On 22 December the Rechtbank Midden-Nederland (Central Netherlands District Court) handed down an important ruling. The Kamer van Koophandel (KvK, the Dutch Chamber of Commerce) cannot invoke database rights to impose conditions on users of the data from the Handelsregister (Trade Register).

As of 1 January 2021 the KvK had changed its terms and conditions, claiming database rights for itself in the process. That was a rather astonishing step, which I myself interpreted as a deliberately obstructive act in anticipation of a possible open data obligation under the new Re-use Directive / Open Data Directive. That new Re-use Directive, in Article 1.6, prohibits public bodies (which includes ZBO's, independent administrative bodies like the KvK) from using database rights to impose additional access restrictions beyond what the Re-use Directive itself allows. The KvK has of course known this since 2019, so trying to create a new status quo in advance (one you can then defend against the 'excessive' demands of the new rules) was, in my eyes, an act of obstruction.

Incidentally, that obligation expected in 2021 does not exist yet. On the one hand because the Netherlands has failed to amend the Wet Hergebruik Overheidsinformatie (Re-use of Public Sector Information Act), which should have been done by last July (and for which it has been put in the EU's naughty corner). On the other hand because the implementing act on mandatory open data, which should have been known a year ago already, still has not been published (probably because of political disagreement between Member States over precisely those same trade registers).

Rightly, a number of commercial re-users of Trade Register information started a court case over the new terms of use. A ruling has now been given in that case.

That ruling saws the legs off the KvK's chair. Where the Re-use Directive states that holding database rights can limit the effect of the Directive, but that public bodies may not invoke those rights, the court rules that the KvK has no database rights at all.

Back in 2009 we already had the Landmark case against the Municipality of Amsterdam, where the court ruled that the Municipality is not a producer in the sense of database law, because the Municipality did not meet the investment requirement for being granted such rights.

In the ruling now given, the court acknowledges that the KvK does invest considerable effort in building the Trade Register. But because there is no financial risk whatsoever attached to that investment (it is covered by law through the government), and because it concerns the execution of a statutory task which makes the investment necessary, there is no economic justification for database rights. The KvK is, according to the ruling, not a producer in the sense of the Databankenwet (Database Act). That strikes out the obstructive elements in the KvK's terms of use introduced at the start of this year.

In this context the recent (10 December) letter to the Tweede Kamer (House of Representatives) from the Minister of Economic Affairs and Climate Policy (EZK) about the data vision for the Trade Register is also interesting. It discusses, among other things, the problems experienced with the Trade Register. These concern both too much access and re-use, and too little access and re-use. The letter positions this as a tension between privacy and transparency, but that is a false dilemma. You can comfortably maximise both.
EZK states, rightly, that having a paywall cannot count as privacy protection (at most it means that only people with a bit more to spend get to violate your privacy), and also rightly puts the public interest of public information about legal entities at the centre (I wrote about this earlier: in exchange for making visible who I am as an entrepreneur, so that others can check whom they are dealing with, I as an entrepreneur also get certain advantages and legal protections that can stimulate my entrepreneurship).
What is wrong in the EZK letter is the suggestion that advocates of open data only look at the socio-economic benefits, and EZK also tries to argue that the socio-economic benefits achieved with such data elsewhere may have arisen from other causes. This apparently also refers to the advice on mandatory open data, which has been published but not yet officially released. That advice indeed says almost nothing about the protection of personal data, because the European Commission explicitly placed that outside the scope of the study and the advice. The GDPR is simply a given.

As far as I can tell, nobody denies the privacy problems around the Trade Register. Such as the fact that two thirds of all legal entities are registered at someone's home address (like mine).

The line of reasoning regarding open data starts, after all, with the protection of personal data:

1. The AVG (GDPR) protects personal data and constrains the WOB (WOO), the Dutch freedom of information acts.
2. What is public is regulated by the WOB (WOO), with personal data as a ground for exception, and by a number of specific laws (e.g. the Handelsregisterwet, the Kadasterwet). The latter two, the Handelsregisterwet and the Kadasterwet, make a targeted trade-off between the public interest in the openness of certain personal data in economic traffic and the protection of personal data.
3. The Re-use Directive states that what is public must be able to be re-used.
4. The implementing act on High Value Data under the Re-use Directive makes the proactive publication for re-use of some of the data that must be re-usable mandatory (probably including the Trade Register).

