Abiding by the law

Post #2 published on by Tobias Fedder

Depending on the jurisdiction, running a website comes with different amounts of legal requirements. In my case I feel there are quite a lot for something I've considered to be a personal website; well, turns out in the legal sense this website isn't personal. That is just one of the many things I found out while I tried to make this website compliant with the laws that apply to it.

Which laws? I am from Germany and run my server here as well. That means there are some local customs I have to obey, while most of you reading this probably don't. So I invite you to read along and pity me, at least during the first part. After that I'll get into some of the laws of the European Union (EU), especially the EU's General Data Protection Regulation (GDPR), which applies to way more scenarios than just running a website in Germany and doesn't even stop at the EU's borders; so in case you run a public website anywhere outside the EU and therefore think GDPR doesn't apply to you… are you sure about that? Of course, the GDPR is not the only law in the world that aims to protect people's information, so there is more to consider.

Before I get into it, let me clarify that I am not a lawyer, and that this is not legal advice. It is just what I — an employed web developer who thought it would be fun to run a website on the side — learned and concluded from reading a bunch of legal texts in order to limit legal trouble.

What is an Impressum?

Have you ever noticed that print media such as books, magazines and newspapers — depending on the jurisdiction, of course — name the author, publisher and some other people who were involved in that publication including their roles and thereby their responsibilities? In some contexts it is known as Imprint and it is often mandatory, in German it is called Impressum. I guess the reason behind this is that people who can publish and thereby spread information and opinions need to be held accountable or something.

Back when the world wide web became a thing German lawmakers assessed that websites are just a new way of publishing and therefore whoever responsible should be required by law to identify themselves to the visitors. And that is why to this day you can find many websites in English, from large, international brands of German origin, that will provide a link to their legal notice, except they call it Imprint instead. 😬 I guess I should stop worrying so much about my English writing skills afterall.

Currently there are two laws in Germany that mandate providing an Impressum to websites. The Telemedia Act (Telemediengesetz, TMG) and the Interstate Media Treaty (Medienstaatsvertrag, MStV). The former regulates running a commercial‐ish website and the latter is concerned with platforming or publishing media — especially editorial or journalistic content.

The TMG and commercial‐ish websites

Imagine a business operating in Germany that has a website telling you that it is the best business in the world, you should buy their products, you should pay for their services and you should definitely partner with them. That website would be a commercial website thus has to provide an Impressum — easy. Or maybe it wouldn't be so easy, if I didn't pick such an obvious example.

§ 5 (1) of the TMG states that service providers must produce an array of information in form of an Impressum, if they provide digital media commercially. For example if they run a website to advertise or offer goods or services that are usually exchanged for payment. § 2 1. states that any natural or juristic person that provides digital media is a service provider in the context of the TMG. So due to this website I'm a service provider now. Is it commercial though? I tend to believe that it isn't at this point, but I'm not sure about that. Advertising is a commercial activity. If I placed ads on this website and got paid in return, that would be commercial, clearly. But the TMG is considering all activities that usually involve payment. Let's hypothesise I write a blog post about a great tool and it reads like a praiseful review. Could that be construed as an ad for that tool? I mentioned that I am a web developer trying to show my passion for the web through this website. Could that be construed as advertising myself to future⁠⸻ Well, no one would think of this weird website as an ad — nevermind.

Since German courts have ruled cases regarding the TMG in a pretty strict manner, I lean to better safe than sorry. On the downside, providing an Impressum is bothering, as I will get into in a bit. But before I lose myself in pondering endlessly about where my website lands on the commercialization spectrum, let's have a look at the other law regarding disclosure.

The MStV and transparent discourse

The MStV is concerned with content made available to the public via broadcasting or digital media. The second section of the MStV regulates digital media in this regard. § 18 of the MStV states that, unless digital media is provided exclusively for personal or family purposes, the provider has to disclose those responsible for the content. It just happens to be the case, that none of my friends or family actually care about web development, but that there is a niche but global potential audience for this. Therefore, according to the MStV, I need to provide my full name and address. A postbox won't do because it has to be a summonable address.

