General Data Protection Regulation (“GDPR”) ⚖


Everything related to the #GDPR is discussed here. This is the first and only community specifically for GDPR topics which is decentralized and outside of walled-gardens. #EDPB recommendations and guidance can and should also be discussed here.

For the moment, chatter on the similar California Consumer Privacy Act (CCPA) could be discussed at least until the volume of messages compels us to split it into a separate community.

founded 2 years ago

cross-posted from !cash@slrpnk.net : https://slrpnk.net/post/29617623

The linked fedi comment is a bit alarming. In a GDPR region, a prospective mortgage borrower was denied a home loan because the bank knew how much he spent on wine.

The post gets errors as if it were censored, but I can reach it only within a slrpnk.net cache of the comment. I will quote it here in case others also cannot reach the comment:

Anonymity is very important.

Here's an example why, that recently happened to a workmate:

He applied for a mortgage to buy a house. The application was denied 3 times, despite his having been employed at the same place for 20 years, paid all his bills on time and never received so much as a parking ticket. Finally, after insisting heavily and threatening to sue, his bank provided the reason why: his purchasing habits included too much alcohol.

Or said another way: the bank watched what he purchased when doing his groceries for years and quietly classified him as a wino and potential deadbeat.

I can tell you, when I do my groceries, and back when I still smoked, I never paid for alcohol or tobacco with anything other than cash, for that very reason. The only things I pay for with plastic paint the portrait of a boring working stiff with no habits out of the ordinary. For the rest, it's cash-only.

And if you want another example of why anonymity is important: a few years ago, I sought the help of an underground surgeon to perform a certain type of surgery on me that my stupid doctors here refused to perform, despite my quality of life going to shit (it's a long story...)

Guess what: underground surgeons don't take credit cards. The man changed my life for the better but I certainly don't want my local health insurance to know about it. Was it illegal? Hell yes. Was it justified? Hell yes. Legal and right are two different things.

And similarly, I expected many women post Roe v. Wade would like to have the opportunity to get an abortion out of state anonymously without going to jail.

That's why anonymous payments are essential: they are the last rampart between you and unjust laws and prejudice.

This story should really get some serious press. I tried searching the enshitified web for stories similar to this and got no hits. WTF.

How are banks getting such detail as to know what people are buying?

My expectation: the bank should only know the total amount of the grocery store transaction, not an itemised list of what someone buys. WTF is going on here? It’s a data minimisation failure on the part of the grocery store and also on the part of the bank who over-collected data. And most importantly, the payment processor. What possible grounds does the payment processor have to put that data in the protocol and pass it along?

And a transparency failure. On what scale is this happening in the EU?

I hope, at least, that the 3 denials were from the applicant's own bank.


(edit: wow that link preview is really garbage when Lemmy references another Lemmy link)

Cash has become compromised by mass surveillance as an instrument for anonymous payments. According to the German article, ATMs read serial numbers of dispensed banknotes and associate them to the person making the withdrawal. Then when the serial numbers are read again by the armored car service fetching the cash from wherever you spent it, the central DB links everything together. But because banknote serial numbers are not “personal data”, the GDPR is completely impotent to this concealed form of tracking. Cash users have no idea that they have lost an expectation of privacy.

inserted Farside cartoon “damned if you do; damned if you don’t”

Consumers are fucked either way. Banking and paying electronically generates a huge digital footprint which pretends to have GDPR protections. The GDPR is essentially an unenforced façade to stage a privacy illusion as a lubricant for digital transformation. The GDPR is most especially unenforced in the banking sector. So the choice is between fake legal protection and slightly better technical protection. You cannot “have your cake and eat it too”.

Cash is realistically the streetwise choice for consumers who know better. But it’s an absolutely unregulated laissez-faire free-for-all blank cheque for rampant systemic unchecked unwarranted surveillance. Probably not many consumers will be wise enough to separate their machine-dispensed (tracked) cash from their quasi-anonymous banknotes, while treating coins as the ultimate refuge.

Interesting how the IP address your ISP assigns to you is deemed personal data, but the serial numbers associated to you by your ATM withdrawal are not.

