Weaponizing GDPR Data Privacy Requests

Data privacy requests have been weaponized in a manner inspired by glitter-filled tubes. An intrepid individual recently created the website www.shipyourenemiesGDPR.com; the site notes it is inspired by the infamous www.shipyourenemiesglitter.com, which sends glitter-filled springing tubes or phallus-shaped gummies as gag gifts upon request.

The shipyourenemiesGDPR.com site is based around European Union’s General Data Protection Regulation (GDPR) requirements and provides a quick and easy template to send your “enemies” GDPR Data Access Requests seeking access to personal data pursuant to the provisions of the GDPR. From the website platform, users are invited to target those they are less-than-friendly with, such as landlords, email providers, insurance providers, banks and ex-employers by means of GDPR data requests that recipients may in some cases be legally required to respond to within 30 days. The stated idea is to bombard data protection officers with requests for consumers’ personal data and, in the words of the website itself, “waste as much of their time as possible.”

To give you some context to how this works, you’ll need a quick primer on the GDPR itself. The GDPR is a set of strict regulations in the European Union (EU) and European Economic Area (EEA) for data protection and privacy of individual citizens. Although it is an EU regulation, it attempts to transcend the geographic limits of the EU and broadly impacts the international market including foreign companies that engage in business in the EU or interact with EU citizens as consumers. The goal of the regulation when adopted was to empower EU citizens to control the use their personal data. To give the individual consumer some control and oversight over this industry, if GDPR is applicable to a business, it requires the business to disclose data collection practices and enacts safeguards to protect certain personal information. Under GDPR, a consumer has the right to request access to certain of their personal information.

The creator of www.shipyourenemiesGDPR.com claims that the website is a form of parody or satire meant to call attention to the fact that people can and will abuse this process, but if consumers do take up the call to submit the requests as the website allows, it poses some interesting legal questions. Chief among them, does the service facilitated by shipyourenemiesGDPR.com meet the elements for tortious interference with a business relationship? It can be actionable to interfere with a validly existing business relationship between two parties without a legitimate reason to do so. We can see from the oversized and animated title line that shipyourenemiesGDPR.com is directly targeting parties whom the user is engaged in a business relationship with – “Do you hate your competitor, insurance provider, your bank, your ex-employer, your internet service provider, your email provider?” The website implies it is aware of the business relationship and encourages consumers to act against the parties with which they are engaged in a business relationship. However, if nothing else, GDPR requests seem far preferable to receive than tubes of glitter.

Five Steps to Control Legal Risk

Benjamin Franklin coined the axiom that an ounce of prevention is worth a pound of cure. In the 1970s, Fram oil filters used the advertising jingle of “Pay me now or pay me later” to tout buying a $4 oil filter regularly to prevent having to replace an engine later on. Taking a small amount of time to address a potential problem up front will often save a substantial amount of time and money down the road. This is as true in the legal and compliance world as it is in the healthcare and automotive fields. Here are five steps your business can take to help control legal risk:

Losey PLLC Controlling Legal Risk Infographic 2.10.19

Compensation History Laws: State by State

What you can- and can't- ask about a potential hire's pay history is in flux. A patchwork of laws on pay history issues are popping up across the country. Check out our informational chart showing various state and local laws on pay history issues.

Losey Compensation History Laws

Trademark Rights

Contrary to popular belief, you do not need to register a trademark to have rights in the mark. Rights in a trademark arise in the United States from use of the mark. What is a trademark?  A trademark is generally a word, phrase, symbol, or design, or a combination thereof, that identifies and distinguishes the source of the goods of one party from those of others. A service mark is the same as a trademark, except that it identifies and distinguishes the source of a service rather than goods.  Marks typically protect brand names and logos used on goods and services.

Read more: Trademark Rights

Employer Duties to Protect Employee Data

Do employers have a duty to protect their employee’s data? In Dittman v. UPMC, the Pennsylvania Supreme Court determined, among other things, that the defendant employer had a duty to use reasonable care in protecting employee data. See __ A.3d __, No. 43 WAP 2017 (Pa. 2018). Dittman concerned a data breach that allegedly compromised the personal information of employees and former employees of the defendant. The defendant required employees to provide this personal information as a condition of employment. The claims asserted, among other things, that the defendant was negligent by not taking appropriate steps towards safeguarding employees’ sensitive information.

Read more: Employer Duties to Protect Employee Data