A short guide to how the European Union’s General Data Protection Regulation (GDPR) affects personal websites such as blogs.
This text will assume that you are the owner of a small personal website and will explore some ways that EU’s General Data Protection Regulation (GDPR) affects you. The GDPR is large and complicated, so this blog post will by necessity only show you the tip of the iceberg. As we all know, more dangers may lurk below the surface.
Make sure to seek out official information or hire a lawyer if you ever need to comply with the GDPR and please point out any errors that you discover here so that I can correct them. Don’t take my word. For that reason, I will provide plenty of references and links throughout.
Personally, I have an interest in law since long back. I studied to become a Swedish lawyer for a year back in 2007 (before I switched area) and I try to stay at least a bit up-to-date, especially as it relates to the software industry. I’ve read a few short books about the GDPR, several books about EU law (including university education), and I have read through the legal text.
What is the GDPR?
The GDPR is the major data privacy protection legislation within the European Union since it went into force1 on 25 May 2018. Few have likely missed the intense media coverage at the time as companies struggled to comply with the new rules.2 The GDPR itself is an EU regulation from 2016 named Regulation (EU) 2016/679.3 See the link for the official source in all EU languages (no language has precedence)4.
The goals of the GDPR are to give EU citizens better control over their personal data and to harmonise rules across the EU to simplify for businesses.5 EU has several types of legislation. As an EU regulation6, the GDPR is directly binding across the EU.
The right to privacy is not a new concept. It’s already expressed as Article 8 in the European Convention on Human Rights and Article 12 in the United Nation’s Universal Declaration of Human Rights. There are similar legislation across the world too, such as PIPEDA in Canada and CCPA in California. One thing to keep in mind here is that it’s far from obvious how legislation interacts across borders.
The European Commission provides an official website about Data protection in the EU with their own overview.
GDPR and the EU cookie law
The GDPR is not the only privacy legislation in the EU. There’s also the ePrivacy Directive (Directive 2009/136/EC), which is sometimes called simply the “cookie law”7. The GDPR didn’t repeal this directive and there’s a new proposed regulation to replace it, so it seems to be here to stay in some form too.
This blog post will focus only on the GDPR.
There are a couple of definitions8 that are necessary to know before we continue. Note how some definitions are much wider in the context of the GDPR than in common language use, which provides a potential trap unless we pay close attention to the terms.
- Personal data
- Information that is related to an identified or identifiable natural person (the data subject).
- Natural person
- A natural person is the same as a physical person, i.e. an individual human being. Compare to legal person, such as a company.9
- Identifiable natural person
- A natural person who can be identified, directly or indirectly, for
example by reference to either:
- An identifier such as a name, an identification number, location data, or an online identifier.
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the natural person.
- Anything done with personal data, automatically or manually, such as collecting, storing, retrieving, adapting, using, or similar.
- A natural person or organisation that controls and determines the purpose of processing of personal data.
- A natural person or organisation that processes personal data on behalf of the controller.
- Personally identifiable information (PII)
- Synonymous to what the GDPR calls personal data.10 Useful and common term used elsewhere, but not within the GDPR itself.
When does the GDPR apply?
To avoid getting bogged down in details, I will simplify the rules here to make them easier to comprehend. I won’t cover all exceptions or special cases, even as it relates to personal websites.
The GDPR applies to:
- Processing of personal data, whether automated or not.11
- Given that either:12
- The controller or processor is located in the European Union.
- The data subject is located in the European Union.
If the controller or processor is not located in the EU, the GDPR is only applicable for data processing related to:
- Offering goods or services, whether paid or free.
- Monitoring of the data subject’s behaviour within the EU.
So far, it’s clear that more or less all processing of personal data within the EU (even by controllers or processors outside of the Union) is within scope.
Processing of personal data
To determine if the GDPR applies, it’s necessary to figure out what activities it considers to be processing of personal data. As we’ve seen above, processing means almost any activity related to data (especially if automated). It’s still important to determine who is responsible for the processing, i.e. the controller.
Identifying personal data requires more consideration. The scope is extensive and almost all websites will process at least some personal data. Note that it’s enough that a natural person related to the data could be identified even indirectly by putting together different pieces of data for it to be personal data.
Examples of personal data include:13
- Full name
- Home address
- E-mail address of an individual
- IP address
- Cookie identifier
- Advertising identifiers on phones
- Location data
To avoid data being personal data, it needs to be fully anonymised. Pseudonymisation where additional data could be used to identify the data subject is still personal data.14
Since almost all web servers keep access logs with IP addresses, to be able to avoid abuse and deal with outages, even a fully static website typically processes some personal data. This leads me to believe that the GDPR applies to some extent to basically all websites.
