Re: GDPR Explained: Part 1 – Linux Liaison


An audio version of this post exists here.

Recently a friend of mine, pseudonym @h4ck3r9, has begun a series about the GDPR. This crazy person has decided to read the full 88-page document (not that crazy, they’re still pretty cool), in order to give a little bit of a summation and explanation of the articles (law terminology) present in the regulation description. Now, they’re refraining from including their opinion on the principle of presenting data in an objective manner, but I’m gonna go a little more into the interpretive side of things.

You all know that I love storytelling so there’s going to be a little bit of that involved in this post. There are some unintended repercussions that the GDPR affords and so I’ll be delving a little bit into those, using @h4ck3r9’s first GDPR post as a kicking-off point.

Let’s start with a few points that @h4ck3r9 made:

  1. [The creator of the data] believe[s] that they will retain rights to that data regardless of where it is stored.
  2. [The GDPR] effectively gives the EU government [and member states] a monopoly on data collection, which some may see as a good thing and others may see as quite sinister.
  3. The basic breakdown of the scope is any data processors/collectors in the world that manipulate the property rights of any EU resident. That includes foreign residents and natural residents. If an EU citizen is in, say, China, their rights cannot be legally protected by this law.
  4. The data collector and processor must be transparent and state a specific purpose for the collection/processing of data. They must also limit the collection/processing to “what is necessary” for their specific purpose.

In regards to the first point, US copyright law states the following:

“Literary works” are works, other than audiovisual works, expressed in words, numbers, or other verbal or numerical symbols or indicia, regardless of the nature of the material objects, such as books, periodicals, manuscripts, phonorecords, film, tapes, disks, or cards, in which they are embodied.

From my interpretation, the EU copyright law states something similar, giving protection to ‘literary works’ according to this same definition. The expectation is that the data that a user creates, which is then collected by third-parties, is perpetually the creator’s…unless they agree to a terms of service that signs away those rights.

This, of course, is the case for those using services like Facebook, Apple, Google, or Amazon (FAGA). What the GDPR is changing here, ultimately, is the language used in such ToS or EULAs. Pre-GDPR they’ve either been convoluted or heavily laden with legalese intended to create confusion. These things are literally written by FAGA lawyers (the distinction between FAGA lawyers and regular ones being that they’re well-versed in and veterans of corporate fuckery).

Before I dig too deep into that first point, let’s move onto the second one, because it’s a biggie.

From what I understand about this point, the EU has effectively reserved the right to collect any and all data, making them exempt from the obligation of immediately providing a specific purpose for data collection and how the data they’re collecting fulfills that purpose. What I don’t see is where the buck stops.

My interpretation here is that the EU (and member states) have the right to collect whatever data, at whatever time, regardless of the purpose, and that they have the ability to extend these rights to whomever they see fit. What’s to stop them from giving these sorts of far-reaching and irresponsible rights to a third party, such as the NSA or FAGA, in a perpetual manner? Realistically, they are indeed the ones making the laws here, so they decide what they want, but this is still a matter of being responsible with the laws that are put into effect.

Let’s go a little further. Since member states seem to possess the same abilities, can they also willy-nilly assign these far-reaching rights to external governments? I mean, this seems to be a huge flaw and I’m hoping that I’ve just misunderstood something gravely, because maybe the EU and member states can even dole out these assigning abilities to third parties!

Onto the third point.

Basically, FAGA, the like, and any other entity manipulating/collecting data of anyone currently physically or virtually (VPN) residing in the EU must adhere to the regulations as set forth by the GDPR. While this certainly does provide a huge benefit, it has also resulted in some nasty repercussions in regards to incidental censorship.

While some media companies in the US have chosen to give netizens of the EU the choice as to whether they want their data collected or not, and still allow access if they don’t, others have chosen to outright restrict access to their website, regardless of the respective EU netizen’s privacy decision (go here for more fun!).

I’m sure that EU netizens aren’t missing out on much when it comes to some of these news outlets blocking access, but it just goes to show that even the media outlets are potentially using the information collected for nefarious purposes if they’re so afraid of the GDPR hammer coming down. What could they have been doing with the data that could get them in so much trouble? What kind of data did they intend to collect in the first place? What use is any of the data apart from being of interest for their advertisers?

I’ve been saving the best point for last. Let’s rehash it here for juxtaposition:

The data collector and processor must be transparent and state a specific purpose for the collection/processing of data. They must also limit the collection/processing to “what is necessary” for their specific purpose.

I wonder how successful the articles defining this will be at achieving the goal of protecting the rights of EU netizens in regards to their data. As noted before, FAGA lawyers are well-versed in fuckery. Luckily, when providing users with their specific reasons for data collection, they must also do so in “clear and plain language” according to Article 12, §1 (sorry @h4ck3r9, I needed this right now) of the GDPR.

In the future, we’re going to see a lot of precedent set in the court of law regarding interpretations of the GDPR. Hold onto your hats, future lawyers; some of you might want to specialize in interpretations of this strenuous and far-reaching regulation.

I hope you’ve learned at least a little and can glean some more of your own opinions thanks to what I’ve written here. If you want to read @h4ck3r9’s post, you can find it on his blog here.
