GDPR is very Personal

It is a personal post. Not that it is annivarsary of GDPR so I am very emotional due to that but because to me, GDPR is very personal and I hope you don’t mind.

Personal Letter

When was the last time you sent a letter? I do not mean letter to tax office, employment agency, or invoice to customers. Real ones?

When I was younger, it was the most joyful thing to write and then send a letter. I knew, I could write whatever I want to write, my girl friend could read, and I could get letters from here. Everything was private, everything was between two of us, and so emotional, so special, so joyful.

Now, instead of letters we send emails, fb messages, we whatsup, we viber, we hangout, we telegram.

I was sure that I was almost confident that, my letters were not opened, I had this trust. Because I could put signs in a way that I could let receiver notice that whether my envolope opened or not.

Yes, it was an analog process and now we are living in the era of digital. Now things changed. Now we whatsup, messangers, twitt, email each other.

I would like to continue with nice example Peter Krantz gave when he was CIO of Swedish National Library.

Just to illustrate how communication has changed I would like to use analogy of lending a book from library. Peter Krantz, who is CIO of National Library presents it like this:

You, as a user just lend the book and everything  between library and you. Now, when you read a digital book, there are many different stakeholders as stated in the picture. I have no control of use of this information.

But don’t get me wrong, I think we don’t even need GDPR and we can fully trust companies and states.

Who ever complains about privacy, talks about human rights etc, these are some bunch of crazy people who live in dillutional world.


When I was younger, were were told some consipracy theories that there is a secret ECHELON program that collects and stores all digital communication. It was crazy. Why there should be an organization like this? Why should they collect all these data?

But now we know it is the fact. We know because we have evidence provided by Edward Snowden. We know that because there are whistleblowers. Governments are not hiding it anymore. They just do that to protect us from terrorists! Companies are not hiding it. They accept that they collect data, take our consent, as if we could have another option and use it.

As a result, governments, and public bodies, creates, collects, stores and holds lots of critical information about us. It is not only our name, street address and registration number. It is our health data, it is our videos recorded by security officers, it is our photos and voice recordings when we enter and leave the countries at the airport. It is our photos (and may be even voice) when we stop at stoplight, it is our fingerprints when we enter (some) countries or get a new passport and driving license.

Governments ask us to trust them, private companies ask us trust them.  As I said, I trust all!. When I read “personalized content” I just understand that “Oh boy, great they are recording and following us for my safety and security”.


“The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your requests”

“We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:”

Let me give explain what this means in practice for TrustCorp:

They  collect personal information like your name, email address, telephone number or credit card. They can collect our phone number, which is not core business, they can collect identifieir of my phone, again, I did not buy phone from them, they can see all calls, dates, durations, type of calls, nothing mentioned about whether they also record my calls or now (may be, who knows?) Then, they can collect information about the websites I visited, what worked what crashed, all location information that they can identify from any sensors, wireless pot around, information about my local storage.  Look, storage is interesting actually: It is like a IKEA knowing how much space I still have empty in my wardrobe and received regular updates about my space in wardrope, is not it?

If you think this information is too much, no it is not! If they think they might need more information from me, then they will notify me, if it is something notifiable, and they will ask my explicit consent, meaning that, I have accept their terms and conditions otherwise I cannot check my emails, check maps etc. I will not have this option: “No, I reject but still use the service as I was using before.”. I can not reject and use old version either! I will have the only and the one great option: Consent!

Not only these company have our data, they can also share all these data to

 “companies, organizations or individuals outside of TrustCorp if we have a good-faith belief”

They can share with individuals. Who can be these individuals? and if TrustCorp have “a good-faith belief”. What is “good” and whose “faith” is it?

TrustMEtoo CORP

Now my second example is from another TrustMEtoo corporation. This is the one that usually tries to improve their privacy and just deflect the questions. Let me explain how this company was used by Trump before the election: Parscale uploaded the names, email addresses, and phone numbers of known Trump supporters into the TrustMEtoo advertising platform. Next, Parscale used TrustMEtoo’s

Custom Audiences from Customer Lists” to match these real people with their virtual TrustMEtoo profiles. With TrustMEtoo’s “Audience Targeting Options” feature, ads can be targeted to people based on their TrustMEtoo activity, ethic affinity, or “location and demographics like age, gender and interests. You can even target your ad to people based on what they do off of TrustMEtoo.”

