
General Data Protection Regulation (“GDPR”)

Giving fake info can compromise your GDPR access rights

I often give fake info as an extra measure of data protection. If I don’t need the data controller to have my date of birth, I give a fake one. Well, this just screwed me because I made an access request and the data controller said: to verify your identity, tell us your date of birth. Fuck me. I didn’t keep track of which fake date I gave them. I didn’t even keep track of whether I gave fake info. So they could treat my otherwise legit request as a breach attempt. I should have kept track of the birth date I supplied. I will, from now on.

(EU+UK) Legal theory that closed-source software inherently undermines or violates the GDPR in some situations

cross-posted from: https://beehaw.org/post/12170575

> The GDPR has some rules that require data controllers to be fair and transparent. EDPB guidelines further clarify in detail what fairness and transparency entails. As far as I can tell, what I am reading strongly implies a need for source code to be released in situations where an application is directly executed by a data subject and the application also processes personal data.
>
> I might expand on this more but I’m looking for information about whether this legal theory has been analyzed or tested. If anyone knows of related court opinions, rulings, or even some NGO’s analysis on this topic I would greatly appreciate a reference.
>
> #askFedi

No whistle-blowing, according to EDPB internal doc: If you discover a GDPR violation but your own personal GDPR rights were not infringed, an Art.77 complaint is inadmissible https://edpb.europa.eu/system/files/2022-07/internal_edpb_document_062020_on_admissibility_and_preliminary_vetting_of_complaints_en.pdf#page=3

This is interesting but quite unfortunate. As individuals we often spot #GDPR infringements in situations where we are not a victim. The GDPR does not empower us to act with any slight expectation of getting results. There is no reporting mechanism and no remedial correction if the complainant’s own personal data was not mishandled. No Article 77 possibility.

Paragraph 2, page 3:

> The GDPR does not explicitly define what constitutes a complaint but Article 77 gives a first understanding providing that “every data subject shall have the right to lodge a complaint (…) if the data subject considers that the processing of personal data relating to him or her infringes this Regulation”.

Page 4, examples of non-complaints:

> - a suggestion made by a natural person that he or she thinks that a particular company is not compliant with the GDPR as long as he or she is not among the data subjects.

There is a hack, but it’s purely the DPA’s discretion whether to act. From page 5:

> The supervisory authority may act upon its own motion (ex officio), e.g., after being “informed otherwise of situations that entail possible infringements” [6] (e.g. by the press, another administration, a court, or another private company, a hint by a natural person which is however not a complaint within the meaning of Article 77).

So a natural person can tattle (tip off) the DPA but the DPA can simply ignore it. If the DPA feels like it, they can act on it as their own initiative (not under Art.77), which means the whistleblower can (and likely will) be kept out of the loop and in the dark. So such reports might as well be sent anonymously. And if it’s not a big interesting case (e.g. involving a tech giant), it’s probably unlikely a DPA will act.

Why this is a problem
---

I *often* want to engage with a data controller but their procedures demand irrelevant info in violation of data minimisation. In principle I should be able to use a corrective process to make the data controller compliant before I engage them. There is no useful mechanism unless a prospective data subject partakes in subjecting themself to a breach (self harm) before filing an Art.77 complaint.

EDPB launches FOSS website auditing tool for GDPR compliance https://edpb.europa.eu/news/news/2024/edpb-launches-website-auditing-tool_en

This is a FOSS tool that enables people to check a website for #GDPR compliance.

(poll) Are DPAs getting you justice under the GDPR? https://blobfox.coffee/@armchairFossarian/111833536447353831

#poll

Individuals unable to get GDPR justice -- there’s an opportunity to complain to the Commission before Feb.8 ec.europa.eu

Every 4 years the Commission is willing to hear from individuals as to whether the GDPR is working. It’s obviously not working one bit for those of us who actually attempt to exercise our #GDPR rights. That link goes to a PDF which contains a link to another PDF which is a questionnaire that can be emailed to the Commission. The email address they give is not on a Google or MS server, thus apparently usable. Note that the questionnaire mentions a deadline of 18 November 2023, but that was for feedback from select groups. The deadline for the general public is 8 Feb.

An EU citizen outside of the EU accesses an EU website via Cloudflare → GDPR violation or loophole?

The #GDPR protects everyone inside the EU (regardless of citizenship) and also EU citizens who are outside of the EU. So what happens when you have: EU citizen outside the EU → Cloudflare (the closest server) → EU website? CF’s closest server would usually not be in the EU in this case. The GDPR generally bans personal data being stored outside the EU. As far as anyone knows this is data in *transit*, not *storage*. But we really don’t know that. We don’t know what Cloudflare collects and stores. In principle, European websites that use Cloudflare should have the proxy server restricted to EU locations and under EU regulation. Correct?

When a data controller introduces new access restrictions (such as blocking Tor or VPNs), does that violate the GDPR? (YES it does IMO; but more analysis needed)

In answering this question, this seems to be relevant:

GDPR Art.7(3):

> …It shall be as easy to withdraw as to give consent.

^ If you can no longer log in to easily withdraw consent because they started blocking your connection, Art.7(3) would apparently be unsatisfied.

EDPB Guidelines 01/2022 pg.21 ¶53:

> The EDPB encourages the controllers to provide the most appropriate and user-friendly communication channels, in line with Art.12(2) and Art.25, to enable the data subject to make an effective request.

^ Blockades against platforms, tools, mechanisms that users rely on would seem to be “user-unfriendly”, though it’s unclear if their meaning of “user friendly” is broad enough to have this interpretation.

EDPB Guidelines 01/2022 pg.23 ¶63:

> The controllers must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR.

^ Creating new access restrictions would seem to fail to re-use the original authentication procedure.

Data controllers often tend to start blocking Tor and/or VPNs spontaneously without warning. That seems to violate the rules of *informed* consent. That is, the data subject consented to the processing of their data by website A, but when website A made a significant material change (i.e. blocking Tor/VPNs), it effectively changes the deal the data subject thought they were consenting to. EDPB Guidelines 05/2020 pg.23 ¶110 seem to capture this:

> There is no specific time limit in the GDPR for how long consent will last. How long consent lasts will depend on the context, the scope of the original consent and the expectations of the data subject. **If the processing operations change or evolve considerably** then the original consent is no longer valid. If this is the case, then new consent needs to be obtained.

So IIUC, the data controller must warn you before blocking your access to their service and give you a chance to withdraw your consent. This assumes we can interpret the IT infrastructure of the data controller as part of the “processing operations”. I get the feeling the EDPB has not exactly nailed the scenario of Tor/VPN blockades, so we are left with picking through scraps somewhat out of context to get an idea of how this would go in court. Are there any more relevant decisive guidelines from the EDPB that I’ve missed?
