Reply to a post by Daniel Goldsmith

Reply to:

Post by Daniel Goldsmith
at ascraeus.org/micro/1525556293/

Sebastian, first of all, thank you for your detailed write up on this issue. I think much of your roadmap is worthwhile, and of great interest.

I cannot, however, say that I am convinced by your contentions regarding the effect of GDPR and indieweb sites. In particular, I think your definitions are excessively broad, and you elide much information from both the Regulation itself and the Recitals.

2018-05-05

Daniel, thank you for your elaborate response to my article on “The Indieweb privacy challenge”.

As I explicitly state whenever writing about the GDPR: I am not a lawyer. In recent months, I spent more hours on legal research and debates than many designers ever will, but I always inform readers that I am not formally trained. I put a lot of effort in finding the most reputable sources and put great care in formulating any legal references as the understanding that informed my design work, not universal fact. Therefore, any reader jumping to legal conclusions would be misframing, not me. Alarmism really is not my intention, but I believe it must – especially in the unfortunate absence of definitive rulings – be allowed to explore potentially broad interpretations of the GDPR. Speculative thinking is a powerful tool in design. I, too, see the GDPR as a great opportunity and am excited to see the change it already starts to entail on our society.

From what I have learned, the German judicative’s interpretation of privacy laws has traditionally been always amongst the strictest; maybe that, at least to some degree, can explain why my sources tell a different story than the perspective you present. Could such dogmatic differences be the reason why the latest legal commentaries by senior German experts indeed suggest a very restrictive interpretation of Art 2(2) GDPR (Kühling/Buchner, DS-GVO/BDSG 2. Aufl, Art 2 Rn 23+26) and state that Rec 18 GDPR defines the precondition of complete absence of any relation to professional or economical activity (ibid., Art 2 Rn 23)?

Not citing the second sentence of Rec 18(1) in my post was not with the intent to falsify its message, but because several legal commentaries I have analysed explicitly interpret the “social networks” exception as not applicable if personal data is made accessible to an undefined audience (e.g. ibid., Art 2 Rn 25) and define “personal or household activity” as by nature being the opposite of public, “öffentlichkeitsfeindlich” in German (Gola, DSGVO, Art 2 Rn 21; Paal/Pauly/Ernst, DS-GVO, Art 2 Rn 21). Other commentaries, too, state that publishing on a public website would be beyond the boundaries of what is considered “personal” (in this case referring to the similar exception in pre-2018 German privacy law), no matter the subjectively intended target group; herein reliable access control with a limited audience would be a relevant criterion (Plath, BDSG, §1 Rn 30; Simitis/Dammann, BDSG, §1 Rn 151).

A 2016 article in Germany’s most prestigious legal weekly NJW (Schantz, NJW 2016 p.1843) appears to be in almost diametral opposition to the position by van Alsenoy re the ECJ in casa Lindqvist and the interpretation of the GDPR trilogue outcome on Rec 18: it claims that, despite an explicit “limited audience” requirement to the Art 2(2) “household exception” not finding its way into the final text as desired by the EP, there “are no signs that there was an intention to loosen this interpretation” (paraphrased translation mine).

These are just to highlight that I did not make up any of my assumptions: everything written about the GDPR in the original article is based directly on – in scientific rigour generally more than one – legal professionals’ opinion (being a social scientist myself, I obviously know there are always different schools, but in my world view that does not render one opinion false unless empirically proven). As a lawyer you are no question more qualified to measure these, but neither a legal debate nor legal advice were ever the intent of my article.

I wrote above paragraphs to provide you with some of the requested evidence to support my argumentation (even though unfortunately all German literature, I believe it is good to put out my sources for anybody to verify), and – more importantly – to show that, while we indeed appear to have different standpoints, my presentation is not based on malinformed scaremongering or undue elisions. Admittedly my perspective is potentially biased by chiefly building on German sources only, but I believe to have thoroughly done my homework as far as a non-lawyer possibly needs to, when writing on their design blog and presenting legal assumptions in the subjunctive.

