General Data Protection Regulation (“GDPR”)


Everything related to the #GDPR is discussed here. This is the first and only community specifically for GDPR topics which is decentralized and outside of walled-gardens. #EDPB recommendations and guidance can and should also be discussed here.

For the moment, chatter on the similar California Consumer Privacy Act (CCPA) could be discussed at least until the volume of messages compels us to split it into a separate community.

1

Utility companies, telecoms, and banks all want consumers to register on their website so they do not have to send paper invoices via snail mail. When I started the registration process, the first demand was for an e-mail address.

Is that really necessary? They would probably argue that they need to send notifications that a new invoice has been prepared. I would argue that e-mail should be optional because:

  • They could send SMS notifications instead, if a data subject would prefer that.
  • They need not send any notification at all, in fact. Reminders are why calendars and alarm clocks exist. A consumer can log in and fetch their invoice on a schedule. If a consumer neglects to log in during a certain window of time, the data controller could send a paper invoice (which is what they must do for offline customers anyway).

They might argue that they need an email for password resets. But we could argue that SMS or paper mail can serve that purpose as well.

Does anyone see any holes in my legal theory? Any justification for obligatory email address disclosure that I am missing?

2

Yikes.

“In the adequacy decision, the European Commission estimated that the U.S. ensures a level of protection for personal data transferred from the EU to U.S companies under the new framework that is essentially equivalent to the level of protection within the European Union.” (emphasis added)

Does the EU disregard the Snowden revelations?

And what a missed opportunity. California specifically has some kind of GDPR analogue, so it might be reasonable if CA specifically were to satisfy an adequacy decision (still a stretch), but certainly not the rest of the country. Such a move could have motivated more US states to do the necessary.

I must say I’ve lost some confidence and respect for the #GDPR.

3

People are often told if their data is published, they have no expectation of privacy. But I found an interesting gem in the EDPB Guidelines of 04/2019 which counters that to some degree:

  1. Even in the event that personal data is made available publicly with the permission and understanding of a data subject, it does not mean that any other controller with access to the personal data may freely process it themselves for their own purposes – they must have their own legal basis.²⁰

²⁰See Case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland no. 931/13.

IMO, that means #AI bots cannot exploit openly public data if it’s data that’s personal to a European or someone residing in Europe.

4

Just a pro tip if you want to build a case against a data controller: when they ignore your GDPR request, don’t simply send them a reminder. Instead, send them a new Article 15 request demanding records on how your previous request was handled. This way when you build a case against them, you can tack on yet another Article 15 violation when they also ignore your request for information about how they handled your request.

Not that it matters.. the GDPR isn’t really being enforced. When the DPA ignores your complaint, you’re basically stuffed anyway.

5

cross-posted from: https://sopuli.xyz/post/12558862

So here’s a disturbing development. Suppose you pay cash to settle a debt or to pay for something in advance, where you are not walking out of the store with a product. You obviously want a receipt on the spot proving that you handed cash over. This option is ending.

It’s fair enough that France wants to put a stop to people receiving paper receipts they don’t want, which then litter the street. But it’s not just an environmental move; there is a #forcedDigitalTransformation / #warOnCash element to this. From the article:

In Belgium: since 2014, merchants can choose to provide a paper or digital receipt to their customers, if they¹ request it.

What if I don’t agree to share an email address with a creditor? What if the creditor uses Google or Microsoft for email service, and I boycott those companies? Boycotting means not sharing any data with them (because the data is profitable). IIUC, the Belgian creditor can say “accept our Microsoft-emailed receipt or fuck off.” If you don’t carry a smartphone that is subscribed to a data plan, and trust a smartphone with email transactions, then you cannot see that you’ve received the email before you leave after paying cash. Even if you do have a data plan and are trusting enough to use a smartphone for email, and you trust all parties handling the email, there is always a chance the sender’s mail server is graylisted, which means the email could take a day to reach you. Not to mention countless opportunities for the email to fail or get lost.

It’s such a fucked up idea to let merchants choose. If it’s a point of sale, then no problem… I can simply walk if they refuse a paper receipt (though even that’s dicey because I’ve seen merchants refuse instant returns after they’ve put your money in the cash register).

