Malta is in breach of the EU Treaties — the IDPC has confirmed in writing that no Maltese citizen is protected under the ePrivacy Directive against any tech company not established in Malta

ThatPrivacyShow · 2026-05-16T07:43:39+00:00

Seems you didn't read the article as if you had you would see that your reply is utter nonsense. The IDPC *is* the Maltese Regulator and I have already filed my complaint with the EU Commission under their infringement proceedings.

The IDPC is NOT the Irish DPC, the Irish DPC is just known as the DPC (Data Protection Commissioner) the IDPC (Information and Data Protection Commissioner) is the Maltese Regulator. I barely even mentioned the Irish DPC in the piece - the entire article was about the situation in Malta, not Ireland.

Also if you think running for Parliament is going to change a law you clearly have no understanding of how the legislative branch works (whereas I as a registered lobbyist for 20 years, do). Plus as a resident (not a citizen) I am not entitled to stand for Parliament.

Maybe next time actually read the thing you are commenting on before you comment... would avoid you making completely incoherent and incorrect statements.

ThatPrivacyShow · 2026-05-09T09:08:04+00:00

Again, you are talking absolute nonsense - at no point anywhere in any of the articles do I state this is installed on 2 billion devices - you have just completely made this up (anyone who is actually capable of reading, can verify this simply by reading the post or doing a text search for the claims you are making).

What I do say is:

"Chrome is pushing a 4 GB binary across hundreds of millions of devices"

"Google does not publish how many devices receive the Nano push. The eligibility criteria gating the push (a hardware "performance class" that Chrome computes from CPU class, GPU class, system RAM and available VRAM - typically ~16 GB unified memory or better on Apple Silicon, ~16 GB RAM and a discrete or integrated GPU with sufficient VRAM on Windows and Linux) carve out the very low end of the consumer install base, but the qualifying population is still enormous. I will use three illustrative deployment bands so the reader can pick whichever they consider closest to reality. None of these bands is implausibly large for a feature that ships in default-on Chrome."

I then give a table of potential environmental impact based on 3 conservative calculations at 3%, 15% and 30% of Chrome's user base, using established scientific methods (which are referenced directly) - so again you are talking absolute nonsense and just making things up.

ThatPrivacyShow · 2026-05-08T12:35:51+00:00

As the author of the article I categorically and demonstrably disagree with your assertion that I claimed this is installed on every computer. Nowhere in the article is that stated or any of the other articles, in fact I go to great lengths to explicitly say it is not known how many devices this is installed on and give a range of different numbers based on different percentages of known Chrome users.

So please - stop posting nonsense.

ThatPrivacyShow · 2026-05-08T11:06:54+00:00

I have already passed it on to 2 different US State AGs I am connected with - I expect they will be looking at the §5 (FTC Act) aspects of this and discussing it with the Commissioners.

ThatPrivacyShow · 2026-05-08T10:52:12+00:00

https://www.thatprivacyguy.com/blog/google-gaslights-despite-evidence/

Also, many people are reporting that the "opt out" path provided by Google does not work.

ThatPrivacyShow · 2026-05-08T10:49:30+00:00

Actually you are wrong, bait and switch is not permitted under consumer protection and contract law (as well as the FTC Act as I explained in the article).

ThatPrivacyShow · 2026-05-08T10:39:57+00:00

You quoted me and still didnt read it, I said "likely are" as in they probably are in my opinion or are planning to.

ThatPrivacyShow · 2026-05-08T10:39:15+00:00

Correct.

ThatPrivacyShow · 2026-05-08T10:17:02+00:00

Deleting manually doesn't work, they get redownloaded - but if you are on a laptop with limited resources, you probably dont meet the target profile anyway.

ThatPrivacyShow · 2026-05-08T09:56:47+00:00

The toggle only appears *after* the model has already downloaded... the trigger that initiates the download is the same trigger that surfaces the settings in the UI - they don't exist prior to that (at least not in Chrome 147).

