this post was submitted on 20 May 2025
5 points (85.7% liked)

degoogle


Sometimes a Gmail user sends me an email. I object to that. In principle, I need to be able to tell Google that I do not consent to them processing my personal data whatsoever.

If one of their users addresses an email to one of my email addresses, I do not want Google to store the message or even transmit it. They must refuse to handle my personal data, and thus refuse to process email traffic involving my email address.

I believe this falls under GDPR Art.18 or 21. But the question is, how can I submit my GDPR request to Google? I can write them a letter but I do not want Google to get my address. I don’t even want Google to know my name. The only thing I want Google to know is my email address, so that Google’s mail servers can refuse mail to that address. But the mere act of submitting a GDPR request inherently requires data subjects to prove their identity to data controllers.

[–] red_bull_of_juarez@lemmy.dbzer0.com 1 points 1 month ago (3 children)

I'd like to see this go to court, actually. I don't think you have a case, because Google is just acting as a service provider and those have been found to not be liable for actions of their users. Like Google is not at fault if some users conspire for a crime over their services. But as I am not a lawyer, I'd really want to see what a court has to say.

[–] activistPnk@slrpnk.net 1 points 1 month ago (2 children)

Google is certainly obligated to comply with the GDPR. But I suspect they are shielded if they can call themselves a /data processor/ and not a /data controller/.

It’s certainly a big hole in the GDPR. The GDPR framers did not consider the fact that in some situations you have countless data controllers all using the same giant processor, in which case it’s only reasonable for data subjects to be able to go direct to the data processor rather than playing whack-a-mole with controllers.

[–] red_bull_of_juarez@lemmy.dbzer0.com 1 points 1 month ago (1 children)

And that's why I'd like to get a court ruling on this. Would be quite interesting.

[–] activistPnk@slrpnk.net 1 points 1 month ago* (last edited 1 month ago)

For a bit more depth on this, the EDPB elaborates on the controller/processor separation and relationship in their 2020/07 guidelines.

It’s a long read, which I just skimmed. It’s mostly grim news. There is even a specific example in that doc stating that an email provider is a processor. But I see an angle:

A data processor has a duty to offer an appropriate level of security to controllers under Art.32. Another finding by the EDPB is that processors who violate the GDPR can be treated as controllers. It could be argued that (unlike protonmail) Google and MS both fail to offer e2ee and simultaneously supply their insecure email service to controllers who handle sensitive info like lawyers, hospitals, and banks. The violation of Art.32 by Google and MS enables them to be treated as controllers.