The AVG and the Re-use Directive with the EU High Value Data implementing act are simultaneously of great public importance to everyone, and they are not in conflict with each other. Not for the Trade Register either. The moving parts are in the Handelsregisterwet and in the KvK's practical information management. That is where the problems need to be solved. Not with attempts to arrange things, by changing your terms of use, so that you as the KvK mostly don't have to do anything yourself. It is a recognisable pattern that we have already seen with the WOO. The VNG (the association of municipalities) and the municipalities first found complying with the WOO too expensive, then got extra time from the Tweede Kamer to get things in order, only to then say in advance that it will never work. The EU open data obligation for the Trade Register is no more the problem than the introduction of the WOO is for the municipalities. The new laws merely make very explicitly visible that the KvK, and regarding the WOO the municipalities, do not have their information management in order. The effort needed to become compliant is not the implementation cost of those laws, but the sum of overdue maintenance of your information management, of legacy systems, and of failing as an organisation to look ahead in your own information domain, starting from the positive impact you aim to have on your environment. That sum of organisational shortcomings is now merely made visible to everyone, including the KvK itself, by those new laws, because you now finally have to do something about it.

With the court ruling, the KvK's attempt at obstruction has not merely been set aside by, say, stating that database rights may not be used to limit re-use. Rather, the KvK's argument has been undermined entirely: the KvK has no database rights at all.

That is a nice Christmas present for everyone.

The spam about GDPR and CCPA I received last week turns out to be part of a study by the US based Princeton University, with one of the researchers having recently joined the Dutch Radboud University. The more recently sent mails apparently had a link to the project page added, I assume in light of feedback received, which was then shared in my Mastodon timeline by someone who, as a Mastodon moderator, had received these mails.

I sent a mail to the research team explaining my complaint about the mails I received. I also approached the Radboud University’s Digital Security (RU DiS) research group where one of the researchers works, and filed a complaint there.
In the past few days I’ve had e-mail exchanges with the research team, as well as with the RU DiS department head. All those I approached have been very responsive and willing to provide information, which I very much appreciate.

That doesn’t make the mails I received ok though. The research team itself may have come to the same conclusion, as they informed me they’ve stopped sending out new mails for now. They have also added a FAQ to the project page. [UPDATE 2021-12-19 Jonathan Mayer, the Principal Investigator in this Princeton research project, has now issued an apology. These are welcome words.]

On the research

The research project is interested in how companies have set up their process for responding to requests for data access under the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). They also intended these requests for organisations that don’t a priori fall within the scope of those acts. Both acts are intended to set a norm also for those not covered by them: the GDPR is written to export the EU’s norms for data protection to the rest of the world, and the CCPA is set up to encourage companies not active in California to follow its rules regardless. So far I have no issues.

How I ended up in the list of sites approached

My blog is a personal website, so it falls outside the declared scope of the study (companies). It can’t fall under the CCPA, as that only applies to businesses (that do business in California, with a certain turnover, or that sell data). It is less clear whether it falls under the GDPR: in my reading of the GDPR it doesn’t, but at the same time I have written a personal data protection policy as if it does (out of professional interest). So how did I end up in Princeton’s list of site owners to approach? In my conversation with one of the researchers they indicated that the list of sites to approach was a selection taken from the Tranco list. That list combines the results of various lists of the 1 million most popular websites, such as Alexa (soon to be discontinued), Cisco Umbrella, and Majestic Million. My URL is in both the Alexa and the Majestic list. Cisco’s list looks at DNS requests for domains on their hardware, and unsurprisingly I’m not in their current list, as it is based on today’s web traffic. The Majestic list seems to use backlinks to a site as a ranking factor. This favours old websites, as they build up a sediment of such backlinks over time. Such as weblogs that are some 20 years old, like mine. Unsurprising then that blogs like Dave‘s, David‘s, and those of longtime blogging friends feature in the list. In the graph below you see my and their blogs as they rank in the Tranco list.

(Figure: The relative positions of the blogs of several old time blogging friends and myself in the Tranco list of over 1 million sites.)

That I might be on the long list when the Tranco list is used makes sense. However, the research group says they used filtering and categorisation to then select the websites to approach. A meaningful selection seems less likely, given that they approached personal sites like mine (and, judging by other online comments on the mails sent, other similar sites).

Still it’s wrong

The research was designed by Princeton’s computer science department, and was discussed with Princeton’s Institutional Review Board (IRB), they say. During this process the team ‘extensively discussed potential risks of our study, and took measures to minimize undue burden on websites, especially websites with less traffic and resources’.
The IRB concluded the research doesn’t constitute human subject research. True from a design perspective, but, as shown by me as a private individual receiving their e-mails, not true in practice. A better determination of which sites to approach and which not to approach would have been needed for that.