The bottom of the post linked to this post has an English translation of the German article.


I have filed several GDPR art.77 complaints. Every, single, complaint → mothballed.

So I must ask: is it just high-profile or high visibility cases submitted by reputable orgs like NoYB that get enforced? Has anyone here personally filed an art.77 complaint as a no-name individual on behalf of yourself and gotten results from the DPA?

For me, the GDPR is essentially non-existent. I believe the EU masses believe they can live fast-and-loose with their digital footprints because they are under an illusion that the GDPR will protect them. I used to think the US must be annoyed with the GDPR because it would seem to put tech giants under control. But in fact it apparently creates a false sense of security in Europe that exposes off-guard Europeans to surveillance capitalism to an unexpected extent.

I encourage EU folks to exercise their imaginary GDPR rights (e.g. make access requests and erasure requests). And when a data controller ignores the request submit an art.77 complaint to experience the dysfunction 1st-hand. Some data controllers will simply comply. This is because they are also unaware of the lack of enforcement.


Ireland has their own data protection act which largely mirrors the GDPR. I first have to wonder why. Why rewrite an EU regulation, if not to do something twisted? IIUC, Ireland is part of the EU thus automatically obligated to enforce the full GDPR as-is. (Unlike Great Britain, who left the union but decided voluntarily to keep the GDPR, so they had to mirror it and rewrite some parts that are irrelevant to an EU outsider). Or is Ireland somehow outside the EU too, yet with the Euro?

Art.18, the right to restriction of processing, has been expanded from a ½ page to several pages full of loopholes and exceptions watered down to the point of data subjects not really getting this right.

Art.21, the right to object, has been torn out completely (not mirrored at all), but there is a blurb about removing the right to object specifically giving politicians an exemption on election matters, and postal service matters.

If they add a restriction on the right and say nothing more on it, then I suppose that implies the art.21 right is otherwise in force, correct? It’s bizarre because other GDPR sections have been redundantly rewritten to very similarly reflect the GDPR. So I’m trying to make sense of what it means when redundancy is in place sometimes and not others. And what happens when a redundant section of code has a silent omission with no language to explicitly state intent to dishonor the omitted part.

There are some peculiar omissions from the duty of data processors as well.

I have not read it completely but I did not notice any Irish law that strengthens data protection. I only see shenanigans that work against data subjects.

Is it fair to say that tech giants love Ireland and put their HQ there for tax purposes, where the EU’s version of Silicon Valley is expected to be established, which then effectively pressures Ireland to weaken the GDPR as much as possible to maintain that attraction?


If you’re not in Europe, move along. You’re stuffed and this thread can’t¹ help you.

European email self hosters--

Tech giants screw self-hosters over by crudely blocking email on the sole basis of IP address (e.g. if the IP is residential). Before 2016, we were as fucked as everyone (in fact worse b/c European ISPs tend to block² egress port 25).

Post 2016, we have the GDPR which has an Article 22 that gives us rights against Automated Individual Decision Making. It has become unlawful to profile people on a crude discriminatory basis without human intervention. The motherfuckers “predict” that you’re a baddy/spammer based on your personal information, which wholly consists of nothing more than your IP address. It’s as unsophisticated and prejudiced as it gets. They’re not using anything intelligent like spamassassin (as the cheap bastards want to save money for their greedy shareholders by reducing processing power at your expense).

Why let them get away with it? And unless you’re a boot-licker, you don’t dance for them either. Well, to some extent you may have to implement DKIM, SPF, DMARC, etc, but it’s debatable. Either way, you do you, and if in the end MS or Google or whatever imperial tech giant empire blocks you from sending email to their server on the blunt basis of your IP address, consider filing an Art.77 complaint to the relevant DPA citing Art.22 violations.

¹ Exceptionally, some non-EU regions have created their own variant of the GDPR like Brazil and some US states (e.g. CCPA in California). But AFAIK, they are all very watered down, weak and mostly useless. Just there for show. I don’t imagine that Art.22 sentiment has been adopted outside of Europe but plz correct me if I am wrong.
² If egress port 22 is blocked by your ISP, then you’re probably fucked anyway but there are some tricks to get the block disabled (free and non-free).


