I’m not talking GDPR or Hetzner forcing anything. That’s exactly why you’re not participating and ruining discussion: you didn’t even pay attention to what I wrote, just started arguing against with falsehoods and misdirection to be argumentative.
You admitted your own post was a significant stretch. Do I honestly need to entertain it any further when you, yourself, admitted your post is a huge stretch?
Because Plex aren’t going to pay for you to migrate your server(s). I don’t need to be an employee to know that.
Maybe under the US law but not under the EU consumer protection law.
- Did I violate anything as a customer? No.
- Do I use a legal hosting provider? Yes.
- Did I bear costs and effort to set up the service legally and according to the ToS? Yes.
So technically as an EU consumer I should be compensated for this unilateral decision of Plex of not accepting one of the providers which was not in the ToS at the moment I set up the service. Just a respect towards the customers. Nothing more.
What you wrote was a false equivalency. The EU designating Apple as a ‘Gatekeeper’ organisation under the Digital Markets Act and requiring them to allow third party access to their services is hugely different to Plex deciding to block an IP range from their authentication servers (or however else they decide to implement the block).
You’ve not paid anything to Plex for their server software. Nor have they ever said that hosting on Hetzner was supported (not that it really matters for this purpose).
So please tell me/us what piece of EU legislation (and I mean the specific legislation, extra points for specific paragraphs within said legislation, and not a vague overarching description of what is a huge area of law) you think is going to require Plex to compensate you. Maybe you can be the first person in this thread to actually come up with something cogent to back up the alleged claim that the ‘law’ will require Plex to reinstate their server or pay them money etc etc.
I said a bit, not significant, and I said so because it’s not a carbon copy situation, but a line can still be drawn.
In the end it doesn’t matter. I’m done on this matter, so you can write and proclaim all the things and opposing opinions as you want on what I wrote, uncontested.
You really don’t know what you’re talking about. You keep importing further qualifications and requirements into “personal data” that are not in the GDPR in order to argue (or: assert, anyway) that Plex’s conduct doesn’t qualify. This, despite the definition having been cited and its broad scope pointed out several times. “Personal data” is “any information relating to an identified or identifiable natural person (‘data subject’).” Any information relating to a person. It doesn’t matter how they collected it. It doesn’t matter the purpose for which they were collecting. It doesn’t matter if they were targeting individuals specifically or if the individuals’ personal data got swept up inadvertently.
And it is ridiculous to assert that they were just blocking Hetzner, as if that were an end in itself and not, rather, a means to an end. What end? The end of blocking the Hetzner IPs of Plex users. The whole point was to get the individual Plex accounts serving from Hetzner off the network, not to just block a network for fun. They were manifestly not collecting but processing the data for exactly that purpose.
Your position is every bit as ridiculous as Bart and Lisa’s in this video. As if Plex is just blocking away in a vacuum and any collateral damage to their customers (under law) is irrelevant.
And you dismiss the fact that their privacy policy is inadequate as if that were a bagatelle and could be rectified by a few edits after the fact. You ignore the fact that the damage and breach of the regulation has already occurred and it’s not trivial. Processing EU data subjects’ data without a proper Notification containing all the requisite information is already a breach.
If Plex simply blocked the entire IP range (an automated process) and that had effects “similar” to legal effects on the individual, then they would be in violation of Article 22. Which is why you’re arguing out of both sides of your mouth: on the one hand, it isn’t personal because it’s automated; on the other hand, it’s not automated because it was personal. The fact that they wrote emails is an act of linking the personal data explicitly to the natural person. But the violation occurs before that as surely as it would if insurance cover were denied to a whole neighbourhood.
I recognize that I’m dealing with a person who would argue to the death that the sky isn’t blue. But you’ll have to actually address the issue here in terms of the regulations and not what you imagine the regulations might say or how they might define “personal data.”