But what about creditors? If you owe a debt and the transaction fails because they won’t give you a paper receipt and you won’t agree to info sharing with a surveillance advertiser, then you can be treated as a delinquent debtor.

Google, Facebook, Amazon, and Microsoft must be celebrating these e-receipts because they have been working quite hard to track people’s offline commerce.

It’s obviously an encroachment of the data minimisation principle under the GDPR. More data is being collected than necessary.

¹ This is really shitty wording. Who is /they/? If it’s the customer, that’s fine. But in that case, why did the sentence start with “merchants can choose…”? Surely it can only mean merchants have the choice if they make a request to regulators.

6

This is a seriously big loophole. Paraphrasing the various positions:

Data Controller:

“data collection is legal because we have a contract with the data subject” (iow, they claim Art.6.1(b) as the legal basis for processing)

Data Subject:

“There is no contract. I did not agree to a contract.”

Supervisory Authority:

“we do not act on contract issues”

EDPB:

“the scope of the GDPR does not include harmonization of national provisions of contract law”

I’m not finding it ATM, but somewhere in the GDPR or EDPB guidelines it says something to the effect of contract law varying across all member states, and therefore the GDPR is not applicable to contract matters and the validity of contracts cannot be assessed.

So, WTF? It’s a blatant abuse flying in the face of the GDPR when a data controller simply falsely claims a contract is in play. Since the SAs opt-out of regulating contract cases, this leaves data subjects with only direct court action.

7

I often give fake info as an extra measure of data protection. If I don’t need the data controller to have my date of birth, I give a fake one.

Well this just screwed me because I made an access request and the data controller said: to verify your identity, tell us your date of birth. Fuck me. I didn’t keep track of which fake date I gave them. I didn’t even keep track of whether I gave fake info. So they could treat my otherwise legit request as a breach attempt.

I should have kept track of the birth date I supplied. I will; from now on.

8

cross-posted from: https://beehaw.org/post/12170575

The GDPR has some rules that require data controllers to be fair and transparent. EDPB guidelines further clarify in detail what fairness and transparency entails. As far as I can tell, what I am reading strongly implies a need for source code to be released in situations where an application is directly executed by a data subject and the application also processes personal data.

I might expand on this more, but I’m looking for information about whether this legal theory has been analyzed or tested. If anyone knows of related court opinions or rulings, or even some NGO’s analysis on this topic, I would greatly appreciate a reference.

#askFedi

9

This is interesting but quite unfortunate. As individuals we often spot #GDPR infringements in situations where we are not a victim. The GDPR does not empower us to act with any slight expectation of getting results. There is no reporting mechanism and no remedial correction if the complainant’s own personal data was not mishandled. No Article 77 possibility.

Paragraph 2 page 3:

The GDPR does not explicitly define what constitutes a complaint but Article 77 gives a first understanding providing that “every data subject shall have the right to lodge a complaint (…) if the data subject considers that the processing of personal data relating to him or her infringes this Regulation”.

Page 4 examples of non-complaints:

  • a suggestion made by a natural person that he or she thinks that a particular company is not compliant with the GDPR as long as he or she is not among the data subjects.

There is a hack but it’s purely the DPA’s discretion whether to act. From page 5:

The supervisory authority may act upon its own motion (ex officio), e.g., after being “informed otherwise of situations that entail possible infringements”⁶ (e.g. by the press, another administration, a court, or another private company, a hint by a natural person which is however not a complaint within the meaning of Article 77).

So a natural person can tattle (tip off) the DPA but the DPA can simply ignore it. If the DPA feels like it, they can act on it as their own initiative (not under Art.77), which means the whistle blower can (and likely will) be kept out of the loop and in the dark. So such reports might as well be sent anonymously. And if it’s not a big interesting case (e.g. involving a tech giant), it’s probably unlikely a DPA will act.

Why this is a problem

I often want to engage with a data controller but their procedures demand irrelevant info in violation of data minimisation. In principle I should be able to use a corrective process to make the data controller compliant before I engage them. There is no useful mechanism unless a prospective data subject partakes in subjecting themselves to a breach (self-harm) before filing an Art.77 complaint.

