Not So Much Missing The Point As Landing On A Completely Different Continent | Susan Hall · IP/ICT Lawyer

Not So Much Missing The Point As Landing On A Completely Different Continent

Leeds Art Gallery: She-wolf with Romulus and Remus Mosaic

Social media is dominated by huge US-headquartered mega-corporations, with mottos such as “Move fast and break things” and an attitude to personal data which can best be summarised as, “Find it, grab it, monetise it.” As a result, they are finding it difficult to adjust to the approach of GDPR, and this is never more obvious than when they circulate updated privacy policies in an effort to give at least a veneer of compliance to their use of personal data.

Tumblr’s revised privacy policy arrived in my inbox recently. Both their introducing email and the accompanying Privacy Policy have a relationship to the General Data Protection Regulation reminiscent of those mediaeval manuscripts or Roman mosaics where a lion or a wolf is drawn by someone who’d never actually seen one, but who had met someone once in a bar who’d mentioned in passing what one looked like. See illustration above for the kind of thing I mean.

Relatively innocuously, the covering email began:

We’re now taking this opportunity to update the Tumblr Terms of Service and European Privacy Policy which outline the rules for using Tumblr and our relationship with you. If you are located in the European Union (EU) or the European Economic Area (EEA), the European Privacy Policy applies to you. We’ve made it available in your preferred language on this page.

The updates are part of our work to comply with the new General Data Protection Regulation. These updates help you better understand how we collect and manage your data. As of 25 May 2018, you will be given the opportunity to more easily control your data. You can learn more about these controls in our European Privacy Policy.

Then it went off the rails completely:

The updated Terms of Service and Privacy Policy go into effect on 25 May 2018. If you continue to use Tumblr on or after 25 May 2018, you are agreeing to the updated Terms of Service and our use of your data as set out in our Privacy Policy. If you don’t want the updated Terms of Service and Privacy Policy to apply to you, you can delete your account and stop using Tumblr.

Please note that under our updated Terms of Service, users in the European Economic Area must be at least 16 years old in order to use Tumblr.


For some reason, the little “heart” emoji made the farrago of misinformation to which it was attached all the more irritating.

First, a few points to clarify “consent.”

For the purposes of GDPR, personal data may only be processed (which includes all acts of using, storing, deleting etc) on one or more legitimate grounds, exhaustively set out in Article 6 GDPR. Tumblr, like all social media platforms, comes into possession of a vast quantity of personal data which, like all social media platforms, it monetises in various non-transparent ways. Accordingly, its interests in collecting the most data and using it in the most flexible manner are directly at odds with the purposes and effect of the GDPR.

For current purposes, it’s worth noting that the principal ground on which Tumblr can possibly rely for processing personal data is “consent of the data subject” which is defined as

any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

For consent to be valid, it also has to be as easy to withdraw consent as to give it.

Although it is also possible to process personal data provided that is “necessary” either for the formation or performance of a contract with the data subject, or for the legitimate interests of the data controller, provided a due balance is kept with the rights and freedoms of the data subject, these two bases for processing are narrowly drawn and their use in social media contexts has already attracted adverse comment from the EU’s Article 29 Working Party (“WP29”).

Before adopting its “take it or leave it” approach (“If you don’t want the updated Terms of Service and Privacy Policy to apply to you, you can delete your account and stop using Tumblr”) Tumblr would have done well to read the correspondence between WhatsApp and WP29, and in particular the letter of 24 October 2017 from the Chair of WP29 to the CEO of WhatsApp, in which the shortcomings of this approach to privacy are laid bare:

As regards the requirement for consent to be ‘freely given’, the WP29 notes the pre-eminence of WhatsApp’s messaging service amongst other similar services, and the extent to which Facebook’s social networking service is embedded into the digital lives of European citizens. The means by which WhatsApp sought to introduce its updated terms of service and privacy policy has, however, effectively resulted in WhatsApp adopting a “take it or leave it” approach in which users either signal their ‘consent’ to the sharing of data or they are unable to avail themselves of WhatsApp’s messaging service: “If you do not agree to our Privacy Policy, as amended, you must stop using our services”. For this reason, and having regard to the particular circumstances of this case, the WP29 considers that consent could not be freely given by WhatsApp users in the absence of sufficiently granular user controls allowing for an appropriate level of control over the sharing of the data.

By way of expansion upon the WP29 position, Article 7(4) GDPR provides:

When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Even a fairly cursory read of the new Tumblr Privacy Policy (which goes on for several thousand repetitive words) shows it to be manifestly unfit for the post 25 May regime, and, for that matter, seriously deficient on current law.

To begin with, it displays complete (and probably intentional) confusion about who Tumblr actually is for the purposes of data sharing:

This policy regarding our privacy practices (the “Privacy Policy”) describes how we treat the information we collect or receive when you visit and use (the “Site”) and/or Tumblr’s other domains, products, advertising products, services, and/or content, including our iOS and Android mobile applications (collectively with the Site, the “Services”). Tumblr, along with Yahoo, is now part of Oath, a digital and mobile media company with more than 50 brands globally, and a member of the Verizon family of companies . The way we handle your information hasn’t changed, so this Privacy Policy still governs when you are on Tumblr, using a Tumblr app or interacting with our products, services or technologies. This Privacy Policy does not apply to the practices of other Oath affiliates or companies which Oath does not own or control.