Art.22 ¶1 declares:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

without stating who is liable for infringements. Paragraph 3 says

the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

That assumes the data controller is aware of and in control of the AIDM. Often data processors implement AIDM without the data controller even knowing. Art.28 ¶1 says:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Of course what happens in reality is processors either make no guarantee or the guarantee is vague with no mention of AIDM. So controllers hire processors blindly. When the controller is some tiny company or agency and the processor is a tech giant like Microsoft or Amazon, it’s a bit rich to put accountability on the controller and not the processor. The DPAs don’t want to sink micro companies because of some shit Amazon did for which the controller was not even aware.

As a data subject I have little hope that a complaint of unlawful AIDM will play out. It’s like not even having protection from AIDM. Article 29 Working Party wrote AIDM guidelines in 2017, but they make no mention of processors.


As I mentioned in another post, many data protection authorities are deadbeats. Knowing that my Art.77 complaints are in vain, my question is how the complaints might be made useful. Suppose we just use the DPA as a prop. We file an Art.77 complaint and CC the data controller a copy of the complaint.

Normally it might be a bad strategy to show the data controller your hand. But when you essentially expect the DPA to be a dead-end anyway, perhaps our best move among shitty options is to use art.77 to get the data controller’s attention on the off chance that the data controller does not know the DPA is a deadbeat.


Many data protection authorities are deadbeats. They do the legal minimum, which is to accept complaints, file them, and acknowledge them. Then do nothing. So stale cases just rot.

Data subjects have a right to complain (Art.77) at no cost, but they apparently do not have a right to a free appeal and the art.78 right to sue is not gratis either.

Unlawful inaction can legally be appealed but appeals are costly. DPAs know this, so they enjoy getting away with neglecting to act on Art.77 complaints.

So first I wonder if my legal theory is sound: If we have a right to complain under art.77 at no cost and the DPA neglects to investigate, then by extension we could argue that a right to complain at no cost implies a right to appeal inaction at no cost. Is that a weak argument? Do we need to ask EU lawmakers to specifically guarantee the right to a free appeal of DPA inaction?


This is a copy of page 82 of the annual report by Ireland’s data protection commission:

Use of CCTV in restrooms

Throughout 2023, the DPC received numerous queries and complaints from individuals about organisations’ use of CCTV in restrooms or areas where a high expectation of privacy exists (see Annual Report 2023).

The DPC engaged with these organisations on a one-to-one basis and also updated its guidance on the use of CCTV by data controllers to include a specific section on “The use of CCTV in areas of an increased expectation of privacy”. This was aimed at clarifying the position of the use of CCTV in areas where individuals have a heightened expectation of privacy. In addition, the DPC contacted the relevant industry bodies to inform them of the update with the DPC’s guidelines.

As a consequence of this guidance, in 2024 the DPC noted a considerable reduction in concerns raised by the public about CCTV in restrooms or areas where a high expectation of privacy exists.

The DPC intended to engage with small and medium sized enterprises throughout 2025 on similar issues to deliver clear and practical guidelines to assist these organisations in meeting their compliance responsibilities in a proportionate and balanced manner.

Seems bizarre that it would even end up in the DPA’s hands; as if people don’t have enough sense to instantly see the GDPR problem and correct it as fast as possible.

I suppose it could be due to only ~⅓ of complaints getting action from the Irish DPA.


Wow, so that’s bizarre. I wonder why the French DPA would think it’s okay to force customers to reveal their gender. Luckily the CJEU overruled them and made it right in the end. But of course it’s still disturbing when a DPA is working against privacy rights.


Indeed, MS only makes GDPR rights available to people who are willing and able to solve their graphical CAPTCHA. You must execute their JavaScript and have image rendering enabled in your browser.

For sighted people it’s not the more shitty varieties of CAPTCHA. Looks easy. But still fucked up that there is a barrier to exercising GDPR rights.


