General Data Protection Regulation (“GDPR”) ⚖


Everything related to the #GDPR is discussed here. This is the first and only community specifically for GDPR topics which is decentralized and outside of walled-gardens. #EDPB recommendations and guidance can and should also be discussed here.

For the moment, chatter on the similar California Consumer Privacy Act (CCPA) could be discussed at least until the volume of messages compels us to split it into a separate community.

1
 
 

This is a non-commercial podcast discussing data protection. No sponsors or commercial collaborations.

2
3
 
 

Where should an Article 77 GDPR complaint be sent when a cross-border scenario involves a data subject outside of Germany?

Do data subjects have a choice between the federal agency and the regional?

I could not find any PDF forms for art.77 complaints in Germany. Do they exist?

The list of agencies is on this page:

https://www.datenschutzkonferenz-online.de/datenschutzaufsichtsbehoerden.html

(update) The data controller refers me to the federal office, but I don’t trust that. I’ll probably contact the regional office, which has their own form.

4
 
 

GDPR Art.5 and other parts try to guarantee data subjects transparency on how their data is processed. The overlooked problem is when a data subject installs a closed-source app, they have no idea how their personal data is being processed inside that black box. And since the processing is performed by the data subject themself, they have no legal mechanism to become informed on how the data is processed.

FOSS solves this. FOSS is a crutch for a GDPR hole. Google’s advocacy is an assault on data protection. Yet they have the audacity to claim closed-source s/w gives a data protection benefit.

(update) Closed-source licenses → extra perverse

The last license agreement I read for a closed-source phone app prohibited studying the app or reverse-engineering it. So not only are data subjects technologically blocked from transparency on how their data is processed, they are also contractually blocked from even trying.

5
 
 

The two situations are kind of similar. Whether a friend is using an “Invite a friend” mechanism or they are syncing their address book, either way their shitty choice of controller is getting my personal data. And in both cases the data controller proactively implements code to facilitate the sharing.

Also seems to reinforce my previous conjecture: E-mail fundamentally incompatible with the GDPR

I suppose the difference is that invite-a-friend is purely a data share, whereas other cases are to facilitate the data subject’s use of the service.

6
 
 

Gem from the article:

Under Article 221, §2 of the Belgian Data Protection Act of 30 July 2018, public bodies are exempt from GDPR fines in Belgium.

So Belgian public services have no incentive to comply with the GDPR.

Yikes. The money taken by fines does not disappear. It would normally move from one public pot to another public pot.

(update) less confusing source: https://eurocloud.org/news/article/no-gdpr-fines-for-public-sector-bodies-at-all-no-discrimination-and-no-problem/

It’s also interesting to see the comment on this case.

7
 
 

When filing a complaint in an agency of a government or ombudsman/mediator, the traditional workplace where everyone is on-site yielded more privacy for complainants because there were more meetings and verbal discussions over the processing. So fewer records were made about complaint processing and decision making.

Now with all the post-pandemic teleworking, most office workers collaborate on cases remotely. Thus more personal data ends up in internal email between case workers. Superficially that’s a detriment to data subjects. Most agencies are Microsoft boot-lickers so MS is needlessly in the loop on your sensitive data. Yikes!

To reduce exposure to MS, I only submit complaints offline on paper. In some cases, MS is at least out of the loop on correspondence to and from me. In other cases, MS sees it anyway because some receptionists are tasked with scanning postal mail then emailing it (indeed, we are fucked in this regard because there is no MS opt-out in those situations).

The advantage we can exploit

There is one little-known advantage to this shitshow: when your case or complaint yields an unsatisfying result without rationale or with clumsy/broken rationale, you can do a GDPR access request for all records. This includes all internal email among case workers and their advisors. It’s a way to gain powerful insight into the REAL reason your case was treated adversely. And that can be used against them.

Snag 1

Privacy policies sometimes give an email address for the DPO but either no offline contact information or the general mailing address for the whole agency. This means your snail mail letter could be internally delivered to your case worker based on your return address. Thus, the staff who fucked you over to begin with sees your request first, which triggers them to delete all email that embarrasses them about the case. Their CMY¹ move likely works. By the time the DPO gets the request on their desk, they have no incentive to assume malice and try to dig up deleted messages (assuming that’s even possible).

¹ CMY: cover my ass

Snag 2

Some orgs wildly interpret what “personal data” is. I’ve known a data controller to deny a GDPR request on the basis that “someone’s email address is not personal data”. So there is not much to stop them from claiming information about a case is not the personal data of the complainant.

