I am not a lawyer, but GDPR explicitly covers the plugin pipelines - they're "processors". The requirements for processors are basically that you can only use processors that are compliant with GDPR themselves. Any well designed regulation disallows skirting liability by subcontracting out functionality. Is that really unreasonable? It describes pretty clearly how to be a compliant processor, and it's basically saying that you have to have a contract with the "controller" that requires you to fulfill the same responsibilities that the controller would have under GDPR if they were doing the work in house.
> The requirements for processors are basically that you can only use processors that are compliant with GDPR themselves.
How can you be sure that the compliance isn't just marketing? There is no official cert body or institution for GDPR afaik. Isn't it all trust based at this point?
Actual certification would require a huge continous investment, where a outside body would constantly monitor and proof your code and its side effects.
>Any well designed regulation disallows skirting liability by subcontracting out functionality. Is that really unreasonable?
But what if this industry, especially the small business world is based on subcontracting out functionality? They're basically ignoring an existing ecosystem and methodologies that developed over a decade in that space.
>It describes pretty clearly how to be a compliant processor, and it's basically saying that you have to have a contract with the "controller" that requires you to fulfill the same responsibilities that the controller would have under GDPR if they were doing the work in house.
If its so clear, why isn't there an official cert body or institution? Afaik there is none. Compliance refers to the interpretations of the GDPR text, not real logical safety on an technology level, the laws aren't detailed enough for that. To cert or guarantee safety they'd have to monitor code repos and analyze side effects of the code on a constant basis.
I think the correct way to handle data privacy is on an individual level, within the operating system and browser, making sure that your privacy settings are respected. A page that doesn't conform to your settings just wouldn't load, you get the internet you deserve.
Everybody should also have the opportunity to learn the basics of using an internet connected device, similar to driver licenses. The individual level would be a much better fit, and potentially real solution and not just a castle in the sky.
GDPR relies on trust, one little bug that results in a privacy issue and you can close up shop as business. It's a setting where those that employ cyber warfare to hack competitors and have those resources win. Politicians who brought you GDPR are the same ones that wage wars on drugs. Total morons.
makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
Adherence of a processor to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate sufficient guarantees as referred to in paragraphs 1 and 4 of this Article.
You can subcontract, in the same way that a any other business has to subcontract with businesses that obey relevant laws. They didn't ignore history or the present - they added new responsibilities to subcontractors, and described requirements for those contracts.
The subcontracting provisions I think are actually very reasonable and well defined. Things like the Right to be Forgotten have other issues around free speech, but the controller -> processor relationship seems pretty well specified.
https://gdpr-info.eu/art-28-gdpr/