Not So Much Missing The Point As Landing On A Completely Different Continent
Social media is dominated by huge US-headquartered mega-corporations, with mottos such as “Move fast and break things” and an attitude to personal data which can best be summarised as, “Find it, grab it, monetise it.” As a result, they are finding it difficult to adjust to the approach of GDPR, and this is never more obvious than when they circulate updated privacy policies in an effort to give at least a veneer of compliance to their use of personal data.
Relatively innocuously, the covering email began:
Then it went off the rails completely:
Please note that under our updated Terms of Service, users in the European Economic Area must be at least 16 years old in order to use Tumblr.
For some reason, the little “heart” emoji made the farrago of misinformation to which it was attached all the more irritating.
First, a few points to clarify “consent.”
For the purposes of GDPR, personal data may only be processed (which includes all acts of using, storing, deleting etc) on one or more legitimate grounds, exhaustively set out in Article 6 GDPR. Tumblr, like all social media platforms, comes into possession of a vast quantity of personal data which, like all social media platforms, it monetises in various non-transparent ways. Accordingly, its interests in collecting the most data and using it in the most flexible manner are directly at odds with the purposes and effect of the GDPR.
For current purposes, it’s worth noting that the principal ground on which Tumblr can possibly rely for processing personal data is “consent of the data subject” which is defined as
any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her
For consent to be valid, it also has to be as easy to withdraw consent as to give it.
Although it is also possible to process personal data provided that is “necessary” either for the formation or performance of a contract with the data subject, or for the legitimate interests of the data controller, provided a due balance is kept with the rights and freedoms of the data subject, these two bases for processing are narrowly drawn and their use in social media contexts has already attracted adverse comment from the EU’s Article 29 Working Party (“WP29”).
By way of expansion upon the WP29 position, Article 7(4) GDPR provides:
When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
To begin with, it displays complete (and probably intentional) confusion about who Tumblr actually is for the purposes of data sharing:
This indicates there will be data gathering through mobile Apps and that there will be sharing across “Tumblr’s other domains” (unspecified) and possibly with Oath group companies (for reasons unspecified.) In the WhatsApp example, sharing of WhatsApp user data among other members of the Facebook group was particularly criticised by WP29.
Data combination from multiple sources is always an issue, and it is a particular concern where, as here, the data controller is part of a large group of companies (Flickr and Yahoo are also under the Oath umbrella) which also provides email and other services.
Anyone with the fortitude to plough further into the Tumblr policy can find out that this is exactly what is planned:
Because we are a wholly-owned subsidiary, Oath and the rest of our family of companies may receive any information we do, and may share information they have with us.
Furthermore, Tumblr also err in pushing the burden on privacy protection onto the user, and requiring pro-active opt-out rather than opt in:
You can keep yourself fairly anonymous on Tumblr, but remember that your posts, blogs, pages, and username are all visible to the public by default. People that know your email address can also find your blogs. If you’d rather be unlisted, head over to your Account Settings.
There is a twee and rather chilling encouragement against privacy and towards openess:
Reblogs, Likes, and Replies are a matter of public record, so if you’re truly ashamed of your desires it’s best to keep them to yourself. But why? Be proud of who you are. You’re beautiful. We’re looking you in the eyes and telling you how beautiful you are.
Further, the level of technical detail collected appears rather excessive for any legitimate interests Tumblr are prepared to share with its data subjects:
Information About User Content: In some cases, we may collect information about content you provide to the Services. For example, when it’s included as part of your images, we may collect information describing your camera, camera settings, or EXIF information.
Information Related to Your Web Browser: We automatically receive and record information from your web browser when you interact with the Services, such as your browser type and version, what sort of device you are using, your operating system and version, your language preference, the website or service that referred you to the Services, the date and time of each request you make to the Services, your screen display information, and information from any cookies we have placed on your web browser (as described below).
Location Information: In some cases we collect and store information about where you are located, such as by converting your IP Address into a rough geolocation. We may also ask you to provide information about your location, for example permission to use your geolocation information from your mobile device to geotag a post. We may use location information to improve and personalize the Services for you, for example by showing you relevant local content.
Information Related to Your Mobile Device: We may collect and store information related to your mobile device. In some cases, we, or Oath (who we use for mobile analytics and other services), may receive, generate, or assign your mobile device a unique identifier for the purposes described above in “Information Related to Use of the Services.”
The key point about personal data is that the data subject has to be a natural person who is “identified or identifiable” so associating a unique identifier with a vast range of geolocationary and device level information is quintessentially making that data subject identifiable.
Apps which capture contact information (information not from the data subject, but from their contacts included in address books stored on the devices the Tumblr apps can interrogate under the above policy) have become notorious in connection with Facebook and Cambridge Analytica, but this does not seem to deter Tumblr:
We won’t look at (or be able to look at) your contact list unless you ask us to. Why would you ask us to? Because that’s how you would find out if any of your contacts are on Tumblr. We discard this information immediately afterward.
The possibility that people who supply their emails to others for limited business purposes may not necessarily want that being used to search whether they also have a Tumblr account devoted to breeding Belgian hares or dressing up as characters from the Rocky Horror Show seems to have sailed blithely over the heads of whoever crafted this policy.
Furthermore, they seem to regard personal data as very much their asset, not the user’s:
They suffer from the familar delusion that information shared publicly over social media loses its character as personal data:
Information Shared with Other Third Parties: We may share or disclose public, aggregate or depersonalized information with people and entities that we do business with.
They also seem to have watered down the “necessity” test in the “legitimate interests” ground under GDPR for processing personal data almost out of existence and still seem to believe that GDPR restrictions on transferring data around the GDPR must yield to American exceptionalism:
Because Tumblr is a US company, your information will be collected and processed in the US. The United States has different laws on data protection and rules in relation to government access to information, and may not have the same data protection safeguards as your home country. You can choose whether or not you want to use our Services. However, if you want to use our Services, you need to agree to our Terms of Service which set out the terms of the contract between us and you. To the extent that Tumblr is deemed to transfer your information outside the EEA, Tumblr relies on the fact that such a transfer is necessary in order to deliver our Services to you, in accordance with the contract between us.
Reader: I deleted my Tumblr account and reported them to the ICO.The main image used for this article is from: Leeds Art Gallery: She-wolf with Romulus and Remus Mosaic & was used under the terms detailed at the above link on the date this article was first published.