This indicates there will be data gathering through mobile Apps and that there will be sharing across “Tumblr’s other domains” (unspecified) and possibly with Oath group companies (for reasons unspecified.) In the WhatsApp example, sharing of WhatsApp user data among other members of the Facebook group was particularly criticised by WP29.

Data combination from multiple sources is always an issue, and it is a particular concern where, as here, the data controller is part of a large group of companies (Flickr and Yahoo are also under the Oath umbrella) which also provides email and other services.

Anyone with the fortitude to plough further into the Tumblr policy can find out that this is exactly what is planned:

Because we are a wholly-owned subsidiary, Oath and the rest of our family of companies may receive any information we do, and may share information they have with us.

Furthermore, Tumblr also err in pushing the burden on privacy protection onto the user, and requiring pro-active opt-out rather than opt in:

You can keep yourself fairly anonymous on Tumblr, but remember that your posts, blogs, pages, and username are all visible to the public by default. People that know your email address can also find your blogs. If you’d rather be unlisted, head over to your Account Settings.

There is a twee and rather chilling encouragement against privacy and towards openess:

Reblogs, Likes, and Replies are a matter of public record, so if you’re truly ashamed of your desires it’s best to keep them to yourself. But why? Be proud of who you are. You’re beautiful. We’re looking you in the eyes and telling you how beautiful you are.

Further, the level of technical detail collected appears rather excessive for any legitimate interests Tumblr are prepared to share with its data subjects:

Information About User Content: In some cases, we may collect information about content you provide to the Services. For example, when it’s included as part of your images, we may collect information describing your camera, camera settings, or EXIF information.

Information Related to Your Web Browser: We automatically receive and record information from your web browser when you interact with the Services, such as your browser type and version, what sort of device you are using, your operating system and version, your language preference, the website or service that referred you to the Services, the date and time of each request you make to the Services, your screen display information, and information from any cookies we have placed on your web browser (as described below).

Location Information: In some cases we collect and store information about where you are located, such as by converting your IP Address into a rough geolocation. We may also ask you to provide information about your location, for example permission to use your geolocation information from your mobile device to geotag a post. We may use location information to improve and personalize the Services for you, for example by showing you relevant local content.

Information Related to Your Mobile Device: We may collect and store information related to your mobile device. In some cases, we, or Oath (who we use for mobile analytics and other services), may receive, generate, or assign your mobile device a unique identifier for the purposes described above in “Information Related to Use of the Services.”

The Privacy Policy displays a mastery of giving with one hand, and taking away with the other:

Our cookies do not, by themselves, contain information that directly identifies you, and we don’t combine the general information collected through cookies with other such information to tell us who you are. However, we do use cookies to identify that you have logged in, and that your web browser has accessed the Services, and we may associate that information with your Account if you have one. We may also store unique or near-unique identifiers that we associate with your Account in our cookies.

The key point about personal data is that the data subject has to be a natural person who is “identified or identifiable” so associating a unique identifier with a vast range of geolocationary and device level information is quintessentially making that data subject identifiable.

Apps which capture contact information (information not from the data subject, but from their contacts included in address books stored on the devices the Tumblr apps can interrogate under the above policy) have become notorious in connection with Facebook and Cambridge Analytica, but this does not seem to deter Tumblr:

We won’t look at (or be able to look at) your contact list unless you ask us to. Why would you ask us to? Because that’s how you would find out if any of your contacts are on Tumblr. We discard this information immediately afterward.

The possibility that people who supply their emails to others for limited business purposes may not necessarily want that being used to search whether they also have a Tumblr account devoted to breeding Belgian hares or dressing up as characters from the Rocky Horror Show seems to have sailed blithely over the heads of whoever crafted this policy.

Furthermore, they seem to regard personal data as very much their asset, not the user’s:

Should we happen to get acquired (again!) or go out of business (no way), the transfer of assets from us to our buyer may very well include user information. They are allowed to use it only in the ways outlined here, in the Privacy Policy you are reading right now.

They suffer from the familar delusion that information shared publicly over social media loses its character as personal data:

Information Shared with Other Third Parties: We may share or disclose public, aggregate or depersonalized information with people and entities that we do business with.

They also seem to have watered down the “necessity” test in the “legitimate interests” ground under GDPR for processing personal data almost out of existence and still seem to believe that GDPR restrictions on transferring data around the GDPR must yield to American exceptionalism:

Because Tumblr is a US company, your information will be collected and processed in the US. The United States has different laws on data protection and rules in relation to government access to information, and may not have the same data protection safeguards as your home country. You can choose whether or not you want to use our Services. However, if you want to use our Services, you need to agree to our Terms of Service which set out the terms of the contract between us and you. To the extent that Tumblr is deemed to transfer your information outside the EEA, Tumblr relies on the fact that such a transfer is necessary in order to deliver our Services to you, in accordance with the contract between us.

Reader: I deleted my Tumblr account and reported them to the ICO.

The main image used for this article is from: Leeds Art Gallery: She-wolf with Romulus and Remus Mosaic & was used under the terms detailed at the above link on the date this article was first published.