
Everything related to the #GDPR is discussed here. This is the first and only community specifically for GDPR topics which is decentralized and outside of walled-gardens. #EDPB recommendations and guidance can and should also be discussed here.

For the moment, chatter on the similar California Consumer Privacy Act (CCPA) could be discussed at least until the volume of messages compels us to split it into a separate community.

Members: 79 · Posts: 16 · Active Today: 3 · Created: 1 yr. ago
  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    evenwicht @lemmy.sdf.org

    11 US states now have laws comparable to the GDPR: California, Utah, Colorado, Connecticut, Virginia, Iowa, Indiana, Tennessee, Montana, Texas and Florida

    But note from the article that Florida’s law is almost useless due to being extremely narrow in the scope of who must comply. It only applies to tech giants, generally. E.g., generally must “Derive 50 percent of its global gross annual revenue from the sale of advertisements online”. That gets a lot of data abusers off the hook. It is said to be modeled after Virginia.

    This Florida rule might be interesting:

    Mandatory Disclosures for Search Engines. The FDBR requires search engines to provide easily accessible descriptions of the main parameters used to determine the rankings of search results, "including the prioritization or deprioritization of political partisanship or political ideology in search results." In addition, search engines must disclose the relative importance and influence of the main parameters on the search results.

    So I wonder if you VPN tunnel to Flor

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    debanqued @beehaw.org

    GDPR requests that must be the only request in a letter (Article 18) or not?

    I read somewhere that GDPR requests for restricted processing (Art.18) cannot be combined with any other topic or request. E.g. If you request that they not use your e-mail for marketing purposes.

    WTF. Yes, I understand the idea is that if the request stands on its own, it cannot be overlooked. But #GDPR requests are ignored so often that I deliberately combine a GDPR request with another request that is more difficult to ignore. That way when they ignore the GDPR request but treat the non-GDPR request from the same letter, it proves that the data controller received my letter. When a GDPR request is made on its own, they can more easily claim the letter never came and shift the proof-of-delivery burden onto me.

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    debanqued @beehaw.org

    Legal theory that obligatory disclosure of email address violates the GDPR minimisation principle

    Utility companies, telecoms, and banks all want consumers to register on their website so they do not have to send paper invoices via snail mail. When I started the registration process, the first demand was for an e-mail address.

    Is that really necessary? They would probably argue that they need to send notifications that a new invoice has been prepared. I would argue that e-mail should be optional because:

    • They could send SMS notifications instead, if a data subject would prefer that.
    • They need not send any notification at all, in fact. Reminders are why calendars and alarm clocks exist. A consumer can login and fetch their invoice on a schedule. If a consumer neglects to login during a certain window of time, the data controller could send a paper invoice (which is what they must do for offline customers anyway).

    They might argue that they need an email for password resets. But we could argue that SMS or paper mail can serve that purpose as well.

    Does anyone see any holes in

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    European Commission decided the US is safe from a privacy standpoint for data transfers (WTF?)

    Yikes.

    “In the adequacy decision, the European Commission estimated that the U.S. ensures a level of protection for personal data transferred from the EU to U.S companies under the new framework that is essentially equivalent to the level of protection within the European Union.” (emphasis added)

    Does the EU disregard the Snowden revelations?

    And what a missed opportunity. California state specifically has some kind of GDPR analogue, so it might be reasonable if CA specifically were to satisfy an adequacy decision, (still a stretch) but certainly not the rest of the country. Such a move could have motivated more US states to do the necessary.

    I must say I’ve lost some confidence and respect for the #GDPR.

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    PSA: When your personal data is published, people are not free to use it

    People are often told if their data is published, they have no expectation of privacy. But I found an interesting gem in the EDPB Guidelines of 04/2019 which counters that to some degree:

    1. Even in the event that personal data is made available publicly with the permission and understanding of a data subject, it does not mean that any other controller with access to the personal data may freely process it themselves for their own purposes – they must have their own legal basis.²⁰

    ²⁰See Case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland no. 931/13.

    IMO, that means #AI bots cannot exploit openly public data if it’s data that’s personal to a European or someone residing in Europe.

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    If a data controller ignores your GDPR request, you can make an access request for how they handled your request.

    Just a pro tip if you want to build a case against a data controller: when they ignore your GDPR request, don’t simply send them a reminder. Instead, send them a new Article 15 request demanding records on how your previous request was handled. This way when you build a case against them, you can tack on yet another Article 15 violation when they also ignore your request for information about how they handled your request.

    Not that it matters.. the GDPR isn’t really being enforced. When the DPA ignores your complaint, you’re basically stuffed anyway.

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    Forced use of e-receipts in Europe → forced data sharing with MS and Google (no data minimisation?)

    cross-posted from: https://sopuli.xyz/post/12558862

    So here’s a disturbing development. Suppose you pay cash to settle a debt or to pay for something in advance, where you are not walking out of the store with a product. You obviously want a receipt on the spot proving that you handed cash over. This option is ending.

    It’s fair enough that France wants to put a stop to people receiving paper receipts they don’t want, which then litter the street. But it’s not just an environmental move; there is a #forcedDigitalTransformation / #warOnCash element to this. From the article:

    In Belgium: since 2014, merchants can choose to provide a paper or digital receipt to their customers, if they¹ request it.

    What if I don’t agree to share an email address with a creditor? What if the creditor uses Google or Microsoft for email service, and I boycott those companies? Boycotting means not sharing any data with them (because the data is profitable). IIUC, the Belgian creditor can

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    How data controllers bypass the GDPR (contracts!)

    This is a seriously big loophole. Paraphrasing the various positions:

    Data Controller:

    “data collection is legal because we have a contract with the data subject” (iow, they claim Art.6.1(b) as the legal basis for processing)

    Data Subject:

    “There is no contract. I did not agree to a contract.”

    Supervisory Authority:

    “we do not act on contract issues”

    EDPB:

    “the scope of the GDPR does not include harmonization of national provisions of contract law”

    I’m not finding it ATM, but somewhere in the GDPR or EDPB guidelines it says something to the effect of contract law varying across all member states, and therefore the GDPR is not applicable to contract matters and the validity of contracts cannot be assessed.

    So, WTF? It’s a blatant abuse flying in the face of the GDPR when a data controller simply falsely claims a contract is in play. Since the SAs opt-out of regulating contract cases, this leaves data subjects with only direct court action.

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    Giving fake info can compromise your GDPR access rights

    I often give fake info as an extra measure of data protection. If I don’t need the data controller to have my date of birth, I give a fake one.

    Well this just screwed me because I made an access request and the data controller said: to verify your identity, tell us your date of birth. Fuck me. I didn’t keep track of which fake date I gave them. I didn’t even keep track of whether I gave fake info. So they could treat my otherwise legit request as a breach attempt.

    I should have kept track of the birth date I supplied. I will; from now on.

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    debanqued @beehaw.org

    (EU+UK) Legal theory that closed-source software inherently undermines or violates the GDPR in some situations

    cross-posted from: https://beehaw.org/post/12170575

    The GDPR has some rules that require data controllers to be fair and transparent. EDPB guidelines further clarify in detail what fairness and transparency entails. As far as I can tell, what I am reading strongly implies a need for source code to be released in situations where an application is directly executed by a data subject and the application also processes personal data.

    I might expand on this more but I’m looking for information about whether this legal theory has been analyzed or tested. If anyone knows of related court opinions, rulings, or even some NGO’s analysis on this topic I would greatly appreciate a reference.

    #askFedi

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    No whistle-blowing, according to EDPB internal doc: If you discover a GDPR violation but your own personal GDPR rights were not infringed, an Art.77 complaint is inadmissible

    This is interesting but quite unfortunate. As individuals we often spot #GDPR infringements in situations where we are not a victim. The GDPR does not empower us to act with any slight expectation of getting results. There is no reporting mechanism and no remedial correction if the complainant’s own personal data was not mishandled. No Article 77 possibility.

    Paragraph 2 page 3:

    The GDPR does not explicitly define what constitutes a complaint but Article 77 gives a first understanding providing that “every data subject shall have the right to lodge a complaint (…) if the data subject considers that the processing of personal data relating to him or her infringes this Regulation”.

    Page 4 examples of non-complaints:

    • a suggestion made by a natural person that he or she thinks that a particular company is not compliant with the GDPR as long as he or she is not among the data subjects.

    There is a hack but it’s purely the DPA’s discretion whether to act. From page 5:

    The superv

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    EDPB launches FOSS website auditing tool for GDPR compliance

    This is a FOSS tool that enables people to check a website for #GDPR compliance.

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    (poll) Are DPAs getting you justice under the GDPR?

    blobfox.coffee armchairFossarian (@armchairFossarian@blobfox.coffee)

    How is the #GDPR serving you? Have you filed complaints to any Data Protection Authorities (DPAs) in #Europe? #poll #EU #GDPRart97 [ ] I have never filed a GDPR art.77 complaint (I have no EU activity) [ ] I have never filed a GDPR art.77 complaint yet I have EU transactions [ ] All my art.77 c...

    #poll

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    Individuals unable to get GDPR justice -- there’s an opportunity to complain to the Commission before Feb.8

    Every 4 years the Commission is willing to hear from individuals as to whether the GDPR is working. It’s obviously not working one bit for those of us who actually attempt to exercise our #GDPR rights.

    That link goes to a PDF which contains a link to another PDF which is a questionnaire that can be emailed to the Commission. The email address they give is not on a Google or MS server, thus apparently usable.

    Note that the questionnaire mentions a deadline of 18 November 2023, but that was for feedback from select groups. The deadline for the general public is 8 Feb.

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    An EU citizen outside of the EU accesses an EU website via Cloudflare → GDPR violation or loophole?

    The #GDPR protects everyone inside the EU (regardless of citizenship) + also EU citizens who are outside of the EU.

    So what happens when you have:

    EU citizen outside the EU → Cloudflare (the closest server) → EU website

    ?

    CF’s closest server would usually not be in the EU in this case. The GDPR generally bans personal data being stored outside the EU. As far as anyone knows this is data in transit not storage. But we really don’t know that. We don’t know what Cloudflare collects and stores.

    In principle, European websites that use Cloudflare should have the proxy server restricted to EU locations and under EU regulation. Correct?
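    The post above asks which Cloudflare edge actually answers a request. One practical check, added here as an example and not part of the original post or of any Cloudflare tooling: Cloudflare tags every proxied response with a `cf-ray` header whose suffix is the IATA airport code of the data centre that served it (for example `...-AMS`). The script below parses a captured set of response headers (constructed sample data, shown inline), detects Cloudflare fronting, extracts that colo code and classifies it against an allow-list of EU colo codes. The allow-list `EU_COLOS` and the sample headers are assumptions for illustration; the list is not exhaustive and should be maintained from Cloudflare’s published PoP list before relying on it.

```python
"""Classify which Cloudflare edge served an HTTP response (added example).

Feed it the raw header text from `curl -sI https://example.org` or a header
dict captured from a browser.  Nothing here talks to the network.
"""
import re
from typing import Dict, Mapping, Optional

# ASSUMPTION: illustrative subset of Cloudflare colo (airport) codes located in
# EU member states.  Not exhaustive; maintain it from Cloudflare's PoP list.
EU_COLOS = {
    "AMS", "ARN", "ATH", "BRU", "BUD", "CDG", "CPH", "DUB", "FRA", "HEL",
    "LIS", "MAD", "MRS", "MXP", "PRG", "VIE", "WAW",
}

# cf-ray looks like "<hex request id>-<3-letter colo code>".
CF_RAY_RE = re.compile(r"^(?P<rid>[0-9a-f]+)-(?P<colo>[A-Z]{3})$")


def parse_raw_headers(text: str) -> Dict[str, str]:
    """Turn `curl -sI` output into a lower-cased header dict (status line dropped)."""
    headers: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def _norm(headers: Mapping[str, str]) -> Dict[str, str]:
    return {k.lower(): v.strip() for k, v in headers.items()}


def is_cloudflare(headers: Mapping[str, str]) -> bool:
    """True if the response carries Cloudflare's fingerprint headers."""
    h = _norm(headers)
    return h.get("server", "").lower() == "cloudflare" or "cf-ray" in h


def edge_colo(headers: Mapping[str, str]) -> Optional[str]:
    """Return the colo code from cf-ray, or None if absent/unparseable."""
    h = _norm(headers)
    m = CF_RAY_RE.match(h.get("cf-ray", ""))
    return m.group("colo") if m else None


def classify(headers: Mapping[str, str]) -> str:
    """'direct', 'cloudflare-eu', 'cloudflare-non-eu' or 'cloudflare-unknown'."""
    if not is_cloudflare(headers):
        return "direct"
    colo = edge_colo(headers)
    if colo is None:
        return "cloudflare-unknown"
    return "cloudflare-eu" if colo in EU_COLOS else "cloudflare-non-eu"


# Constructed sample responses (not real captures).
SAMPLE_EU = parse_raw_headers(
    "HTTP/2 200\nserver: cloudflare\ncf-ray: 8b4c2f9e1a3d5f7b-AMS\n"
    "cf-cache-status: DYNAMIC\ncontent-type: text/html\n"
)
SAMPLE_US = parse_raw_headers(
    "HTTP/2 200\nserver: cloudflare\ncf-ray: 8b4c2f9e1a3d5f7c-SEA\n"
    "content-type: text/html\n"
)
SAMPLE_DIRECT = parse_raw_headers(
    "HTTP/1.1 200 OK\nServer: nginx/1.24.0\nContent-Type: text/html\n"
)

if __name__ == "__main__":
    for name, hdrs in (("EU", SAMPLE_EU), ("US", SAMPLE_US), ("direct", SAMPLE_DIRECT)):
        print(f"{name:7s} edge={edge_colo(hdrs)!s:5s} -> {classify(hdrs)}")
```

    The colo in `cf-ray` is the edge nearest the client that made the request, so to reproduce the scenario in the post the request has to be sent from outside the EU (or from a VPN exit there). A non-EU colo only tells you where the TLS connection was terminated; it says nothing about what Cloudflare retains from that request, which is the gap the post points at. Cloudflare does sell a Regional Services option intended to confine processing to chosen regions, but whether a site has it enabled is not visible from headers alone.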

  • General Data Protection Regulation (“GDPR”) @sopuli.xyz
    freedomPusher @sopuli.xyz

    When a data controller introduces new access restrictions (such as blocking Tor or VPNs), does that violate the GDPR? (YES it does IMO; but more analysis needed)

    In answering this question, this seems to be relevant:

    GDPR Art.7(3):

    …It shall be as easy to withdraw as to give consent.

    ^ If you can no longer login to easily withdraw consent because they started blocking your connection, Art.7(3) would apparently be unsatisfied.

    EDPB Guidelines 01/2022 pg.21 ¶53:

    The EDPB encourages the controllers to provide the most appropriate and user-friendly communication channels, in line with Art.12(2) and Art.25, to enable the data subject to make an effective request.

    ^ Blockades against platforms, tools, mechanisms that users rely on would seem to be “user-unfriendly”, though it’s unclear if their meaning of “user friendly” is broad enough to have this interpretation.

    EDPB Guidelines 01/2022 pg.23 ¶63:

    The controllers must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR.

    ^ Creating new access restrictions would