10

cross-posted from: https://links.hackliberty.org/post/125466

My credit card issuer apparently never gets to know what I purchased at stores, cafes, & restaurants -- and rightfully so. The statement just shows the shop name, location, and amount.

Exceptionally, if I purchase airfare the bank statement reveals disclosures:

  • airline who sold the ticket
  • carrier
  • passenger name
  • ticket number
  • city pairs

So that’s a disturbing over-share. In some cases the airline is a European flag carrier, so IIUC the GDPR applies, correct? Doesn’t this violate the data minimization principle?

Airlines no longer accept cash, which is also quite disturbing (and illegal in jurisdictions where legal tender must be accepted when presented for PoS transactions).

Has anyone switched to using a travel agent just to be able to pay cash for airfare?

UPDATE

A relatively convincing theory has been suggested in this other cross-posted community:

https://links.hackliberty.org/comment/414338

Apparently it’s because credit cards offer travel insurance & airlines have incentive to have another insurer involved. Would be useful if this were documented somewhere in a less refutable form.

11

This is a FOSS tool that enables people to check a website for #GDPR compliance.

12
submitted 6 months ago* (last edited 6 months ago) by freedomPusher@sopuli.xyz to c/gdpr@sopuli.xyz

#poll

13

Every 4 years the Commission is willing to hear from individuals as to whether the GDPR is working. It’s obviously not working one bit for those of us who actually attempt to exercise our #GDPR rights.

That link goes to a PDF which contains a link to another PDF, which is a questionnaire that can be emailed to the Commission. The email address they give is not on a Google or MS server, thus apparently usable.

Note that the questionnaire mentions a deadline of 18 November 2023, but that was for feedback from select groups. The deadline for the general public is 8 Feb.

14

The #GDPR protects everyone inside the EU (regardless of citizenship) + also EU citizens who are outside of the EU.

So what happens when you have:

EU citizen outside the EU → Cloudflare (the closest server) → EU website

?

CF’s closest server would usually not be in the EU in this case. The GDPR generally bans personal data being stored outside the EU. As far as anyone knows this is data in transit not storage. But we really don’t know that. We don’t know what Cloudflare collects and stores.

In principle, European websites that use Cloudflare should have the proxy server restricted to EU locations and under EU regulation. Correct?

15

In answering this question, this seems to be relevant:

GDPR Art.7(3):

…It shall be as easy to withdraw as to give consent.

^ If you can no longer login to easily withdraw consent because they started blocking your connection, Art.7(3) would apparently be unsatisfied.

EDPB Guidelines 01/2022 pg.21 ¶53:

The EDPB encourages the controllers to provide the most appropriate and user-friendly communication channels, in line with Art.12(2) and Art.25, to enable the data subject to make an effective request.

^ Blockades against platforms, tools, mechanisms that users rely on would seem to be “user-unfriendly”, though it’s unclear if their meaning of “user friendly” is broad enough to have this interpretation.

EDPB Guidelines 01/2022 pg.23 ¶63:

The controllers must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR.

^ Creating new access restrictions would seem to fail to re-use the original authentication procedure.

Data controllers often tend to start blocking Tor and/or VPNs spontaneously without warning. That seems to violate the rules of informed consent. That is, the data subject consented to the processing of their data by website A, but when website A made a significant material change (i.e. blocking Tor/VPNs), it effectively changes the deal the data subject thought they were consenting to. EDPB Guidelines 05/2020 pg.23 ¶110 seem to capture this:

There is no specific time limit in the GDPR for how long consent will last. How long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject. If the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained.

So IIUC, the data controller must warn you before blocking your access to their service and give you a chance to withdraw your consent. This assumes we can interpret the IT infrastructure of the data controller as part of the “processing operations”.

I get the feeling the EDPB has not exactly nailed the scenario of Tor/VPN blockades, so we are left with picking through scraps somewhat out of context to get an idea of how this would go in court.

Are there any more relevant decisive guidelines from the EDPB that I’ve missed?