Exceptions to the scope
There are some exceptions to the GDPR’s scope:15
- Activities that fall outside the scope of EU law. In other words, it only covers what it can cover.
- Processing of personal data performed by a natural person in the course of a purely personal or household activity.
The second exception above gives us another important consideration that affects whether, and to what extent, a personal website is within the scope of the GDPR. More on this below. There are also some interesting exceptions to individual rules that will be covered later.
Purely personal activity
To further investigate what is meant by purely personal or household activity, let’s have a look at recital 18 from the preamble of the GDPR:
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities. However, this Regulation applies to controllers or processors which provide the means for processing personal data for such personal or household activities.
In other words, when you process personal data in your spare time related purely to your personal life or household or talk to your friends, this is outside the reach of the GDPR. Same thing when this is done by posting something on Facebook, Twitter, or YouTube. In this case, these companies are the controllers and they are responsible under the GDPR, but you are not.
If you use a blog service for your personal blogging, the same might apply here. The blogging platform is the controller and the GDPR doesn’t apply to you personally. All the time, this assumes that any processing of personal data by you is strictly within the context of purely personal activities and that the blog service is the controller for any other data processing.
The situation changes if you decide to provide a blog directly to the public, where you control the entire blog. A few aspects are different in this scenario. First, any processing of personal data relating to public blog visitors is no longer in the context of a purely personal or household activity since it involves unsuspecting strangers whose right to privacy the GDPR is meant to protect and who are outside of your personal or household life. Second, there’s no longer another controller for you to point at. You are now clearly the controller who makes the overall decisions about the website and as such the GDPR is fully applicable. Third, if you provide a professional (or commercial) service in any way, you are definitely outside of this exception even if you make no money. These are several ways to reach the same conclusion.
It’s naturally hard to draw the exact line for purely personal activities. Only the Court of Justice of the European Union can decide what the correct interpretation is. There are, luckily, multiple rulings that give precedents for this.
Court rulings, according to the earlier Directive 95/46/EC, show that:
- Video surveillance that partially covers a public space is not a purely personal or household activity.16
- Data collected through door-to-door preaching and its subsequent processing is not carried out in the course of a purely personal or household activity.17
- Recording colleagues and posting the video on YouTube is not within the context of purely personal or household activities.18
My conclusions: a public personal website is within the scope of the GDPR without exception. When using a blog platform or similar, the GDPR doesn’t apply to you as long as you aren’t in control of the overall website and you only process personal data yourself that is purely related to your personal life.
What is needed to comply?
This is a much bigger topic than whether the GDPR applies and it varies depending on the circumstances and the purpose of the processing. I will give a short overview and then focus on the basics.
There are many aspects to be aware of, such as:
- Lawfulness of processing according to one of the bases in Article 6.
- Consent is required for one lawfulness basis according to Article 7.
- Processing needs to be transparent by informing the data subject according to Articles 12, 13, 14.
- The data subject has various other rights, such as:
- Special rules for automated decision-making (Article 22).
- Controllers and processors have responsibilities (Chapter 4):
- Extra requirements for transferring data outside of EU (Chapter 5).
I’ll go into some details for a few of these areas. See the links above for more!
Lawfulness of processing
There are six bases for lawful processing of personal data according to the GDPR (see Article 6):
- Consent has been given by the data subject.
- Processing is necessary to carry out a contract with, or request by, the data subject.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
For a personal website, the first two and the last bases are most interesting. The full text of the last lawfulness basis is:
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
For a personal website without cookies that only uses personal data as part of server access logs, to detect fraud and handle outages, and which collects at most anonymous visitor statistics, the second and sixth bases should cover all processing. This is the easiest way to comply with the GDPR. Note that you still need to comply with many of the GDPR rules even in this scenario.
To collect full statistics about your visitors using tracking cookies with Google Analytics, you need to ask for consent before activating data collection. This consent can then be withdrawn at any time.
Processing without identification
One interesting exception from some of the GDPR’s rules can be found in Article 11. If your data processing doesn’t require that you identify the data subject (which will be the case on many personal websites), you are not required to collect or process additional information to identify a data subject for the sole purpose of complying with the GDPR.
If this applies to you, then you no longer need to comply with Article 15-20 and that will be a relief for any owner of a small website. In other words, there are good reasons to avoid being able to identify data subjects both for their privacy and to reduce your burden.
Unfortunately, this exception disappears the moment that a data subject provides you with additional data that is sufficient to identify that data subject in your data. This may not always be practically realistic, on the other hand.