8
 
 

cross-posted from !cash@slrpnk.net : https://slrpnk.net/post/29617623

The linked fedi comment is a bit alarming. In a GDPR region, a prospective mortgage borrower was denied a home loan because the bank knew how much he spent on wine.

The post gets errors as if it were censored, but I can reach it only within a slrpnk.net cache of the comment. I will quote it here in case others also cannot reach the comment:

Anonymity is very important.

Here's an example why, that recently happened to a workmate:

He applied for a mortgage to buy a house. The application was denied 3 times, despite his having been employed at the same place for 20 years, paid all his bills on time and never received so much as a parking ticket. Finally, after insisting heavily and threatening to sue, his bank provided the reason why: his purchasing habits included too much alcohol.

Or said another way: the bank watched what he purchased when doing his groceries for years and quietly classified him as a wino and potential deadbeat.

I can tell you, when I do my groceries, and back when I still smoked, I never paid for alcohol or tobacco with anything other than cash, for that very reason. The only things I pay for with plastic paint the portrait of a boring working stiff with no habits out of the ordinary. For the rest, it's cash-only.

And if you want another example of why anonymity is important: a few years ago, I sought the help of an underground surgeon to perform a certain type of surgery on me that my stupid doctors here refused to perform, despite my quality of life going to shit (it's a long story...)

Guess what: underground surgeons don't take credit cards. The man changed my life for the better but I certainly don't want my local health insurance to know about it. Was it illegal? Hell yes. Was it justified? Hell yes. Legal and right are two different things.

And similarly, I expected many women post Roe v. Wade would like to have the opportunity to get an abortion out of state anonymously without going to jail.

That's why anonymous payments are essential: they are the last rampart between you and unjust laws and prejudice.

This story should really get some serious press. I tried searching the enshitified web for stories similar to this and got no hits. WTF.

How are banks getting such detail as to know what people are buying?

My expectation: the bank should only know the total amount of the grocery store transaction, not an itemised list of what someone buys. WTF is going on here? It’s a data minimisation failure on the part of the grocery store and also on the part of the bank who over-collected data. And most importantly, the payment processor. What possible grounds does the payment processor have to put that data in the protocol and pass it along?

And a transparency failure. On what scale is this happening in the EU?

I hope, at least, that the 3 denials were from the applicant’s own bank.

9
 
 

(edit: wow that link preview is really garbage when Lemmy references another Lemmy link)

Cash has become compromised by mass surveillance as an instrument for anonymous payments. According to the German article, ATMs read serial numbers of dispensed banknotes and associate them to the person making the withdrawal. Then when the serial numbers are read again by the armored car service fetching the cash from wherever you spent it, the central DB links everything together. But because banknote serial numbers are not “personal data”, the GDPR is completely impotent to this concealed form of tracking. Cash users have no idea that they have lost an expectation of privacy.

inserted Farside cartoon “damned if you do; damned if you don’t”

Consumers are fucked either way. Banking and paying electronically generates a huge digital footprint which pretends to have GDPR protections. The GDPR is essentially an unenforced façade to stage a privacy illusion as a lubricant for digital transformation. The GDPR is most especially unenforced in the banking sector. So the choice is between fake legal protection and slightly better technical protection. You cannot “have your cake and eat it too”.

Cash is realistically the streetwise choice for consumers who know better. But it’s an absolutely unregulated laissez-faire free-for-all blank cheque for rampant systemic unchecked unwarranted surveillance. Probably not many consumers will be wise enough to separate their machine-dispensed (tracked) cash from their quasi-anonymous banknotes, while treating coins as the ultimate refuge.

Interesting how the IP address your ISP assigns to you is deemed personal data, but the serial numbers associated to you by your ATM withdrawal are not.

The bottom of the post linked to this post has an English translation of the German article.

10
 
 

I have filed several GDPR art.77 complaints. Every, single, complaint → mothballed.

So I must ask: is it just high-profile or high visibility cases submitted by reputable orgs like NoYB that get enforced? Has anyone here personally filed an art.77 complaint as a no-name individual on behalf of yourself and gotten results from the DPA?

For me, the GDPR is essentially non-existent. I believe the EU masses believe they can live fast-and-loose with their digital footprints because they are under an illusion that the GDPR will protect them. I used to think the US must be annoyed with the GDPR because it would seem to put tech giants under control. But in fact it apparently creates a false sense of security in Europe that exposes off-guard Europeans to surveillance capitalism to an unexpected extent.

