Ship Your Enemies GDPR

@ouaibou @jerre_baum See https://gdpr-info.eu/?s=reasonab.... The same rule appears in a few sections for different parts of GDPR, and in general says "Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, the supervisory authority may charge a reasonable fee based on administrative costs, or refuse to act on the request". To me, that sounds like you can't automatically charge _everybody_ a fee, but you could easily automatically charge for more than 3 (say) GDPR requests per year per user, or similar.

@jydesign Does anyone sell GPDR-request-insurance?

@jydesign Doubtful. Small companies should have made an easy way for users to export their personal data as required by the GDPR. You could just respond to these requests in a bit of a lazy fashion by sending that export. For many of the questions in this request (from the website), the answers are required to be in a privacy policy, so you could just link to that to cover half of the questions, or just paste the entire thing in the response directly. In summary, Questions 2-9 are all generic and answered with a standard, and proper, privacy policy. Question 1 can be answered with a data export. So you'd be spending... less than 30 seconds per request to deal with this: run a data export, reply with an email with an attachment of the data export + a paste of your entire privacy policy. I'm aware the request asks for specific external services, etc. I can't recall to what extent the GDPR requires detail on some of these matters. Some services provide a detailed list of these in their privacy policy already. Larger companies tend not to. For something like Google, I imagine the list would be so broad they'd have trouble structuring this reasonably (or perhaps even having a comprehensive list of everything). I'd be interested to see how a large data processor would respond to this request.

@mandeep Sorry about that errant earlier reply, the iOS app was behaving oddly. I appreciate these details and realize my initial reply could seem FUD-ish to some. Any time spent responding to or rejecting fake GDPR requests is a waste of time for a company, especially a small one. So, suggesting that 30 second per request is no big deal or is not prohibitive to doing the work a company is actually built to do, seems grossly dismissive of the foolishness of both THIS product existing and the current/future ways in which GDPR may be leveraged to do as much harm as good. The product above even states " designed to waste as much of their time as possible" and in their FAQ state the purpose is "To show that GDPR is fucking stupid". Some are saying that sending a barrage of fake requests will not be crippling, but it's not productive either. 1000 requests at 30 sec per request are about 8.3 hours cumulative. In addition, the presence of these 'spam' requests will have the risk of obscuring the small number of legitimate requests that may also be coming in.

@jydesign are you a GDPR expert? Responding within 30 days can just be "We'll look into. Due to the high volume of requests we'll try our best to provide you with the info in 30 days." No regulator will harm you if you can show case a flood of requests like that.

Please don't send me either though, k? 🙏

@jerre_baum I am not Google's biggest fan but I don't see how them benefiting from it it's an absolute negative. Sure, maybe receiving some of this requests it's a pain but maybe it's reflecting a problem in how the data is handled more than in the legislation. We are going from having nothing to having a process, people are still scrambling, that doesn't mean we cannot strive to do better.

@duiker101 From my experience with the users, most people are more annoyed at having to click all the consent boxes on all the websites and deal with all the offline absurdity (e.g. attendance lists being forbidden, etc.) than they are satisfied with their data being handled differently in any way (in fact they don't notice the latter at all). What you wrote is basically how the people responsible for GDPR pat themselves on the back for the job well done.