The e-mails sent out for this study are also worryingly problematic in two respects.
First, they pretend to be actual e-mails from individuals; nowhere is it made clear that it’s research. On top of that the names used for these individuals are clearly fake, and the domains from which the e-mails were sent also easily raise suspicion. Furthermore the request lacks any context: an individual with a real request would never use a generic text, or use the domain name rather than the actual name of a website. This makes it unclear to recipients what the very purpose of the e-mails is. This is not only true for individuals or e.g. small non-profits; this is confusing and suspicious to every recipient, even if they had limited their inquiries to major corporations. I’m sure that negatively impacts the results, and thus the validity of the conclusions. It also means many recipients will have spent time evaluating, or worse, bringing in advice on, how to deal with these suspicious looking requests.

Second, the wording of the e-mail makes it worse. The mails have a legalese ring to them (e.g. stating that it is not a formal data access request at this time, though one might still follow, another thing a real individual would not phrase like that). What is worse, each mail suggests a legal threat at the end. They say that a response is required within a month based on Article 12 of the GDPR, or within 45 days based on Section 1798.130 of the California Civil Code. Both those statements are lies. Art. 12 GDPR sets a response deadline for data access requests, which this mail emphasises it is not, and the same is true for the California Civil Code.

It’s exactly this wording, with false legal threats, and lacking any context to evaluate what the purpose of the e-mails is, that makes people worry, and spend time or even money figuring out what they might be exposed to. As an individual I decided to ignore the mails, others didn’t, but would you if you were a small non-profit, or another business that does not have the in-house legal knowledge to deal with this? Precisely those who have some knowledge of the GDPR or CCPA, but not enough to be fully sure of themselves, will spend unnecessary time on these requests. Princeton is thus externalising a burden and cost onto website owners. Falsifying the very thing Princeton states about aiming to “minimize undue burden on websites“. Using the word websites obscures that every mail will have to be answered by a real person. They could have just mailed me, asking me straight up for their research whether I have a process for the GDPR in place. I would have replied to them and been done with it.

Filed complaint

Originally I had filed a complaint with the Digital Security research team at Radboud University, as they are named as partners in the study. Yesterday I withdrew my complaint with them, as they weren’t part of the study design, and have only recently hired one of the researchers involved. Nevertheless they informed me they have alerted their own ethics board about this, to take lessons from it w.r.t. guidelines and good practices, even as the head of department said to me it is now too late to prevent damage. At the same time he wrote that they cannot let it pass, because “Even if privacy researchers do these projects with the best of intentions, it doesn’t mean they aren’t required to set them up well”.
It also means that I will refile my complaint with Princeton’s Review Board. Meanwhile this has spilled out online (it’s what you get if you target the 1 million most popular websites…), and I am not the only one filing a complaint, judging by the responses to a tone-deaf tweet by one of the researchers.

Others blogging about this study:
Questions About GDPR Data Access Process Spam from Virginia
Free Radical: CCPA Scam
What’s the deal with those weird GDPR emails?
I Was Part of a Human Subject Research Study Without My Consent

Today I learned that on 30 September the EC initiated infringement procedures against 19 EU Member States for failing to provide complete information on the transposition of the new Open Data Directive into national law.

Just one day before that announcement I already wrote that transposition was far from complete, but I hadn’t noticed that the day after, this turned out to apply to 19 countries, about 70% of Member States.

One of those countries, unsurprisingly, is the Netherlands. Unsurprising because the work on the transposition only started in earnest last February. A year delayed because of shifting priorities due to the pandemic, and much too late to ensure timely compliance, for which the deadline was last July.

My contact on this within the responsible ministry however told me that progress has been made. An internet consultation on the new law should open shortly after New Year, meaning the text of the proposed transposition will be publicly available then. I am eager to read it.