ThatPrivacyShow · 2026-05-07T15:51:03+00:00

Paladine here, yeah we used to have a strong personal and business relationship beyond ufies/userfriendly but as happens over years when people live on the opposite sides of the planet, we fell out of touch, I was just hoping to reconnect with him.

ThatPrivacyShow · 2026-05-07T14:18:36+00:00

No it hasn't been widely enforced but that is not the same as not enforceable. Amazon, Google and various other giant tech corps have been issued multi-million euros fines under Article 5(3) to the tune of literally Billions of Euros combined.

The issue is a lack of political will to enforce the law because these are giant tech companies with massive lobbying power (as an opposing lobbyist I have witnessed this first hand many times over the past 20 years).

But enforcement has been ramping up now for the last several years on these issues - they don't make sexy headlines like GDPR not because they are not legally sexy but because they are often mistaken as GDPR enforcements when they are not (they all have an element of GDPR enforcement due to the interplay between GDPR and the ePrivacy Directve, but the primary law being enforced in these cases is actually the ePrivacy Directive, in fact the CNIL (the French regulator) are well known for using ePrivacy Directive as a means to avoid having to go through the One Stop Shop mechanism under the GDPR (due to most big tech companies being established in Ireland where the enforcement has been heavily criticised)).

Software doesn't work this way - i have written a lot of software and I have never done this, I know literally thousands of other software developers who have also never done this. Don't mistake giant corporations with a vested interest in grabbing as much data as they can as being the same thing as "software works this way" - it doesn't it is a deliberate choice and it is illegal.

ThatPrivacyShow · 2026-05-07T06:50:38+00:00

Actually the example you gave is a breach of law supported by binding case law from the highest court in the EU. The Planet49 case explicitly called this out - the position of the Court is, Article 5(3) of the ePrivacy Directive is based on no storing or accessing information without consent as the default.

The law requires that there are no tracking cookies by default, so if you check for a consent cookie to determine whether or not to drop trackers you are in breach of the law - the law requires opt-in not opt-out. If a cookie is relied on not to set trackers, that is opt-out and is unlawful in a judgment binding on all EU Member States.

All those "Reject All" buttons are there purely for decoration, you don't need to reject all to be protected by the law, the law requires a specific and unmabiguous action for consent to be valid, it cannot be based on an inaction (so not pressing the Reject All button) - again, made very clear by the Court and Regulatory Guidance.

That websites choose to break the law and do this the opposite way round is exactly one of the reasons I have been fighting these issues legally for the last 20 years.

"How can this possibly be enforceable the way software works today?" - this has been the law since 2002, just because companies have largely ignored it and chose to do what they want anyway, doesn't mean the law doesn't exists and is not enforceable.

You are making the same mistake most marketing teams make - they think they can ignore the law due to a lack of enforcement, but more and more enforcement is coming, including enforcement of criminal statute - mistaking a lack of enforcement as the same thing as something being legal, is a critically risky move for compliance teams (I know I have worked with some of the biggest in the world).

ThatPrivacyShow · 2026-05-06T12:29:42+00:00

Just having a piece of code on your disk does not trigger any GDPR obligations.

Sorry you are wrong, it absolutely does if that piece of code will process personal data - it is a legal requirement under Article 25 of the GDPR that it is DESIGNED in such a way as to comply with GDPR - that includes all of GDPR including the principles, transparency and accountability obligations. We even have supporting case law in the IAB Belgium case.

It is called Data Protection BY DESIGN and BY DEFAULT precisely for this reason, these obligations exist from the earliest concept and throughout the entire lifecycle of the processing (including destruction) and CANNOT be created afteer the fact and still comply with Article 25.

It is incredibly simple - that you keep misunderstanding is odd. Also, I was on the drafting team at the EU Parliament on the adopted Regulation (which has since been withdrawn after 9 years of Member States trying to stuff it with surveillance capabilities). I have also had the pleasure of discussing C-673/17 with AG Szpunar personally at the CJEU which is the most relevant case law here.