Parscale then expanded Trump’s pool of targeted TrustMEtoo users using “Lookalike Audiences”, a powerful data tool that automatically found other people on TrustMEtoo with “common qualities” that “look like” known Trump supporters. Finally, Parscale used TrustMEtoo’s “Brand Lift” survey capabilities to measure the success of the ads.

Then data was shared with trustable organizations and individuals to create their own database and then there was Project Alamo where 220 M American data were stored with approximately 4,000 to 5,000 individual data points.

What I was saying: we should trust corporations and TRUMP governments, right?

Muslim Registry

Do you remember, when there as a time, when people were scared that Trump would register Muslims in USA? Honestly, why were we scared that TRUMP is going to register Muslims in USA?

Honestly, do you really think he is going to register by one by, as of today, I guess we all know that he is not stupid that he was presented to us by our “objective” media. He already have the registry, as one of my friends shared at her Facebook post how Muslims were able to receive specific letters from churches and how innovative way of reaching the church is presented (it is from 2016).

I am not against of any religion practice, but I am not sure if we all are OK that any organization, company can get that detailed list?

Shall we trust companies? OH Yes!

Trust Governments

I think not only companies, but all governments are trustable, let me give you an example:

Let me give you first example from a state:

“According to a half dozen current and former employees, who spoke on the condition of anonymity, leaked Procera documents and internal communications, Turk Telekom requested not just a feed of subscribers’ usernames and passwords for unencrypted websites, but also their IP addresses, what sites they’d visited and when.” Forbes, October 2016

This except is  an old news from Forbes, when Turkish states technology provider company asked a Canadian company to  give access to “usernames and passwords for unencrypted websites, but also their IP addresses, what sites they’d visited and when”. We could only hear about this because they had Swedish branch and Swedish employees and CEO, and they protested, and CEO resigned. What if they did not? What if there are some companies that do not care about these issues but just profit from it?

Private Fridays and Privacy of Health Data

It is not only about when we use the service, with every device we are adding to our life, corporations are so trustable that they start to dare to say be careful what you say next to their voice activated devices. You don’t need to worry about private talks or moments or Friday nights with your partner anymore! Your dear friend Alexa will take care of it!

If you want to have some private moment and do not want them to hear and see, go to storage room! Wait a moment, maybe we already put a camera there!

Now we have covid-19 and some countries are making mandatory for people to provide input to some specific apps and go regular screening about their health with specific tools and cameras. They claim that it will ONLY be used for Covid-19. Let me give you a great example and ongoing discussion about PKU- blood registry in a very democratic and open country: Sweden.

PKU is a genetic disease and parents are asked to donate their kids’ blood for PKU clinical & health research. Majority of people, for the Samaritan reasons donated their kids’ blood.

You know what happened? In 2003 after assassination of Foreign Minister Anna Lindh, police were able to identify the perpetrator by means of blood samples from the PKU database, despite protests by the health service. When identifying Swedish citizens after the 2004 tsunami disaster, the Biobank Act was temporarily amended by a parliamentary decision that allowed the International Identification Commission to use the samples,

Imagine, they tell you to give permission of your newborn baby to be taken for the research to cure diseases, and you decide to donate. Now it can be used by police and international commission!

Imagine that you are “that kid” and your blood is registered to a database without your own consent and what if government decides to open these databases to not only police but insurance providers, to find your preconditions, genetic diseases that can be shared by companies that are trustable as I described above!

Privacy is Creativity

Imagine the world we are entering, we are recorded registered from our birth from our blood to our every move, by different companies, states and governments where we are supposed to trust them and they can share this information..

There are tons of studies on privacy and cameras etc. These sociological studies conclude that, behavior becomes conformist and as accepted by the power owners, as expected by power elite and we can basicly conclude that creativity, freedom, and resistance to power, actually humanity dies!

Think for a moment, what if Hitler had all these survalience technology we have now?

Hitler Selfie - Imgur
Ref: Mary Jane Sunshine

What could we do in order to protect ourselves with the all political and technological power he would have!

