Weaponising Europe’s General Data Protection Regulations

by Liam Campbell

What Is GDPR?

GDPR is a European legal framework intended to protect personal data, provide greater data transparency, and give people greater control over their data. It requires any group that stores or processes data to follow strict policies to ensure security. It also entitles individuals to request personal data reports and deletion, both of which must be completed within 30 days by any group holding the data.

Who does GDPR apply to?

At minimum, GDPR applies to any group or company which stores the data of EU citizens or residents, in practice it applies primarily to data processing entities based in the EU. This can include corporations, political parties, activist groups, and even individuals.

What are the consequences of negligence?

Violation reports are investigated, a warning is usually issued, data may be deleted, data processing may be restricted, and continued violations can result in fines up to €20,000,000 or 4% of revenue, whichever is greater. The consequences are significant enough to even warrant serious concern among large corporations.

What is a personal data request?

Anyone can submit a request for a comprehensive report on any data which relates to them, and these reports must include all data and a list of systems which store or process that data. Requests must be fulfilled in under 30 days. This is relatively easy for big businesses who have invested in compliance software, but intermediate businesses have much more difficulty, and small groups or individuals struggle the most. Processing a data request manually can take 30+ minutes per request because all systems must be checked.

What is a deletion request?

Anyone in the EU can request that their data be deleted from some or all systems. The data must be permanently deleted and all systems must be checked for data. This can also take 30+ minutes to complete per request, depending on the systems.

How do you weaponise GDPR?

Opposition groups and companies which perpetuate ecocide can be easily flooded with GDPR requests. Each individual email address warrants a separate request. If someone has 3 email addresses and a request template, they can consume 1-3 hours of a company, group, or individual’s time and resources by investing a few minutes. If the request is not completed in 30 days, or if the report is incomplete, they can report the offense for investigation. Additionally, any company, group, or individual that does not have GDPR compliant opt-in features and privacy statements can also be reported, even without a 30 day waiting period.

Strategic mass reporting can consume significant resources among medium sized targets, and can be devastating for smaller targets. This is a tactic which requires minimal training, is highly asymmetric, and can be very disruptive when targets are selected intelligently. I recommend identifying candidates like: climate science denial groups, fossil fuel lobbyists, regional oil and gas distributors, politicians, logging companies, and opposition movements.


Leave a Reply

Your email address will not be published. Required fields are marked *