this post was submitted on 03 Dec 2023
2 points (100.0% liked)

General Data Protection Regulation (“GDPR”)

49 readers
1 users here now

Everything related to the #GDPR is discussed here. This is the first and only community specifically for GDPR topics which is decentralized and outside of walled-gardens. #EDPB recommendations and guidance can and should also be discussed here.

For the moment, chatter on the similar California Consumer Privacy Act (CCPA) could be discussed at least until the volume of messages compels us to split it into a separate community.

founded 11 months ago
MODERATORS
 

In answering this question, this seems to be relevant:

GDPR Art.7(3):

…It shall be as easy to withdraw as to give consent.

^ If you can no longer login to easily withdraw consent because they started blocking your connection, Art.7(3) would apparently be unsatisfied.

EDPB Guidelines 01/2022 pg.21 ¶53:

The EDPB encourages the controllers to provide the most appropriate and user-friendly communication channels, in line with Art.12(2) and Art.25, to enable the data subject to make an effective request.

^ Blockades against platforms, tools, mechanisms that users rely on would seem to be “user-unfriendly”, though it’s unclear if their meaning of “user friendly” is broad enough to have this interpretation.

EDPB Guidelines 01/2022 pg.23 ¶63:

The controllers must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR.

^ Creating new access restrictions would seem to fail to re-use the original authentication procedure.

Data controllers often tend to start blocking Tor and/or VPNs spontaneously without warning. That seems to violate the rules of informed consent. That is, the data subject consented to the processing of their data by website A, but when website A made a significant material change (i.e. blocking Tor/VPNs), it effectively changes the deal the data subject thought they were consenting to. EDPB Guidelines 05/2020 pg.23 ¶110 seem to capture this:

There is no specific time limit in the GDPR for how long consent will last. How long consent lasts will depend on the context,the scope of the original consent and the expectations of the data subject. If the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained.

So IIUC, the data controller must warn you before blocking your access to their service and give you a chance to withdraw your consent. This assumes we can interpret the IT infrastructure of the data controller as part of the “processing operations”.

I get the feeling the EDPB has not exactly nailed the scenario of Tor/VPN blockades, so we are left with picking through scraps somewhat out of context to get an idea of how this would go in court.

Are there any more relevant decisive guidelines from the EDPB that I’ve missed?

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here