Not Allowed to use Hetzner

Many countries have permissive laws that allow the owner of DVDs/BluRays to make digital copies for personal use. This would be what Plex is for.

I am not sure if those countries also do not prohibit breaking the encryption of the discs; I believe that this is a country-specific law, so even if it applies in the US and UK, it doesn’t mean it applies everywhere. It would be interesting to know.

This is stupid. I’m not a lawyer. But I am a trained GDPR officer at my employer. I don’t work for our data protection office but I work with them all the time. And GDPR violations generally don’t involve the person whose rights have been infringed contacting a lawyer. They contact the Data Protection Commission in their country who pursue the case or don’t.

Let me explain to you (and my erstwhile debaters earlier in the thread) why GDPR is directly relevant to this action by Plex.

There are two possible angles to this: the Article 22 angle and the Article 5 angle.

Article 22
My interlocutors earlier in the thread seemed to want to claim two separate things that are likely contradictory:

  1. Plex weren’t blocking you personally.
  2. Plex weren’t using an automated process to carry out these blocks.

Article 22(1) reads as follows:

  1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Now, Plex has been anything but transparent in what it’s been doing here. They don’t even mention that Hetzner is the company in question and they don’t accuse anyone who got the email of being guilty of TOS violations. That lack of transparency is itself a likely violation under GDPR. But one can imagine that the process went something like this: Plex decides to block all Hetzner IPs. Someone writes a script to go through their customer base, pull out all the Hetzner IPs and send the same email to the account owner. It’s not clear that this meets the definition of “a decision based solely on automated processing,” but it’s not clear that it doesn’t either. It depends what counts as “the decision” and how you interpret “based solely on automated processing” (particularly the words “based on”). First, the decision to block all Hetzner IPs could have been entirely automated: the brief for the script might well have been “find out where TOS violations are likely, find the IP address blocks involved, write an email to any of our customers whose accounts serve from IP addresses in that block.” And all of that could have been automated.

“Decision” for the purposes of Article 22 is a decision to which a person is subject. What decision was I subject to in this case? It wasn’t the decision to block Hetzner. I wasn’t subject to that: Hetzner was. It was the decision to block my IP because it’s hosted by Hetzner. That’s the decision I was subject to. Was that decision based solely on automated processing? I’d say it’s very likely it was.

If it was “based solely on automated processing” then it’s clearly prohibited under Article 22. And I’ve previously linked to some ancillary documentation to GDPR (the WP29 document) that makes clear that this is something that is prohibited outright, not a right that those adversely affected have to claim.

But let’s say it wasn’t totally automated and that humans made the decision based on judgement, etc. Then we have to consider:

Article 5

The first two paragraphs of Article 5 say this:

Personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

There is no question that IP addresses count as “personal data” under the definition provided in Article 4 of GDPR. Plex itself also includes “IP addresses” in what it calls “personal data” in its Privacy Policy.

Now, there has been very little “transparency” or “fairness” in relation to those of us whose IP addresses are going to be blocked. Fairness? We are blocked not for having violated the TOS but because others are suspected of violating them. Transparency? We have no idea which providers are blocked (no hosting provider is named in the email), what the process was by which the decision was made to block these IPs, how it was carried out, etc.

So that’s pretty clearly not in compliance. And if you look at Articles 12-21 of GDPR, it becomes a lot more egregious.

Article 12: "The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form,"

and

“The controller shall facilitate the exercise of data subject rights under Articles 15 to 22.”

Article 13: "Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;"

There’s a lot more listed and Plex has done, essentially, none of it.

And this is where the non-compliance with and flouting of GDPR become pretty flagrant. Plex is supposed to have a list of purposes for which they process personal data. And they do:

  • To provide the Services
  • To improve and enhance the Services
  • Product development
  • To respond to your requests
  • To consider your application for a job
  • To communicate with you about Plex (as permitted by applicable law)
  • To personalize marketing, advertising, recommendations, and other content and experiences delivered or offered to you through the Services (as permitted by applicable law)
  • To facilitate your payment for any products and services we sell

But they are also supposed to provide, under Article 6, the legal basis for that processing. There are only 6 legal bases for processing and Plex haven’t provided any of them. Worse, the purpose for which the personal data was collected in this instance (to block the IPs of those Plex customers using a hosting service that Plex regards as suspicious) figures nowhere in the list of purposes in Plex’s privacy policy. Indeed, it’s incompatible with those purposes (Article 5(2)): if your purpose, for example, is “to provide the service,” blocking a customer’s ability to avail himself of the service is not a compatible purpose.

So the situation is, they are using the personal data of those affected customers for a purpose that they have not listed among the purposes for which they collect/process such data; they have not provided any legal basis either for the original purposes or for this new purpose; and they haven’t done any of this in a transparent manner or complied with the GDPR requirements that they provide data subjects with processes to uphold their right of access to the data (Article 15), their right to object (Article 21), their right to rectification of erroneous data (Article 16), etc.

So Plex is not only not in compliance with GDPR in general, but that non-compliance exacerbates and enables the violations of EU data subjects’ rights in this particular case.


I don’t know if they are in compliance or not, and they likely don’t care because they’re an American company. I certainly don’t feel they are in compliance with the spirit of the GDPR, but in the end that doesn’t matter: they don’t need to actually be in compliance to the letter of the written word. The EU can prosecute regardless and they make the decision; they can also say Plex isn’t in compliance even if the use case is not currently in the written word. Just look at Meta and Google, who were complying technically but were still fined massively because they were using loopholes.

No you weren’t. The decision was already made irrespective of you as an individual. It has absolutely nothing to do with you as an individual, natural person, or however else you want to term it. The decision that was made in respect of you was to send you an email, that’s it. And yes, your personal data was used for that but emailing individuals about the service is something that is covered within the privacy policy.

At best (for you and your claims that Plex are deeply in breach of GDPR) the privacy policy is inadequate and needs updating to include their contact details, the legal basis for processing, and a couple of additional points about data subject rights (they do already include details about your rights to obtain copies of your personal data or have your data deleted). Again, best case scenario is they’ll have to reword it, but it’s not going to change anything that’s happened here. Nor is it going to require them to let you host a server at Hetzner or provide refunds or anything else that has been demanded by people within this thread.

That’s because they’re not collecting personal data for that purpose. The data which allows them to block Hetzner’s IP range is the publicly available information about Hetzner’s IP range. They’re not collecting information from individual users to do that.

Please try and understand that they are not blocking individual customers. They are (for all intents and purposes) just whacking an entire IP range into their firewall and dropping all attempts to connect from those IPs. It’s not about you. To put it another way, if all they’d done was put Hetzner’s IP range into their firewall to block it then the outcome for you would be exactly the same as it is now. The only difference was you wouldn’t have had an email to explain why your server was going to stop being able to connect to Plex’s systems.


Yes. And what is next?
Like you can’t put movies of your wife onto your Plex? Or when Plex just fix: “We want to deliver the content, so no more private content.”
If they decide to stop, you are at their mercy, which you are not with open source solutions.

And speaking of paid sharing. When my cousin moved into his new flat with his room mates he made a big welcome party. He introduced me to a friend.
I knew what Plex is, but didn’t use it. He told me he got a big NAS at home and 1 gig fiber. And if someone wants to get access he charges 10 Francs a month.
However, he said he would not add random people. But since I am the cousin of his friend he would give me access. Ok, didn’t need it but still. What difference does it make for the copyright holder if the Plex is in Falkenstein, Germany or in a cellar in Zurich?


Even if in theory Plex would be in violation of GDPR the remedy would be a fine, not a specific performance. A GDPR violation would not prevent Plex from blocking all Hetzner IPs.

The GDPR debate is a colossal waste of time.

Secondly, the Hetzner IPs belong to Hetzner, not the end user. The IP range ban is a ban of Hetzner, not the end user specifically.

Well, iPhone is being forced by the EU to allow sideloading on their platform, which they own and manage, because the device is in consumer hands. A big parallel could be made to Plex: Plex banning Hetzner is equivalent to Apple banning sideloading if you want to use an iCloud account, but allowing it on device without authentication. Sure, there’s a bit of a stretch going on here, but still, Plex doesn’t run any of the software that handles things; they just handle authentication account-wise for easier management and sharing, but all that really matters is running on the consumer’s devices. You can always add your IP to the allowed-without-auth section and then probably keep accessing despite the ban, but you can’t then use it when outside, because the phone’s IP changes all the time, and with sharing you can’t manage which libraries someone can access, I imagine.

In the end it won’t matter what, how, why, where they are allowed to or not; they will likely go through with it, they’ll see it made no difference to those breaking the ToS, and if they weren’t allowed they’ll be punished and that’s

One irony I find is that if they instead did the ban so that on Hetzner IPs only the owner of the server could still access and manage it, but no sharing, it would actually look less heavy-handed and stupid. It wouldn’t be better, but at least the Plex Pass subscribers and owners of said server they pay for aren’t just completely locked out because Plex refuses to authenticate you to it.

For the copyright holder? It makes no difference. For Plex? Visibility and scale probably. If your cousin’s friend is sharing access with a small group of people that they personally know then it’s very unlikely Plex would ever become aware of it. It’s a very different situation to a large number of ‘resellers’ hosting servers on Hetzner and advertising their services on the internet.

A bit of? That’s an understatement.

You can be obtuse all you like, but it’s not an understatement and it’s quite equivalent in the end. But as I said, it doesn’t matter; you can whine about this and that being allowed and not matching criteria, blabla, it doesn’t matter, because government can change the rules anytime and hit you with the hammer, which is what the EU has been doing to all the big American corporations for a couple of years now lol

It is.

It’s not.


A stretch, I think you mean a false equivalency.

No, it’s a false equivalency.

Forcing Apple to use USB-C instead of a lightning connector is not remotely the same as forcing Plex to authenticate the Hetzner IP range. If anything, an EU law change as you propose would likely be a violation of the Computer Fraud and Abuse Act in the US.

Never mentioned USB-C. Sideloading is installing apps outside their locked App Store, but you defenders of Plex can say what you want; it makes no difference to me, it just amuses me lol

Good thing American laws can stick it where the sun doesn’t shine as far as the EU is concerned.

Hi,

I’ve been your Plex Pass customer for around 10 years. Recently I received your infamous e-mail. I replied to it on the 16th of September, but it is the 20th of September and there is no reply (which I really do not understand), so please let me ask here.

  1. "You’re receiving this notice because the IP address associated with a Plex Media Server on your account appears to come from a service provider that hosts a significant number of Plex Media Servers"
    Which IP? Which server are we talking about? I have 6 Plex Servers assigned to my account. Which server is the problem? How do I know from your e-mail?

  2. “that violate our Terms of Service”
    What was violated? By whom? By me? What exactly? Did I violate something? It is absolutely not clear what you are talking about.

  3. "Due to the large-scale violations occurring from that hosting provider, we will be taking action soon to block access and activity from Plex Media Servers hosted by that provider."
    Still I do not know which server on my account we are talking about or what was violated, BUT who will cover the cost of server migration? Usually I need to pay for:

  • a set-up fee with a new provider
  • the monthly subscription in parallel on 2 hosting services to migrate smoothly
  • at least one day of my time to do the migration, at a rate of around 100-200 USD. Will Plex bear these costs, as your “ban” is completely mysterious and, as far as I understand, not related to me breaching any ToS?

Thx for your reply,
KRis


Here’s where I learned about it.

Are they all hosted at the same service provider?

The terms of service

By users operating a significant number of Plex Media Servers hosted at the service provider.

Are you breaching the terms of service? You should know, you agreed to them. But if you haven’t received a notice saying your account is being banned, then it’s probably safe to assume that Plex doesn’t consider you one of the users on the service provider who is violating the ToS.

This one’s easy. You.

Are they all hosted at the same service provider?

No, all servers are different computers, IPs, operating systems. How do I know which server this e-mail refers to? I think it requires some clarification.

By users operating a significant number of Plex Media Servers hosted at the service provider.

Aaa, ok, so not me, right? I have done nothing bad. Good.

This one’s easy. You.

Why is this one easy? Are you a Plex employee? It would suit the story. So I did not breach anything. But I have to find time and pay for the migration because someone breached the whole??? ToS?
And I do not even know what to migrate.

Fun times at Plex offices.

It’ll be the one that’s hosted at Hetzner (or ones if you have multiple servers hosted there). Alternatively you can wait till after 12 October and then just see which ones have stopped functioning correctly.

Because Plex aren’t going to pay for you to migrate your server(s). I don’t need to be an employee to know that.
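The practical check behind the answer above (which of several servers sits inside a hosting provider's address blocks) as an added example; this is not code from the thread or from Plex, and both the prefixes and the server inventory are constructed placeholders, not Hetzner's real ranges:

```python
"""Identify which of an operator's servers fall inside a provider's announced
address blocks. Assumptions: PROVIDER_PREFIXES stands in for the provider's
published ranges (constructed, documentation-only addresses) and SERVERS is a
constructed inventory of six servers with placeholder addresses."""
import ipaddress
from typing import Dict, Iterable, List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in blocks (RFC 5737 / RFC 3849 documentation space).
PROVIDER_PREFIXES = [
    "203.0.113.0/24",
    "2001:db8:1000::/36",
]

# Constructed inventory: six servers, mixed IPv4/IPv6, only some in the blocks.
SERVERS = {
    "living-room-nas": "192.0.2.10",
    "office-box": "198.51.100.20",
    "vps-a": "203.0.113.45",
    "vps-b": "203.0.113.200",
    "vps-c-v6": "2001:db8:1000:abcd::1",
    "parents-house": "2001:db8:2000::7",
}


def parse_prefixes(prefixes: Iterable[str]) -> List[Net]:
    """Parse CIDR strings; strict=False tolerates host bits set in the input."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def matching_prefix(addr: str, nets: List[Net]) -> Optional[str]:
    """Return the first prefix containing addr, or None. Version-mismatched
    comparisons (v4 address vs v6 network) are skipped explicitly."""
    ip = ipaddress.ip_address(addr)
    for net in nets:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def affected_servers(servers: Dict[str, str],
                     prefixes: Iterable[str]) -> Dict[str, str]:
    """Map each server whose address lies in a provider block to that block.
    Servers outside every block are omitted from the result."""
    nets = parse_prefixes(prefixes)
    hits = {}
    for name, addr in servers.items():
        net = matching_prefix(addr, nets)
        if net is not None:
            hits[name] = net
    return hits


if __name__ == "__main__":
    for name, net in affected_servers(SERVERS, PROVIDER_PREFIXES).items():
        print(f"{name}: {SERVERS[name]} is inside {net}")
```

Swap the constructed prefixes for the provider's actual published ranges and the inventory for your own servers' public addresses to see which ones an IP-range block would catch.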

This is why Plex users can’t have nice things; we can’t even have a rational discussion on the topic. In your example, Hetzner would likely be in violation of the Computer Fraud and Abuse Act, so now we are going to pretend that US law does not apply to EU companies?

Exactly right, they actually don’t if they decide to pull out. And you’re the one making this a bad discussion, alongside 3 others. If you want a discussion, properly participate; don’t whine “oh this doesn’t fit, stop bringing it up,” “false equivalency,” with no proof towards it. It’s you who’s ruining the discussion.

Tell me how Hetzner can force Plex to authenticate Hetzner IP ranges? Hetzner would be in violation of the CFAA, which has both a civil and criminal component under US law.

Is your plan to force Plex to authenticate Hetzner IPs to use GDPR which has a judicial remedy of fines?