Sebastian, first of all, thank you for your detailed write up on this issue. I think much of your roadmap is worthwhile, and of great interest.
I cannot, however, say that I am convinced by your contentions regarding the effect of GDPR and indieweb sites. In particular, I think your definitions are excessively broad, and you elide much information from both the Regulation itself and the Recitals.
I think I fall somewhere in the middle of the two and see some of the moral and ethical pieces which are more important from a people perspective. I’m not as concerned about the law portion of it for a large variety of reasons. It’s most interesting to me to see the divide between how those in the EU and particularly Germany view the issue and those in the United States which may be looking at regulations in the coming years, particularly after the recent Facebook debacle.
As I think of these, I’m reminded about some of the cultural differences between Europe and the United States which Jeff Jarvis has expounded upon over the past several years. Europeans are generally more leery of corporations and trust government a bit more while in America it’s the opposite.
Sebastian, first of all, thank you for your detailed write up on this issue. I think much of your
roadmap
is worthwhile, and of great interest.I cannot, however, say that I am convinced by your contentions regarding the effect of GDPR and indieweb sites. In particular, I think your definitions are excessively broad, and you elide much information from both the Regulation itself and the Recitals.
Take, for instance, your quotation of Recital 18, which is key to the matters here presented. I note that you have chosen not to quote the Recital in full (despite its brevity) and you use it in support of (imo) a wholly erroneous contention regarding what is and is not
personal
. For the record, Recital 18, in full, is as follows (emphasis mine)It is quite clear, from the highlighted section, that information which is provided in the context of social networking is itself not a subject of the Regulation. I am curious as to why you omitted that second sentence in your article?
I also do not understand your position that German Legal Literature means that any personal website where someone publishes anything regarding an area related to their professional activity automatically becomes a
commercial
activity for the purpose of GDPR. The GDPR has not, as yet, become law. There is no precedent support for your position in the corpus of the ECJ (nor could there be). There is disputation at all levels of the ECJ on the question of when an activity ceases to be personal activity (Lindqvist, for example, or Rynes) however it is notable that the Working Group regarding GDPR specifically cited the dictum in Lindqvist as incorrect, and both Article 9 and Recitals surrounding same were designed to place restraint on that dictum. The original intention was to broaden theexemption
more dramatically, but this was resisted strongly by a curious alliance of authoritarians and anti-governmental fractions in the European Parliament. Nonetheless, the dictum is significantly broader than that which pertained in 1998. (For a more detailed look at this issue, see for example this article by Brendan Van Elsonoy, legal advisor at the Belgian Data Protection Authority.I would be, naturally, happy to be proven wrong, however I simply cannot accept that your various statements regarding the law of the matter are correct in the absence of evidence to support them. Unfortunately, I don’t speak German, and am unable to comment on Dr. Schwenke’s positions in the podcast. All I can comment on is the statements in your bulleted list.
For example, the first point: “Individuals have to be informed when data about them is pulled in from third sources.”
Informed by whom? By which site? Consent to the viewing, accessing and storage of public data is provided in the Regulation. What is the basis for this claim?
Or the second bullet point: “Pulling “likes” and profile images from Twitter in Indieweb manner (in my opinion precisely described by the show host) requires a statement in the privacy notice and the affected persons have to be informed”
Again – on what basis? Where is the support within the GDPR for this claim?
I’m sorry if this sounds churlish, but as a lawyer I refuse to take such claims as meaningful in the absence of supporting rationale. Like Dr. Schwenke, I’m a practitioner as opposed to an academic of law. Like most such practitioners, I’ve been undertaking GDPR training in the last two years. Not once in any of that training has there been any support for the type of legal minefield you propose. I’ve spoken about Indieweb components, including backfeed, with legal advisors to the Irish, Dutch and Belgian DPAs. None of them have raised objections of the nature mentioned by you as being required by GDPR.
GDPR is scary enough as it is. It is also an incredible opportunity, a moment in which we can look to a future absent the abuse visited upon us all by Corporations with a skewed view of rights and values. I look forward to it for those reasons, and I welcome all efforts to secure that future.
What if you trust neither because each represents an asymmetric use and flow of information and power?