Microentry

replying to a post on sebastiangreger.net

Sebastian, first of all, thank you for your detailed write up on this issue. I think much of your roadmap is worthwhile, and of great interest.

I cannot, however, say that I am convinced by your contentions regarding the effect of GDPR and indieweb sites. In particular, I think your definitions are excessively broad, and you elide much information from both the Regulation itself and the Recitals.

Take, for instance, your quotation of Recital 18, which is key to the matters here presented. I note that you have chosen not to quote the Recital in full (despite its brevity) and you use it in support of (imo) a wholly erroneous contention regarding what is and is not personal. For the record, Recital 18, in full, is as follows (emphasis mine)

This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.

It is quite clear, from the highlighted section, that information which is provided in the context of social networking is itself not a subject of the Regulation. I am curious as to why you omitted that second sentence in your article?

I also do not understand your position that German Legal Literature means that any personal website where someone publishes anything regarding an area related to their professional activity automatically becomes a commercial activity for the purpose of GDPR. The GDPR has not, as yet, become law. There is no precedent support for your position in the corpus of the ECJ (nor could there be). There is disputation at all levels of the ECJ on the question of when an activity ceases to be personal activity (Lindqvist, for example, or Rynes) however it is notable that the Working Group regarding GDPR specifically cited the dictum in Lindqvist as incorrect, and both Article 9 and Recitals surrounding same were designed to place restraint on that dictum. The original intention was to broaden the exemption more dramatically, but this was resisted strongly by a curious alliance of authoritarians and anti-governmental fractions in the European Parliament. Nonetheless, the dictum is significantly broader than that which pertained in 1998. (For a more detailed look at this issue, see for example this article by Brendan Van Elsonoy, legal advisor at the Belgian Data Protection Authority.

I would be, naturally, happy to be proven wrong, however I simply cannot accept that your various statements regarding the law of the matter are correct in the absence of evidence to support them. Unfortunately, I don’t speak German, and am unable to comment on Dr. Schwenke’s positions in the podcast. All I can comment on is the statements in your bulleted list.

For example, the first point: “Individuals have to be informed when data about them is pulled in from third sources.”

Informed by whom? By which site? Consent to the viewing, accessing and storage of public data is provided in the Regulation. What is the basis for this claim?

Or the second bullet point: “Pulling “likes” and profile images from Twitter in Indieweb manner (in my opinion precisely described by the show host) requires a statement in the privacy notice and the affected persons have to be informed”

Again - on what basis? Where is the support within the GDPR for this claim?

I’m sorry if this sounds churlish, but as a lawyer I refuse to take such claims as meaningful in the absence of supporting rationale. Like Dr. Schwenke, I’m a practitioner as opposed to an academic of law. Like most such practitioners, I’ve been undertaking GDPR training in the last two years. Not once in any of that training has there been any support for the type of legal minefield you propose. I’ve spoken about Indieweb components, including backfeed, with legal advisors to the Irish, Dutch and Belgian DPAs. None of them have raised objections of the nature mentioned by you as being required by GDPR.

GDPR is scary enough as it is. It is also an incredible opportunity, a moment in which we can look to a future absent the abuse visited upon us all by Corporations with a skewed view of rights and values. I look forward to it for those reasons, and I welcome all efforts to secure that future.

  •  Partly Cloudy  10.3°C •   • 
Have you written a response to this? Let me know the URL:

🔖 Bookmarked https://ascraeus.org/micro/1525556293/
Read a post by Daniel Goldsmith (View from ASCRAEUS) Sebastian, first of all, thank you for your detailed write up on this issue. I think much of your roadmap is worthwhile, and of great interest. I cannot, however, say that I am convinced by your contentions regarding the effect of GDPR and indieweb sites. In particular, I think your definitions are excessively broad, and you elide much information from both the Regulation itself and the Recitals. It’s certainly interesting to see some of the replies to Sebastian’s article. It’s definitely stirring up some interesting thought. Daniel’s reply here is primarily to the legal issues at stake more than the design related issues, which have some interesting merit aside from the legal ones. I think I fall somewhere in the middle of the two and see some of the moral and ethical pieces which are more important from a people perspective. I’m not as concerned about the law portion of it for a large variety of reasons. It’s most interesting to me to see the divide between how those in the EU and particularly Germany view the issue and those in the United States which may be looking at regulations in the coming years, particularly after the recent Facebook debacle. As I think of these, I’m reminded about some of the cultural differences between Europe and the United States which Jeff Jarvis has expounded upon over the past several years. Europeans are generally more leery of corporations and trust government a bit more while in America it’s the opposite. Syndicated copies to:
Daniel, thank you for your elaborate response to my article on “The Indieweb privacy challenge”. As I explicitly state whenever writing about the GDPR: I am not a lawyer. In recent months, I spent more hours on legal research and debates than many designers ever will, but I always inform readers that I am not formally trained. I put a lot of effort in finding the most reputable sources and put great care in formulating any legal references as the understanding that informed my design work, not universal fact. Therefore, any reader jumping to legal conclusions would be misframing, not me. Alarmism really is not my intention, but I believe it must – especially in the unfortunate absence of definitive rulings – be allowed to explore potentially broad interpretations of the GDPR. Speculative thinking is a powerful tool in design. I, too, see the GDPR as a great opportunity and am excited to see the change it already starts to entail on our society. From what I have learned, the German judicative’s interpretation of privacy laws has traditionally been always amongst the strictest; maybe that, at least to some degree, can explain why my sources tell a different story than the perspective you present. Could such dogmatic differences be the reason why the latest legal commentaries by senior German experts indeed suggest a very restrictive interpretation of Art 2(2) GDPR (Kühling/Buchner, DS-GVO/BDSG 2. Aufl, Art 2 Rn 23+26) and state that Rec 18 GDPR defines the precondition of complete absence of any relation to professional or economical activity (ibid., Art 2 Rn 23)? Not citing the second sentence of Rec 18(1) in my post was not with the intent to falsify its message, but because several legal commentaries I have analysed explicitly interpret the “social networks” exception as not applicable if personal data is made accessible to an undefined audience (e.g. ibid., Art 2 Rn 25) and define “personal or household activity” as by nature being the opposite of public, “öffentlichkeitsfeindlich” in German (Gola, DSGVO, Art 2 Rn 21; Paal/Pauly/Ernst, DS-GVO, Art 2 Rn 21). Other commentaries, too, state that publishing on a public website would be beyond the boundaries of what is considered “personal” (in this case referring to the similar exception in pre-2018 German privacy law), no matter the subjectively intended target group; herein reliable access control with a limited audience would be a relevant criterion (Plath, BDSG, §1 Rn 30; Simitis/Dammann, BDSG, §1 Rn 151). A 2016 article in Germany’s most prestigeous legal weekly NJW (Schantz, NJW 2016 p.1843) appears to be in almost diametral opposition to the position by van Alsenoy re the ECJ in casa Lindqvist and the interpretation of the GDPR trilogue outcome on Rec18: it claims that, despite an explicit “limited audience” requirement to the Art 2(2) “household exception” not finding its way into the final text as desired by the EP, there “are no signs that there was an intention to loosen this interpretation” (paraphrased translation mine). These are just to highlight that I did not make up any of my assumptions: everything written about the GDPR in the original article is based directly on – in scientific rigour generally more than one – legal professionals’ opinion (being a social