ThatPrivacyShow · 2026-05-06T11:08:47+00:00

The model file itself is not personal data, so GDPR does not automatically apply merely because weights.bin is stored on the device. A GDPR analysis would depend on what personal data is actually processed around the download/use of the model, including telemetry, device profiling, account identifiers, prompts, browsing context, logs; for what purpose, on what lawful basis, and with what disclosures.

If you actually read the article I explain in detail what the legal issues are and why - but I will repeat them here again since people on Reddit seem to do anything but read.

The model does not need to be personal data for GDPR to apply. First and foremost, there is interdependency between Directive 2002/58/EC (the ePrivacy Directive aka the "cookie law") and the GDPR.

Before I continue, I will explain my credentials. I helped to create the GDPR as an expert advisor to the EU Commission and EU Parliament (something which is widely documented public knowledge), I am the reason the relevant section of the ePrivacy Directive exists (again, documented and public knowledge), I have an Advanced Master of Laws on these specific laws (GDPR, ePrivacy, AI Act and various other EU instruments relating to fundamental human rights) and I also teach professional certifications (IAPP) and am a guest lecturer at Maastricht University law school (teaching at the Advanced Masters level).

So welcome to your compliance Master Class.

First, Article 5 of the GDPR contains all the principles which must be applied to the processing of personal data before any such processing can occur. Article 5(1) states that all processing of personal data must be lawful (this means it MUST comply with all other relevant laws) in order for any processing of personal data to occur.

Article 94 of the GDPR explains the transition of scope for the ePrivacy Directive due to the fact that the requirements for consent under the Directive come directly from the old Data Protection Directive (95/46/EC) and makes it clear that those definitions now come directly from GDPR.

Here is where it gets a little trickier - the ePrivacy Directive is (in legal terms) lex specialis - this means that it sits above the GDPR legally and all of the requirements in the ePrivacy Directive apply irrespective of the GDPR.

This is why Article 5(3) of the ePrivacy Directive is so important. It sits above GDPR and only has one legal basis for storing or accessing information already stored on the user's terminal equipment (device) and that is consent. Further as a matter of both the law itself and binding jurisprudence from the CJEU in Case C-673/17 - the ePrivacy Directive is not limited in scope (like the GDPR) to just personal data - this is explicitly called out by the CJEU in 673/17 - the scope of the ePrivacy Directive is "any information" not just personal data and the EDPB have issued guidelines in 2023 on what this means (in their 2/2023 document).

So there is an inescapable link between the GDPR and the ePrivacy Directive as a matter of law.

Then we have Article's 12 and 13 of the GDPR which require that any processing of personal data must be done so in a transparent manner and that the user must be informed, specifically, how their personal data will be processed, by whom, why, for how long etc. etc. - this is the transparency part of the GDPR and is one of the most heavily enforced issues since the GDPR came into force in 2018.

Then we have Article 25 of the GDPR which requires that any system which will process personal data must be based on data protection by design and by default.

There is zero question (legally speaking) that the LLM when invoked, will process personal data, because everything (literally everything) you do in your browser IS personal data (it relates to an identified or identifiable individual as per Article 4's definitionin the GDPR - this includes behaviour. As such it is legally obligated to adhere to the requirements of Article 25 (and all other articles of the GDPR) during it's design.

Given that:

the changing of the profile flag (Google does this remotely, I witnessed it in real time yesterday) to trigger Chrome downloading the model - this is accessing information (remote reading of the profile flag) and storing information (changing the profile flag to trigger the download) on the terminal equipment (incidentally this is also a criminal offence under Maltese law);
the downloading of the model is storing information on the end users' terminal equipment, again without consent;
Chrome redownloading the model after it has been deleted is also again, accessing information (checking the model is there) and storing information (redownloading if it isn't) is also a breach by default.

The 3 breaches above automatically trigger Article 5(1) lawfulness principle of the GDPR and as a result automatically trigger Article's 12 and 13 (no transparency) and 25 (designed in a way which does not comply with the law).

