I Filed a DSAR with NoybEU. Here's Why.
At some point though, a thought came to me -- what does a good tech stack look like? What kind of benchmark or best practice should I advise clients on? How can data controllers do things in a privacy-preserving way? And so I asked Noyb, CNIL and the Aust
First a little history:
The transparency and accountability principles of Article 5 are important ones. Among them, personal data must be
processed lawfully, fairly and in a transparently;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
adequate, relevant and limited.
These are part of the obligation of the controller. Also, under Art. 28, controllers have an affirmative duty to ensure that their processors are also follow Article 5 principles (amongst other things). These obligations apply to all controllers governed by the GDPR.
Data subjects have an affirmative right under Article 15 GDPR to ask for access to their personal information (as well as details on how the controller is honoring their obligations under the Regulation).
Okay, so many of you know this, and may be asking: Okay, why is she telling me this?
It's simple: I'm looking for accountability and transparency. In this case, from NoybEU.
101 Lawsuits
In August 2020, Noyb filed 101 model complaints against the largest controllers in the EU, on the grounds that these controllers were using Google Analytics and Facebook Connect, and were transferring personal data (notably identifiers and IP addresses) about EU data subjects without a lawful basis and without adequate safeguards in place to prevent against US government interference. Since then, decisions have come down from the Austrian and French data protection authorities, stating that such transfers did indeed violate the law.
While Noyb may have noble aims, I think this approach (and the follow-on decisions) will have disastrous consequences for the internet at large. These decisions (and Noyb's objectives in the 101 complaints approach) are short-sighted and fail to understand the complexities and technical realities of the internet.* And more importantly, this approach is likely to metastasize to include critical infrastructure and core features of the internet. Yes, we can all do away with Google Analytics and Facebook Connect, but many other systems share IP addresses and 'identifiers'. They are not always easily replaced.
Rather than rehash that here, I wanted to point readers to my recently-published piece in GRC World Forum.
A Twitter Query That Touched a Nerve
After the article was posted, it led to a fascinating discussion by many smart folks (and Noyb) over my interpretation and assessment. Some folks agreed; some didn't. I took it in stride and actually learned a lot. At some point though, a thought came to me -- what does a good tech stack look like? What kind of benchmark or best practice should I advise clients on? How can data controllers do things in a privacy-preserving way? And so I asked Noyb, CNIL and the Austrian DSB if they would, in the interests of transparency, share their tech stacks and best practices:
I also looked at Noyb's privacy notice (haven't gotten around to CNIL and Austria yet!), and identified a few of the processors they used. And then I looked at their privacy notices, and had some questions.
I was careful not to accuse Noyb of anything. My aim was only to see if, as a champion of data protection, Noyb and the regulators had some guidance and advice (and accountability) for what they themselves use. It was a reasonable request. At the time, I also filled a separate Data Subject Access Request to Noyb, as up and until December 2021, I had been a supporter and donor to Noyb.
This, unsurprisingly touched a nerve, and Max Schrems (of the eponymous Schrems decisions, accused me of bad faith, ill-intent, and generally getting it all wrong. [he has since deleted most of these tweets] He also alluded a few times to the fact that I wasn't being candid and disclosing the whole story -- which referred to my DSAR. Hence this post.
And so, in the interests of transparency and openness, I wanted to share the DSAR I filed -- or as Max calls it, the 'whole story'. NB: I have redacted email addresses, and the name of the person I corresponded with. I also didn't include the earlier email (which discloses my request to cancel my membership at Noyb). I have not changed anything beyond these redactions.
My DSAR Request
<Redacted>
I am requesting details on all personal data Noyb maintains about me. This includes, but is not limited to: personal information sent to your payment processor, SIX Payment Services Austria GmbH, as well as any information you have stored about me or the following email addresses and Twitter handles in your email systems (,dialog-Mail eMarketing Systems GmbH), helpdesk (Zammad.com), collaboration and/or chat platforms.
In addition to my name, the relevant email addresses and Twitter profile are:
<redacted email>
<redacted email>
<redacted email>
@privacat
To facilitate this process, I have included our past email correspondence from December 2021 as a means to help verify my identity. I can also confirm that I have been a member since October 2020.
I am also requesting information on Noyb's data processing practices, in line with Article 15(1) GDPR and details on whether any personal data of mine is transferred to a third country.
Thanks and have a lovely weekend.
Carey Lening
*I originally had a few vague 'they' statements there. I have corrected this graf to reflect my actual view -- I didn't mean to impugn Noyb as an organization, but the end-goals they're trying to achieve in this case - CL