Bookmarked Thoughtware by Paul Bricman

Paul Bricman’s ‘thoughtware’ tool Lexiscore, a nutritional label for food for thought, was mentioned in the Obsidian Discord channel on knowledge management. His work seems of general interest to me, so I added his writings to my feed reader. I mailed him about two elements that are important in my information strategies which I don’t immediately see covered by his description. One is: in between individual subscriptions and engagement by the masses (likes, shares) to surface what others curate, there is the level of communities of practice and interest. Subscribing to multiple people within a community, and doing so in many communities, allows a focus on patterns in what people are talking about (what are Berlin coders enthusiastic about these days, what’s going on in the [your fav topic here] scene in Argentina?), beyond just focusing on individual pieces of shared content. Two is that being able to see how other people describe differently (in tags e.g.) the same pieces of content that caught my attention gives me a measure of distance to other groups unknown to me, yet with interesting overlap. They are interested in the same thing but use very different words and language to describe it, representing different viewpoints, which is valuable information (surprise). This is how I used Delicious bookmarking when it still showed you how other people tagged the things I bookmarked as well, and who those other people were. Because tags are not just descriptors but also navigational waypoints.

My research is focused on extending human thinking with artificial ways of thinking. An important part of this venture is bringing to life actual tools which incorporate the artificial affordances I’m designing, and then taking them for a spin. I call this family of tools thoughtware.

Paul Bricman

This is quite something to read. The Irish data protection authority is where most GDPR complaints against US tech companies like Facebook end up, because the European activities of these companies are registered there. It has been quite clear in the past few years how enormously slow the Irish DPA has been in dealing with those complaints. Up to the point where the other DPAs complained about it, and up to the point where the European DPA intervened, setting higher fine levels than the Irish DPA suggested when a decision finally was made. Now noyb publishes documents they obtained, which show how the Irish DPA tried to get the other national DPAs to accept a general guideline it had worked out with Facebook in advance. It would allow Facebook to contractually do away with informed consent by adding boilerplate consent to their TOS. This has been the FB defence until now: that there’s a contract between user and FB, which makes consent unnecessary. I’ve seen this elsewhere in the past as well, w.r.t. transparency and open data, where government entities tried to prevent transparency contractually. Contractually circumventing and doing away with general legal requirements isn’t admissible, however, yet that is precisely what the Irish DPA attempted to make possible here through an EU DPA guideline.

Reading this, the noticeable lack of progress by the Irish DPA seems not to be due to limited resources (as has been an issue in other Member States), but because it has been actively working to undermine the intent and impact of the GDPR itself. Their response to realising that adtech is not workable under the GDPR seems to be to sabotage the GDPR.

The Irish DPA failed to get the other DPAs to accept a contractual consent bypass, and that is the right and expected outcome. That leaves us with what this says about the Irish DPA, that they attempted it in the first place, replacing their role as regulator with that of lobbyist:

It renders the Irish DPA unfit for purpose.

Bookmarked Meta’s failed Giphy deal could end Big Tech’s spending spree (by Ars Technica)

This is indeed a very interesting decision by the UK Competition and Markets Authority. I recognise what Ars Technica writes. It’s not just a relevant decision in its own right, it’s also part of an emergent pattern. A pattern whose various components are zeroing in on large siloed market players. In the EU the Digital Markets Act was approved in recent weeks by both the Council of member state ministers and the European Parliament, with the negotiation of a final shared text to be finished by next spring. The EU ministers also agreed the Digital Services Act between the member states (the EP still needs to vote on it in committee). The DMA and DSA set requirements w.r.t. interoperability, service neutrality and portability, democratic control and disinformation. On top of the ongoing competition complaints and data protection complaints, this will lead to new investigations of FB et al., if not to immediate changes in the functionality and accessibility of their platforms. And then there’s also the incoming AI Regulation, which classifies manipulation of people’s opinion and sentiment as high risk and, to a certain extent, as a prohibited application. This has meaning for algorithmic timelines and profile based sharing of material in those timelines. All of these, the competition issues, GDPR issues, DMA and DSA issues, and AI risk mitigation, will hit FB and other big platforms simultaneously in the near future. They’re interconnected and reinforce each other. That awareness is already shining through in decisions made by competent authorities and judges here and now. Not just within the EU, but also outside it, as the European GDPR, DMA, DSA and AI acts are also deliberate export vehicles for the norms written down in them.

….the strange position taken by Britain’s competition watchdog in choosing to block Meta’s takeover of GIF repository Giphy. Meta, the UK’s Competition and Markets Authority (CMA) ruled, must now sell all the GIFs—just 19 months after it reportedly paid $400 million for them. It’s a bold move—and a global first. ……regulators everywhere will now be on high alert for what the legal world calls “killer acquisitions”—where an established company buys an innovative startup in an attempt to squash the competition it could pose in the future.

Morgan Meaker, wired.com / Ars Technica