Honestly I'd think about several "worse" companies to annoy with such "a test" first than Prusa, but anyway
> A company can list an email address as their official GDPR contact in their privacy policy, and if their own spam filter eats your request, it legally never happened. There is no obligation to check. There is no obligation to ensure delivery. The burden is entirely on you to prove they received it.
My understanding is that GDPR is being strongly reviewed with the goal of modeling it closer to what California did with the CCPA [1], which seems to be a much more effective privacy regulation.
There was a presentation here a while back (last year) about how to avoid getting ignored or played otherwise when submitting those requests. Sadly I cannot find it, but maybe someone else has the link?
While I love the idea of GDPR, and especially local versions like CCPA that benefit me directly, I loathe much about the GDPR.
1. Cookie popups. Enough said.
2. Its extraterratoriality claims. Yes, I know you also want it to apply to companies in, say, Japan. Bummer. Unless they signed a treaty agreeing to abide by it, their they're own sovereign entities and their businesses don't have to comply with remote EU laws.
3. The annual moderation report. I've lost an aggregate of several weeks of my life filling out reports where 99.9% of our moderation actions were to delete link farms, fake drug sales, phishing portals, and cockfighting fliers.
4. The misperception that GDPR means you have to delete everything. Uh, no. If we suspend joe.scammer@gmail.com's account for phishing, we're not obligated to purge every instance of that email address from our systems, especially not the one that gets to decide whether a new user is allowed to register for another account. And if "joe.scammer" deletes his account, we don't have to return "joe.scammer" into circulation so another user can register it, and simply saying that "joe.scammer is not available" is not disclosing sensitive data. And in any case, a company entirely outside the EU isn't compleleled to do it anyway (see #2).
Love the idea, strongly dislike the implementation.
Unfortunate. I've had good success rate with smaller companies, whereas I still have an open email chain with Deezer and Glovo in my inbox because their process required to much back and forward (Deezer was particularly stupid because while I had an active trial they couldn't delete my account).
I think the bigger problem is that the entire process is left up to the invidual, to both deal with the vendors (sometimes having to scavange the privacy policy for an email address, or follow multi step processes) and report to the local DPAs. And the local DPA could have as arbitraty rules for the process, and very involved form fillings.
It doesn't help when institutions smell as corruption, as likely seen in Ireland, where it took them almost 8 years to resolve a complaint against facebook and fine them.
Criticism of the EU always gets down voted here but this on point. The EU does too much trumpet blowing.
Too much gets put into law/regulations and then ignored without any kind of retrospective with regards to undesirable effects and efficacy.
Companies have realised GDPR isn't really anything to be feared in reality. Don't quote issued fines at me - quote fines that have been actually paid at least (you'll find that harder to Google)
Until there is legislation to simply ban data mining/reselling no companies are going to stop. The benefits to selling you out are simply too profitable and ignoring the hand slap laws/fines stops no one.
The biggest hindrance is that there is ZERO government desire to reign this in. Why? Because the government itself is one of the biggest customers of this data.
The government "fines" the company and immediately comes right back around to the checkout line and hands the same company piles of money for the exact same data they just fined them for selling. The company then just raises the price to make up the difference. I don't see any of this changing in the next 50 years.
Are there citizen punishments that can be levied when a company refuses the law?
For example, you put in a GDPR deletion request. Company ignores or otherwise does not comply with the law. Can you sue them directly over that?
In the USA, Ive seen a lot of various laws like CAN-SPAM act. But there are no remedies for citizens who were spammed to get statutory damages for being violated. Having that option to get money for being wronged would solve these sorts of problems.
This kind of failure-to-enforce is endemic to government. Oversight and enforcement are implicitly expected of well-regulated governments, and that costs money that nobody wants to pay. Laws get enacted with little thought to how much it will cost to administer them, and they either get underfunded or added to the list of government bloat.
There is no easy way out. The oversight to ensure that governments do what they're expected to without corruption costs real money. We haven't yet figured out how to balance good government with fiscal efficiency; but it would at least be an improvement if people could be educated on the actual cost of properly implementing a law before it gets voted on.
As usual for cases like this, the only chance for a person to force compliance is to have enough money/resources, putting it out of reach for the general population.
Deletion requests are a bit fuzzy. Withdrawing consent is easy, some deletions are easy but we need to remember that the GDPR have a carve out "for the establishment, exercise or defence of legal claims."
In practice this means that companies will keep data, and are entitled to keep data, for the period a legal claim may be made. For instance in the UK that period is 6 years and so you will find that companies will keep data for 6-7 years.