Take a guess. Will I rent some expensive office space just for an alternative address, will I use a questionable registered‐office‐as‐a‐service, or will I disclose my private address on the internet, to run a zero-revenue website on the side just for fun? That's right. If I criticise your favorite framework in a future blog post, you'll know where to threaten my family. Thank you German lawmakers, I feel much safer now.

How to Impressum

Both the TMG and the MStV state that the mandatory information needs to be always available, easily recognisable and directly accessible. Courts have ruled that the page containing the Impressum has to be at most two clicks away from every page of a website. In practise there is a link on every page in the top or footer navigation. I prefer the latter for this site.

Considering that the MStV already forces me to provide my address, the remaining requirements for a full‐blown TMG‐compliant disclosure are almost negligible in terms of annoyance. Almost because German lawmakers never disappoint. The TMG demands that the service provider can be contacted via a direct medium of communication in addition to an email address. That can be a phone number or, as a court ruled, a form on the website as long as the service provider responds within 60 minutes. 60 minutes! Insane. I decided to build a static site, so no forms for me. But even for a small or medium sized business, the idea to produce a meaningful response 24/7 within one hour is ridiculous. Otherwise, if it doesn't need to be meaningful, just an automatic "We received your message and get back to you asap.", then there is no advantage over email thus it is pointless. Ridiculous or pointless, well done lawmakers and judges. Luckily it is easier and cheaper to get an additional phone number, than to get another summonable address, so I did.

In case I want to turn this into a commercial website in the future there will be other legal requirements such as starting, registering and managing a business, which I don't intend to do at the moment. So what is the point of an as if Impressum? In short: some highly litigious individuals and shady lawyers like to scrape the web for faulty or incomplete legal notices, while the tax office doesn't. Not having to argue that my Impressum is in fact sufficient for what I do could save me time, while registering a business for no reason is a waste of time.

One last thing on this topic: I don't need to provide an English version despite the fact that parts of this website target an English‐reading audience. It thereby differs from the laws regarding privacy and personal data.

Protecting personal data — in EU fashion

There are many laws that aim to protect personal data around the world. The most significant one — at least in my opinion, because of its strictness and impact — is the EU's GDPR. It goes somewhat like this: If there is data that could be used to possibly identify an individual, then that data and all data related to it is considered personal data. With the exemption of personal or household activities, nobody inside the European Economic Area (EEA) is allowed to process anyone's personal data at all and nobody outside the EEA is allowed to process personal data of residents of the EEA, if collected while they were within the EEA, for offering services/products or for monitoring behaviour.

Somehow many privacy notices, that I read in the past to get an idea on how to structure my own, that belong to organizations located in the EEA, seem to imply, that this law only applies to personal data of EEA residents. Based on my reading of the GDPR, I don't understand where they are getting this from — but I am also not a lawyer, as I said.

GDPR is basically all: deny. But then there are a bunch of rules which might allow you to process some personal data under the right circumstances — it's like a very long conditional allow‐list. The GDPR consists of 99 articles afterall.

I can not run this website without processing personal data, because of the way the web works. A request to a web server has to contain the IP address for the response. It is very likely that on a public facing website such as this one at least some IP addresses belong to the connection of a private household. Meaning that someone, for example their internet service provider (ISP), could possibly identify an individual through the IP address, which is therefore personal data.

Great, new roles for everyone — according to the GDPR I'm a data controller now. You, whose personal data I process, are considered a data subject in this context.

That also means I have some work to do. First of all I need a privacy policy, which means two things: having an actual policy in place in regards to all processing of personal data that relates to this website, as well as providing a clear description of that policy to the readers, including details regarding their rights. Also, once again, I need to put my name on this website, this time as the person responsible for the processing of personal data in compliance with the GDPR.

Principles of the GDPR

The principles relating to processing personal data listed in Article 5 are transparency and lawfulness, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. The last one means, that the data controller can show the compliance in regards to all of them.

