Prominent YouTuber Claims Brave’s BAT Payments System Violates GDPR
Prominent YouTube personality Tom Scott has accused Brave, the adblock browser, of unethical and possibly illegal behavior by collecting BAT donations on his behalf from viewers without his knowledge or consent. Writing in a Twitter thread posted on December 21, Scott stated that Brave is essentially obtaining money under false pretexts from users because he has not authorized the platform to collect donations on his behalf.
In what could be a major embarrassment for the company, which has campaigned against anti-competitive behavior by Facebook and Google, he also alleged that the company may be in violation of the EU’s General Data Protection Regulation (GDPR) by keeping profiles unknown and assigning donations without consent.
This warning is prompted by a company called Brave, who’ve been taking cryptocurrency donations “for me”, using my name and photo, without my consent. I asked them not to, and to refund anyone who’s donated; they said “we’ll see what we can do” and that “refunds are impossible”.
— Tom Scott (@tomscott) December 21, 2018
Scott Goes After Brave
Stating his initial grievance, he wrote:
This warning is prompted by a company called Brave, who’ve been taking cryptocurrency donations “for me”, using my name and photo, without my consent. I asked them not to, and to refund anyone who’s donated; they said “we’ll see what we can do” and that “refunds are impossible”. So if you thought you’d donated to me through Brave, the money (or their pseudo-money) will not reach me, and Brave’s terms say they may choose to just keep it themselves. It looks like they’re ‘providing this service’ for every creator on every platform. No opt-in, no consent.
Continuing, Scott said that he asked Brave for an explanation of how the practice of holding profile data on people and assigning donations to them without their knowledge is not in violation of GDPR. At this point, he said, the contact person he was speaking to at Brave simply stopped replying to his emails. According to him, Brave believes that enrolling every creator into the BAT system without an opt-out choice and holding donations made to them without their consent is in compliance with privacy laws – a claim he disagrees with.
He also stated that Brave’s basis for this position – that a domain name or YouTube channel URL is not personally identifiable information – is “clearly” contestable because GDPR rules such information as his property. Despite a move by Brave to clarify their policies and consider giving creators the choice to opt in or out, Scott expressed dissatisfaction with the situation because Brave can still obtain and hold donations on behalf of creators like him by default without their permission.
Concluding his thread, Scott revealed that he has sent a formal right-to-be-forgotten request to Brave under the GDPR data ownership framework, as well as a request that all records of any donations collected on his behalf be deleted. Both of these requests, he said, have been acknowledged by Brave, which now has a month to reply under GDPR rules.
Update 12/29: Brave responded to CCN’s request for comment with a lengthy rebuttal of Scott’s claims. A lightly edited portion of their response is below:
Brave not only complies with the General Data Protection Regulation, it also advocates for privacy standards that go even farther.
The article mistakenly uses the term “personally identifiable information” (PII). PII is not a term of European Data Protection Law, and defines a far narrower set of data than the correct term, which is “personal data”. Discussing PII in the context of the GDPR risks confusing the lower standards of protection with which PII are associated with the higher standard that personal data is associated with.
Regarding domain names (URLs), any that contain names may or may not pass the test of what is personal data in Article 4, paragraph 1, of the GDPR. Even so, Brave will treat them as if they are personal data.
The article mistakenly claims that the “GDPR rules such information as his property”, and refers to a “GDPR data ownership framework”. The article’s reference to “ownership” is incorrect; there is no such “ownership framework.” In fact, personal data are protected under the European Charter as a Fundamental Right. Personal data are not property and cannot be transacted away as mere goods. The GDPR does not assign property rights. Rather, Chapter III of the GDPR provides that a data subject has data rights. This is fundamental to the rights protected by the GDPR.
If you are a creator who has a YouTube or Twitch account, or owns a website, Brave has a function that allows you to automatically receive gifts of BAT from Brave itself, and from your visitors. (You can also see our recent update following feedback, which includes considering switching the default so users cannot tip or donate to unverified creators: https://brave.com/rewards-update/). Brave tallies BAT donations to each website and YouTube channel anonymously. If some of the names of these websites and channels happen to contain people’s names, then we shall treat these URLs as personal data. Brave will delete records of YouTube channels or websites that contain names at the request of their owners. A creator can contact Brave’s data protection officer ([email protected]) if they wish Brave to do this, and stop BAT gifts from Brave and donations from users.
The Brave browser is designed not to know who you are, or what sites you visit. Brave does not record users’ browsing history on its servers. Brave does not write any personal data to the blockchain. Indeed, the only way a user’s data is stored by Brave is if the user has switched on Brave Rewards or Brave Sync. If a user switches on Brave Rewards they are assigned a wallet, and all of their transactions are anonymous. If a user switches on Brave Sync then they save bookmarks and passwords in an encrypted file on a cloud storage service, and the user keeps the sole decryption key.
As stated above, Brave advocates for privacy standards that go even farther than the GDPR. Our open letter to the 28 EU Member State Governments is part of our work to press for enhanced privacy protections in the ePrivacy Regulation.
In recent months, our CEO called on the US Senate in an open letter to propose GDPR-like standards in the United States, and our open letter to the US National Telecommunications and Information Administration makes the case for US federal privacy law that builds on the GDPR.
In Europe, Brave, together with the Open Rights Group, prompted a GDPR investigation by privacy regulators to investigate and end the massive data breach at the heart of adtech.