This is a page dedicated to my interest in data protection - whether about privacy as a user right or data protection law itself! Last updated 1 month, 2 weeks ago.
2017 - 2020
My journey into data protection began around 2017, over the privacy route. Starting from that point, I would delete my social media one by one, and I would be more interested in maintaining basic privacy. What got me started were Reddit communities around privacy, and websites like Privacytools.io.
I kept it realistic - I am not a journalist, not a regime dissenter or criminal, so my threat level was low. I just didn't want to continually give away vast amounts of data for social media giants to make money off of, influence me and show me ads. I didn't want what I said in supposedly private chats to be leaked and cause harm or be used against me, even if it was ultimately harmless and just embarrassing at worst. That's when I got into paying more attention to services' Privacy Policies, EULAs, Terms of Service and I started caring for encryption and other privacy features. Through my involvement in NoSurf back then, I was more aware of dark patterns and scandals like Cambridge Analytica as well.
2020 - 2024
By 2020, I was off of social media and WhatsApp, using Signal instead. I had a brief stint on Tumblr, but ditched it again. I also switched from Windows to Linux in 2023.
Through coming into contact with laws during my traineeship and later full-time job, I noticed I really like learning about law. I didn't want to become a lawyer, but I did want to pursue something officially, so I enrolled in a part-time LL.B. in 2021, which means I can finish it with only a Bachelor thesis and not the two Staatsexamen you would otherwise need. And I was right: While some exam phases are definitely hard and make me think about quitting, I have a great GPA so far and I find it very interesting and beneficial.
Getting deeper into law, I got more of a sense of wanting to hold the big players accountable with what tools we are given that work on a large scale (law), not just playing the defense as a single person, trying to thwart the attempts to entice me into yet another service to reveal more about myself and track me all the time. Retrospectively, the issues back in 2017 that got me into privacy paled in comparison to what we were dealing with now.
It seemed like social media was involved in far more scandals and issues than just data harvesting and data loss now; ranging from traumatizing workers in content moderation, to spreading fake news, political manipulation and enabling genocide, radicalizing people, causing body image issues and depression, dark and addictive patterns becoming worse, malicious ad targeting, harmful AI slop, unrestricted porn and gore and many more things. I became more interested in laws like the GDPR as well as more localized laws like the BDSG in Germany or the CCPA in the US (California), and how they can be leveraged to protect yourself and fight back. Data is how these companies operate and earn money, so threatening to seal off the data pipe and make them lose money is in my eyes, their weak spot. Becoming a data protection officer and interested in the laws that would remove the power over data they have is one way to attack it.
2024 - 2025
As it seems like these companies now have a huge grip on society and culture - and in the US via Elon Musk and the few others who kissed the ring at the inauguration in hopes of deregulation, a huge grip on US politics - using products by these tech giants has transformed from being simply a thing I don't want to do to something I cannot do in a way that aligns with my values and that I can't do ethically. It has proven to be a power that has gotten way too huge, out of control, and unsafe. I feel like our safety, freedom, and democracy are in danger. I feel compelled to act and to do my best in calling out unsafe and user-unfriendly, downright illegal and immoral practices, and I hope for more legislation around dark patterns, addictive design, misuse of cookie banners, non-consensual deepfake porn and taking people's voice and face to replace them or scam people, and the scraping by AI bots without consent. That's why I am very interested in seeing the AI Act do its thing and evolve. Even if it's just putting rocks and sticks into their path, it's better than nothing.
As a data protection officer, I want to do something on a small scale by helping to stop companies and the government organizations from buying into the latest hype (whether it's blockchain or AI or something else) and following it with reckless abandon to the best of my abilities. The duties and responsibilities of a data protection officer are set in Articles 37, 38 and 39 and Recital (97) of the GDPR and involve informing and advising the controller or processor and employees of their obligations under data protection law and monitoring compliance of the organization with all legislation in relation to data protection, including in audits, awareness-raising activities as well as training of staff involved in processing operations. They also provide advice and act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights. In practice, I want to help CEOs and the leaders of government organizations to not throw caution to the wind about the data of their employees, users, and citizens just because building healthcare data AI sounds cool right now and because the IT department is full of people who want new toys to play with and idolize Musk. I'm not ruling out working for a DPA one day, either.
As for personal goals and wishes, I want European cloud alternatives, which means in practice our own AWS or Azure, our own services like SharePoint or Microsoft Office365, so our companies and governments become independent from US services. I want us to move on from Windows onto Linux alternatives, such as what EU OS envisions and could be. I want our own protocols, I want more open source and continuous auditing. I want European social media alternatives that are selfhosted and/or owned publicly, and aren't privatized/for profit. I want the GDPR to be accordingly updated to keep things in check as new things are developed.
now
In March 2025, I've handed in my exam of the data protection law class I enrolled in in my LL.B. that semester. Separately, in November 2024 I applied for a 1.5 year certificate course to become a certified data protection officer and was accepted, and it has begun in April 2025. I plan to pass all necessary exams within one semester, shortening it to 6 months. When I finish that, I can officially call myself a data protection officer and have to take a refresher every 4 years to keep the title. I am aware that there are 2 week crash courses and the like, but I am not merely an IT employee in a company worried about fulfilling a legal requirement of having one with necessary qualifications on paper, I am serious about it career-wise and personally invested and passionate, so that was out of the question for me.
I have also met up with the data protection officer at my workplace a couple times to build connections, see the work in practice and have a sort of mentor.
In the future on this blog, I am planning to write more about data protection laws, too. One such post is about fighting for trans rights with data protection law and more will be in the data protection tag. This is from the perspective of someone who is learning, so it is not legal advice. However, I will always try my best to explain data protection concepts to you if you ask and break them down into more layman's terms, and I'm always happy to point you to official resources, guidelines, templates and other help in regard to Privacy Policies, cookie banners and more. Not only do you learn, but I get to practice and research, too.
links
✧ GDPR - The General Data Protection Regulation text in multiple languages
✧ DSGVO - My favorite site to use to see the GDPR text in German; nice display of text and chapter select
✧ BDSG - Same site, but for the Bundesdatenschutzgesetz in Germany
✧ AI Act - AI Act text with the same nice chapter select; German version
✧ TÜV Datenschutz Fachportal - recent data protection news, infos and checklists in German
✧ Noyb - donation-funded NGO based in Vienna, Austria working to enforce data protection laws EU-wide - please donate :)
✧ GDPRhub - wiki with GDPR-related decisions and knowledge, enabling anyone to find and share GDPR insights across Europe, by Noyb
✧ My contributions to GDPRhub - my user profile on GDPRhub.
✧ YourDigitalRights - Service to get your data deleted from organizations; has a wide variety of supported laws and locations, and is done by the non-profit Conscious Digital
✧ Create your own privacy notice by the ICO UK - UK service to generate a Privacy Policy/Notice compliant with UK GDPR (copy of EU GDPR)
✧ Mindmap of opening clauses and flexibility in the GDPR for Member States by Winfried Veil
✧ German Data Protection Archive
If you know more useful links, let me know!