8

Background: For roughly 2 decades I've run my own private email infrastructure for myself, open source projects, and a few other individuals over business internet service intended for such usage. I've recently run into a major German ISP blocking my site (this is a new thing; I used to send to their customers with no problem) and interrupting communication with one of their customers I need to correspond with.

After a few weeks of back-and-forth with their email engineering contact giving me moving-goalposts/bait-and-switch about what they want me to do to get unblocked from their system, they are now insisting that I publish legal name and physical street address for the responsible party (that would be me personally) on the web as a condition to access their service.

Is this sort of requirement legal under the GDPR? I could understand (while strongly objecting to, but that's not part of the legal question here) "sorry, we won't open our service to you", but making an offer to provide access but making it conditional on what amounts to doxing oneself seems like it should not be legal. Is this (demanding I publish it publicly rather than give them the same information privately) some loophole for skirting around the GDPR? Is there anything else legally sketchy about the demand?

I am not in Germany; the other party involved is.

More details copied from clarifying comments I posted on an answer (sorry, some of this is technical and may not be useful to non-IT folks):

The data was requested after a long series of individual email exchanges with their email engineering department (which has its own separate mail system that's not blocking my site). No emails were flagged as spam and no spam has ever been sent from my site to their mail system. (Fewer than 50 total emails have ever been sent from my site to them.) They seem to have instituted their own in-house policy for IP addresses to accept from based on IP block ownership data (note: not using any of the well-run RBL/DUL type lists) and allow-listing well-known sites.

Rejection takes place before the SMTP session even begins (error message prior to EHLO, giving the address of the email engineering department, which I then contacted). The initial request was that I provide "full contact info" on the web server associated with the domain the IP address reverses to in order to be unblocked, with no indication of what that would entail. Eventually, after being (apparently intentionally) vague for a long time, they started insisting that this include a physical street address.

Basically, the actionable thing I want to know is whether I have grounds to say something like "The offer to accept mail from my site under the conditions of having published physical contact information constitutes a solicitation for personal data protected by GDPR, and if you are soliciting such personal data, you are required by law to accept it via a secure and private channel."
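To make the "rejection before EHLO" detail above concrete for readers who are not mail administrators: a receiving server that refuses a connecting host at the door sends a 4xx or 5xx reply as its greeting banner, in place of the usual `220` welcome, before the client has transmitted anything at all, and the text of that banner is where the contact address mentioned in the question would appear. The following is an added example, not code from the question or the answer; it assumes Python 3 and its standard library only, and every host name, IP address and banner text in it is constructed for illustration. It parses a (possibly multi-line) greeting, flags a non-220 code as a connect-time refusal, and pulls any contact hints (addresses or URLs) out of the banner, with an optional probe function a sender can run against a mail exchanger they are responsible for delivering to.

```python
"""Classify an SMTP greeting banner to tell a connect-time (pre-EHLO) refusal
from a normal 220 welcome.

Added example for this page; not code from the question or the answer.
Host names, reply codes and banner texts used here are constructed.
"""
import socket
from dataclasses import dataclass, field


@dataclass
class Greeting:
    code: int                      # three-digit reply code of the greeting
    lines: list = field(default_factory=list)  # banner text, one entry per line
    rejected: bool = False         # True when the server refused us before EHLO


def parse_greeting(raw: str) -> Greeting:
    """Parse the greeting a server sends immediately after the TCP connect.

    Per RFC 5321, a multi-line reply uses "CODE-text" for continuation lines
    and "CODE text" (or a bare CODE) for the final line. A 220 greeting means
    the server is willing to talk; 421 or 554 at this point means the client
    is being turned away before it has sent a single command.
    """
    lines = []
    code = None
    for line in raw.splitlines():
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        line_code = int(line[:3])
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("reply code changed in the middle of one reply")
        lines.append(line[4:] if len(line) > 4 else "")
        if len(line) == 3 or line[3] == " ":
            break  # final line of this reply; anything after it is a new reply
    if code is None:
        raise ValueError("empty greeting")
    return Greeting(code=code, lines=lines, rejected=(code != 220))


def contact_hints(greeting: Greeting) -> list:
    """Return mailbox addresses and URLs found in the banner text.

    Operators who reject at connect time usually say where to turn for help
    in exactly this line, which is what the question describes.
    """
    hints = []
    for text in greeting.lines:
        for token in text.split():
            token = token.strip(".,;()<>")
            if "@" in token or token.startswith(("http://", "https://")):
                hints.append(token)
    return hints


def probe(host: str, port: int = 25, timeout: float = 15.0) -> Greeting:
    """Connect to a mail exchanger, read only its greeting, then QUIT.

    Intended for checking your own delivery path to a remote MX: it shows
    whether a refusal happens on connect (before EHLO) or would come later.
    No EHLO, MAIL FROM or message data is ever sent.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        while True:
            line = reader.readline()
            if not line:
                break  # peer closed the connection
            buf += line
            body = line.rstrip(b"\r\n")
            if len(body) == 3 or (len(body) > 3 and body[3:4] == b" "):
                break  # final line of the greeting
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass  # a refusing server may already have dropped the connection
    return parse_greeting(buf.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Constructed banners standing in for what a sender might observe.
    welcome = parse_greeting("220 mx.example.net ESMTP ready\r\n")
    refusal = parse_greeting(
        "554-mx.example.net refuses connections from 192.0.2.10\r\n"
        "554 Contact postmaster@example.net for assistance\r\n"
    )
    print("welcome rejected:", welcome.rejected)      # False
    print("refusal rejected:", refusal.rejected)      # True
    print("where to turn:", contact_hints(refusal))   # ['postmaster@example.net']
```

The parser is the part worth keeping around: it is independent of the network, so the same classification can be applied to greeting lines captured in a mail server's own delivery logs, which is usually where an operator first notices that a remote site has started refusing them at connect time.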

5
  • 1
    It's not obvious to me that the GDPR applies at all. If I read your description correctly, they would not be processing the data in any way. They are not publishing it, demanding that you submit it to them or claiming they need to record it anywhere. They want you to publish it, which you are still perfectly free to do of course.
    – Relaxed
    Commented May 5, 2020 at 23:22
  • 3
    @Relaxed yeah, that seems more like a policy "we don't do business with anonymous counterparts" or "we expect foreign address owners to follow the same guidelines for publishing contact info of responsible persons as all other (local) address owners, even if it's not mandatory for them there". The act of requiring that data to be published may not itself be covered by GDPR (especially if that person is outside EU) but it's not really a way of "skirting around GDPR" since as soon as that ISP would want to do anything interesting with that published personal information, the GDPR does apply.
    – Peteris
    Commented May 5, 2020 at 23:47
  • @Relaxed: It's not obvious to me (a non-lawyer) whether GDPR applies on legal technicality grounds - that's why I asked the question - but on a common-sense level, accessing a website to confirm that it contains personal information about me and possibly verifying this information (e.g. minimal Google Maps query to see that address is real) constitutes "processing" that information, and should be governed by GDPR. Commented May 6, 2020 at 1:19
  • Yes, of course, nothing wrong with asking. But my own common-sense intuition doesn't suggest any of this ought to be governed by GDPR. Would you consider that all web surfing by a company's employees needs to be declared to data protection authorities, etc. etc.? It's a significant difference, not a mere technicality or a loophole at all from my perspective. Where the GDPR would obviously kick in as @Peteris explained is if they harvested these data or kept a record of it somewhere.
    – Relaxed
    Commented May 6, 2020 at 12:13
  • 1
    For the scenario of "accessing a website to confirm that it contains personal information about me and possibly verifying this information (e.g. minimal Google Maps query to see that address is real)" the only compliance thing they need to do is to admit that they're doing this and why - and I'm certain that their privacy policy tells this because they do it for all the German contacts. There is legal basis for this processing through the legitimate interests clause, no consent is required, there's no issue with GDPR requests to "provide all my data you have" since they're not storing it, etc.
    – Peteris
    Commented May 6, 2020 at 12:21

1 Answer

8

From a German perspective, it would be absolutely normal and expected that you're providing identity & contact information publicly. Per §5 TMG (Impressumspflicht / Anbieterkennzeichnung) this is required for German tele-media offerings, such as websites or email providers, even if non-commercial. Whereas for you as an upstanding and diligent email provider an abuse@... address should be enough, the German context expects a street address where you could be served with a lawsuit…

There absolutely are privacy and free speech issues with this compelled self-doxxing. But by running an email service, you're not just acting as a private person. Your privacy interests and the transparency and security interests of other people have to be balanced.

Now since you are not in Germany, the TMG does not apply to you. You have no legal obligation to provide this information. However, the ISP also has no legal obligation to deliver your email. The ISP does have an obligation to apply appropriate organizational and technical safety measures. It seems that one organizational measure they have found appropriate is that they will only deliver emails from providers that provide public contact information, as would be the norm in Germany.

I am not entirely sure how the GDPR applies here. The GDPR doesn't really allow or prohibit disclosures of personal data, it just requires that every purpose of processing for personal data has a legal basis per GDPR Art 6.

  • One such legal basis is a legitimate interest, which boils down to a balancing test between your rights and freedoms and other people's interests.
  • I'm also not sure if the contact information should be classified as personal data in this context, because the contact info primarily relates to your role as an email provider.
  • I'm also not sure if the ISP is processing your personal data in the sense of the GDPR when they merely require you to publish it on your own site. They would be processing it as soon as they scrape, store, or otherwise use this info.
9
  • Note that I'm not in Germany and these are not "services which would usually be paid". Rather the party making the demand is in Germany. Maybe I should clarify that in the question. Commented May 5, 2020 at 21:00
  • Re: the second bullet point, my understanding is that if they require the information for any other reason, they're required to handle it in certain ways and protect it from unauthorized access by third parties. Requiring it to be conveyed by posting it to a public website seems contrary to that. Re: "since you do not explain this context", can you clarify what you mean so I can explain it better? Commented May 5, 2020 at 21:03
@R.. Ok, if you're not in Germany then most of this answer doesn't apply to you. Regarding the GDPR issue, this depends entirely on the purpose of processing. If they have a legitimate interest, what they are doing might be OK. But your question provides zero insight into why data is being requested in what form. If I had to guess, your emails had been flagged as spam because they looked like they came from a business but did not include a footer with the necessary disclosures?
    – amon
    Commented May 5, 2020 at 21:20
  • 1
    Rejection takes place before the SMTP session even begins (error message prior to EHLO, giving the address of the email engineering department, which I then contacted). The initial request was that I provide "full contact info" on the web server associated with the domain the IP address reverses to in order to be unblocked, with no indication of what that would entail. Eventually, after being (apparently intentionally) vague for a long time, they started insisting that this include a physical street address. Commented May 5, 2020 at 21:30
  • 1
    @R..GitHubSTOPHELPINGICE This is a super interesting question, and I don't have a clear answer. But I've updated to account for the new information.
    – amon
    Commented May 6, 2020 at 11:31