Many member states are daft when it comes to GDPR enforcement. But there are an exceptional few member states that have a Data Protection Authority that actually does their job. E.g., in principle, I might want to file all Article 77 complaints in Norway. Of course, without living there and having no transaction there, it’s outside of the jurisdiction.

OTOH, what happens when a company like Microsoft or Google abuses your data and violates the GDPR? I think MS has headquarters in multiple countries: France, Finland, Spain, Norway, Germany, etc. If I have zero confidence in the DPA for the country I am in, can it be effective to direct the GDPR to another country if MS has a headquarters there?

Is there a hierarchy of headquarters whereby an ultimate top level headquarters where a corporation is most relevant?

submitted 6 months ago* (last edited 6 months ago) by debanqued@beehaw.org to c/gdpr@sopuli.xyz

Suppose you have the following parties to an email conversation:

Douche Bank¹ manages to collect Alice’s email address either legitimately from her or illegitimately without her consent. DB sends her an email like this:

From: "Douche Bank" 
To: "Alice Marie Smith" 
Subject: Your unpaid debt of €20,000 on account № 354-987-156

Pay up.

Alice did not choose to do business with Microsoft Corporation and does not trust MS in the slightest. Yet Douche Bank has exposed sensitive financial information about Alice to MS, potentially without her consent. She may or may not have supplied an email address to D/B but certainly she opposes MS receiving her sensitive data, which it will then exploit to the fullest for surveillance marketing or otherwise.

Alice has no control over her bank’s choice of email provider. But in principle the GDPR is expected to give her control over her data exposure. If she makes an art.17 request to erase the privacy-abusing email, it’s too late b/c MS already saw it. The bank would not erase it because they have a legit need to track the fact that they sent a payment reminder. The bank /can/ mirror Alice’s art.17 request to MS if they are motivated, but most likely they will not, particularly if the bank is not treating the art.17 request themselves. And most likely MS would ignore it anyway.

If Alice sends a GDPR request direct to MS to erase MS’s copy of the email, MS would naturally respond with something like “who are you? You are not our customer. Therefore we cannot properly identify you in accordance with GDPR rules. Also, we are just a ‘data processor’ not a ‘data controller’. Sorry.. you can fuck off now.” (in so many words)

If Alice were to complain to the Data Protection Authority of Germany (where MS is headquartered), they would be helpless in this situation. I mean, there is Art.32 which requires processing to be secure, but most data controllers seem to be ignoring Art.32 w.r.t Art.77 requests. EDPB said in their “Contribution of the EDPB to the report on the application of the GDPR under Article 97” report:

“fines were imposed … for failure to comply with the obligations with regard to the rights of the data subjects (Article 12 to 22 GDPR),”

IOW, infringements on Articles outside the Art.12-22 range are not considered by the EDPB as “rights of the data subjects”. I’ve seen a similar sentiment expressed in other places.

¹ fictitious name inspired by Deutsche Bank/Bank of America


But note from the article that Florida’s law is almost useless due to being extremely narrow in the scope of who must comply. It only applies to tech giants, generally. E.g., generally must “Derive 50 percent of its global gross annual revenue from the sale of advertisements online”. That gets a lot of data abusers off the hook. It is said to be modeled after Virginia.

This Florida rule might be interesting:

Mandatory Disclosures for Search Engines. The FDBR requires search engines to provide easily accessible descriptions of the main parameters used to determine the rankings of search results, "including the prioritization or deprioritization of political partisanship or political ideology in search results." In addition, search engines must disclose the relative importance and influence of the main parameters on the search results.

So I wonder if you VPN tunnel to Florida to perform a search, how many search engines give this info which they perhaps withhold outside FL?


I read somewhere that GDPR requests for restricted processing (Art.18) cannot be combined with any other topic or request. E.g. If you request that they not use your e-mail for marketing purposes.