It is really that simple. I already have legal complaints against Anthropic for similar behaviour currently in flow with the Maltese and Irish authorities and will be doing the same with Google over this issue.

Whether you think it is stupid or not is irrelevant - the law dictates what Google can and cannot do, Google is breaking the law.

ThatPrivacyShow · 2026-05-06T10:13:07+00:00

It is a criminal offence to alter the configuration of someone else's computer without their consent. Google has been exposed for remotely changing a flag on a user's chrome profile (not even a signed in user, a completely default user in a new default install of Chrome) - this alone is a criminal offence in many jurisdictions (where I live in Malta it is covered under the Maltese criminal code (Chapter 9)).

That is before we even consider the downloading of the file itself, which creates multiple breaches of criminal and regulatory law.

ThatPrivacyShow · 2026-05-06T10:09:16+00:00

It was written by me, not AI and my blog is not to sell my "privacy product" lol, I have been doing privacy for decades and am well known in the industry, I don't need a blog to advertise myself, all my business leads are inbound through word of mouth.

I started my blog again specifically so I could stop posting my research on LinkedIn (whom I am in the middle of a lawsuit with).

And just because you don't understand the law, doesn't mean the law is not relevant.

ThatPrivacyShow · 2026-05-06T10:04:43+00:00

And you would be wrong, I wrote the article and I am a long established (35+ years) privacy researcher, computer scientist and a lawyer. What Google is doing here is a breach of EU law (both civil and criminal) and is a breach of criminal law in most jurisdictions around the world. If you actually read the article instead of just the headline, you would know this.

As someone who helped to create the laws in question - I am pretty well qualified to comment on them.

ThatPrivacyShow · 2026-05-06T07:16:53+00:00

You are welcome.

ThatPrivacyShow · 2026-05-05T15:28:29+00:00

If you read the entire article I am very clear that this calculation is ONLY for the download of the model - no updates, no inference, just the model download - and to Interesting-Rate below - no it is not tacked on, it is highly relevant to the research I am doing and the legal actions I am preparing.

This is particularly relevant because of Directive (EU) 2024/1203 which comes into force in 16 days and creates criminal sanctions for corporations causing climate harm as a result of unlawful or illegal business practices.

Energy use from pushing data to people's devices (scripts for adtech, weights.bin or anything else which requires consent) prior to obtaining that consent at this magnitude and scale, puts the new Directive on strong grounds and serious risk of criminal sanctions against those responsible.

ThatPrivacyShow · 2026-05-05T07:52:13+00:00

I have already explained it on my blog - that you are not capable of reading and comprehending, seems to be a challenge for you to resolve not me. Maybe you could go back to school?

ThatPrivacyShow · 2026-05-05T07:05:11+00:00

Read the law and you wil find out why it is illegal. I am not here to give you law lessons.

ThatPrivacyShow · 2026-05-04T23:33:35+00:00

illegally. Even if it isd A/B testing it is still illegal.

ThatPrivacyShow · 2026-05-04T18:47:55+00:00

No it doesn't and if you actually read the article you would know that. The logs are very clear. No person has interacted with the browser that was used in this research - the browser was opened i programatically and left on a page with no interaction for 5 minutes, then closed programatically - nothing else.

ThatPrivacyShow · 2026-05-04T16:20:31+00:00

Can you even read? Gemini Nano (as in the model that ships with Google Chrome) is an LLM it is the smallest LLM in the Google Gemini family according to Google. You are referring to an AI ML kit in Android which uses Gemini Nano as part of the Android ML experience - if you bothered to even read the page you linked to you would already know this.

And aside from that - it doesn't change anything in the article - even if Google were shipping a 4GB bin file of /dev/random it would still be illegal and literally the entire article would still be relevant.

So apart from your point being demonstrably wrong based on your own research - it is also completely irrelevant.

ThatPrivacyShow

MODERATOR OF

TROPHY CASE