GDPR protects personal data, which the EU interprets very broadly. When you are working and what you are working on are included, for instance. That's basically a Trello board. Processing of such data (e.g. handing it over to a third party) without explicit consent is subject to major fines.
> GDPR protects personal data, which the EU interprets very broadly.
This isn't accurate. Individual member states can and do interpret the GDPR differently.
For a European company, the country they are "at home to" is the one that will govern them, not the state that the individual belongs to. If the company is not "at home" in the European Union (for example, because it is in the US and has no European offices and does not trade in Europe), then the rules of the individual's member state will apply.
The details matter.
> When you are working and what you are working on is included [as personal data], for instance
No: Not in the UK or Ireland (which I'm most familiar with) and probably not in any other European country.
Personal data is data that identifies a natural person, or that can be used to identify a natural person, not that is produced by a natural person.
The ICO has excellent (English-language) literature on this subject:
It may be that storing (say) your email address on every Trello card would be personal data, but then you can follow the process to have this data identified and removed by sending a letter requesting it be returned to you and destroyed. Trello would not be required to figure this out on their own - you would have to tell them how to identify your personal data.
> Processing of such data (e.g. handing it over to a third party) without explicit consent is subject to major fines
This isn't what the GDPR refers to as processing, and it is absolutely possible to process personal data without explicit consent. For example, the ICO suggests no fewer than five separate ways that are not explicit consent:
And again, I don't agree that "Trello cards" count as personal data. You can call the ICO (if you want) and ask them if you think otherwise; I have done this several times and they've happily sent me written clarification on any theory I might have (including on something that is similar to this):
> Personal data is data that identifies a natural person, or that can be used to identify a natural person, not that is produced by a natural person.
What do you think the new subject access rights, notably the right to data portability, are intended to achieve, if you interpret the definition of personal data so narrowly?
The GDPR actually defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’)...", which is significantly different to what you wrote.
It seems to be widely understood, including acknowledgement in various statements by EU officials, that these provisions were aimed squarely at businesses like social networks to avoid them locking users in by holding the user's data hostage. That seems to be exactly the scenario we're talking about here.
> What do you think the new subject access rights, notably the right to data portability, are intended to achieve, if you interpret the definition of personal data so narrowly?
I am not going to speculate.
> The GDPR actually defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’)...", which is significantly different to what you wrote.
I can't speculate on what you think qualifies as "significantly different". I copied and pasted my definition from the ICO's website, which I also linked to. You can disagree with them, but I suspect strongly, even in the current Brexit climate, that the EU courts would agree with the ICO's interpretation over yours.
You might find the part that follows the "..." useful though. It's in Article 4 § 1, if you're unaware.
> It seems to be widely understood, including acknowledgement in various statements by EU officials, that these provisions were aimed squarely at businesses like social networks to avoid them locking users in by holding the user's data hostage. That seems to be exactly the scenario we're talking about here.
That may be part of your confusion. "We" weren't talking about anything to do with social networks, but whether a GDPR regulator is going to levy a heavy fine to Trello for this behaviour.
I'm well aware of what the GDPR actually says, thanks. I was the one quoting it.
My point is that what it actually says, unlike the definition of personal data you gave, clearly goes beyond just the identifying information.
Moreover, there was also clear intent, reflected in the provisions of the GDPR itself and in statements by officials involved in writing and interpreting it at EU level, for the safeguards on data portability and erasure to cover exactly the sort of data we are talking about with a service like Trello.
I'm not aware of any action so far that has actually tested this, but if a national regulator chose not to penalise flagrant non-compliance with both the letter and the spirit of the GDPR such as we see in this case in response to a genuine complaint, it simply wouldn't be doing its job, since it would essentially be unilaterally deciding that entire articles of the GDPR are pointless.
This certainly isn't beyond the bounds of possibility. Indeed, the vague nature of the GDPR in many respects and the reliance on subjective interpretation by all the different national regulators was one of the big criticisms that I and others made at the time it was introduced. But if that happened here and the regulators chose not to enforce in a situation like this, it really would turn the GDPR into a bit of a joke.