Weaponizing GDPR Data Privacy Requests

Data privacy requests have been weaponized in a manner inspired by glitter-filled tubes. An intrepid individual recently created the website www.shipyourenemiesGDPR.com; the site notes it is inspired by the infamous www.shipyourenemiesglitter.com, which sends glitter-filled springing tubes or phallus-shaped gummies as gag gifts upon request.

The shipyourenemiesGDPR.com site is based around European Union’s General Data Protection Regulation (GDPR) requirements and provides a quick and easy template to send your “enemies” GDPR Data Access Requests seeking access to personal data pursuant to the provisions of the GDPR. From the website platform, users are invited to target those they are less-than-friendly with, such as landlords, email providers, insurance providers, banks and ex-employers by means of GDPR data requests that recipients may in some cases be legally required to respond to within 30 days. The stated idea is to bombard data protection officers with requests for consumers’ personal data and, in the words of the website itself, “waste as much of their time as possible.”

To give you some context to how this works, you’ll need a quick primer on the GDPR itself. The GDPR is a set of strict regulations in the European Union (EU) and European Economic Area (EEA) for data protection and privacy of individual citizens. Although it is an EU regulation, it attempts to transcend the geographic limits of the EU and broadly impacts the international market including foreign companies that engage in business in the EU or interact with EU citizens as consumers. The goal of the regulation when adopted was to empower EU citizens to control the use their personal data. To give the individual consumer some control and oversight over this industry, if GDPR is applicable to a business, it requires the business to disclose data collection practices and enacts safeguards to protect certain personal information. Under GDPR, a consumer has the right to request access to certain of their personal information.

The creator of www.shipyourenemiesGDPR.com claims that the website is a form of parody or satire meant to call attention to the fact that people can and will abuse this process, but if consumers do take up the call to submit the requests as the website allows, it poses some interesting legal questions. Chief among them, does the service facilitated by shipyourenemiesGDPR.com meet the elements for tortious interference with a business relationship? It can be actionable to interfere with a validly existing business relationship between two parties without a legitimate reason to do so. We can see from the oversized and animated title line that shipyourenemiesGDPR.com is directly targeting parties whom the user is engaged in a business relationship with – “Do you hate your competitor, insurance provider, your bank, your ex-employer, your internet service provider, your email provider?” The website implies it is aware of the business relationship and encourages consumers to act against the parties with which they are engaged in a business relationship. However, if nothing else, GDPR requests seem far preferable to receive than tubes of glitter.