Anyone today who wants to run a blog or a private website on a specific topic or even a chat server is faced with extensive and disproportionate legal obligations. I’m writing about how intolerably wrong the current situation is and what concrete points at least need to be changed.
Governments of the industrial world, you tired giants of meat and steel, I come from cyberspace, the new home of the spirit. As a representative of the future, I ask you from the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.
So thought John Perry Barlow a little over 20 years ago when he formulated the Declaration of Independence of Cyberspace. There was hope for something of its own, anarchic, not shaped by large industrial corporations.
But in addition to the influence of large international corporations on the private sphere, which today causes us so much concern, we are also faced with adversity from a completely different side.
Private life is being legalized
The so-called [Census Judgment](https://de.wikipedia.org/wiki/Volksz%C3%A4hlungsurteil#Kernaussage) of 1983 made it legally clear that informational self-determination is a fundamental right. It was established that the fundamental right guarantees the individual’s right to determine the disclosure and use of his or her personal data. This means that personal data about oneself has become a legal asset.
That sounds good at first. But what does that actually mean? If a legal right must be protected by the legal system, then there must also be the possibility to do so. What this means is that every aspect of my privacy that has a personal connection must now be enforceable with regard to my rights. And, of course, this can only be done with the appropriate means of intervention and control by state bodies, and also with the compulsory documented traceability of my personal data flows.
What was it like before? The requirement of data economy applied. I had to trust everyone to whom I gave my data, for example my telephone number or my date of birth. I had to trust that my personal data would not be used for purposes that I did not want. For example, to set up card indexes for advertising calls on the telephone or to send advertising mail by post.
The DSGVO (the EU General Data Protection Regulation, GDPR) has been in force since May 2018. It applies to virtually all processing of personal data, whether fully or partially automated, and also to non-automated processing if the data is recorded in a filing system (filing cabinet and pocket calendar), and it defines the current state of data protection legislation in Europe. The only exception is for purely personal or family activities (English: “personal or household activity”).
And here comes the big crunch. A right is something to which I, as a natural person, am entitled. But a right can only be guaranteed through the corresponding duties of others. Consequently, all persons who do something with my personal data, as long as it is not purely personal or family, must now be placed under obligation.
If, for example, I write blog articles for the public, that is certainly no longer personal. If I process the dynamic IP addresses of my visitors, which are to be regarded as personal data, this is no longer “personal”. If I have set up a cloud for my family, or any other service on the web, and someone accesses it, it is not personal, even though it has nothing to do with my site and the intended purpose of my processing.
IP technology becomes personal data
Communication on the web can only be carried out using IP addresses. Since my family has no fixed IP addresses, but, like most people, dynamically receives changing addresses from the respective provider on a daily basis, I cannot even exclude unwanted visitors by technical means. And even if I could, this would already be a processing of these IP addresses.
But what is the processing of personal data from a legal point of view? The DSGVO says:
‘processing’ means any operation or set of operations which is carried out with or without the aid of automated processes and which is related to personal data, such as collection, recording, organisation, sorting, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or association, qualification, erasure or destruction;
This means that every kind of processing is covered. There is no purely personal or family Internet presence (English: “personal or household activity”). No matter whether I want to run a blog, my own website or a chat server, I may process dynamic IP addresses everywhere. If people exchange their personal data with me or visit my site, then I am obliged to comply with the data protection legislation.
The law also has no exceptions; it is all-or-nothing. There are supposedly exceptions for institutions with fewer than 250 employees, but only with regard to the maintenance of a process directory. But there is another clause in the law, Art. 30 (5), which destroys any hope of relief:
“unless the processing carried out by them entails a risk to the rights and freedoms of the data subjects, the processing being carried out not only occasionally …”
I can never be sure that there is no risk to the rights and freedoms of the data subjects, and on any Internet site data is always processed, not just occasionally. The latter also applies to at least medium-sized companies, which always process data, at the latest once they have a website.
What does that mean?
It means that everyone who operates something on the Web is obliged to comply fully with the legal requirements.
Jan Philipp Albrecht, the “father” of the DSGVO, puts the situation into perspective in an interview with Sascha Lobo, saying that the DSGVO does not differ so much from the previous legal status and that, furthermore, the data protection authorities would not shoot at sparrows with cannons: there would only ever be objections, and penalties would follow only if nothing moved.
