[bearblog carnival] my favorite GDPR article
For Kami's Carnival "Bear Blog Carnival: Your favorite ____ in your niche hobby", I'm writing about what my favorite General Data Protection Regulation (GDPR) article is.
Initially, this came up in our Matrix server. I wrote:
"If you ask me my favorite anything, I blank [...]. Except games. And GDPR articles maybe. Food too"
Kami then asked me what my favorite article is, and it is Article 6 (x)!
It's the first thing I think of when I think of the GDPR; it decides so much, as it holds all of the legal bases data processing can have in 6(1). They are easy to remember and understand too: consent, fulfillment of a contract, compliance with a legal obligation, vital interests, public interest, and legitimate interest. Short, sweet, relatively easy to read for laymen. The rest of Article 6 is more about specifying parts of this via an opening clause so Member State law can narrow some of this down.
I just find it so satisfying to have one article to refer to for different routes of legal data processing. Just one "only lawful if" and a nice list. They could have given each of these an article separately, spread out throughout the regulation, with a huge text every time, and it would have sucked. Or it could have been a single wall of text that vaguely describes these 5, which you then have to distill out of the text. Other laws I know are like that, and it's a slog! They infer specific rights and concepts out of a text that can be hard to even detect inside of it, so you learn all that by heart. Not here!
A structure like this (easy to read and remember, collected in a single place, short) makes it so much easier to have definitive guidance and recognize when a right has been violated.
And that's why I said
"Article 6! It's like the heart of the GDPR to me, it's so important, it shows up all the time, it has all the legal bases you can possibly base data processing on. It's short, nicely structured, and even easy for laypeople to understand. It's chefs kiss law"
If you wanna know what the competition is:
Second place in my ranking would be Article 4 (x), which holds all relevant legal definitions for the regulation, meaning: what is processing, what is a controller, etc. I love when laws and regulations (mostly EU-wide ones) do this! It's so rare in the laws I have to learn for my degree (German laws), so I appreciate when I can just look definitions up instead of learning them by heart.
It's also easier to refer people to this official, already included resource, than going "This is the definition I learned, coined by this author in this legal literature, but there are other literature voices that disagree, or have a slightly wider/narrower definition." Less ambiguity and guesswork and "but so and so said so" involved when the definition is already in the law.
The third contender would be Article 7 (x), which sets the conditions for consent. It says consent needs to be demonstrated (= proven), can be withdrawn anytime and should be as easy as giving consent, and you shouldn't be misled into consent by confusing design, conditional linking, or mixing it up with other matters. It needs to be clearly distinguishable, in an intelligible and easily accessible form, using clear and plain language - otherwise it is not binding. Companies and their lawyers love to forget the "plain language" part, and another upcoming blog post of mine will mention a bit about that...
I could also talk about an article or two I don't like, just to offer a bit of contrast.
Article 18 (x) is a super messy affair for me in my head; it's the right to restrict. While it has the same structure as Article 6 and tries its best to explain plainly and shortly the different situations, in the end it's lots of different complex situations lumped together, and it can be hard when you first learn about it to keep it mentally separated from Article 21 (x), which is the right to object. Both intervene in ongoing data processing, but Article 18 temporarily freezes the processing, and Article 21 wants to stop the processing altogether and challenges the legal basis.
I also have started developing a dislike to Article 15 (x; the right to access your data) through no fault of its own, just because soooo many court cases deal with delayed or incomplete responses to these requests, and it bores me at this point. Everyone and their mama has opinions on what needs to be included, what can be left out, what counts as a copy and what doesn't, and whether a request was excessive or not.
Anyway, that's it!
Reply via email
Published