WTF. Yes, I understand the idea is that if the request stands on its own, it cannot be overlooked. But #GDPR requests are ignored so often that I deliberately combine a GDPR request with another request that is more difficult to ignore. That way when they ignore the GDPR request but treat the non-GDPR request from the same letter, it proves that the data controller received my letter. When a GDPR request is made on its own, they can more easily claim the letter never came and shift the proof-of-delivery burden onto me.


I’ve noticed that the data protection authorities are deadbeats for the most part. None of my reports have ever led to any action in the slightest -- not even a warning to the offender. Sometimes reports are rejected for frivolous reasons.

So knowing that the GDPR is merely symbolic in my experience, I have quit trusting the marketplace. Quit paying for things electronically, quit buying things online, quit sending email, quit sharing my email address with others, cut way back on electronic transactions, reach orgs the old fashioned way (by paper letter), etc.

Anyone else practicing data minimisation like this? It seems like the world around me is entirely unaware that the GDPR is mostly unenforced. Sure, they enforce a few token cases against Google and the like just for appearances. But the GDPR is failing to protect actual people whose rights are undermined.


I was whinging over the fact that the CJEU ruled that victims of GDPR offenses cannot claim their legal costs (particularly the lawyer’s fees) when they win a case, which kills lawsuits as a viable option in most GDPR situations. At the same time, data protection authorities are deadbeats -- not enforcing most cases. So the GDPR is mostly just symbolic for most of us.

A Brit said they use the court and it only costs them £30 to file a paper with no need for a lawyer. I’m surprised because that’s even cheaper than typical small claims courts in the US. And the other thing is, small claims courts (in the US) only handle money disputes. A US small claims court can only order someone to pay for damages. If a CCPA case were brought to a small claims court in California, it would be unable to order someone to take an action such as to erase info from a DB.

So I’m curious about this UK option. Do UK small claims courts have the power to order a data controller to erase data? Or would it be a higher court?

To be clear, the Brit said they do not get their £30 back (unlike what would happen in a US small claims court). So Brits are still at a loss, but perhaps still worthwhile in some cases.


Utility companies, telecoms, and banks all want consumers to register on their website so they do not have to send paper invoices via snail mail. When I started the registration process, the first demand was for an e-mail address.

Is that really necessary? They would probably argue that they need to send notifications that a new invoice has been prepared. I would argue that e-mail should be optional because:

  • They could send SMS notifications instead, if a data subject would prefer that.
  • They need not send any notification at all, in fact. Reminders are why calendars and alarm clocks exist. A consumer can log in and fetch their invoice on a schedule. If a consumer neglects to log in during a certain window of time, the data controller could send a paper invoice (which is what they must do for offline customers anyway).

They might argue that they need an email for password resets. But we could argue that SMS or paper mail can serve that purpose as well.

Does anyone see any holes in my legal theory? Any justification for obligatory email address disclosure that I am missing?


Yikes.

“In the adequacy decision, the European Commission estimated that the U.S. ensures a level of protection for personal data transferred from the EU to U.S. companies under the new framework that is essentially equivalent to the level of protection within the European Union.” (emphasis added)

Does the EU disregard the Snowden revelations?

And what a missed opportunity. California state specifically has some kind of GDPR analogue, so it might be reasonable if CA specifically were to satisfy an adequacy decision, (still a stretch) but certainly not the rest of the country. Such a move could have motivated more US states to do the necessary.

I must say I’ve lost some confidence and respect for the #GDPR.


People are often told if their data is published, they have no expectation of privacy. But I found an interesting gem in the EDPB Guidelines of 04/2019 which counters that to some degree:

  1. Even in the event that personal data is made available publicly with the permission and understanding of a data subject, it does not mean that any other controller with access to the personal data may freely process it themselves for their own purposes – they must have their own legal basis.²⁰

²⁰See Case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland no. 931/13.

IMO, that means #AI bots cannot exploit openly public data if it’s data that’s personal to a European or someone residing in Europe.


Just a pro tip if you want to build a case against a data controller: when they ignore your GDPR request, don’t simply send them a reminder. Instead, send them a new Article 15 request demanding records on how your previous request was handled. This way when you build a case against them, you can tack on yet another Article 15 violation when they also ignore your request for information about how they handled your request.