Transparency and privacy policies
Assuming that data is obtained from the data subject, you need to provide information at least about the following (Article 13):
- The identity and the contact details of the controller.
- The purposes of processing personal data and their legal bases.
- When based on legitimate interests, these need to be described.
- The recipients of personal data, if any.
- Any transfer of personal data outside of EU.
- The period for which personal data will be stored or a criteria used to determine that period.
- The data subject’s rights under the GDPR.
- The existence of automated decision-making, including profiling.
Keep in mind that whenever you are the controller, your responsibility includes the processing performed by processors on your behalf.
This requirement to inform the data subject does not apply, however, if the data subject already has the information. You don’t need to inform yourself or your own team, for example, and you don’t need to keep re-informing data subjects where it’s clearly unnecessary.
Responsibility as a controller
As with all law, the rules of the GDPR require interpretation and are usually meant to be proportional to the risks and interests of the data subjects. Keeping that in mind, it might be easy or hard depending on the situation to comply with the various responsibilities put on controllers. I won’t go into much detail here.
At a high level, you as a data controller are responsible for protecting the personal data that you process by designing and operating secure systems and by taking sufficient precautions. Similarly, it’s your responsibility when letting another processor deal with personal data on your behalf to make sure that processor also has taken adequate measures to protect the privacy of the data subjects. Additional responsibilities arise when the data processing is especially risky or the controller is a large enterprise.
In addition to security precautions, it’s worth mentioning the requirement to notify both authorities and data subjects in the event of a data breach. Also, unless you are covered by the exception for small-scale data processing, you need to keep records of processing activities. I would guess that most private websites will either be covered by that exception or simply outsource all processing of personal data to processors (who will keep records). If that’s not the case, don’t forget to keep this record.
If you are a big organisation or are interested in that case, then this blog post is not written with you in mind and you should read Chapter 4 carefully.
Transfer of data outside EU
This is an area where complying with the GDPR gets especially complicated. Anyone who uses cloud services is almost bound to enlist the help of some American company as a processor of personal data. For this to be compliant with the GDPR, you need to follow Chapter 5.
In short, the company outside of EU needs to provide appropriate safeguards for the processing of personal data such that the data subjects' privacy will not be worse than if the processing happened within the European Union. What ways are acceptable for achieving and assessing this is a bit more complicated. Most companies that process personal data outside of EU (such as Google) provide information on their website about this.
Here are a few simple scenarios where I apply the above information.
Static site generators
These tools, such as Jekyll and Hugo, are popular nowadays. They generate static HTML pages instead of running computer code for each page request. This offers great security, performance, and low cost. Does it mean that the GDPR doesn’t apply? No.
Static site generators are still a great idea and it typically requires a small effort to comply with the GDPR in this scenario, unless you add external data processing for comments or analytics.
It’s clear that full use of Google Analytics with cookies for tracking individual users, will require consent under the GDPR.
However, Google Analytics without any cookies and with IP anonymisation enabled is, as far as I can tell, fine without consent. You are again processing small amounts of personal data related to requests, but that should be fine under the basis of a legitimate interest. It has a very limited affect on the visitor’s privacy. You should still tell the visitors about this and I believe it goes under the GDPR up to the point where you can no longer potentially identify any natural person from the collected data.
Personal posts on Facebook or Twitter
As long as you only process personal data that is purely personal (related to you), this is a clear case of the exception where the GDPR doesn’t apply to you. Facebook or Twitter will be the controllers and are responsible.
The situation gets more complicated in similar situations where you have more control over the website such as on some blogging services. Somewhere, a hard-to-draw line exists. On the other side of that line, we have your own website that is fully controlled by you (i.e. you are the controller) and which is hosted using e.g. a generic cloud platform (in the role of a processor). See above for more on this.
You are in the UK
As is often the case, this is a bit different. After Brexit, the UK has its own UK GDPR. In the UK, you also have to pay a registration fee to comply in many cases. See ICO’s website.
There are many resources for learning more about GDPR and this post only scratches on the surface. The European Data Protection Board offers guidelines and recommendations online. The regulation itself is worth reading, which is easy at for example gdpr-info.eu. There are also plenty of books by now, of which I can recommend EU GDPR: An international guide to compliance.
To better understand the GDPR, it also helps to read up on EU law in general. Any introductory book on the subject works well for that. The same goes for books on law in general, of course, and for reading up on related privacy legislation.
Especially if you’re Swedish, then you can find more information on the official website of the Swedish data protection authority.
See e.g. BBC News: GDPR: Tech firms struggle with EU’s new privacy rules from 24 May 2018. ↩︎
Full title: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). ↩︎
EU law is a vast area in itself. See any introductory book for details. ↩︎