Not Allowed to use Hetzner

This raises an important issue that hasn’t been raised here yet. The GDPR (General Data Protection Regulation) in the EU very tightly controls how “personal information,” which includes anything that can be used to personally identify an individual, can be used. Processors (Plex in this case) must have a lawful purpose for retaining and processing that information. The possible lawful purposes are these:

  • (a) If the data subject has given consent to the processing of his or her personal data;
  • (b) To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
  • (c) To comply with a data controller’s legal obligations;
  • (d) To protect the vital interests of a data subject or another individual;
  • (e) To perform a task in the public interest or in official authority;
  • (f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the [Charter of Fundamental Rights]

While, as an EU-based user of Plex, I’m sure I was asked to accept the privacy policy as well as the TOS, it is not at all clear that using my IP address to send me an email to announce that my server will be blocked from using the service is in compliance with any of the lawful purposes. For starters, I never consented to have my personally-identifying information used in this way: it’s not part of the privacy policy or the TOS. That means that, under GDPR, Plex has to have another lawful purpose for harvesting people’s IP addresses and using them to send emails to them and ban the recipients…

I’m not a lawyer, but it seems dubiously legal to me.

I don’t think any of the other lawful purposes apply here. Even (c) (to comply with legal obligations) doesn’t apply: there is no legal obligation to mass block an entire IP range or to send those emails to people who are not accused of any illegality or violation.

Of particular interest here is Article 22 of the GDPR, paragraph 1 of which states this: “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

I believe that EU residents, at least, have had their rights violated by this decision. A decision based on automated processing (the determination of IP addresses belonging to Hetzner) resulted in users being effectively profiled, producing legal (or other) effects.

Despite selling their product to EU customers, Plex doesn’t seem to have any kind of GDPR-compliant privacy notice outlining the lawful purposes of processing and other necessary information. The issue was raised in this forum in 2018, when GDPR was about to go into effect. A Plex employee responded in this thread that: “With regards to GDPR as a whole, Plex has been working for the last few months to meet our obligations under the GDPR. The Terms of Service and Privacy Policy we published yesterday were prepared and reviewed with a legal team that specializes in privacy law and understands the impact of the GDPR. Based on their advice, we are confident that we will be in compliance with the regulation.”

I don’t believe that this action with regard to EU-based Hetzner users is in compliance with the regulation. I also don’t believe the TOS or the Privacy Policy are sufficient under GDPR.

Fines for GDPR violations on the part of corporations can run into the millions. As an EU citizen, I have a right to know not only the data that they are collecting but also the lawful purpose under GDPR for collecting it.