In addition, I want to point out that Germany is the country where a website owner can already get into trouble for a malformed “Impressum” imprint (not its absence, even just omitting f.ex. their snail mail address or publishing their e-mail address as an image file rather than screenreader-accessible HTML text). It is likely only a question of time until the originally well-intended, but today commonly misused, instrument of the “Abmahnung” will be utilized by a certain breed of lawyers to abuse unsuspecting website owners as cash cows starting May 25. This, among other reasons, is why I believe it is not alarmist but only sensible to discuss potentially overseen design-inherent risks with my (to a good share German) blog audience – always with my disclaimer, never sensationalist, but as a worst-case scenario to speculatively assess. Since the imprint requirement of §5 TMG has a (to my knowledge largely similar, though I did not look into the details), “private/household” exception, a pessimist could imply that any website owner who so far considered themselves needing an Impressum might also be subject to the rules of the GDPR – on German Indieweb sites, the Impressum is almost a staple feature, precisely out of fear of the costs incurred by such “Abmahnung”.

Ultimately, while I genuinely appreciate that you point out your disagreement with my line of argumentation, above discussion leads – and I take from your intro that you are aware of that – pretty far off the main point of my article: the central question raised is one of ethics and design. And while the GDPR at this point indeed lacks precedents in case law or the ECJ corpus to definitively determine its applicability, the Indieweb community can today start to discuss about ideas to tackle certain implicit, opaque or surprising aspects of the Webmention and backfeed mechanisms. As a designer and concerned citizen, I see the GDPR primarily as a formal manifestation of the universal human right to privacy: its ethical underpinnings should be motivation for everybody to review how we deal with personal data. As the Indieweb community is shaping universal building blocks for the social web of the future, I believe that constructively questioning the “what we do is entirely private” argument is an imperative.

Thank you once again for your comments, I appreciate and respect your point of view. That said, if you have an opportunity, I for my part would be very interested to read about the assessments you mention to have received from the various DPAs regarding Webmentions and backfeed, as that could introduce a welcome specificity to this debate.

  • Hi again Sebastian,

    Thank you for providing the links and information in your followup. I’ve had a long careful look at them, and offer the following response.

    Firstly, I can’t see that the German Telemedia Act, even as initially produced, is in compliance with the EU Charter of Fundamental Rights. I cannot see that the extensive powers which the German Courts appear to have given themselves based on the Act are in any way compatible with the Charter, being a grave interference by the State on the right to impart and receive information and ideas.

    I find it incredible that the Telemedia Act, as enacted, claimed to be an implementation of Directive 2000/31/EC - the e-commerce directive - and yet appears to primarily be in use as a method of rent-seeking by unscrupulous individuals. The scope of the Directive (and thus the intended scope of implementing laws) is on the sale and supply of goods and services in the online sphere.

    Secondly, and having said the above, I still do not agree with your initial contention. It is my opinion that the hugely restrictive German definition of personal and household activity (doubtless emanating from the critical overreach of the Telemedia and the Abmahnung) is not one which has any reasonable prospect of being adopted widely by other DPAs or by the ECJ. The ECJ has given no support to the idea that a website takes on the characteristics of a commercial activity merely by being related to the site-owner’s profession. Nor has the ECJ given any support to the idea that merely publishing to a publicly-accessible website would be beyond the boundaries of what is considered “personal”; if this were the case, then why provide a personal activity exemption at all?

    In short, and without labouring the point, I feel that the trend of ECJ precedent is towards a generally liberal interpretation of “personal” activity, with clear emphasis on the professional or commercial activity being an actual, as opposed to imaginary/hypothetical, delivery of goods and/or services. Having spoken with DPAs and advisors working with DPAs, I feel that this trend has widespread support among non-German DPAs, who feel strongly that the requirements of the GDPR fall most heavily on e-commerce and e-advertising sites, and not on personal weblogs [1].

    Of course, this is all still quite moot at this point, and I await developments in the law with keen interest.

    [1] I would note that this would be predicated on the absence of advertising on any such personal weblog.

    2018-05-06