Isn’t this more easily fixed?

$ adb shell 'pm disable --user 13 com.google.android.gms'

grapheneOS and the like might work for the OP and anyone with a mainstream phone, but there are a lot of unsupported cheap obscure phones which are stuck with stock Android.

The fun aspect to this is that some banks have forced customers to use an Android for all their banking ops. So:

① You’re late paying a bill
② Creditor locks your phone
③ You cannot access your bank to make the payment because your phone is locked

Brilliant.

You can check it’s installed (stock android) Settings > Apps > All Apps > three dot menu, Show system > search “DeviceLockController”.

Is that just a “feature” of recent AOS versions? AOS 5’s triple dot menu has nothing like “show system”.

Is Wordpress a service? It seems to be software that is apparently runs on other people’s property. So this is what I’m confused about. I write a blog that is served by a non-profit org and the software is apparently Wordpress. I don’t understand how the copyright on my work in this context would exempt Wordpress in any way.

(edit) This article clears it up → https://lifehacker.com/tech/the-difference-between-wordpress-and-wordpresscom

Ebikes and electric devices, however, sound to me like something futuristic

There are kits enabling you to convert a muscle bike (push bike) into an e-bike. If you get one with a torque sensor, then it will detect how hard you push on the pedals and drive the motor proportional to that force. So you still must pedal but it amplifies your effort which preserves the natural feel and control of pedaling. It essentially makes the hills go away; a hilly place becomes a flat place.

IMO part of the fix for that is liberating psychedelics. There has been some research finding that if someone takes psilocybin (shrooms) before they reach the age of 35, they are significantly more open minded for the rest of their life. Though I’m not sure how they controlled for the question as to whether the drug makes people more psychologically flexible or whether they are more psychologically flexible in the first place if they are willing to try it.

Either way, it seems to naturally follow that conservatives proportionally tend to avoid psychedelics. It’s anecdotal but my fellow psychonauts are all liberal.

Might be a fun social experiment to propose a public gun lending armory. Like a library, you can walk in and check-out an AK-47 for a day or week for free. But just like the library charges for printed pages, you would have to pay for the ammo.

I don’t think a car-free city actually exists. The article mentions Copenhagen:

“[London] has avoided the kind of outright car bans seen elsewhere in Europe, such as in Copenhagen”

I’ve been to Copenhagen. There are cars throughout the city. There are some cycle-only paths that connect to intersections with cars. I cycled along side cars all over the city. Apparently Wired is calling car-reduced cities and cities with small car-free regions a “car-free city”.

Exceptionally, Brussels is a car-free city but for only one day out of the year. And car-free day falls on a Sunday. On that day it becomes illegal to drive a car in the city center without a special pass after showing you have good reason to use a car on that day. But even on that day, the outer region of Brussels is unaffected.

You might want to crosspost your story to !uklaw@feddit.uk. But if you do that be clever with your phrasing so as to not seem to be asking for advice, but rather for information. E.g. is there any case law for this situation…

(I’m assuming you’re in the UK because other commenters focused on UK law)

There really needs to be a resource where data subjects can pool their evidence and collaborate on GDPR actions against common data controllers.

Thanks!

The To: address in the header would be interesting. Of course, you wouldn’t want to disclose it verbatim here but it might be useful to have a rough idea. Was it Firstname.Lastname@yadayada.com or some variation of that, or was it more like commonNickname@yadayada.com? Some people here think it doesn’t matter, that it’s inherently personal info, but the European Commission says it matters. It’s not hard and fast; there are varying shades of gray here. Maybe they kept logs of your IP address and maybe that makes a difference. You might want to read WP136 (I have yet to read that).

I would love to see action taken against Reddit, if anything just to burden their lawyers and create some costs for them. But I doubt it will go anywhere. GDPR enforcement is such a shit-show in Europe. Even dealing with clearly blatant violations that are wholly internal to Europe which should irrefutably incur penalties, simple obvious cases are being ignored by DPAs. So I have little confidence that this cross-border case against a non-EU data controller would actually get results when the law is not really concrete. The one factor in your favor is that Reddit is somewhat high-profile which might take a DPA’s interest.

I don’t think a “delete my account” button constitutes an Article 17 request. It removes the purpose of processing to some extent, which then relies on the data minimization principle (Art.5). Reddit can do a bit of hand-waving to make excuses like needing to retain your email address in case one of your posts sparks a legal inquiry. Your case would be stronger if you had submitted an explicit Art.17 request to Reddit.

From the email:

Per our lawyercats, we are not able to respond to further inquiries or questions.

I wonder if that statement might be actionable. Art.12 and 13 require Reddit to identify a data controller with a point of contact and to tell you your GDPR rights (IIUC). And here they are outright stating in effect “we don’t want to hear from you”. I would stress that in your GDPR complaint, not just the misuse of your email which you expected to be deleted. But note they do provide an address at the bottom of that msg. Although that angle of attack might require Reddit having a way to know you have ties to a GDPR region after the supposedly “deleted” your acct.

Also, I would look into any anti-spam laws your country has. There may be a higher degree of legal actionability there.

I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.

GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is a fuzzy because IP databases on whether an IP address is residential boils down to guesswork.

Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.

Right, so e-mail address together with IP address would then make the e-mail that of an identifiable user under Art.4(1). So the OP needs to find out if an IP address was logged and retained in connection with the email address.

See https://infosec.pub/comment/6975469

That phrase (“user identifying information”) does not appear in the GDPR text that I have. Do you have a page or section reference?

According to the Commission, “an email address such as name.surname@company.com;” is an example of “personal data” [presumably from Art.4(1)]. But it’s interesting to note that that example obviously ties the address to an identifiable person. Is that the OP’s case? (I can’t see their Cloudflare-jailed screen shot)

The EC also says “an email address such as info@company.com” is not an example of personal data.

This should really be covered by an EDPB Guideline, but I’m not finding one.

If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing… it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.

As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam… I do not have access to the Cloudflared image the OP posted).

(edit) more clarity here, hopefully → https://infosec.pub/comment/6975469

Kind of. Yes you really should make an Art.17 request to ensure having a strong GDPR case in the event of non-compliance, but technically there is still an Art.5 data minimization rule that applies to data that is no longer needed for performance of the contract.

So cool to hear that Brazil has a GDPR equivalent. That (and the fact that Bolsanaro got booted) makes me want to live there.

Embarrassing that the US can’t get on the ball with this.

Delete is not same thing, as requesting to destroying all identifiable data of you.

This is what I don’t get. How are Reddit accounts not pseudo/anonymous? Back when I had an account (~5+ years ago at latest) they had nothing personally identifiable on me, in which case there are no GDPR rights to speak of. Even if I were to make an Art.17 request and go above and beyond by supplying a copy of my ID card with the request, Reddit would have no way to even verify that my ID is associated to the acct.

I think the whole discussion is moot when the data is “anonymous”.

But suppose they had the OP’s name on file linked to the acct thus making the GDPR applicatable. There would still be a violation under GDPR Art.5 (minimization) and Art.25 (protection by design). But it is probably quite difficult to make a minimization case; lawyers have to work hard. Much stronger and effective to make an Art.17 claim, which indeed requires making the request.