How can I send a GDPR request to Google if I am not a user/patron? How can Google ID me to process my request if I do not want them to have my name or mailing address?

activistPnk@slrpnk.net · 4 days ago

How can I send a GDPR request to Google if I am not a user/patron? How can Google ID me to process my request if I do not want them to have my name or mailing address?

activistPnk@slrpnk.net · 3 days ago

Google is certainly obligated to comply with the GDPR. But I suspect they are shielded if they can call themselves a /data processor/ and not a /data controller/.

It’s certainly a big hole in the GDPR. The GDPR framers did not consider the fact that in some situations you have countless data controllers all using the same giant processor, in which case it’s only reasonable for data subjects to be able to go direct to the data processor rather than playing whack-a-mole with controllers.

red_bull_of_juarez@lemmy.dbzer0.com · 3 days ago

And that’s why I’d like to get a court ruling on this. Would be quite interesting.

activistPnk@slrpnk.net · edit-2 15 hours ago

For a bit more depth on this, the EDPB elaborates on the controller/processor separation and relationship in their 2020/07 guidelines.

It’s a long read, which I just skimmed. It’s mostly grim news. There is even a specific example in that doc stating that an email provider is a processor. But I see an angle:

A data processor has a duty to offer an appropriate level of security to controllers under Art.32. Another finding by the EDPB is that processors who violate the GDPR can be treated as controllers. It could be argued that (unlike protonmail) Google and MS both fail to offer e2ee and simultaneously supplies its insecure email service to controllers who handle sensitive info like lawyers, hospitals, and banks. The violation of art.32 by Google and MS enables them to be treated as controllers.