Purpose limitation means that for data to be processed, the purpose for which this data is or will be used needs to be clearly defined upfront. It can not be processed for other purposes unless they are well aligned with the original purpose given. Storing data is also considered processing, just so you know. It is not allowed to process data that is unnecessary for the given purpose, that's what data minimisation means. Complementing the previous two, storage limitation means getting rid of personal data as soon as it is no longer needed for the purposes it was collected for.

To comply with the principle of accuracy the data controller has to make sure the personal data is correct or will otherwise be corrected or deleted immediately. Integrity and confidentiality are pretty obvious, there have to be measures in place to prevent unauthorized access or loss of data.

Lastly there are transparency and lawfulness. Transparency means that the description of the privacy policy provided to the data subjects doesn't just say "I care about your privacy, trust me bro", but instead lists every tiny detail regarding the processing of personal data that will occur. Which data is processed? For which purpose? What is the time frame? And, touching on lawfulness, on which lawful basis?

Six lawful bases of processing

All processing of personal data has to be based on at least one of the following, equally valid, lawful bases (Art. 6(1)). These are consent (a) given by the data subject, or where processing is necessary to: set up or fulfill a contract (b) with the data subject, to comply with laws or regulations (c), to protect the vital interest (d) of a natural person — think of a medic taking care of an injured person that is unable to communicate, to fulfill tasks in the public interest (e), and to pursue legitimate interests (f) of the data controller as long as the legitimate interests outweigh the interests or rights of the data subject.

If processing takes place only based on consent (a) or to comply with laws (c), all repurposing is forbidden, even if a new purpose would be well aligned with the original purpose. If processing is based on consent, the data subject can withdraw that consent at any time, which prohibits further processing. Withdrawing consent has to be at least as easy as giving consent.

Legitimate interest (f) may sound like a loophole favoring the data controller, but it's risky to just claim that an interest is legitimate. The data controller should do a legitimate interest assessment (LIA) to ensure that compliance can be demonstrated if needed. In short a LIA should first identify the purpose and all its benefits, second, show the necessity especially the lack of less intrusive alternatives, and third, assess that the risk for the data subject is low and their interests in privacy and safety don't override the interest of the data controller. And even then data subjects, competitors or public authorities might challenge the assessment.

Rights under the GDPR

The page informing about my privacy policy has to list the rights the GDPR grants my visitors. Most of the rights are defined in Chapter 3 spanning from Article 12 to 23. Based thereon I am obligated to inform the data subjects, such as you, about their rights to request from me, the data controller, to show them their personal data that I hold (Art. 15), to rectify that data (Art. 16), to delete that data (Art. 17), to restrict the processing of that data (Art. 18), to transmit that data to them or another data controller in a machine‐readable format (Art. 20), and to object to the processing of that data (Art. 21).

That is an impressive list of rights, although — caveats incoming — the restriction and deletion bits are limited to processing that is in violation of the GDPR anyway; except where the restriction is requested due to a pending objection. Yet objections themselves are limited to the processing on the basis of public or legitimate interest due to the data subject's particular situation. Meaning the data controller can reject the objection, given that their policy, e. g. a LIA, covers the depicted particular situation.

It took me a while to understand why anyone needs rights that only apply when the processing is in violation of the GDPR anyway, for example the right to erasure. The key is that the data subject can request it directly from the data controller, not having to involve further parties, like a lawyer, an interest group or government authorities. Writing of which, you can of course, in fact I also have to inform you about your Right to lodge a complaint with a supervisory authority, that's Article 77.

Which processing do I delegate to who?

Since I am the person responsible for the processing of personal data my role is that of a data controller. I found that term a bit weird at first, but it makes sense. I control the data insofar that instead of doing all the processing on my own, I can choose third parties to do some of the processing for me; these are therefore called data processors.

As you may have already guessed, I have to inform my visitors about all data processors I use and which data they are or will be processing. Furthermore I need to ensure that the data processor acts in compliance with the GDPR as well. That is fairly easy, as long as I pick a data processor based in the EEA, or a jurisdiction that the EU deems to be on par with the EU in regards to protection of personal data. Otherwise it is a bit more work to ensure data protection through additional technical, organizational or contractual measures. Either way a Data Processing Agreement (DPA) between the data controller and the data processor is mandatory (Art. 28).