scientist myself, I obviously know there are always different schools, but in my world view that does not render one opinion false unless empirically proven). As a lawyer you are no question more qualified to measure these, but neither a legal debate nor legal advice were ever the intent of my article. I wrote above paragraphs to provide you with some of the requested evidence to support my argumentation (even though unfortunately all German literature, I believe it is good to put out my sources for anybody to verify), and – more importantly – to show that, while we indeed appear to have different standpoints, my presentation is not based on malinformed scaremongering or undue elisions. Admittedly my perspective is potentially biased by chiefly building on German sources only, but I believe to have thoroughly done my homework as far as a non-lawyer possibly needs to, when writing on their design blog and presenting legal assumptions in the subjunctive. In addition, I want to point out that Germany is the country where a website owner can already get into trouble for a malformed “Impressum” imprint (not its absence, even just omitting f.ex. their snail mail address or publishing their e-mail address as an image file rather than screenreader-accessible HTML text). It is likely only a question of time until the originally well-intended, but today commonly misused, instrument of the “Abmahnung” will be utilized by a certain breed of lawyers to abuse unsuspecting website owners as cash cows starting May 25. This, among other reasons, is why I believe it is not alarmist but only sensible to discuss potentially overseen design-inherent risks with my (to a good share German) blog audience – always with my disclaimer, never sensationalist, but as a worst-case scenario to speculatively assess. Since the imprint requirement of §5 TMG has a (to my knowledge largely similar, though I did not look into the details), “private/household” exception, a pessimist could imply that any website owner who so far considered themselves needing an Impressum might also be subject to the rules of the GDPR – on German Indieweb sites, the Impressum is almost a staple feature, precisely out of fear of the costs incurred by such “Abmahnung”. Ultimately, while I genuinely appreciate that you point out your disagreement with my line of argumentation, above discussion leads – and I take from your intro that you are aware of that – pretty far off the main point of my article: the central question raised is one of ethics and design. And while the GDPR at this point indeed lacks precedents in case law or the ECJ corpus to definitively determine its applicability, the Indieweb community can today start to discuss about ideas to tackle certain implicit, opaque or surprising aspects of the Webmention and backfeed mechanisms. As a designer and concerned citizen, I see the GDPR primarily as a formal manifestation of the universal human right to privacy: its ethical underpinnings should be motivation for everybody to review how we deal with personal data. As the Indieweb community is shaping universal building blocks for the social web of the future, I believe that constructively questioning the “what we do is entirely private” argument is an imperative. Thank you once again for your comments, I appreciate and respect your point of view. That said, if you have an opportunity, I for my part would be very interested to read about the assessments you mention to have received from the various DPAs regarding Webmentions and backfeed, as that could introduce a welcome specificy to this debate.
thank you so much for writing this, Daniel! there’s obviously a ton of informed opinion, well intended speculation, concerns, and downtown FUD around the GDPR. there’s also a lot of overthinking, especially in the indieweb. i appreciate that we have someone with your experience and level head around!
Another (less doom-and-gloom perspective) on GDPR vs. Indieweb: ascraeus.org/micro/15255562…
Der 25. Mai 2018 hat sich ein bisschen so angefühlt wie der 2000er Jahreswechsel: Man wusste nicht, ob es ruhig bleibt oder ob einem alles um die Ohren fliegt. Menschen schalteten panisch ihre Blogs ab und in den Medien wurde rauf und runter diskutiert. Inzwischen ist es etwas stiller geworden, was darauf hindeuten könnte, dass es wirklich nicht so schlimm war, zumindest für den kleinen Blogger. Eine gute Gelegenheit also mal zu rekapitulieren, was hier so passiert ist.Ich muss zugeben: Es war schon nicht wenig Arbeit. Aber ich habe die Gelegenheit gerne genutzt, um mal wieder bei meinen Blogs unter die Motorhaube zu sehen und ein paar alte Spinnweben wegzuwischen. Und auch größere, richtig fette Spinnenfamilien. Ich predige ja gerne Minimalismus und lebe die Close-To-Core-Philosophie des Palasthotels. Und auch beim Filmschnitt hat es mir immer am meisten Spaß gemacht, noch ein paar Sekündchen mehr wegzuschneiden als die anderen im Team ertragen wollten. Was konnte man also hier im Blog tun?Diese Features sind nun GeschichteZuerst habe ich mich schlau gemacht, welche Elemente eines WordPress-Blogs denn problematisch sind. Ein Artikel von Tobi war dabei ein guter Einstieg für mich. Und nun ja, im Palasthotel hat man auch die ein oder andere Minute mit dem Thema verbracht. 