this post was submitted on 20 May 2025
5 points (85.7% liked)

degoogle

210 readers
1 users here now

Quit your Google addiction. Use privacy focused Services.

founded 3 months ago
MODERATORS
tfm@europe.pub
5
How can I send a GDPR request to Google if I am not a user/patron? How can Google ID me to process my request if I do not want them to have my name or mailing address? (slrpnk.net)
submitted 1 month ago by activistPnk@slrpnk.net to c/degoogle@europe.pub
6 comments fedilink hide all child comments
 

Sometimes a gmail user sends me an email. I object to that. In principle, I need be able to tell Google that I do not consent to them processing my personal data whatsoever.

If one of their users addresses an email to one of my email addresses, I do not want Google to store the message or even transmit it. They must refuse to handle my personal data, and thus refuse to process email traffic involving my email address.

I believe this falls under GDPR Art.18 or 21. But the question is, how can I submit my GDPR request to Google? I can write them a letter but I do not want Google to get my address. I don’t even want Google to know my name. The only thing I want Google to know is my email address, so that Google’s mail servers can refuse mail to that address. But the mere act of submitting a GDPR request inherently requires data subjects to prove their identity to data controllers.

top 6 comments
sorted by: hot top controversial new old
[–] red_bull_of_juarez@lemmy.dbzer0.com 1 points 1 month ago (1 children)

I'd like to see this go to court, actually. I don't think you have a case, because Google is just acting as a service provider and those have been found to not be liable for actions of their users. Like Google is not at fault if some users conspire for a crime over their services. But as I am not a lawyer, I'd really want to see what a court has to say.

[–] activistPnk@slrpnk.net 1 points 1 month ago (1 children)

Google is certainly obligated to comply with the GDPR. But I suspect they are shielded if they can call themselves a /data processor/ and not a /data controller/.

It’s certainly a big hole in the GDPR. The GDPR framers did not consider the fact that in some situations you have countless data controllers all using the same giant processor, in which case it’s only reasonable for data subjects to be able to go direct to the data processor rather than playing whack-a-mole with controllers.

[–] red_bull_of_juarez@lemmy.dbzer0.com 1 points 1 month ago (1 children)

And that's why I'd like to get a court ruling on this. Would be quite interesting.

[–] activistPnk@slrpnk.net 1 points 1 month ago* (last edited 1 month ago)

For a bit more depth on this, the EDPB elaborates on the controller/processor separation and relationship in their 2020/07 guidelines.

It’s a long read, which I just skimmed. It’s mostly grim news. There is even a specific example in that doc stating that an email provider is a processor. But I see an angle:

A data processor has a duty to offer an appropriate level of security to controllers under Art.32. Another finding by the EDPB is that processors who violate the GDPR can be treated as controllers. It could be argued that (unlike protonmail) Google and MS both fail to offer e2ee and simultaneously supplies its insecure email service to controllers who handle sensitive info like lawyers, hospitals, and banks. The violation of art.32 by Google and MS enables them to be treated as controllers.

[–] tfm@europe.pub 1 points 1 month ago (1 children)

Maybe here? https://reportcontent.google.com/forms/rtbf

[–] activistPnk@slrpnk.net 2 points 1 month ago* (last edited 1 month ago)

hmm.. painful. That page assumes I speak the language of whatever country my Tor circuit exited. I see at the bottom there is a Google reCAPTCHA barrier.

Nonetheless, I’m glad to know my options but I guess I’ll have to keep trying that page until it speaks my language before I can work out whether it’s a lesser of evils.

In the end, my question is more legal than technical. I could find out Google’s postal address and send them an anonymous letter. But the problem is perhaps that legally Google only needs to honor the GDPR requests of those whom it can identify. In fact, I think it’s expressly written somewhere that anonymous people do not have GDPR protection.

My question may have no answer. Perhaps I have to let Google have my identity as a trade-off to getting GDPR rights.