“Privacy advocate Alexander Hanff has filed a complaint with the Irish Data Protection Commission (DPC) challenging YouTube’s use of JavaScript code to detect the presence of ad blocking extensions in the browsers of website visitors,” writes long-time Slashdot reader Dotnaught. “He claims that under Europe’s ePrivacy Directive, YouTube needs to ask permission to run its detection script because it’s not technically necessary. If the DPC agrees, it would be a major win for user privacy.” The Register reports: Asked how he hopes the Irish DPC will respond, Hanff replied via email, “I would expect the DPC to investigate and issue an enforcement notice to YouTube requiring them to cease and desist these activities without first obtaining consent (as per [Europe’s General Data Protection Regulation (GDPR)] standard) for the deployment of their -spyware- detection scripts; and further to order YouTube to unban any accounts which have been banned as a result of these detections and to delete any personal data processed unlawfully (see Article 5(1) of GDPR) since they first started to deploy their -spyware- detection scripts.”
Hanff’s use of strikethrough formatting to acknowledges the legal difficulty of using the term “spyware” to refer to YouTube’s ad block detection code. The security industry’s standard defamation defense terminology for such stuff is PUPs, or potentially unwanted programs. Hanff, who reports having a Masters in Law focused on data and privacy protection, added that the ePrivacy Directive is lex specialis to GPDR. That means where laws overlap, the specific one takes precedence over the more general one. Thus, he argues, personal data collected without consent is unlawful under Article 5(1) of GDPR and cannot be lawfully processed for any purpose.
With regard to YouTube’s assertion that using an ad blocker violates the site’s Terms of Service, Hanff argued, “Any terms and conditions which restrict the legal rights and freedoms of an EU citizen (and the point of Article 5(3) of the ePrivacy Directive is specifically to protect the fundamental right to Privacy under Article 7 of the Charter of Fundamental Rights of the European Union) are void under EU law.” Therefore, in essence, “Any such terms which restrict the rights of EU persons to limit access to their terminal equipment would, as a result, be void and unenforceable,” he added.