But I am not talking here about the authorities, I am talking here about the law. And also not only about the DSGVO, but also about the previous BDSG or data protection, as it is legally anchored and understood today.
Examples from life
For all EU citizens, the current legal situation means a considerable legalisation and bureaucratisation of their normal daily communication behaviour. Everyone has the right, not only at home but also as an entrepreneur, to pass on their personal data to others WITHOUT requiring them to handle it in any special way and WITHOUT being informed in detail about its further use. In short, every human being has the right to express himself or herself freely in any medium and through any channel, without this being restricted or made impossible by the duties of others. The freedom to express an opinion can also be restricted by the fact that my counterpart is obliged to do many things towards me.
Art. 5 Basic Law:
Everyone has the right to express and spread his opinion freely in word, writing and picture …
Everyone has the right to freely express and disseminate his or her opinion in word, writing and image, provided that I have been informed by my platform/forum/network about my rights as a data subject and about the purpose, the legal basis, the storage period of the processing, the name of the data controller, whether the provision of my personal data is required by law or contract or is necessary for the conclusion of a contract, whether I am obliged to provide my personal data, and what possible consequences failing to provide it would have, and so on and so on …
Yes, that sounds a little far-fetched now. It is, but:
- Does everyone I call have to ask permission to save my phone number and name and tell me exactly for what purpose and until when?
- May no one type my business card into his office computer without informing me when he will delete it and what he is doing it for? Consent in handing over the card does not mean that I need not be informed!
- Am I no longer allowed to take a photo at a club meeting (I am not talking about publication, but about the collection itself) without having a written and verifiable declaration from each individual covering how long I will keep the photos, what I will do with them, for what purpose I will use them, etc.? Especially when I am standing right in front of them?
The DSGVO assumes that data is delimited and erasable. But is that really the case? Can I really retrieve a video that has once made the rounds by deleting it on YouTube? When exchanging data in peer-to-peer networks, i.e. when benevolent citizens make a part of their network capacity available to others for transmission purposes, can I determine which private computer shares my data? And above all, if I don’t care what happens to my data, how can I free my communication partners from all the legal obligations? I can’t do it at all.
My criticism is that the DSGVO considers personal data as if they were packages that are given from one hand to another. Each time with delivery note, confirmation, … But in times of the Internet it does not necessarily make sense to think of data in the form of individual processing operations. The Internet is not a virtual filing cabinet. Data are not things. Data is something abstract.
A matter of definition
Personal data is legally defined as:
any information relating to an identified or identifiable natural person;
But data never relates to individuals. Data are zeros and ones. “Referencing” is a verb, that is, it is a process. And this takes place exactly when this data is read and a person has the opportunity to make a reference. The human being therefore relates the data to a person if he has corresponding reference points.
Example 1: If an administrator sees a dynamic IP address, he knows that this may be personal data. However, he lacks the reference point because he simply does not have the assignment from the provider.
Example 2: A European reads a Chinese name. But he doesn’t know that this is a name and therefore personal, because he doesn’t speak Chinese.
Example 3: Data is encrypted. Although it may be “personal data”, no reference can be made.
I can also put it differently: data is only ever personal once the personal reference has been established. Data that has not been decrypted cannot be said to be personally identifiable.
In my opinion, the term is currently much too broad, since almost all information can be related to individuals in some way. A sheep’s wool carpet? Mr Mayr likes that, the photo could be from his apartment: personal reference.
Is everything bad?
No, it’s not all bad - it’s never all bad. But the current legislation has a clear focus on companies and has completely forgotten the small people and organizations. I can say that because I run my own servers and websites, as well as working in a non-profit organisation, in which we need a data protection officer due to our size, who currently costs us 250 € per month with all services (with an organisation size of 15 employees!!!).
Taking responsibility for our actions is very important, especially in the age of the Internet. However, freedom can be restricted not only by prohibitions and regulations, but also by the legalisation of our natural behaviour.
The clearest example is probably the Swedish “intercourse contract”, whether verbal or in writing, without which having sex with each other has, since mid-2018, been rape(!!!) in Sweden, even within marriage. Where is the trust in people and in the fact that they can behave appropriately even without law and punishment? Should the most intimate area between two people be the subject of a legal regulation in this form? Does a verbal yes help, and since it does not, does a written regulation protect anyone? And from what? It is madness that something like this can happen.