I encourage EU folks to exercise their imaginary GDPR rights (e.g. make access requests and erasure requests). And when a data controller ignores the request submit an art.77 complaint to experience the dysfunction 1st-hand. Some data controllers will simply comply. This is because they are also unaware of the lack of enforcement.

11
 
 

Ireland has their own data protection act which largely mirrors the GDPR. I first have to wonder why. Why rewrite an EU regulation, if not to do something twisted? IIUC, Ireland is part of the EU thus automatically obligated to enforce the full GDPR as-is. (Unlike Great Britain, who left the union but decided voluntarily to keep the GDPR, so they had to mirror it and rewrite some parts that are irrelevant to an EU outsider). Or is Ireland somehow outside the EU too, yet with the Euro?

Art.18, the right to restriction of processing, has been expanded from a ½ page to several pages full of loopholes and exceptions watered down to the point of data subjects not really getting this right.

Art.21, the right to object, has been torn out completely (not mirrored at all), but there is a blurb about removing the right to object specifically giving politicians an exemption on election matters, and postal service matters.

If they add a restriction on the right and say nothing more on it, then I suppose that implies the art.21 right is otherwise in force, correct? It’s bizarre because other GDPR sections have been redundantly rewritten to very similarly reflect the GDPR. So I’m trying to make sense of what it means when redundancy is in place sometimes and not others. And what happens when a redundant section of code has a silent omission with no language to explicitly state intent to dishonor the omitted part.

There are some peculiar omissions from the duty of data processors as well.

I have not read it completely but I did not notice any Irish law that strengthens data protection. I only see shenanigans that work against data subjects.

Is it fair to say that tech giants love Ireland and put their HQ there for tax purposes, where the EU’s version of Silicon Valley is expected to be established, which then effectively pressures Ireland to weaken the GDPR as much as possible to maintain that attraction?

12
 
 

If you’re not in Europe, move along. You’re stuffed and this thread can’t¹ help you.

European email self hosters--

Tech giants screw self-hosters over by crudely blocking email on the sole basis of IP address (e.g. if the IP is residential). Before 2016, we were as fucked as everyone (in fact worse b/c European ISPs tend to block² egress port 25).

Post 2016, we have the GDPR which has an Article 22 that gives us rights against Automated Individual Decision Making. It has become unlawful to profile people on a crude discriminatory basis without human intervention. The motherfuckers “predict” that you’re a baddy/spammer based on your personal information, which wholly consists of nothing more than your IP address. It’s as unsophisticated and prejudiced as it gets. They’re not using anything intelligent like spamassassin (as the cheap bastards want to save money for their greedy shareholders by reducing processing power at your expense).

Why let them get away with it? And unless you’re a boot-licker, you don’t dance for them either. Well, to some extent you may have to implement DKIM, SPF, DMARC, etc, but it’s debatable. Either way, you do you, and if in the end MS or Google or whatever imperial tech giant empire blocks you from sending email to their server on the blunt basis of your IP address, consider filing an Art.77 complaint to the relevant DPA citing Art.22 violations.

¹ Exceptionally, some non-EU regions have created their own variant of the GDPR like Brazil and some US states (e.g. CCPA in California). But AFAIK, they are all very watered down, weak and mostly useless. Just there for show. I don’t imagine that Art.22 sentiment has been adopted outside of Europe but plz correct me if I am wrong.
² If egress port 22 is blocked by your ISP, then you’re probably fucked anyway but there are some tricks to get the block disabled (free and non-free).

13
 
 

Art.22 ¶1 declares:

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

without stating who is liable for infringements. Paragraph 3 says

the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

That assumes the data controller is aware of and in control of the AIDM. Often data processors implement AIDM without the data controller even knowing. Art.28 ¶1 says:

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Of course what happens in reality is processors either make no guarantee or the guarantee is vague with no mention of AIDM. So controllers hire processors blindly. When the controller is some tiny company or agency and the processor is a tech giant like Microsoft or Amazon, it’s a bit rich to put accountability on the controller and not the processor. The DPAs don’t want to sink micro companies because of some shit Amazon did for which the controller was not even aware.

As a data subject I have little hope that a complaint of unlawful AIDM will play out. It’s like not even having protection from AIDM. Article 29 Working Party wrote AIDM guidelines in 2017, but they make no mention of processors.

14
 
 

As I mentioned in another post, many data protection authorities are deadbeats. Knowing that my Art.77 complaints are in vain, my question is how the complaints might be made useful. Suppose we just use the DPA as a prop. We file an Art.77 complaint and CC the data controller a copy of the complaint.

