A thorough article on the current challenges, technically and ethically, regarding the use of elsewhere published public data that can be regarded as 'personal data' in the GDPR/DSGVO sense. Data that will be published for example by pulling in likes, shares and comments posted on Twitter here in my blog, as 'reactions' alongside with 'real' comments on my posts.

As Sebastian writes

Just the fact that I can aggregate a “facepile” showcasing everybody who clicked “like” on a tweet of mine does not mean that my motivations for doing so are more important than their right to stay in control over that interaction.

This, and his conclusion to disable the webmention/backfeed process, plus deleting all data aggregated this way, to be on the 'save' side, or ethically, on the 'right' side, illustrates how the GDPR of course effects even the smallest part of 'the web'.

As it is intentionally, since 'the personal data', and not 'who uses the data' is in focus. Of course there are differences between a multibillion data processing adplatform and a personal blog by a concerned web citizen, but the (mis)use of data as in 'whoops, I didn't know that my profile pic would turn up on every bridgy/webmention/backfeed enabled site in the world, and getting indexed by search engines in that site's context', well, looking from that point of view, the (mis)use is there.

And while I still think that there has to be a leverage of intention and possible damage, I do see how this gets really really tricky really quick. And that's why I am kind of divided in my thoughts about this whole GDPR / DSGVO thing.

On part of me is really annoyed, mostly because for weeks now I am in the middle of handling clients' expectations who are in the majority not informed, who think that GDPR has mostly to do with 'the web site' and can be dealt with by publishing a standardised Privacy Policy. And who somehow expect, that I as someone who 'makes' web sites in their mind can automatically provide such texts, for free, since I surely have done so elsewhere, of course. And for me, my company and my personal projects trying to get behind what and where I need to adjust and what to create - whch by itself is like walking through a swamp, since so many things are on the 'it depends' side of, well, things.

The other part however is quite pleased with all the discussion and action that is happening right now, since people now are forced to think about privacy implications of their (design) decitions. Unfortunatly, not many are aware of the chances this brings, the majority still doesn't care, but only wants to get out of this current hassle with a minimum amount of effort.
Very telling is how many of my clients confirm that they really don't use google analytics much, yet they have full IP logging. They won't even notice a difference if the IPs are masked, but prior to the current GDPR hassle wave, didn't care to change their settings.

Still, the amount of research, of legal counsil, of work needed in the markup of year-old sites (not even starting to look for implication in-house) – all this currently sheds a very bad light on GDPR in most people's mind, and for the average web user it'll bring just another onslought of disclaimers and policies to read/click through. And since very few really think about changing their practise, not much will change in terms of the real data processing. This is my pessimistic view of things. My sarcastic view of things waits for the wave of legal battles that'll start because of wording in the policies and/or the confusion what is to be considered a 'personal' site.

Very interesting times ahead. Interesting as in this chinese curse 'May You Live In Interesting Times'.