If I give someone personal data and they have to inform me about many aspects of the use of my data and inform me about my rights, isn’t that almost the same?
What would be important?
Below I suggest some changes that could ensure that the current unsustainable situation could change for the better without throwing the baby out with the bathwater:
- Clear legally defined relief for non-commercial organisations (associations, NGOs, …) and non-commercial acting individuals in terms of bureaucratic duties and costs. This also includes a precise definition of what “commercial action” means.
- Definition of a few general protection requirement classes defined by law, instead of only “personal” and “special protection requirements”. Graduated legal information and documentation obligations according to classification instead of all-or-nothing.
- Particularly clear definition of what “public” or “published” personal data are. Processing operations which exclusively process such data are excluded as far as possible from information and documentation obligations, but not from the “right to be forgotten”.
- Within the framework of informational self-determination, every person must also be able to determine that his or her personal data should not be protected and that, consequently, such personal data that cannot be protected should not be subject to any legal obligations on the part of processors. He must also be able to determine this aspect of his information himself.
- Extension of special provisions, e.g. telecommunications through state laws, to other areas, e.g. social networks or web server operation. It is not clear why telecommunications companies are allowed to pass on personal data without consideration, but why the receipt of a dynamic IP address on a network server represents processing.
- Special handling of data encrypted with strong cryptographic means. Most data transfers of personal data are encrypted today. Encrypted data that cannot be read by the processor must be treated differently from data that is disclosed.
- Change in the treatment of dynamic IP addresses as personal data, if applicable via an exception. Virtually no one except telecommunications companies can find out who this person is by means of an IP address, and it is precisely this current legal classification that makes any network technology suitable for data processing, even without logging.
- Abolition of the clause in the German BDSG stipulating that a data protection officer must be appointed as soon as more than 10 employees constantly process personal data. The fact that employees have IP phones, work on a screen and answer emails is certainly not a significant factor in determining whether an organization should appoint a privacy officer or not. What kind of data is involved, in terms of quality and quantity, is completely disregarded. A thoroughly inadequate and arbitrary rule.
- And above all, don’t just “do data protection”, but frame the legal obligations in such a way that one can clearly determine whether one has fulfilled them or not.
I can take a positive view that the DSGVO has brought a public awareness of data protection, in particular through the “public impact” of the high penalty threats. What I particularly like about the DSGVO is that it is easy to read. Much better than, for example, the old and new BDSG.
My personal euphoria has vanished in the associated bureaucracy and the clear awareness that all the hundreds of hours of effort and costs involved in fulfilling legal requirements have only increased the security of our systems by a few cents. More specifically, this was the removal of trackers that we had been using unknowingly and a privacy training course that I gave. In half a year, we had a single person who had a comment on our privacy statement.
All further security measures were carried out completely independently of the DSGVO: encryption and certificates checked, systems made more fail-safe, backups set up and tested, deployments automated, threatened suicides reported to the police (by the way, without any written process).
I am for truthfulness. If we say that tracking people and profiling them is not good, then it should be forbidden. Prohibiting is easy and it has power. It shows a position. To say that it’s bad, but that you can’t patronize people and that everyone must, if in doubt, be able to agree to sell his data for services, as with certain health insurance companies: I find that hypocritical. Anyone who is not completely retarded and who uses Facebook today knows that he will not get this service for free and will pay with his data. Have endless privacy statements changed anything about this?
I am also in favour of truthfulness, as I greatly appreciate the right to informational self-determination. But informational determination is not informational self-determination. Why do I have to inform a person about his or her rights, and thus assume state responsibilities, when every other law applies even if I don’t know it?
Has the DSGVO changed anything about the lessons learned from Snowden’s leaks on Privacy Shield? Has the German state enforced legal certainty by denouncing Privacy Shield? People, the DSGVO has now been in force for over three years!
Does the DSGVO with Privacy-by-Default prevent our Minister of the Interior Seehofer from dreaming of being able to read along at will on messengers and voice assistants?
But last but not least: Has our carefully elaborated data protection declaration or the DSGVO led to more people loving data protection and making it their mission? I leave the answer open.