That’s essentially what I’ve experienced, call it 'anecdotal evidence.'
I had a long, ongoing, and very upsetting interaction with a bigger German company. Since I have experience in data privacy and GDPR, I eventually started thoroughly crawling their entire online presence for infringements.
I found a significant number of issues and compiled a very extensive report. At first, they were completely dismissive. It was only after I issued formal legal warnings that an actual lawyer contacted me and promised to fix the issues.
Most of the GDPR violations were simply sloppy, though some were genuinely ignorant. It’s wild that we are eight years past 'Year Zero,' and while everyone is constantly talking about data privacy, these gaps still exist.
Some of them eventually has been fixed after my report, silently of course. phhh...
On the "German DPA can only forward it to Czech DPA" there is now regulation (2025/2518) around the cross-border enforcement and as far as I understand it actually has hard deadlines. However it will only start being in effect around May 2027 and will only affect cases which were filed after that. It is still very long process and does require that the original DPA actually initiates things.
The spam filter loophole is unlikely to be legal. It it contrary to other DPA rulings (like Norwegian DPA ruling on Mowi ASA), EDPB guidelines don't strictly define it but I would say tilt towards that excuse not being sufficient & my understanding is that there are also some court cases from Germany and Austria that treat messages routed to spam as recieved (https://www.nospamproxy.de/en/emails-in-spam-folders-are-con...). Of course if you want to actually enforce it you would need to appeal the decision in court, I have no clue how easy or hard that is in Germany.
When my ex-wife just moved to Germany, she was extremely anxious about waste sorting. She spent an hour sorting trash according to video guides on YouTube. Regardless doing everything perfectly, some German neighbor snitched on her to her landlady. Then some other old neighbor was watching through her windows with binoculars (privacy my ass!). Germany is a terrible country, the sick man of Europe once again
As the DPA indeed doesn't function for these kinds of cases, it's also possible to involve the courts and get a legal remedy (i.e. sue them). In The Netherlands that's possible with a 'complaint procedure' in the case of GDPR rights, which is more forgiving on the process (it starts with a not-too-formal letter to the court instead of a summons) and allows for representing yourself. Maximum costs would be somewhere around € 2500 if you lose, € 0 if you win (disregarding all the work and effort that cannot be recouped).
Of course this really isn't something you'd want to do for these kinds of simple cases. But threatening to do so often goes pretty far. The court in the country of the data subject has jurisdiction, so any company operating from another country would need to defend themselves abroad, which can be a strong incentive to cooperate or settle the case.
I've gotten results for GPDR article 20 requests (data portability) multiple times after some strongly worded letters (Spotify [1], NLZiet, AliveCor and Albert Heijn), and have gone to court twice. Once won against Eneco (although that was only about court fees they didn't want to pay without an NDA), and once didn't lose but regrettably didn't win on a quite complicated case against ABN AMRO in which the court just didn't understand what machine readable means despite the clear guidelines by the EDPD.
20 comments
[ 2.4 ms ] story [ 43.6 ms ] thread> A company can list an email address as their official GDPR contact in their privacy policy, and if their own spam filter eats your request, it legally never happened. There is no obligation to check. There is no obligation to ensure delivery. The burden is entirely on you to prove they received it.
That's you being silly. The correct way is to send a letter with a Reception Receipt https://en.wikipedia.org/wiki/Avis_de_r%C3%A9ception which is the way lawyers like to do
[1] https://en.wikipedia.org/wiki/California_Consumer_Privacy_Ac...
No wonder Europe is such a laggard in tech when even software devs write non sense like this.
One one hand they want independence from the evil US hyperscalers but on the other hand they are ready to kill any new company in the EU.
1. Cookie popups. Enough said.
2. Its extraterratoriality claims. Yes, I know you also want it to apply to companies in, say, Japan. Bummer. Unless they signed a treaty agreeing to abide by it, their they're own sovereign entities and their businesses don't have to comply with remote EU laws.
3. The annual moderation report. I've lost an aggregate of several weeks of my life filling out reports where 99.9% of our moderation actions were to delete link farms, fake drug sales, phishing portals, and cockfighting fliers.
4. The misperception that GDPR means you have to delete everything. Uh, no. If we suspend joe.scammer@gmail.com's account for phishing, we're not obligated to purge every instance of that email address from our systems, especially not the one that gets to decide whether a new user is allowed to register for another account. And if "joe.scammer" deletes his account, we don't have to return "joe.scammer" into circulation so another user can register it, and simply saying that "joe.scammer is not available" is not disclosing sensitive data. And in any case, a company entirely outside the EU isn't compleleled to do it anyway (see #2).