Maybe in the near future the US will be one of those on par data destinations once again — for a while. At least there is a lot of talk about the Privacy Shield 2.0 being on its way in the last months. But, as the name suggests, there has been a Privacy Shield before, and a Safe Harbour before that one, and so far these agreements were struck down by the EU's highest court due to some US laws. One of them being Section 702 of the Foreign Intelligence Surveillance Act (FISA), which hasn't changed since then, despite the self­‐applauding politicians in the EU and the US. There is also the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), which obligates businesses in the US to provide personal data if requested by US authorities, even if that data is stored outside the US. Therefore I personally don't understand how transferring data to any business which has offices in the US is compatible with the GDPR, so I will stay away for now — but I'm also still not a lawyer.

Regarding this website there are two data processors. One provides me with email services, so people can contact me via email as the laws require. The other is the server hoster, where I got this server that is now also serving this website. Both of them provide pre‐formulated DPAs, as most service providers do. As a data controller you can either accept them as they are or look for another data processor — theoretically you could try to negotiate your own, but I'd assume that is reserved for the contact‐sales‐tier.

Which personal data am I processing for this website?

If someone actually wrote an email to one of the addresses from the Impressum or the privacy policy page, then the email address of the sender, and whatever data they put in, will be processed — kinda obvious.

Except from this — hopefully unlikely — scenario of people writing me emails, what kind of processing is happening through this website? I will process every visitors IP address. There are two purposes. First one: sending a HTTP response to answer a HTTP request. That is how the web works, it couldn't be done without.
What is the time frame?
Until the response has been send.
What is the lawful basis?
Consent. Yes, that is right, you navigating to my website, therefore your browser sending a request with your IP address in it, means you implicitly consent, through your action, to the server processing that IP address to send you a response.

At least that is the case with the server that serves the origin. If my website would embed a resource from a different domain hosted by a third party, for example to easily provide a beautiful web font, then — although technically the browser just sends another HTTP request to a server with the IP address in it — all of a sudden that wouldn't be implicit consent; instead the legal perspective would be that I sent your data to a data processor. But so far I don't intend to do anything like that.

The second purpose is an access log. I like and also need to know, at least roughly, how many different visitors my website gets, and which pages, if any, lead visitors to navigate to other pages. Does my page structure make sense, or are visitors helplessly moving back and forth and then abandoning my website? Are the number of visitors getting close to other regulations' thresholds?
An access log, logging every request to my website, can help me answer these questions, especially if it contains the IP address of every request.

By logging the IP address each log entry is considered personal data. So to be precise I am also processing the URL, the operating system, the browser including its version, and the time of the data subject's HTTP requests. Because of the IP address third parties e.g. the data subject's ISP, or other services that receive the IP address and identify individuals in any way, are able to make that connection. That I as the data controller can't identify someone just from their IP address doesn't change that.

I don't want to identify my visitors, I just use the IP address to differentiate them. I think 24 hours is a reasonable time frame to count visitors. Therefore I rotate the access log daily and anonymize the log entries of the past day right away. I do that by replacing each IP address with an UUID, using the same UUID for all reoccurences of an IP address in that log file. If that IP address also occurs in another log file, it will be replaced with a different UUID. After the IP address has been removed, the data that is left is not sufficient to identify a natural person, therefore it is no longer personal data.

In contrast to sending a HTTP response, having the IP address logged is not something a visitor consents to implicitly. Instead I will do that on the basis of my legitimate interest, to achieve the goals I just mentioned. With that part one of three of the LIA is already done. The other two are demonstrating necessity and ensuring that the data subject's interests and rights do not outweigh my interests.

Since I have no access to other kind of data to get a grasp of the number of visitors, the processing of the IP address, by writing it into an access log, is necessary to achieve the goal of counting my visitors. By using the IP address no additional data is requested of the visitor, since sending the IP address is already part of the overall process. So the necessity is clear.

