The GDPR is legally convenient, in case you are a private person, and want the illusion of control over data gathered from you.
However, when considering its actual impact, and looking at it from different perspectives, it can appear strange, and perhaps even scary.
I had doubts about certain data being labeled "personal", such as IP addresses. Sometimes, people share an Internet connection, which means they would share an IP address.
But according to Article 4, "‘personal data’ means any information relating to an identified or identifiable natural person". This means an IP address is personal data, even if a processor can't by itself identify a user.
This definition is very broad. Perhaps one can use shoe size to identify a person (say, pinpoint someone within a household). This means shoe size can be personal data, and you are liable if you share your friends' shoe sizes!
If you record the phone numbers of your friends, say, on your phone, then you are processing personal data.
Fortunately, according to Article 2, the GDPR does not apply to you, if you are a "natural person" and you process the data "in the course of a purely personal or household activity".
There are two relevant court cases about this which I found here:
- One may not record a public space with a webcam, as a "purely personal or household" activity
- One may not transmit the name or contact details of other people as a "purely personal or household" activity either
You can search for more cases on the CURIA website by clicking on "Search form" at the top, then removing the "ECLI:EU:" field, then filling in your terms in the "Text" field.
So, suppose you want to introduce two friends over the phone (they are not physically near you). There are two ways to do this:
- Give friend A's number to friend B -> sharing friend A's number is not "purely personal" (because friend B is an outsider).
- Give friend B's number to friend A -> sharing friend B's number is not "purely personal" (because friend A is an outsider).
The only way to make this legal is to ask for one of the friends' permission (as per Art. 6(1)(a)) to share their number, and to keep the required records for a processor and controller (you are both, in this case).
This is ridiculous. Laugh, I tell you!
Article 6(1)(f) says processing is lawful when:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
This pits the "legitimate interests" of the controller against the "fundamental rights" of the data subject. These two rights are contradictory.
Suppose it is in my interest to identify scammers on the Internet. This necessarily infringes the scammer's right to privacy. What is "legitimate"? That's a word on which the entire GDPR rests, but it's quite vague.
Here is a long exploration someone else made on the subject. But it's not very conclusive.
Fines can be up to whichever is higher: €20M or 4% of turnover.
- If a small company is fined, the fine could exceed the company's entire worth, putting it out of business.
- If a very large company is fined, the 4% limit applies: of Facebook's €50 billion, say, it would lose only 4% (€2 billion). This would be a slap on the wrist for them, and would let them keep most of the money resulting from the most egregious infringements.
As you can see, the Big Tech lobbying worked. They have arranged so that newcomers and smaller competitors are exterminated. Justice much? (See the last point here.)
Edit 2019-11-18: Implementation and impact
Technically, any site can embed content from any other site, say, from Google.
Your browser then sends Google a request, perhaps with personal data in the HTTP Referer header (the URL of the page you were on, query string included), and you typically don't get a say in this.
This results in a blatant violation of your privacy. Clearly, this law is enforced only for some players. Sure, Google got a fine as well, but €50 million is a slap on the wrist, compared to their net income in the billions. Also, where is Facebook on this list, with their Like buttons plastered on every site, collecting data without consent? Where is Amazon, hosting tons of sites on their S3 servers, more than likely analyzing their data?
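To make the Referer leak concrete, here is an added example (not part of the original post) that computes what a browser would put in the Referer header of a request for embedded third-party content under each Referrer-Policy value, so a site owner can see which policy keeps the personal data in a page URL off the third party's logs. The page URL and third-party hostname are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed example: a page whose URL carries personal data in the query string,
# embedding an image served by a third party (both hostnames are made up).
PAGE_URL = "https://example-shop.test/account?email=alice%40example.test&order=1234"
THIRD_PARTY_IMG = "https://cdn.third-party.test/like-button.png"

POLICIES = ["no-referrer", "origin", "same-origin", "strict-origin",
            "strict-origin-when-cross-origin", "origin-when-cross-origin",
            "no-referrer-when-downgrade", "unsafe-url"]


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}/"


def referer_sent(referrer: str, target: str, policy: str = "") -> Optional[str]:
    """Value of the Referer header the browser sends when the page at `referrer`
    requests `target`, per the Referrer-Policy rules. None means no header at all.
    Assumes `referrer` carries no user:password part (browsers always strip it)."""
    if policy == "":
        policy = "strict-origin-when-cross-origin"  # default in current browsers
    full = referrer.split("#", 1)[0]                # fragment is never sent
    origin = origin_of(referrer)
    same_origin = origin == origin_of(target)
    # https -> http is a "downgrade"; several policies then send nothing.
    downgrade = urlsplit(referrer).scheme == "https" and urlsplit(target).scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin
    if policy == "unsafe-url":
        return full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown referrer policy: {policy}")


def leaks_query(referrer: str, target: str, policy: str = "") -> bool:
    """True when the page's query string (where the personal data sits) reaches `target`."""
    sent = referer_sent(referrer, target, policy)
    return sent is not None and urlsplit(sent).query == urlsplit(referrer).query


if __name__ == "__main__":
    for pol in POLICIES:
        print(f"{pol:33} -> {referer_sent(PAGE_URL, THIRD_PARTY_IMG, pol)}")
```

A site can pick the policy with a `Referrer-Policy` response header or a `<meta name="referrer">` tag; only `no-referrer`, `same-origin`, and the origin-only policies keep the query string away from cross-origin embeds, and `unsafe-url` sends everything.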
Luckily, you might still get the impression of privacy, with every cookie warning pestering you on every tiny site, EVEN IF you know how to turn off cookies IN YOUR BROWSER, because YOU KNOW HOW TO BROWSE THE WEB.
In this post, you can find tips for keeping your data to yourself.
What you can do
Ask the GDPR authority in your country before you do something with other people's data. If you do not get a response within 30 days, tell the Ombudsman / People's Advocate, and/or the media.
Hopefully pestering the GDPR authority will give you at least an idea of what they expect.
An alternative to the above is to perform civil disobedience: risk fines in exchange for demonstrating the absurdity of laws.
Do pester other people with this post!