Replied to:
Sebastian, first of all, thank you for your detailed write up on this issue. I think much of your roadmap is worthwhile, and of great interest. I cannot, however, say that I am convinced by your contentions regarding the effect of GDPR and indieweb sites. In particular, I think your definitions are excessively broad, and you elide much information from both the Regulation itself and the Recitals.
Daniel, thank you for your elaborate response to my article on “The Indieweb privacy challenge”.
As I explicitly state whenever writing about the GDPR: I am not a lawyer. In recent months, I spent more hours on legal research and debates than many designers ever will, but I always inform readers that I am not formally trained. I put a lot of effort in finding the most reputable sources and put great care in formulating any legal references as the understanding that informed my design work, not universal fact. Therefore, any reader jumping to legal conclusions would be misframing, not me. Alarmism really is not my intention, but I believe it must - especially in the unfortunate absence of definitive rulings - be allowed to explore potentially broad interpretations of the GDPR. Speculative thinking is a powerful tool in design. I, too, see the GDPR as a great opportunity and am excited to see the change it already starts to entail on our society.
From what I have learned, the German judicative’s interpretation of privacy laws has traditionally been always amongst the strictest; maybe that, at least to some degree, can explain why my sources tell a different story than the perspective you present. Could such dogmatic differences be the reason why the latest legal commentaries by senior German experts indeed suggest a very restrictive interpretation of Art 2(2) GDPR (Kühling/Buchner, DS-GVO/BDSG 2. Aufl, Art 2 Rn 23+26) and state that Rec 18 GDPR defines the precondition of complete absence of any relation to professional or economical activity (ibid., Art 2 Rn 23)?
Not citing the second sentence of Rec 18(1) in my post was not with the intent to falsify its message, but because several legal commentaries I have analysed explicitly interpret the “social networks” exception as not applicable if personal data is made accessible to an undefined audience (e.g. ibid., Art 2 Rn 25) and define “personal or household activity” as by nature being the opposite of public, “öffentlichkeitsfeindlich” in German (Gola, DSGVO, Art 2 Rn 21; Paal/Pauly/Ernst, DS-GVO, Art 2 Rn 21). Other commentaries, too, state that publishing on a public website would be beyond the boundaries of what is considered “personal” (in this case referring to the similar exception in pre-2018 German privacy law), no matter the subjectively intended target group; herein reliable access control with a limited audience would be a relevant criterion (Plath, BDSG, §1 Rn 30; Simitis/Dammann, BDSG, §1 Rn 151).
A 2016 article in Germany’s most prestigeous legal weekly NJW (Schantz, NJW 2016 p.1843) appears to be in almost diametral opposition to the position by van Alsenoy re the ECJ in casa Lindqvist and the interpretation of the GDPR trilogue outcome on Rec18: it claims that, despite an explicit “limited audience” requirement to the Art 2(2) “household exception” not finding its way into the final text as desired by the EP, there “are no signs that there was an intention to loosen this interpretation” (paraphrased translation mine).
These are just to highlight that I did not make up any of my assumptions: everything written about the GDPR in the original article is based directly on - in scientific rigour generally more than one - legal professionals’ opinion (being a social scientist myself, I obviously know there are always different schools, but in my world view that does not render one opinion false unless empirically proven). As a lawyer you are no question more qualified to measure these, but neither a legal debate nor legal advice were ever the intent of my article.
I wrote above paragraphs to provide you with some of the requested evidence to support my argumentation (even though unfortunately all German literature, I believe it is good to put out my sources for anybody to verify), and - more importantly - to show that, while we indeed appear to have different standpoints, my presentation is not based on malinformed scaremongering or undue elisions. Admittedly my perspective is potentially biased by chiefly building on German sources only, but I believe to have thoroughly done my homework as far as a non-lawyer possibly needs to, when writing on their design blog and presenting legal assumptions in the subjunctive.
In addition, I want to point out that Germany is the country where a website owner can already get into trouble for a malformed “Impressum” imprint (not its absence, even just omitting f.ex. their snail mail address or publishing their e-mail address as an image file rather than screenreader-accessible HTML text). It is likely only a question of time until the originally well-intended, but today commonly misused, instrument of the “Abmahnung” will be utilized by a certain breed of lawyers to abuse unsuspecting website owners as cash cows starting May 25. This, among other reasons, is why I believe it is not alarmist but only sensible to discuss potentially overseen design-inherent risks with my (to a good share German) blog audience - always with my disclaimer, never sensationalist, but as a worst-case scenario to speculatively assess. Since the imprint requirement of §5 TMG has a (to my knowledge largely similar, though I did not look into the details), “private/household” exception, a pessimist could imply that any website owner who so far considered themselves needing an Impressum might also be subject to the rules of the GDPR - on German Indieweb sites, the Impressum is almost a staple feature, precisely out of fear of the costs incurred by such “Abmahnung”.
Ultimately, while I genuinely appreciate that you point out your disagreement with my line of argumentation, above discussion leads - and I take from your intro that you are aware of that - pretty far off the main point of my article: the central question raised is one of ethics and design. And while the GDPR at this point indeed lacks precedents in case law or the ECJ corpus to definitively determine its applicability, the Indieweb community can today start to discuss about ideas to tackle certain implicit, opaque or surprising aspects of the Webmention and backfeed mechanisms. As a designer and concerned citizen, I see the GDPR primarily as a formal manifestation of the universal human right to privacy: its ethical underpinnings should be motivation for everybody to review how we deal with personal data. As the Indieweb community is shaping universal building blocks for the social web of the future, I believe that constructively questioning the “what we do is entirely private” argument is an imperative.
Thank you once again for your comments, I appreciate and respect your point of view. That said, if you have an opportunity, I for my part would be very interested to read about the assessments you mention to have received from the various DPAs regarding Webmentions and backfeed, as that could introduce a welcome specificy to this debate.