GDPR
This article is a stub. You can help the IndieWeb wiki by expanding it.
GDPR is the EU General Data Protection Regulation which sets much tighter guidelines on use of personally identifiable information, and is backed by law, including fines for non-compliance. Enacted on May 25, 2016, organizations were permitted a two-year grace period to bring their processes into compliance. Organisations which are not compliant after May 25, 2018 face penalties of up to 4% of annual global turnover or €20 Million.
The GDPR is similar to California's CCPA, which took effect 2020-01-01.
Does it apply to my Indieweb site?
Perspective 1
Purely personal sites are exempt per Article 2. If on the other hand your website contains paid ads or advertising for your services or products made by you, it is within scope of GDPR.
Perspective 2
Strict interpretations of the law (e.g. in some German legal literature; only future case law may provide a more definitive answer) indicate a potential applicability of the GDPR to personal, non-commercial websites under certain circumstances.
The conditions for exemption of Art. 2(2) lit. c GDPR are formulated very strictly: "by a natural person in the course of a purely personal or household activity". This is further specified by Recital 18(1) GDPR: "This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity."
Strictly read, "no connection" could potentially mean that the GDPR is applicable to a personal website as soon as it has any connection to a professional or commercial activity, hence not only applying to commercial aspects but e.g. to a web professional discussing web technology on their personal site.
Some GDPR concepts
Please note: The Indieweb Wiki is not a legal resource. Information presented herein may not be accurate, or apply to your specific circumstances.
Legal grounds for processing
GDPR always requires a legal basis for data processing, see Art. 6 GDPR:
- Consent
- Contract
- Legal obligation
- Vital interest
- Public task
- Legitimate interest
Each of these come with strict rules as to their preconditions and resulting obligations.
Consent
Consent is one of six possible grounds to justify processing [1]. The Guidelines warn:
- if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.
Data Portability
GDPR also requires data portability – that data can be moved from one service to another in a safe, standard, usable way.
Regarding which data the guidelines (PDF) eg. say:
As an example, the titles of books purchased by an individual from an online bookstore, or the songs listened to via a music streaming service are examples of personal data that are generally within the scope of data portability, because they are processed on the basis of the performance of a contract to which the data subject is a party.
This extends to “posts on social networking websites”, as noted on the official FAQ page. Your data will have to be provided to you “free of charge, in electronic format” [2] and you are allowed to give the data to another website [3]. This could make up for silos not offering native export options.
Data Erasure
Building on the 'Right to be Forgotten' decision in the European Courts, the Regulation for the first time codifies the right to have personal data erased by data processors. There are limits to this right, which must be balanced against freedom of expression, the public interest in health, scientific and historical research, and the exercise or defense of legal claims.
Extra Territoriality
Unlike the previous law (Data Protection Directive 95/46/e) the GDPR applies to all companies processing the personal data of all persons residing in the European Union, regardless of the company’s location. This is a major shift to the previous law, which required the establishment of a business in a member State of the Union. Furthermore, the previous gap in the law where data was 'processed' outside the EU no longer applies, as it is the subject of the data now has rights.
Articles
- 2018-05-02
Sebastian Greger: The Indieweb privacy challenge (Webmentions, silo backfeeds, and the GDPR) (archived). Leading to the following back-and-forth:
- 2018-05-05
Daniel Goldsmith: Reply to The Indieweb privacy challenge (Webmentions, silo backfeeds, and the GDPR) (archived) - 2018-05-06 Sebastian Greger: Reply to above (archived)
- 2018-05-06 Daniel Goldsmith: Reply to the above reply (archived)
- 2018-05-05
Sessions
Past sessions at IndieWebCamps
See Also
- blockchain criticism: violates GDPR
- http://www.eugdpr.org/
- https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/introduction/
- 2017/Nuremberg/law
- FreeMyOAuth
- Do Not Track
- https://amp.theguardian.com/technology/2017/aug/07/uk-citizens-to-get-more-rights-over-personal-data-under-new-laws
- Is Your Website GDPR Compliant? With extra focus on WordPress and plugins that collect personal data.
- https://www.gdprwp.com/ – We aim to give plugin developers a simple solution to GDPR validate their plugin, and offer Website Administrators the overview and tools to handle the administrative tasks involved with being GDPR compliant.
- https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/
- Advice from mailing list service MailChimp
- GDPR Article 9) (2) e exempts processing relates to personal data which are manifestly made public by the data subject; https://gdpr-info.eu/art-9-gdpr/
- https://blog.acolyer.org/2018/03/21/on-purpose-and-by-necessity-compliance-under-the-gdpr/
- https://twitter.com/blaine/status/992450739518795776
- "Personal Email as used today violates GDPR? Discuss." @blaine May 4, 2018
- Handreichungen für kleine Unternehmen und Vereine (German)
- https://www.earth.li/pipermail/gdpr-discuss/
- https://velocitypartners.com/blog/gdpr-really-means/
- Charlie Stross's GDPR statement for his indie site: https://www.antipope.org/charlie/blog-static/2018/05/gdpr-compliance-notice.html
- https://www.theguardian.com/technology/2018/may/21/gdpr-emails-mostly-unnecessary-and-in-some-cases-illegal-say-experts
- https://twitter.com/fr3ino/status/1000166112615714816
- "Because of #GDPR, USA Today decided to run a separate version of their website for EU users, which has all the tracking scripts and ads removed. The site seemed very fast, so I did a performance audit. How fast the internet could be without all the junk! 🙄
5.2MB → 500KB" @fr3ino May 26, 2018
- "Because of #GDPR, USA Today decided to run a separate version of their website for EU users, which has all the tracking scripts and ads removed. The site seemed very fast, so I did a performance audit. How fast the internet could be without all the junk! 🙄
- 2018-05-12 Doc Searls: GDPR will pop the adtech bubble
- https://wiki.xmpp.org/web/GDPR
- It is not just cookies, GDPR is technology agnostic so any fingerprinting is covered:
[…] under the GDPR “identification” does not require establishing a user’s identity. It is enough that an entity processing data can indirectly identify a user, based on pseudonymous data, in order to perform certain actions based on such identification (for instance, to present different ads to different users, based on their profiles).
- https://www.caprivacy.org/
- privacy
- Privacy vulnerability: 2019-08-09 The Register: Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data
Of the responses, 24 per cent simply accepted an email address and phone number as proof of identity and sent over any files they had on his fiancée.
- GDPR Compliance Notice on Island in the Net by Khürt Williams