Sebastian, first of all, thank you for your detailed write up on this issue. I think much of your roadmap is worthwhile, and of great interest.
I cannot, however, say that I am convinced by your contentions regarding the effect of GDPR and indieweb sites. In particular, I think your definitions are excessively broad, and you elide much information from both the Regulation itself and the Recitals.
Take, for instance, your quotation of Recital 18, which is key to the matters here presented. I note that you have chosen not to quote the Recital in full (despite its brevity) and you use it in support of (imo) a wholly erroneous contention regarding what is and is not personal. For the record, Recital 18, in full, is as follows (emphasis mine):
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
It is quite clear, from the highlighted section, that information which is provided in the context of social networking is itself not a subject of the Regulation. I am curious as to why you omitted that second sentence in your article?
I also do not understand your position that German Legal Literature means that any personal website where someone publishes anything regarding an area related to their professional activity automatically becomes a commercial activity for the purpose of GDPR. The GDPR has not, as yet, become law. There is no precedent support for your position in the corpus of the ECJ (nor could there be). There is disputation at all levels of the ECJ on the question of when an activity ceases to be personal activity (Lindqvist, for example, or Rynes); however, it is notable that the Working Group regarding GDPR specifically cited the dictum in Lindqvist as incorrect, and both Article 9 and Recitals surrounding same were designed to place restraint on that dictum. The original intention was to broaden the exemption more dramatically, but this was resisted strongly by a curious alliance of authoritarians and anti-governmental fractions in the European Parliament. Nonetheless, the dictum is significantly broader than that which pertained in 1998. (For a more detailed look at this issue, see for example this article by Brendan Van Alsenoy, legal advisor at the Belgian Data Protection Authority.)
I would be, naturally, happy to be proven wrong; however, I simply cannot accept that your various statements regarding the law of the matter are correct in the absence of evidence to support them. Unfortunately, I don’t speak German, and am unable to comment on Dr. Schwenke’s positions in the podcast. All I can comment on is the statements in your bulleted list.
For example, the first point: “Individuals have to be informed when data about them is pulled in from third sources.”
Informed by whom? By which site? Consent to the viewing, accessing and storage of public data is provided in the Regulation. What is the basis for this claim?
Or the second bullet point: “Pulling “likes” and profile images from Twitter in Indieweb manner (in my opinion precisely described by the show host) requires a statement in the privacy notice and the affected persons have to be informed”
Again - on what basis? Where is the support within the GDPR for this claim?
I’m sorry if this sounds churlish, but as a lawyer I refuse to take such claims as meaningful in the absence of supporting rationale. Like Dr. Schwenke, I’m a practitioner as opposed to an academic of law. Like most such practitioners, I’ve been undertaking GDPR training in the last two years. Not once in any of that training has there been any support for the type of legal minefield you propose. I’ve spoken about Indieweb components, including backfeed, with legal advisors to the Irish, Dutch and Belgian DPAs. None of them have raised objections of the nature mentioned by you as being required by GDPR.
GDPR is scary enough as it is. It is also an incredible opportunity, a moment in which we can look to a future absent the abuse visited upon us all by Corporations with a skewed view of rights and values. I look forward to it for those reasons, and I welcome all efforts to secure that future.