😏 Um den Aufwand möglichst gering zu halten, habe ich letztendlich alle mehr oder weniger problematischen Features rausgeworfen. Wie sich herausstellte, habe ich die meisten eh nicht benutzt. Außerdem hasse ich Cookie-Popups. Ich will keine Cookie-Popups auf meinen Seiten! Konsequenz: Es darf keine Cookies geben. Nun denn, schauen wir mal etwas ins Detail: Plugin: Social Networks Auto Poster Erzeugt viel zu viel Aufwand. Man muss sich um eine Facebook-App kümmern, die mit dem WordPress verknüpfen, sich in Abhängigkeit des Plugins begeben, alle paar Wochen auf Error-Mails von Facebook reagieren, weil da wieder irgendwas in der App kaputt gegangen ist… So selten wie ich blogge, kann ich die Posts auch kurz manuell abschicken. Kleiner Nebeneffekt der Aktion: Leider sind die alten Posts auf der greatestview-Facebook-Seite mit der Löschung der App ins digitale Nirvana verschwunden. Nun ja, kann man leider nix machen. Plugin: FeedStats Ich weiß ehrlich gesagt gar nicht mehr, wann ich mir das letzte Mal Statistiken angeschaut habe. Interessiert mich ehrlich gesagt auch gar nicht, daher weg damit. Google Analytics … nimmt vermutlich den größten Teil in den Datenschutzerklärungen ein und erzeugt die hässlichsten Popups. Auch hier gilt: Hab ich die letzten Jahre nie reingesehen und interessiert mich eigentlich auch nicht. Außerdem hat es was nettes, wenn ein Blog die Besucher ausnahmsweise mal nicht trackt. Plugins: IndieWeb, Web Mentions, etc. Das hat ehrlich gesagt etwas geschmerzt, weil die Idee hinter IndieWeb schon sehr nett ist und ich damals einiges an Aufwand in die Integration gesteckt habe. Aber ich sehe auch ein, dass es datenschutztechnisch merkwürdig ist, Social-Media-Kommentare ohne Einwilligung öffentlich auf einem Blog zu posten. Und sich dabei auf einen Dritt-Service zu verlassen, dessen Betreiber selbst nicht sicher ist, ob das ganze DSGVO-konform ist.  Hier sei auf einen Artikel von Sebastian Greger verwiesen, der das ähnlich sieht, und auf einen von Daniel Goldsmith, der das weniger so sieht. Abgesehen davon wurde der Facebook-Support inzwischen eingestellt. Aber auch der Aufwand war eigentlich nicht mehr zu rechtfertigen. Die Plugins zerschießen bei Updates gerne mal das HTML und müssen so jedes Mal besonders unter die Lupe genommen werden, sehr anstrengend. Kurz: Ich hab etwas aufgeräumt, jetzt sieht man wieder nur noch klassische Blog-Kommentare. WordPress Emojis Telefonieren nach Hause und braucht man nicht. Gravatar Profilbilder sind nett, eine Tracking-Quelle weniger ist noch netter. Hier bin ich mir noch nicht sicher, ob ich die Bilder irgendwann mal wieder einführen werde. Google Fonts Die von mir eingesetzten WordPress-Themes sind so schon ziemlich veraltet, fehlende Google Fonts machen die auch nicht hässlicher. Außerdem hat man so eine bessere Ladezeit, also weg damit. Da stecke ich die Energie doch lieber in den nächsten Relaunch. Hardening WordPress Ein 100%ig sicheres WordPress/Drupal/xy wird es zwar nie geben, es schadet aber nicht, sich hier und da etwas intensiver Gedanken um die Sicherheit zu machen, vor allem wenn man verpflichtet ist, Nutzerdaten bestmöglich abzusichern. WordPress selbst liefert dazu eine Anleitung, die ich von oben bis unten durchgearbeitet habe. WordPress-Dateistruktur aufräumen Mein Webroot sah schon recht chaotisch aus, was einerseits an diversen Miniprojekten liegt und andererseits an der Natur von WordPress, alles in den Root zu packen und den Core nicht von Custom-Elementen sowie Konfiguration zu trennen. Da habe ich mir lange und intensiv Gedanken zu gemacht, das Ergebnis gibts demnächst in einem eigenen Blogartikel. Git Deployment automatisieren Wie auch im Palasthotel setze ich für meine Blogs auf ein Git-Deployment. Das ganze hat sehr viele Vorteile, aber auch einen entscheidenen Nachteil: Die WordPress-Auto-Updates funktionieren so natürlich nicht. Dazu habe ich mir auch etwas feines überlegt, mehr dazu später. HTTPS Oh ja, auch beim Hoster hat sich was getan! Bisher war meine Not-Lösung Cloudflare einzusetzen, da dort im Gegensatz zu meinem bisherigen Hoster SSL-Zertifikate kostenlos dabei sind. Dafür schickt man natürlich alle seine Daten über Server eines US-Unternehmens, was zumindest in Hinblick auf die DSGVO nachdenklich macht. Aber es gibt nun eine schöne Lösung, dazu ebenfalls später mehr. So sieht das ganze doch gleich etwas übersichtlicher aus.
{{ page.reacji }}
hah! I was just about to ask for the correct link :-)