So do us all a favour and cease commenting on my posts with irrelevancies like your everyday definition of “personal data” which has nothing at all to do with “personal data” as conceived under GDPR. Inform yourself. In particular, you might want to read the sections on pseudonymisation of personal data, beginning with Recital 26 and the WP29 Opinion on the Concept of Personal Data, in particular the section on p. 9 on the meaning of “Relating to…” as used in the definition of “personal data.”
SO. Is there any WHITE LIST of host providers we can migrate from Hetzner? How do f… do we know now where to migrate so Plex will not kick us out again? Any suggestions?
BTW. Plex just got from neutral brand into negative one for many of their loyal many years+ users. But I guess we are not the target customers for their future plans.
@banjopotato I assume you also consider that Plex’s end of support for Windows 7 would be in breach of the GDPR if they were to have contacted any users to tell them their server would soon be unsupported and they’d need to upgrade?
That’s not true according to Article 79. And any fine would likely bankrupt Plex.
The ownership of the IPs is irrelevant. It is their role as “personal data” that matters and IP addresses are mentioned as examples all over the ancillary documentation.
Perhaps it would be easier to break this down into smaller parts. So let’s start with:
- Is the IP range (for example, 116.202.0.0/16) belonging to Hetzner personal data? Just that data by itself in isolation.
- If you put that IP range into a firewall and block all access from it to your internal network have you processed any personal data?
I was never once trying to attack you personally. If the EU assigned Apple a gatekeeper status due to the Apple App Store, that is a 100% different situation than the current Plex/Hetzner situation.
Besides, if Hetzner is ignoring valid abuse complaints from Plex, why would the EU parliament ever pass a law specifically supporting the party not taking action against valid abuse complaints?
If I am understanding your perspective correctly, you are claiming Plex already violated GDPR with the e-mail they sent and thus a fine that could bankrupt Plex could be applicable. If that is indeed the case, how does that help anything as a company in Chapter 13 bankruptcy can not authenticate any IP range because the company has been dissolved?
I am not understanding how GDPR is helpful for the Hetzner IP ranges to continue receiving authentication services from Plex.
Plex states in their privacy policy that they collect:
- Email address
- Username
- IP Address (as permitted by applicable law)
Also from the plex media server section:
Plex does collect:
- Configuration data. … This information may include an IP address and port number(s), the name of a Plex Media Server, and information used to secure access to our Services
- Usage Statistics. Information related to your usage to run and improve our Services, to provide, customize, and personalize your features and account, communications, and other content that we deliver or offer to you.
Based on these privacy policies it would seem that Plex has a record of all Plex Media Server IP addresses and the Plex Media Server “owners’” e-mail addresses. If the IP ranges of Hetzner IPs are already publicly known or easily obtainable from entities like MaxMind, it would appear Plex has everything they already need to send all Plex Media Server “owners” using Hetzner owned IP ranges an e-mail.
I am failing to see how Plex is missing anything applicable to the current situation under their currently disclosed privacy policies.
Read the texts I pointed you to (about pseudonymization) instead of firing back immediately from a position of ignorance and you’ll know the answer:
A number of other situations can be mentioned, though, where it is not always as self-evident as in the previous cases to determine that the information “relates” to an individual.
In some situations, the information conveyed by the data concerns objects in the first instance, and not individuals. Those objects usually belong to someone, or may be subject to particular influence by or upon individuals or may maintain some sort of physical or geographical vicinity with individuals or with other objects. It is then only indirectly that it can be considered that the information relates to those individuals or those objects.
A similar analysis is applicable where the data are about processes or events in the first place, for instance information on the functioning of a machine where human intervention is required. Under some circumstances, this information may also be considered as “relating” to an individual.
That doesn’t answer the question. Do you consider that ‘116.202.0.0/16’ is personal data? That it relates to a specific individual?
To put it into context, Bangor has a population which is about the same as the number of IP addresses in a /16 subnet. Is Bangor personal data?
