Good news. My sole proprietorship is finally getting a VAT number that does not contain my BSN (citizen service number). That number has to appear on your website, your letters and your invoices, so until now I have been forced to expose personal data. That conflicts with the GDPR. From 1 January 2020 I can use a different number in external communication.


Elizabeth Renieris’ Hackylawyer blog is well worth reading; I’ve recently come across it and added it to my feedreader. This article takes the core principles of the EU GDPR and compares them to how they might play out in blockchain usage, or not. A good reference list for conversations I am bound to end up in with clients.

Read: Forget erasure: why blockchain is really incompatible with GDPR, by Elizabeth Renieris (Hackylawyer)

The [post] is not meant as a commentary on the suitability of blockchain or GDPR, taking either in isolation. Rather, it is meant as an assessment of blockchain against the GDPR’s core principles. In this way, it is intended to provide a higher-level entry point into the conversation about the compatibility (or incompatibility) of blockchain and the GDPR, as well as a tool for reconsidering bold, and often unfounded, compliance claims.

It sounds to me like Superhuman e-mail service is in permanent breach of the GDPR by collecting the reading behaviour and geolocation of every recipient of an email from one of their users. So that user can get a ‘message read’ signal, except it shows the user every time you opened a mail and your geolocation at that moment. Without the recipient’s knowledge, and thus without explicit consent, which is definitely needed for something like geotracking.

Also: switch off loading remote images in your e-mail client, so tracking pixels and other image-based beacons won’t automatically load upon opening your mail.
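As an added illustration of the tracking-pixel mechanism described above (example code, not part of the original post): a small Python checker that lists the remote images in an HTML mail body and flags the ones that look like read beacons, which is exactly what a client that blocks remote images protects you against. The sample message, its URLs and the hypothetical `.invalid` domains are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one inline (cid:) logo, one hidden 1x1 remote beacon whose
# URL carries a per-recipient token, and one ordinary remote photo.
SAMPLE_HTML = """
<html><body>
<p>Hi, here is the report.</p>
<img src="cid:logo@example" alt="logo">
<img src="https://track.example-mailer.invalid/open?rid=a1b2c3"
     width="1" height="1" style="display:none">
<img src="https://cdn.example.invalid/photo.jpg" width="400" height="300">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))

def _is_tiny(attrs):
    """True when declared width and height are both 1 or 2 pixels."""
    try:
        w = int(str(attrs.get("width", "")).rstrip("px") or 0)
        h = int(str(attrs.get("height", "")).rstrip("px") or 0)
    except ValueError:
        return False
    return 0 < w <= 2 and 0 < h <= 2

def find_remote_images(html):
    """Return (url, is_likely_beacon) for each remote image in an HTML mail.
    Inline cid: and data: images never leave the client, so they are skipped.
    A remote image is flagged when it is tiny, hidden, or carries a query
    string (typically a per-recipient token that ties the fetch to you)."""
    p = _ImgCollector()
    p.feed(html)
    results = []
    for attrs in p.images:
        src = attrs.get("src") or ""
        parsed = urlparse(src)
        if parsed.scheme.lower() not in ("http", "https"):
            continue
        style = re.sub(r"\s", "", attrs.get("style") or "").lower()
        beacon = _is_tiny(attrs) or "display:none" in style or bool(parsed.query)
        results.append((src, beacon))
    return results
```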

You’d think the habit would have died out in the last millennium, but apparently not. An Italian business’ platform at which I registered just sent me a friendly email confirmation that contains my name, username and password in plaintext. What better way to start a relationship with a new client than with a security breach, eh?

I mentioned here six months ago that US National Public Radio (NPR) provides a GDPR-based choice: get tracked or get text.

If you don’t agree to their tracking ….

[We] use cookies, similar tracking and storage technologies, and information about the device you use to access our sites to enhance your viewing, listening and user experience, personalize content, personalize messages from NPR’s sponsors, provide social media features, and analyze NPR’s traffic. This information is shared with social media services, sponsorship, analytics and other third-party service providers.

…then you have the option to see their content in plain text, which is hosted on a separate subdomain, text.npr.org.

I find I only access NPR now through plain text. The pages are made from straightforward HTML, with no loading of any other files or snippets, and are therefore as fast as can be. A breath to read, no distraction etc.

[Images: NPR’s plain text news page, and an NPR plain text article. Only HTML, here NPR’s news page in full. No frills, so very fast.]

The only downside might be that without imagery, self-starting videos, distracting calls to action and ads, you might notice that a lot of news stories are without much informational content. You can’t blame NPR for that, because news itself as a format has worn a bit thin. GDPR and AdTech (not advertising) are at extreme odds. I like the look of AdTech being stripped away, even if it makes the early 1990s web fashionably retro.

I wish more sites would offer the ‘get tracked or get text’ option.

After California, now the Washington State senate has adopted a data protection and privacy act that takes the EU General Data Protection Regulation (GDPR) as an example to emulate.

This is definitely a hoped-for effect of the GDPR from when it was launched. European environmental and food safety standards have had a similar global norm-setting impact. This is because for businesses it is generally more expensive to comply with multiple standards than to comply only with the strictest one. We saw it earlier in companies taking GDPR demands and applying them to themselves generally. That the GDPR might have this impact is an intentional part of how the EC is developing a third proposition in data geopolitics, between the surveillance capitalism of the US data lakes and the data-driven authoritarianism of China.

To me the GDPR is a quality assurance instrument, with its demands increasing over time. So it is encouraging to see other government entities outside the EU taking a cue from the GDPR. California and Washington State have now adopted similar laws. Five other states in the USA have introduced similar laws for debate in the past 2 months: Hawaii, Massachusetts, New Mexico, Rhode Island, and Maryland.