Arbitrary interpretation of GDPR

Feel free to use this in any situation where one or more people voice the opinion that we cannot, and should not, look at GDPR in black and white, but that it should be enforced and used arbitrarily and in “keeping with the spirit and intentions of the policy”.

In other words, “We do GDPR, according to our own needs and interpretation, but we’re not interested in following the law.”

Arbitrary interpretation of the basic human right to “not be tracked”, not have your personal data traded and/or used for commercial purposes, and not to be used by governments without due legal process, is what got us here in the first place.

Arbitrary interpretation of the “good will” and “benign conduct” behind the intentions of any given institution, company, and/or government with said data will not work.

We tried that.


The common arguments list of “Yes but,” and GDPR


“Yes, but our website needs these Google Fonts!”

– So download them to your site and serve them locally. It’s a no-brainer. If your web agency tells you this is not good, not possible, or gives you any other excuse about this, you need to switch web agency.


“Yes, but everyone else is using AWS for their service, and they have a Data Center in Ireland, that’s within the EU!”

– No. Amazon is a corporation in the USA, governed by the laws of the United States of America. It doesn’t matter where they store your data, they’re still not GDPR compliant, and neither are you, if you’re processing personal data in the infrastructure. If your web agency tells you that they cannot meet your needs if they can’t use AWS, you may need to design your solution in a different way, or switch web agency.


“Yes, but we use a CDN for our CSS and JavaScript framework, surely that’s OK?!”

– Yes, it’s OK, as long as the CDN is legally located within the EU. If your web agency tells you that there are huge benefits from using a CDN, and that your website or service will not function as well without a CDN, you need to switch web agency.


“Yes, but there are simply no alternatives to US-based cloud services!”

– Yes there are. Many. There are thousands of Internet Service Providers in Europe both willing and able to provide GDPR-safe services using a number of solutions, hosted in Europe, by European companies. SaaS, from European providers, is available for things like e-mail, website hosting, Nextcloud, OwnCloud, Mattermost, PixelFed, Rocket.Chat, Mastodon, file storage, S3 object storage, photo storage, and website statistics.

– You may need to re-define your “requirements” and stop looking for something that is a 1:1 replacement for services offered by Microsoft, Google, Amazon, and so on. You may also want to reflect upon why and how some of these US-based cloud providers manage to keep their pricing “competitive”.


It’s not rocket science. Really.