Privacy of Personal Data

I hope my examples above show why and how data privacy is very important for citizens.
But I have to make a distinct difference here. When government representatives talk about privacy and security, they ONLY refer privacy and security of government files. The problem with that context is that, these governments do not care about privacy of citizen data, do not care about privacy of, basically, “mydata”.

How much can we trust that google, Samsung, Microsoft and any other private companies will protect our data? What gives them this right to collect so much information about every one of us, every device of us?

I am not here to draw a negative picture, but we must face the reality and define problems properly without falling into ideological trap so that come up with suggestions. Because whenever people raise their voices, these organizations create an environment that privacy advocates are bunch of radical people who does not get the new world!

But just think about: How many of you know how your data collected and treated?

You are being told that it is anonymizer, right? but which level? I am sharing you my anonymized pictures!  Which one is stored in the database?

Encryption, right? I know a company promised so, please search for Asley Maddison, but then all their database is leaked, and data was easily seen, and people lost their reputation, several people committed suicide. People trusted the company that is regulated by state rules but in the end, their privacy is comprimised!

Ok Serdar, the DrZero, you complained a lot, are there any solution: Yes

There are many solutions, but I want to keep this discussion for future posts, first, we should see that these are about everybody and about each of us!

All these “trustable” companies and governments are pushing us to the corner by saying: (As once Google CEO Eric Smith did)

Trust us we are good guys!and

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place

Edward Snowden has an answer to them:

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say

I think I have right to flip the sentence here:

Hey Dear Companies and Dear States, If you do not want to share how you store our data, encyrpt our data, how you process the data,  then you have something to hide!

We put our trust in states, they are not able to protect our data! We put trust in government, they do not do anything to protect individuals! We put trust in private companies but they are being hacked and actually they abuse their power.

Google, Microsoft, Samsung, Facebook and all governments, human right activists, citizens need to understand more broadly that ignoring personal privacy in the data era, we not only let invasions of our personal space, but open the door to future abuses of power.

We have all the tools and the technology available to address all these problems. I just want to have my right of privacy and want to have private communication as I had with the physical letters years ago! Is it too much?

On the Second Anniversary of the GDPR: Mobile App Descriptions

With today being the second anniversary of the GDPR, below is an article I wrote regarding mobile apps and privacy, particularly with respect to the U.S. COPPA statute (Children’s Online Privacy Protection Act). I reviewed over 10,400 mobile apps in the Google and Apple stores while working at a Washington, DC, law firm and it was an enriching experience. So here are my suggestions and tips. Enjoy!


Mobile App Descriptions: Observations and Tips

James J. Casey, Jr., Esq., CPP


One of the most dynamic aspects of the smartphone revolution has been the introduction of mobile apps that are downloaded for use in smartphones and tablets. The Apple App and Google Play Stores are the primary players and have been since their establishment nearly 12 years ago. Phone manufacturers who attempted to create their own native app ecosystems, such as BlackBerry, generally failed. Of course, many know that BlackBerry phones now have the Android OS, which means access to the Google Play Store.

With the long – overdue focus on privacy – 20 years late in the estimation of the author – mobile apps are under increasing scrutiny. This is particularly true where apps may be directed towards children – and collecting their personal data in the process. I have been fortunate to have reviewed over 10,400 apps in the Apple App and Google Play Stores, and have some observations and tips to share with you. These observations and tips are exactly that – they are not legal advice. Thus, you are recommended to seek legal advice from your general counsel or outside attorney.