All kinds of things are missing that are required in a GDPR Privacy notice. I’ve mentioned several. Here’s a more complete list of what a privacy notice must contain:
- The identity and contact details of the organization, its representative, and its Data Protection Officer
- The purpose for the organization to process an individual’s personal data and its legal basis [for this, they need to specify each purpose for which they use personal data and the legal basis for processing it; see the page from my motor insurance company in my earlier post for an example]
- The legitimate interests of the organization (or third party, where applicable)
- Any recipient or categories of recipients of an individual’s data
- The details regarding any transfer of personal data to a third country and the safeguards taken
- The retention period or criteria used to determine the retention period of the data
- The existence of each data subject’s rights
- The right to withdraw consent at any time (where relevant)
- The right to lodge a complaint with a supervisory authority
- Whether the provision of personal data is part of a statutory or contractual requirement or obligation and the possible consequences of failing to provide the personal data
- The existence of an automated decision-making system, including profiling, and information about how this system has been set up, the significance, and the consequences
There’s more here: https://gdpr.eu/privacy-notice/
I have seen no proof Hetzner is ignoring abuse complaints, and I know for a fact Hetzner is mega strict: if they see traffic on certain ports they’ll close the network till you fix it, if you get a DMCA notice sent they’ll cancel your server, and they are the only provider I’ve known to actually do so.
Anyway, Apple was assigned gatekeeper status because the iPhone is in my hands but Apple will only let me install apps from their App Store that’s been approved by them and apps not banned from their App Store.
Plex Media Server software is in my hands, installed on my server, and I can still do so after ban, but I can’t claim or manage it because Plex (App Store in this example) is gatekeeping by banning the Hetzner IP range.
No, the situation isn’t carbon copy, but that isn’t how this works, nor should it. It’s plenty known that laws are not up to date for the internet; several times have GDPR fines been handed out while they weren’t in violation of the letter of the law. Irish commissioner especially has been known for this, and then they update the law in accordance, because there’s such a thing as spirit of the law and that is something EU takes into account when ruling on these things.
It can go either way, and in my opinion Plex isn’t far off from the same situation. Whether EU agrees and would rule as such I don’t know, neither do you, and that’s all there really is to it. Plex is also small fry, so it won’t likely get any notice or ruling because EU won’t care, but that’s another matter.
Still haven’t done the reading, I see, and therefore continuing to fire off posts and questions from a position of ignorance. That CIDR is an example of “pseudonymised data” under GDPR and, yes, it still “relates to” natural persons even if it has to be minimally unpacked to make the connection.
It therefore “indirectly relates” to the natural persons whose IPs (personal data) are contained within the CIDR.
Citing Recital 26:
The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.
Given that it is trivially easy to unpack a CIDR into an IP range (see: https://www.ipaddressguide.com/cidr), to the extent that any of those IPs relate to an individual, it contains that individual’s personal data (personal data that indirectly relates to that individual).
Bangor itself isn’t personal data. The addresses in Bangor most certainly are.
I give up again. Just getting responses of bits of directive and/or guidance you’ve read online gets us nowhere. I mean we’re now apparently in a world where a business who may do absolutely nothing with individuals has to worry about the GDPR if it puts an IP range in its firewall because it’ll be processing personal data.
So, good luck with your complaint to the data protection authorities. I look forward to hearing about how they’ve shut down/fined/otherwise penalised Plex for the colossal GDPR breach you’ve uncovered.
I don’t think a GDPR discussion is very helpful here.
The main issue for me is that somehow Plex bigwigs think that blocking Hetzner is an appropriate and sufficient action to stop people reselling their server access. To anyone with half a brain cell, this is of course stupid. The people who are making money out of Plex will have already moved their servers to another provider. It’s not that difficult, and if their income depends on it, you can be sure they’ve already moved away.
So, this move by Plex will have exactly zero impact on what they are trying to achieve, and a massive impact on their reputation and trust by its legitimate users/customers.