Normally it might be a bad strategy to show the data controller your hand. But when you essentially expect the DPA to be a dead-end anyway, perhaps our best move among shitty options is to use art.77 to get the data controller’s attention on the off chance that the data controller does not know the DPA is a deadbeat.

15
 
 

Many data protection authorities are deadbeats. They do the legal minimum, which is to accept complaints, file them, and acknowledge them. Then do nothing. So stale cases just rot.

Data subjects have a right to complain (Art.77) at no cost, but they apparently do not have a right to a free appeal and the art.78 right to sue is not gratis either.

Unlawful inaction can legally be appealed but appeals are costly. DPAs know this, so they enjoy getting away with neglecting to act on Art.77 complaints.

So first I wonder if my legal theory is sound: If we have a right to complain under art.77 at no cost and the DPA neglects to investigate, then by extension we could argue that a right to complain at no cost implies a right to appeal inaction at no cost. Is that a weak argument? Do we need to ask EU lawmakers to specifically guarantee the right to a free appeal of DPA inaction?

16
 
 

This is a copy of page 82 of the annual report by Ireland’s data protection commission:

Use of CCTV in restrooms

Throughout 2023, the DPC received numerous queries and complaints from individuals about organisations’ use of CCTV in restrooms or areas where a high expectation of privacy exists (see Annual Report 2023).

The DPC engaged with these organisations on a one-to-one basis and also updated its guidance on the use of CCTV by data controllers to include a specific section on “The use of CCTV in areas of an increased expectation of privacy”. This was aimed at clarifying the position of the use of CCTV in areas where individuals have a heightened expectation of privacy. In addition, the DPC contacted the relevant industry bodies to inform them of the update with the DPC’s guidelines.

As a consequence of this guidance, in 2024 the DPC noted a considerable reduction in concerns raised by the public about CCTV in restrooms or areas where a high expectation of privacy exists.

The DPC intended to engage with small and medium sized enterprises throughout 2025 on similar issues to deliver clear and practical guidelines to assist these organisations in meeting their compliance responsibilities in a proportionate and balanced manner.

Seems bizarre that it would even end up in the DPA’s hands; as if people don’t have enough sense to instantly see the GDPR problem and correct it as fast as possible.

I suppose it could be due to only ~⅓ of complaints getting action from the Irish DPA.

17
 
 

Wow, so that’s bizarre. I wonder why the French DPA would think it’s okay to force customers to reveal their gender. Luckily the CJEU overruled them and made it right in the end. But of course it’s still disturbing when a DPA is working against privacy rights.

18
 
 

Indeed, MS only makes GDPR rights available to people who are willing and able to solve their graphical CAPTCHA. You must execute their JavaScript and have image rendering enabled in your browser.

For sighted people it’s not the more shitty varieties of CAPTCHA. Looks easy. But still fucked up that there is a barrier to exercising GDPR rights.

19
 
 

Many member states are daft when it comes to GDPR enforcement. But there are an exceptional few member states that have a Data Protection Authority that actually does their job. E.g., in principle, I might want to file all Article 77 complaints in Norway. Of course, without living there and having no transaction there, it’s outside of the jurisdiction.

OTOH, what happens when a company like Microsoft or Google abuses your data and violates the GDPR? I think MS has headquarters in multiple countries: France, Finland, Spain, Norway, Germany, etc. If I have zero confidence in the DPA for the country I am in, can it be effective to direct the GDPR complaint to another country if MS has a headquarters there?

Is there a hierarchy of headquarters whereby an ultimate top-level headquarters is where a corporation is most relevant?

20
1
submitted 11 months ago* (last edited 11 months ago) by debanqued@beehaw.org to c/gdpr@sopuli.xyz
 
 

Suppose you have the following parties to an email conversation:

Douche Bank¹ manages to collect Alice’s email address either legitimately from her or illegitimately without her consent. DB sends her an email like this:

From: "Douche Bank" 
To: "Alice Marie Smith" 
Subject: Your unpaid debt of €20,000 on account № 354-987-156

Pay up.

Alice did not choose to do business with Microsoft Corporation and does not trust MS in the slightest. Yet Douche Bank has exposed sensitive financial information about Alice to MS, potentially without her consent. She may or may not have supplied an email address to D/B but certainly she opposes MS receiving her sensitive data, which it will then exploit to the fullest for surveillance marketing or otherwise.