Not that it matters.. the GDPR isn’t really being enforced. When the DPA ignores your complaint, you’re basically stuffed anyway.


cross-posted from: https://sopuli.xyz/post/12558862

So here’s a disturbing development. Suppose you pay cash to settle a debt or to pay for something in advance, where you are not walking out of the store with a product. You obviously want a receipt on the spot proving that you handed cash over. This option is ending.

It’s fair enough that France wants to put a stop to people receiving paper receipts they don’t want, which then litter the street. But it’s not just an environmental move; there is a #forcedDigitalTransformation / #warOnCash element to this. From the article:

In Belgium: since 2014, merchants can choose to provide a paper or digital receipt to their customers, if they¹ request it.

What if I don’t agree to share an email address with a creditor? What if the creditor uses Google or Microsoft for email service, and I boycott those companies? Boycotting means not sharing any data with them (because the data is profitable). IIUC, the Belgian creditor can say “accept our Microsoft-emailed receipt or fuck off.” If you don’t carry a smartphone that is subscribed to a data plan, and trust a smartphone with email transactions, then you cannot see that you’ve received the email before you leave after paying cash. Even if you do have a data plan and are trusting enough to use a smartphone for email, and you trust all parties handling the email, there is always a chance the sender’s mail server is graylisted, which means the email could take a day to reach you. Not to mention countless opportunities for the email to fail or get lost.

It’s such a fucked up idea to let merchants choose. If it’s a point of sale, then no problem… I can simply walk if they refuse a paper receipt (though even that’s dicey because I’ve seen merchants refuse instant returns after they’ve put your money in the cash register).

But what about creditors? If you owe a debt and the transaction fails because they won’t give you a paper receipt and you won’t agree to info sharing with a surveillance advertiser, then you can be treated as a delinquent debtor.

Google, Facebook, Amazon, and Microsoft must be celebrating these e-receipts because they have been working quite hard to track people’s offline commerce.

It’s obviously an encroachment of the data minimisation principle under the GDPR. More data is being collected than necessary.

¹ This is really shitty wording. Who is /they/? If it’s the customer, that’s fine. But in that case, why did the sentence start with “merchants can choose…”? Surely it can only mean merchants have the choice if they make a request to regulators.


This is a seriously big loophole. Paraphrasing the various positions:

Data Controller:

“data collection is legal because we have a contract with the data subject” (iow, they claim Art.6.1(b) as the legal basis for processing)

Data Subject:

“There is no contract. I did not agree to a contract.”

Supervisory Authority:

“we do not act on contract issues”

EDPB:

“the scope of the GDPR does not include harmonization of national provisions of contract law”

I’m not finding it ATM, but somewhere in the GDPR or EDPB guidelines it says something to the effect of contract law varying across all member states, and therefore the GDPR is not applicable to contract matters and the validity of contracts cannot be assessed.

So, WTF? It’s a blatant abuse flying in the face of the GDPR when a data controller simply falsely claims a contract is in play. Since the SAs opt-out of regulating contract cases, this leaves data subjects with only direct court action.


I often give fake info as an extra measure of data protection. If I don’t need the data controller to have my date of birth, I give a fake one.

Well this just screwed me because I made an access request and the data controller said: to verify your identity, tell us your date of birth. Fuck me. I didn’t keep track of which fake date I gave them. I didn’t even keep track of whether I gave fake info. So they could treat my otherwise legit request as a breach attempt.

I should have kept track of the birth date I supplied. I will; from now on.


cross-posted from: https://beehaw.org/post/12170575

The GDPR has some rules that require data controllers to be fair and transparent. EDPB guidelines further clarify in detail what fairness and transparency entail. As far as I can tell, what I am reading strongly implies a need for source code to be released in situations where an application is directly executed by a data subject and the application also processes personal data.

I might expand on this more but I’m looking for information about whether this legal theory has been analyzed or tested. If anyone knows of related court opinions, rulings, or even some NGO’s analysis on this topic I would greatly appreciate a reference.

#askFedi