Lastly, there is the balance of interests. The processing of the IP address when using the web is unavoidable, the logging of it is common practice. The processing for the purpose of counting visitors is not unusual, if it is done in other ways, then these are usually more intrusive. Being counted as a visitor is expected when visiting a usual website, that is not concerned with sensitive topics. This website does not cover sensitive topics, its content is innocuous. The data will be anonymized, within 24 hours. The data won't be provided to any third party. It will remain on the server processing the requests until anonymization. Only in exceptional cases the data could be momentarily displayed on other devices, through and controlled by the data controller, when accessing the server for the purpose of troubleshooting the processing. Therefore there is no impact on the data subjects during intended processing.
In the unlikely event of unauthorized access to the current access log, the unauthorized entity could only conclude at which time which page had been accessed by an individual, if that entity is also capable of identifying that individual through the IP address. Due to the innocuous content of this website, the impact on the data subject in this unlikely scenario would be low.

Hereby I consider my legitimate interest assessed. If you — e.g. due to extraordinary reading skills — remember that any processing based on legitimate interest grants the data subject the right to object to the processing, you might be wondering how will I deal with such objections, given that I can not identify an individual through the IP address. Well, Article 11 covers this. It states that a data controller doesn't need to collect or store additional personal data for the sole purpose of complying with the GDPR. But, if possible, the data controller needs to inform the data subject, that the processing takes place, without the data controller being able to identify an individual. So I add that to the page as well.

In case someone objects to the processing, they have to provide a strong argument proving my assessment wrong for their particular situation and evidence of them actually being the individual behind the IP address, that they object to be processed.
The result will be, that I have to process more of their personal data for longer, because I have to be able to demonstrate compliance and therefore need to record the interaction for potential legal claims. The objection might be even more pointless, in case it takes me longer than 24 hours to deal with it, and that isn't unreasonable, the data might be already gone due to anonymization, yet the handling of the objection and all the personal data associated with it will stay.
What I am trying to convey is: in case you disagree with your IP address being processed for the purpose of counting visitors: leave, wait 24 hours, and never come back.

Protecting personal data — rest of the world

As I mentioned, the EU's GDPR applies to entities outside the EEA in certain circumstances. Laws that are imposed beyond their sovereign's borders are called extraterritorial laws. That quality is quite common in laws regarding the protection of personal data. So let's see what else I should account for.

Starting with EU GDPR copycats, the first one that comes to mind is the UK GDPR. Actually, it isn't even fair to call this one a copycat, it was the EU GDPR until Brexit happened. Most of the changes consist of replacing the word Union with United Kingdom.

Another law in Europe protecting personal data is the new Federal Act on Data Protection (nFADP) from Switzerland. It has been updated this year, copying some provisions from the GDPR and getting closer to it overall. These changes are likely motivated by the goal of being considered to be on an adequate level in terms of data protection. The nFADP is surprisingly less strict than the GDPR in many ways, despite privacy being of great importance to the Swiss in general, all rights and obligations seem to be covered when complying with GDPR.

A recent reinterpretation of the GDPR, being introduced in the summer of 2023, is the Nigeria Data Protection Act (NDPA). It also reads like a copy of the GDPR. Sure, the chapters are shuffled around, there is the introduction of a commission and its commissioner, their powers and funding, which are declared before the obligations and rights. But the obligations and rights themselves are almost exactly the same, many sentences even word for word. So I consider that one covered as well.

Another country in Africa with a strong privacy law is South Africa. The Protection of Personal Information Act (POPIA), also reads like the GDPR. There I am a responsible party instead of a data controller, and data processors are called operators. My favorite: the head of the supervisory authority is called the Information Regulator. But in effect it is very much the same — covered.

The next one is the Brazilian General Data Protection Law (LGPD) amended in 2019. An Englisch translation I found is very similar to the GDPR, with some notable exceptions. In Article 4 it states that it doesn't apply to non‐economic purposes, so as of now, it doesn't apply to this website. Something that surprised me was Article 5 with a generous definition of anonymized data, it seems to include what I'd call strong pseudonymization. Once again, I consider it covered the same way as with the NDPA.

