My initial reaction to GDPR was twofold I simultaneously felt it was marvelous for me as an EU citizen and a monstrosity for me as a webmaster for me to implement. However, getting to grips with it I found it was not as difficult for me as a webmaster as I first imagined. Most of what was required we were already implementing as ‘best practice’. So my overall impression six months later is that it is really brilliant for us as EU citizens.
Not everyone sees it that way and it has resulted in some negative publicity and some sites in the USA attempting to block EU citizens from accessing their sites. Most of the negative posts appear to misunderstand the intentions and operation of GDPR.
As EU citizens
GDPR and website visitors
I recently hit my first GDPR/EU blocked website as a result of a friend from the USA posting a link to an article from the New Hampshire Union Leader (UnionLeader.com). This is the website of a New Hampshire news source provided on a non-subscription (free access) basis to members of the public worldwide, but currently partially blocked in the EU. Having very easily bypassed their block and looking at the site, they actually appear to be very close to GDPR compliant hence the block is bizarre
New Hampshire Union Leader is providing services without payment and hence does fit within the provisions of GDPR — ‘In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.’ GDPR preamble statement number 23
However… although the New Hampshire Union Leader is providing a service without payment as outlined in GDPR preamble statement number 23, it only has offices within the USA and the GDPR is not
GDPR Article 3.3 states that GDPR applies only in relation to public international law: ‘This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.’
Public international law is that which covers relations between nation-states, like treaty law, the law of the sea, international criminal law, the laws of war or international humanitarian law, international human rights law, and refugee law. It is possible that international human rights law might apply, but that would apply with or without GDPR.
As a news
Partially blocking access, means data subjects in the EU can still access it, and data subjects resident in non-EEA member states but who are nevertheless EU citizens can also access it. It is
So what would Union Leader have to do and why would this be onerous rather than best practice?
The services offered of general news service, with a specific emphasis on the New Hampshire region with the data gathering of tracking information about data subjects does not as such make it ‘sensitive’ and therefore the provision for sensitive information does not apply: ‘Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.’ GDPR preamble statement number 51.
Within the context of
Alongside the requirement to ask permission to store information (set cookies, gather Google meta data) the website needs to explain clearly and unambiguously what
Finally within this simple context a data subject may retrospectively ask ‘to be forgotten’ which is a function facilitated within data tracking systems like Google Analytics — ‘A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject.’ GDPR preamble statement number 65
The requirement of communicating data breaches (‘The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.’ GDPR preamble statement number 86) does not apply since although Google meta-cookies do directly link to data subjects it is not possible for Google Analytics users to reverse track that to an individual data subject to inform them of any data breach.
They would also have to explain clearly in non-technical language what they were doing. Again not a burden and simple to implement, and something they already do in their Privacy Statement. In their privacy statement they do not say they are using Google-meta cookies so, assuming
If they used meta cookies like Google Analytics then they would
The right to be forgotten
As we grow older and face death many of us wish to be remembered by our children and grand-children so the idea of the ‘right to be forgotten’ may seem strange to say the least. But the aim of that part of GDPR is not to forget all information about someone but the right for EU citizens to request ‘irrelevant’ or ‘out-of-date’ personal information to be removed.
Daphne Keller in an article for politico.eu headlines the new GDPR right to be forgotten as ‘The new, worse ‘right to be forgotten’‘. This follows on from the 2014 court case where the European Court of Justice ruled that EU citizens had the right to prevent search engines from linking websites carrying ‘irrelevant’ or ‘out-of-date’ personal information. That EU citizens can stop search engines linking to ‘irrelevant’ or ‘out-of-date’ personal information should be seen as a blessing rather than a curse and something we should be thankful for as EU citizens!
Daphne writes ‘the new provision looks like bad news for free expression and information access online‘ and, she claims, ‘It is already far too easy for individuals or companies to raise dubious legal claims against content they disagree
Her belief is that GDPR won’t ‘help the people whose opinions, artwork, news reporting, or other expression vanishes from the Internet‘ due to ‘over-reaching requests‘. One American friend put it as ‘GDPR (is) making it even easier effectively weaponizes litigation to create a media oligarchy.’ Their belief is that this is in part because the EU is left of
Daphne is clearly siding with the data controllers rather than the data subjects in stating ‘If we want to protect culture, commentary
But as EU citizens we need the confidence to know that companies will be forced to comply with requests to remove content when it is ‘irrelevant‘ or ‘