Alice has no control over her bank’s choice of email provider. But in principle the GDPR is expected to give her control over her data exposure. If she makes an art.17 request to erase the privacy-abusing email, it’s too late b/c MS already saw it. The bank would not erase it because they have a legit need to track the fact that they sent a payment reminder. The bank /can/ mirror Alice’s art.17 request to MS if they are motivated, but most likely they will not, particularly if the bank is not treating the art.17 request themselves. And most likely MS would ignore it anyway.

If Alice sends a GDPR request direct to MS to erase MS’s copy of the email, MS would naturally respond with something like “who are you? You are not our customer. Therefore we cannot properly identify you in accordance with GDPR rules. Also, we are just a ‘data processor’ not a ‘data controller’. Sorry... you can fuck off now.” (in so many words)

If Alice were to complain to the Data Protection Authority of Germany (where MS is headquartered), they would be helpless in this situation. I mean, there is Art.32 which requires processing to be secure, but most data controllers seem to be ignoring Art.32 w.r.t. Art.77 requests. EDPB said in their “Contribution of the EDPB to the report on the application of the GDPR under Article 97” report:

“fines were imposed … for failure to comply with the obligations with regard to the rights of the data subjects (Article 12 to 22 GDPR),”

IOW, infringements on Articles outside the Art.12-22 range are not considered by the EDPB as “rights of the data subjects”. I’ve seen a similar sentiment expressed in other places.

¹ fictitious name inspired by Deutsche Bank/Bank of America

21
 
 

But note from the article that Florida’s law is almost useless due to being extremely narrow in the scope of who must comply. It only applies to tech giants, generally. E.g., generally must “Derive 50 percent of its global gross annual revenue from the sale of advertisements online”. That gets a lot of data abusers off the hook. It is said to be modeled after Virginia.

This Florida rule might be interesting:

Mandatory Disclosures for Search Engines. The FDBR requires search engines to provide easily accessible descriptions of the main parameters used to determine the rankings of search results, "including the prioritization or deprioritization of political partisanship or political ideology in search results." In addition, search engines must disclose the relative importance and influence of the main parameters on the search results.

So I wonder if you VPN tunnel to Florida to perform a search, how many search engines give this info which they perhaps withhold outside FL?

22
 
 

I read somewhere that GDPR requests for restricted processing (Art.18) cannot be combined with any other topic or request. E.g. If you request that they not use your e-mail for marketing purposes.

WTF. Yes, I understand the idea is that if the request stands on its own, it cannot be overlooked. But #GDPR requests are ignored so often that I deliberately combine a GDPR request with another request that is more difficult to ignore. That way when they ignore the GDPR request but treat the non-GDPR request from the same letter, it proves that the data controller received my letter. When a GDPR request is made on its own, they can more easily claim the letter never came and shift the proof-of-delivery burden onto me.

23
 
 

Utility companies, telecoms, and banks all want consumers to register on their website so they do not have to send paper invoices via snail mail. When I started the registration process, the first demand was for an e-mail address.

Is that really necessary? They would probably argue that they need to send notifications that a new invoice has been prepared. I would argue that e-mail should be optional because:

  • They could send SMS notifications instead, if a data subject would prefer that.
  • They need not send any notification at all, in fact. Reminders are why calendars and alarm clocks exist. A consumer can log in and fetch their invoice on a schedule. If a consumer neglects to log in during a certain window of time, the data controller could send a paper invoice (which is what they must do for offline customers anyway).

They might argue that they need an email for password resets. But we could argue that SMS or paper mail can serve that purpose as well.

Does anyone see any holes in my legal theory? Any justification for obligatory email address disclosure that I am missing?

24
 
 

Yikes.

“In the adequacy decision, the European Commission estimated that the U.S. ensures a level of protection for personal data transferred from the EU to U.S companies under the new framework that is essentially equivalent to the level of protection within the European Union.” (emphasis added)

Does the EU disregard the Snowden revelations?

And what a missed opportunity. California state specifically has some kind of GDPR analogue, so it might be reasonable if CA specifically were to satisfy an adequacy decision, (still a stretch) but certainly not the rest of the country. Such a move could have motivated more US states to do the necessary.

I must say I’ve lost some confidence and respect for the #GDPR.

25
 
 

People are often told if their data is published, they have no expectation of privacy. But I found an interesting gem in the EDPB Guidelines of 04/2019 which counters that to some degree:

  1. Even in the event that personal data is made available publicly with the permission and understanding of a data subject, it does not mean that any other controller with access to the personal data may freely process it themselves for their own purposes – they must have their own legal basis.²⁰

²⁰See Case of Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland no. 931/13.

IMO, that means #AI bots cannot exploit openly public data if it’s data that’s personal to a European or someone residing in Europe.