Another recent one is the Digital Personal Data Protection Act (DPDP Act) passed by the Parliament of India in 2023, interestingly, as the name implies, limited to data processed digitally. There are similarities to the GDPR, for example defining almost the same roles but naming them differently. There are also differences, of course, but all in all, it seems to me that compliance with GDPR covers those obligations just fine. Another thing that stuck out to me was that there are examples called illustrations between the clauses of the law, explaining when or how they apply — pretty neat.

Let's have a look at North America where lawmakers prefer the expression personal information, but don't find it necessary to define that term. Starting with Canada: it's complicated. There aren't one or two laws regarding personal information, there are way more, spread across many provinces and complemented by local and national laws. In effect it results in Canadians having a level of control regarding their personal information that is similar to the effects of the GDPR, which led to the EU considering Canada on a par with the GDPR, meaning personal data from the EEA can be processed in Canada without additional measures, as if it were processed within the EEA. In contrast to the GDPR it seems to me, that there isn't a list of lawful bases for processing. Instead there is processing that is necessary in terms of contracts, laws etc. which might be objected to, and then there is processing based on consent, which can be withdrawn anytime. I consider the rights Canadians have regarding their personal information covered by the rights granted through the GDPR, but I admit that this is a somewhat loose assumption.

In the US it isn't that complicated as of today. But I assume it will get messy in the future. So far five of the fifty states have enacted laws regarding personal information. These laws have some overlap but also differ in many ways. Now imagine forty‐five more of these. 💀

First mover in the US has been California. Due to the California Consumer Privacy Act (CCPA), in its current form after the Califoria Privacy Rights Act (CPRA) amended it, a consumer has the right to request that a business provides which personal information is collected about them, to correct or delete any personal information about them, to opt‐out of the sale or sharing of their personal information, and limit the use of sensitive personal information. Again, nothing that I would consider going beyond the rights according to the GDPR. And let me emphasize the scope again: consumers have these rights to request from businesses, more precisely for‐profit businesses that either have a gross annual revenue larger than $25,000,000, or trade personal information of at least 100,000 California residents, or make at least 50% of their revenue from selling California consumers' personal information. So guess who doesn't need to worry about that law.

Following California, the Virginia Consumer Data Privacy Act (VCDPA), the Colorado Privacy Act (CPA), the Utah Consumer Privacy Act (UCPA), and the Connecticut Data Privacy Act (CDPA) protect personal information of residents of these states in some cases. All of them have similar conditions and thresholds to apply at all — not to this website. Although they grant slightly different rights and set somewhat different obligations, none of them seem to go further than the GDPR in any way.

Now, towards the end of my list, there is China's Personal Information Protection Law (PIPL). An English translation I found seems very similar to the GDPR, providing the same principles and lawful bases, requiring consent for most cases of processing of sensitive personal information. The differences in terms of authority structures are enormous though. Once again I think GDPR compliance covers the requirements from the PIPL.

Furthest away from where I am, at least in terms of spatial distance, are Australia and New Zealand. Yet not so far away in terms of privacy regulation. In fact, both countries are among the few that already realized the importance of protecting personal information across the board in the last century. Australia's Privacy Act from 1988, last amended this year, and New Zealand's Privacy Act 2020, building on top of the Privacy Act 1993, set principles regarding the processing of personal information. The processing has to be limited to defined purposes and durations, data minimisation is required. In either country the citizens have rights they can exercise directly with the entity that is processing their data, for example to be informed about which data of them is being processed for which purpose. If an entity violates these principles or rights, they may lodge a complaint with the commissioner. Neither of those two laws goes beyond the GDPR in any way I noticed, so I consider these covered as well, due to my GDPR compliance.

I hope I didn't miss any laws that I therefore unknowingly violate, but being GDPR compliant makes me confident to be on the safe side. Finally I need to write an English and a German privacy notice and place one of them in the footer depending on the documents language.

Own your content, just publish your thoughts on your own website, they said. It's not that hard, they said. Just start, they said. Couldn't be easier, they said. 💀