out of band approaches to contacting somebody there. I didn't reach anybody, and you quickly realize how everybody else on the Internet just assumes you must either be lying or not telling the full story. Maybe it's just acceptable losses while doing business at scale.
So I finally just emailed them a polite GDPR request containing some spiel about Article 15(h), how I have the right to request my personal data, and also have the right to correct any inaccuracies in it, which must be the case since I committed no such fraudulent actions. I also requested a full list of all their data subprocessors, which I couldn't actually find listed anywhere on their site.
I'm not a lawyer, and I don't know if my request hit all the right notes or not. But literally one hour later, I got my account unlocked with a personal apology.
For what it's worth I also let them know that I'm not really looking to circumvent their systems, and I'm sure they have to deal with a lot of bad actors. But there really needs to be a better way to reach somebody to fix things when automated systems go wrong.
I also have the feeling that this approach would fall on deaf ears for big FAANGs, and there really needs to be some high profile ruling to put the fear in them.
I have observed the same. When I evaluate service providers, I'm curious to know how they handle disputes with customers. It's quite depressing to see that on most online forums, it usually goes straight into victim blaming. You must have violated the TOS, you must be doing something sketchy, you're not telling the whole story, you're just holding a grudge so get over it, you're just entitled, etcetera. There's very little sympathy, and no giving benefit of the doubt.
> But literally one hour later, I got my account unlocked with a personal apology.
Congrats! This is a lovely anecdote, thank you so much for sharing.
And I'd note that I am very very certain that I've made mistakes that stupid over the years.
The regulators are useless (especially the Irish one which seems happy to shield big tech scum from having to comply with the law) which confirms my own experience raising complaints with the ICO (the UK privacy regulator).
Yeah, I definitely ignore that law, and I wish 100% of website owners did. It feels to me like 99% of them follow it.
17 companies were fined for GDPR violations just this month. Last year, Amazon was fined €746,000,000, Google €150,000,000, Facebook €60,000,000.
The 60M Facebook fine is a welcome development but my point still stands - how much did Facebook profit from breaching the regulation for the 4 years since it's been in effect? That fine should've had a few extra zeros at the end to actually serve its role, otherwise it's just a very small cost of doing business.
For example, the author you linked to is demanding a portable copy of all his personal data from all sources, which Facebook has no GDPR obligation to give him. He seems to have been misled by a form letter he found, which incorrectly conflates Article 15 data access (isn't required to be portable) and Article 20 data access (isn't required to include data that he didn't initially provide).
GDPR enforcement has been extremely lacking as demonstrated by the web being littered by non-compliant data processing consent forms. A compliant consent form should make the "decline" option as prominent as the "accept" one - the vast majority of services currently don't comply (including big names like Google or Facebook) and entire businesses such as TrustArc have been built on providing non-compliant consent forms as a service.
For GDPR enforcement to be considered serious, the fine amounts should be higher than the profits of companies built on abusing user data. If we look at https://www.enforcementtracker.com/?insights we can see that 1.6 billion euros has been handed out so far over a period of 4 years across the entire EU. How much does Google or Facebook profit in a year?
The entire experience of reporting violations is also a major problem and suggests the regulators (at least the UK one) aren't actually interested in enforcing the regulation. The process with the ICO requires that you first get in touch with the company and try to resolve your concern. This takes time & admin work on your behalf and a malicious actor can drag out the process for months. But let's assume that after you've done that and haven't gotten anywhere, escalating to the ICO merely results in them sending a letter. And when the company ignores that too, guess what happens? Another letter which they will promptly ignore too.
This sets the example that breaching the GDPR does pay, because not only does reporting a violation require so much commitment that the vast majority of people won't bother, but even once the violation is reported, the response from the ICO isn't actually an effective deterrent either.
> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Emphasis mine. This would not include the vast majority of automated bans. It's more meant as a way to prevent e.g. automated police action via algorithmic selection.
One example of a legal effect is cancellation of a contract. Examples of significant effect include automatic refusal of an online credit application, and e-recruiting practices without any human intervention.
Advertising is in scope too: "For example, someone known or likely to be in financial difficulties who is regularly targeted with high interest loans may sign up for these offers and potentially incur further debt."
Pricing is in scope too: "Automated decision-making that results in differential pricing based on personal data or personal characteristics could also have a significant effect if, for example, prohibitively high prices effectively bar someone from certain goods or services."
Finally, there's an example of profiling reducing a credit card limit. "This could mean that someone is deprived of opportunities based on the actions of others."
Anecdotally, getting kicked out of my email account has had far bigger effects on me than having my credit card application rejected.
While not tested by the courts, there is a plausible argument that "similarly significantly affects him or her" might apply to bans that impact your ability to earn a living. So streamers getting banned from YouTube, or AdWords bans for businesses where that's their main source of revenue. Bans that are lower-stakes than that get harder to justify under Article 22.
Even hashes of your email address or payment data should be something you should be able to request they must delete.
If a person revokes consent for their personal data to be used, the data must be deleted if "there is no other legal ground for the processing". But if a data processor has an overriding "legitimate interest" in storing data about you, then they have legal grounds to do so without your consent. The details of this will vary depending on the situation (and the jurisdiction) but, for example, fraud prevention is explicitly called out as a legitimate interest.
https://law.stackexchange.com/questions/37882/google-adwords...
Mostly I’m scared of ‘multifactor’ where email access is considered a form of identity, but I’m not sure what else
I was trying to get my matchmaking data out of Activision Blizzard and they flat out refused, saying my data was their property
their exact response was:
> "the information requested are trade secret and/or intellectual property needed to preserve our game integrity"
I complained to the regulator, who agreed with my assessment, but to enforce it I'd have to go to court
seems the GDPR is basically useless
1. Arguably your matchmaking data is someone else's as well. Meaning, they'd be potentially exposing other people's data to you.
2. Arguably you don't own the matchmaking data. You only own the initial request for matchmaking. The end result is actually a product of their proprietary algorithm. You didn't generate it.
Perhaps it might be a good idea to get in touch with a privacy campaigner, or the European equivalent of the ACLU if one exists, and have them test this in court, because it affects two different and important aspects.
it's privacy theatre, nothing more
> Paragraph 1 shall not apply if the decision...is necessary for...performance of, a contract between the data subject and a data controller
Which I can see applying as they probably have something in the ToS to enforce here.
It also allows automated decision making to comply with EU law. I don't know EU copyright law well enough, maybe Google has a responsibility to take down that data under copyright law and so this exception applies too.
Lots of leeway for FAANG/BigCo management to wriggle out of that one. "Sure, Jones in Legal gets an email notification every time an account is banned and has the option to review it."
I can only imagine the lobbying and "negotiation" that takes place to have legislators water down the requirement for real human beings to review or respond to such bans.