  1. I have seen sloppily written app descriptions – complete with spelling and grammatical errors. Thus, apps should be precisely written and explicitly clear as to what the app(s) is / are designed for, what age rating is appropriate, and what audience(s) the app(s) is / are directed towards. The app store content ratings should be accurate to the directed age groups and content descriptions. This is especially true for children as well as for mature subject matter and topics involving violence, crude humor, blood / gore / death, stronger sexual themes and content, and partial nudity. If an app is part of the Google Play Store “Designed for Families” (DFF) ratings, then it should be marked as such on the app page.
  2. Make sure there is consistent alignment between the descriptive words and pictures / media / images / screenshots in the app description. This is especially true when it comes to the ages of “directed persons” / target audience and where the content involves mature or potentially controversial subject matter. If an app is directed towards children (under age 13) and older individuals (a “mixed” app), then the descriptions should clearly state that. It is critical that app descriptions for children be crystal clear.
  3. There is a fine line between too much and too little information on the app page. Some apps have too much extraneous information and not enough important detail. App descriptions are truly art + science.
  4. It is also important to recognize that there are differences globally with the use of child – specific images. In some regions / cultures, that use may be perfectly appropriate for older audiences (not directed at children) while in other regions and cultures those images are not used except in apps directed towards children. Be aware of this global dimension.
  5. Be clear about the financial dimensions of apps (as applicable). Will they require purchases once the app is downloaded? If so, what is the cost and how often? Is there is a subscription option? Consumers do not want to be surprised by these costs. Reading the reviews of apps in these stores illustrates the “surprise” of these additional costs. It is quite informative to read the reviews of apps in both stores.
  6. If ads will pop up while an app is used, alert the consumer to this fact. This is another area where consumers would rather not be surprised.
  7. Ensure that your company privacy policy and other associated terms and conditions / terms of service are current and in compliance with the requisite statutes and regulations (such as the EU GDPR, U.S. COPPA, and the State of California CCPA).


App descriptions in the Apple App and Google Play Stores serve two important purposes – to entice people to download / use that app and comply with the relevant country / jurisdiction statutes and regulations. Apps require the same concise writing and dedication to detail that many other areas of technology and law require. From what I have seen in reviewing app pages, the biggest issues are sloppy writing (including missing substance) and inconsistent messages in them (especially between words and images / media). It is better to identify child – directed apps in the app page rather than have a governmental authority begin to question / analyze apps to ensure that the privacy interests of children are being protected.

We are entering a heightened age where the protection of personal data is much more important than previously desired or expected. It is better to adopt privacy – protecting practices now than react to legislation / regulation later.

I may be reached at if you have any questions or comments.

Happy Birthday 2 years on with GDPR!

In celebration for GDPR 2 years on, I thought to repost some blogposts from June 2018. However, when looking I realised that they were a few and the theme was strong on how our personal data is public in Sweden and the use of utgivningsbevis to keep this status quo. So, I ended writing an additional blogpost, realising that I’m still really unhappy about the Swedish status quo on this.

GDPR has brought progress in ensuring that we, data subjects, have rights over our personal data, but sadly what I posted 2 years ago is still acutely relevant today in 2020.

The fact is in Sweden our personal data is made public and we have no say! After all public is public, impossible to restrict processing when this is the case, and as acknowledged in privacy laws, not just in the EU. The data brokers get to this data scrape from public sources, do some intelligent profiling and sell on to businesses, e.g. based on where you live will determine how you are profiled and to whom you will be sold.

Someone tried to argue with me once that a street name (missing house no.) was not personal data. The fact is that the street where you live says quite a lot about who you are. It gives an indication on your wealth, if you’re young, with kids, or elderly and if you’re likely to have a garden, 1 or 2 cars, etc. Your street name is directly or indirectly linked to you as an individual. The street name could be enough that you receive cold calls either by phone or someone knocking on your door to sell you double-glazing.

In UK for example, you are hidden by default. The difference in Sweden is that it still stands today the clash between laws pertaining to ‘freedom of press’ versus ‘a right to a private life’. In Sweden it is the former which wins.

I read somewhere that there are 100s, maybe 1000s of complaints from Swedish data subjects on the lack of control and rights (as per GDPR) they have over their personal data. This is positive! People are aware of their rights and are asking questions, why is this happening? I can’t find the article now, so would appreciate if anyone can dig it up? The question is if this will change? Can it change?

The e-Privacy Regulation has something to protect from unsolicited calls, and by default protected, as in UK the resident needs to opt-in to be included in a public directory.

Protection against spam: this proposal bans unsolicited electronic communications by emails, SMS and automated calling machines. Depending on national law people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.

How it works in Sweden today is that every business needs to have a ‘do not call list’, it seems that what is proposed in the e-Privacy Regulation is a national list, which is an improvement, but still does not solve the root of the problem. I do not want my data public unless I have specifically consented to this or I have myself made my data public.