GDPR marvelous or monstrosity?

My initial reaction to GDPR was twofold: I simultaneously felt it was marvelous for me as an EU citizen and a monstrosity for me as a webmaster to implement. However, getting to grips with it, I found it was not as difficult for me as a webmaster as I first imagined. Most of what was required we were already implementing as ‘best practice’. So my overall impression six months later is that it is really brilliant for us as EU citizens.

Not everyone sees it that way and it has resulted in some negative publicity and some sites in the USA attempting to block EU citizens from accessing their sites. Most of the negative posts appear to misunderstand the intentions and operation of GDPR.

As EU citizens, is GDPR a blessing or a curse? Does it, as one writer put it, ‘look like bad news for free expression and information access online’? Is it, in effect, creating an online content war between the EU and USA?

GDPR and website visitors

I recently hit my first GDPR/EU blocked website as a result of a friend from the USA posting a link to an article from the New Hampshire Union Leader. This is the website of a New Hampshire news source provided on a non-subscription (free access) basis to members of the public worldwide, but currently partially blocked in the EU. Having very easily bypassed their block and looking at the site, they actually appear to be very close to GDPR compliant, hence the block is bizarre to say the least. The reason for some people’s concern is what they consider to be the wider implications of GDPR’s ‘right to be forgotten’. We will come to that later.

New Hampshire Union Leader is providing services without payment and hence does fit within the provisions of GDPR — ‘In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.’ GDPR preamble statement number 23

However… although the New Hampshire Union Leader is providing a service without payment as outlined in GDPR preamble statement number 23, it only has offices within the USA and the GDPR is not law of the USA, hence there is no method for someone in the EU to take action against this company! Where services (or goods sold) are to EU data subjects for payment, then the EU member states can ban the goods or services based on that payment as penalty, if the entity is not directly trading within the EU, or impose punitive penalties on entities trading within the EU. Because New Hampshire Union Leader is neither charging for services nor trading within the EU, it falls outside of any method EU member states or EU citizens have of imposing penalties on it.

GDPR Article 3.3 states that GDPR applies only in relation to public international law: ‘This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.’ 

Public international law is that which covers relations between nation-states, like treaty law, the law of the sea, international criminal law, the laws of war or international humanitarian law, international human rights law, and refugee law. It is possible that international human rights law might apply, but that would apply with or without GDPR.

As a news organisation they may be concerned not about the storage of tracking information but that data subjects might object to the content of news articles written about them. However, GDPR Article 17.3a specifically absolves data controllers from the right to be forgotten ‘for exercising the right of freedom of expression and information’. Any claims about the accuracy of the information published would be covered by existing international copyright law (like the Berne Convention) or libel law, which is jurisdiction-restricted, and therefore civil actions need to be taken within the country or state concerned. Not so obviously for search engines such as Google who do trade within the EU.

Partially blocking access means data subjects in the EU can still access it, and data subjects resident in non-EEA member states but who are nevertheless EU citizens can also access it. It is therefore a knee-jerk reaction to something that is easy to comply with.

So what would Union Leader have to do and why would this be onerous rather than best practice?

Firstly, the core way that GDPR applies to websites is in the use of cookies and meta cookies, especially the Google meta cookie. As such, a website needs to gain consent from visitors to use those cookies, and that ‘Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.’ GDPR preamble statement number 32

The service offered is a general news service with a specific emphasis on the New Hampshire region; gathering tracking information about data subjects does not, as such, make that data ‘sensitive’, and therefore the provision for sensitive information does not apply: ‘Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection as the context of their processing could create significant risks to the fundamental rights and freedoms.’ GDPR preamble statement number 51.

Within the context of meta-cookies it does require explicit permission — ‘The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.’ GDPR Article 22.1

Alongside the requirement to ask permission to store information (set cookies, gather Google meta data) the website needs to explain clearly and unambiguously what it is doing — ‘The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used.’ GDPR preamble statement number 58

Finally, within this simple context a data subject may retrospectively ask ‘to be forgotten’, which is a function facilitated within data tracking systems like Google Analytics — ‘A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject.’ GDPR preamble statement number 65

The requirement of communicating data breaches (‘The controller should communicate to the data subject a personal data breach, without undue delay, where that personal data breach is likely to result in a high risk to the rights and freedoms of the natural person in order to allow him or her to take the necessary precautions.’ GDPR preamble statement number 86) does not apply since, although Google meta-cookies do directly link to data subjects, it is not possible for Google Analytics users to reverse track that to an individual data subject to inform them of any data breach.

In other words, New Hampshire Union Leader would need to ask permission to store cookies on a visitor’s computer and only do so if the visitor accepts it. This is relatively trivial to do and has been common best practice for many years.

They would also have to explain clearly in non-technical language what they were doing. Again, this is not a burden and is simple to implement, and it is something they already do in their Privacy Statement. In their privacy statement they do not say they are using Google meta-cookies so, assuming their statement is accurate, they are actually GDPR compliant already and would need to do nothing except ask permission to store that cookie, though on that there is ambiguity as it doesn’t directly link to a data subject like a Google meta-cookie.

If they used meta cookies like Google Analytics then they would, however, need to keep a list of meta-cookies that have accepted their terms. This is less trivial but really not onerous. We are a whole lot smaller than the New Hampshire Union Leader and have implemented it without difficulty. And, if someone asks to be forgotten, remove their meta data information from their Google Analytics account. This very, very rarely happens and is therefore not onerous.

The right to be forgotten

As we grow older and face death many of us wish to be remembered by our children and grand-children so the idea of the ‘right to be forgotten’ may seem strange to say the least. But the aim of that part of GDPR is not to forget all information about someone but the right for EU citizens to request ‘irrelevant’ or ‘out-of-date’ personal information to be removed.

Daphne Keller in an article for headlines the new GDPR right to be forgotten as ‘The new, worse ‘right to be forgotten’’. This follows on from the 2014 court case where the European Court of Justice ruled that EU citizens had the right to prevent search engines from linking websites carrying ‘irrelevant’ or ‘out-of-date’ personal information. That EU citizens can stop search engines linking to ‘irrelevant’ or ‘out-of-date’ personal information should be seen as a blessing rather than a curse and something we should be thankful for as EU citizens!

Daphne writes ‘the new provision looks like bad news for free expression and information access online’ and, she claims, ‘It is already far too easy for individuals or companies to raise dubious legal claims against content they disagree with, and pressure private Internet platforms to take it down.’

Her belief is that GDPR won’t ‘help the people whose opinions, artwork, news reporting, or other expression vanishes from the Internet’ due to ‘over-reaching requests’. One American friend put it as ‘GDPR (is) making it even easier effectively weaponizes litigation to create a media oligarchy.’ Their belief is that this is in part because the EU is left of centre and media sources like the New Hampshire Union Leader are right of centre. In reality, GDPR follows the EU principle of providing a ‘level playing field’.

Daphne is clearly siding with the data controllers rather than the data subjects in stating ‘If we want to protect culture, commentary and creativity online, private Internet companies need the confidence to resist right to be forgotten requests that have no basis in European law.’

But as EU citizens we need the confidence to know that companies will be forced to comply with requests to remove content when it is ‘irrelevant’ or ‘out-of-date’. This is one of the rights we have as EU citizens!