Love the idea, strongly dislike the implementation.
I think the bigger problem is that the entire process is left up to the invidual, to both deal with the vendors (sometimes having to scavange the privacy policy for an email address, or follow multi step processes) and report to the local DPAs. And the local DPA could have as arbitraty rules for the process, and very involved form fillings.
It doesn't help when institutions smell as corruption, as likely seen in Ireland, where it took them almost 8 years to resolve a complaint against facebook and fine them.
Only line I always want to see go up https://www.enforcementtracker.com/?insights
Too much gets put into law/regulations and then ignored without any kind of retrospective with regards to undesirable effects and efficacy.
Companies have realised GDPR isn't really anything to be feared in reality. Don't quote issued fines at me - quote fines that have been actually paid at least (you'll find that harder to Google)
The biggest hindrance is that there is ZERO government desire to reign this in. Why? Because the government itself is one of the biggest customers of this data.
The government "fines" the company and immediately comes right back around to the checkout line and hands the same company piles of money for the exact same data they just fined them for selling. The company then just raises the price to make up the difference. I don't see any of this changing in the next 50 years.
It's hard to imagine a practice more hostile to starting and operating a business than such a policy
For example, you put in a GDPR deletion request. Company ignores or otherwise does not comply with the law. Can you sue them directly over that?
In the USA, Ive seen a lot of various laws like CAN-SPAM act. But there are no remedies for citizens who were spammed to get statutory damages for being violated. Having that option to get money for being wronged would solve these sorts of problems.
There is no easy way out. The oversight to ensure that governments do what they're expected to without corruption costs real money. We haven't yet figured out how to balance good government with fiscal efficiency; but it would at least be an improvement if people could be educated on the actual cost of properly implementing a law before it gets voted on.
As usual for cases like this, the only chance for a person to force compliance is to have enough money/resources, putting it out of reach for the general population.
In practice this means that companies will keep data, and are entitled to keep data, for the period a legal claim may be made. For instance in the UK that period is 6 years and so you will find that companies will keep data for 6-7 years.
I had a long, ongoing, and very upsetting interaction with a bigger German company. Since I have experience in data privacy and GDPR, I eventually started thoroughly crawling their entire online presence for infringements. I found a significant number of issues and compiled a very extensive report. At first, they were completely dismissive. It was only after I issued formal legal warnings that an actual lawyer contacted me and promised to fix the issues.
Most of the GDPR violations were simply sloppy, though some were genuinely ignorant. It’s wild that we are eight years past 'Year Zero,' and while everyone is constantly talking about data privacy, these gaps still exist.
Some of them eventually has been fixed after my report, silently of course. phhh...
The spam filter loophole is unlikely to be legal. It it contrary to other DPA rulings (like Norwegian DPA ruling on Mowi ASA), EDPB guidelines don't strictly define it but I would say tilt towards that excuse not being sufficient & my understanding is that there are also some court cases from Germany and Austria that treat messages routed to spam as recieved (https://www.nospamproxy.de/en/emails-in-spam-folders-are-con...). Of course if you want to actually enforce it you would need to appeal the decision in court, I have no clue how easy or hard that is in Germany.
Of course, who else would complain about this.
When my ex-wife just moved to Germany, she was extremely anxious about waste sorting. She spent an hour sorting trash according to video guides on YouTube. Regardless doing everything perfectly, some German neighbor snitched on her to her landlady. Then some other old neighbor was watching through her windows with binoculars (privacy my ass!). Germany is a terrible country, the sick man of Europe once again
Of course this really isn't something you'd want to do for these kinds of simple cases. But threatening to do so often goes pretty far. The court in the country of the data subject has jurisdiction, so any company operating from another country would need to defend themselves abroad, which can be a strong incentive to cooperate or settle the case.
I've gotten results for GPDR article 20 requests (data portability) multiple times after some strongly worded letters (Spotify [1], NLZiet, AliveCor and Albert Heijn), and have gone to court twice. Once won against Eneco (although that was only about court fees they didn't want to pay without an NDA), and once didn't lose but regrettably didn't win on a quite complicated case against ABN AMRO in which the court just didn't understand what machine readable means despite the clear guidelines by the EDPD.
[1] https://news.ycombinator.com/item?id=24764371