What new requirements can be set by the board? As far as I understand EDPB can only issue guidelines, recommendations and best practices. All of these are just guidelines on how to interpret GDPR. Courts are the ones who ultimately decide if are complying with GDPR. Local DPA likely won't harshly punish you if you follow EDPB's recommendations if they end up getting overturned by court.
DPA won't punish you for not following EDPB's recommendations, they will punish you for breaking GDPR. You are free to ignore EDPB if you think your legal position is strong, but you carry the risk if you are wrong.
Google has specifically said that certain API keys like Firebase are not secrets (since people will find them)... though Gemini then ended up changing stuff. https://news.ycombinator.com/item?id=47156925
If PIs can "legally" do it then it sounds like there is a law which allows them to do it. That law can be revoked (unless the power comes from Constitution which would make it effectively impossible to revoke).
Note that PIs are effectively illegal under GDPR by default. They would generally need to provide Article 13 notice, i.e. you would become aware of them unless they were just asking around without actually following you. Member states can make them legal though (via Article 23) and likely in many cases they have done so.
In the US, PI licensing is only about PIing for hire. The actual act of going through public records, following cars and whatnot do not require a license, you can spy on anyone without a license as long as you don't get paid for it.
EU is more complicated, but Article 14.5.b allows withholding notice if it would impair/defeat the purpose of processing. The PI must however apply "safeguards", whatever it could mean.
Article 14(5)(b) does, but that only applies for Article 14 notice (personal data not directly obtained from data subject). Article 13 (personal data obtained directly from data subject) does not have such exception in GDPR itself.
This becomes extremely relevant when you read it in the light of the C-422/24 decision. In that personal data collected via body worn cameras was determined to be "directly obtained". Paragraph 41 from the judgement:
> If it were accepted that Article 14 of the GDPR applies where personal data are collected by means of a body camera, the data subject would not receive any information at the time of collection, even though he or she is the source of those data, which would allow the controller not to provide information to that data subject immediately. Therefore, such an interpretation would carry the risk of the collection of personal data escaping the knowledge of the data subject and giving rise to hidden surveillance practices. Such a consequence would be incompatible with the objective, referred to in the preceding paragraph, of ensuring a high level of protection of the fundamental rights and freedoms of natural persons.
Given this it's very unlikely that PI observing (especially if they record) could be considered to be Article 14 instead of Article 13 type of collection as it's exactly "hidden surveillance practice" that the Court warned about.
Member states do have a right to restrict the Article 13 disclosure obligations via Article 23 restriction, but that requires specific law in the member state & the law itself must fulfill the obligations that Article 23 requires. Article 23(2) essentially forbids leaving everything up to the controller.
And as far as PI in the US goes, actions between stalking and PI "for self" tend to be so similar that I wouldn't necessarily recommend anyone to try it.
Surely EU members should care if Spain blocks the access to government services offered by EU members. In Finland various government services (like Police's website) do use Cloudflare.
And Spain is not blocking access to Spain's citizens, it's blocking access people in Spain. These could be citizens of other EU members who need to access their government's website for reason or another (e.g. renewing passport) while they visit Spain or reside in Spain.
> Seems obvious at this point there needs to be EU-level regulations against individual countries, such as Spain and Italy, implementing these absurd restrictions.
I don't think there is EU-level "regulation" in this specific thing. However there is something somewhat better: European Convention on Human Rights. It's just that challenging these kind of bans via that route is very slow (similar how slow it is to challenge the laws which go against the Constitution in the US via Supreme Court).
Yeah, if this is stopped, it'll be because of the European Charter of Fundamental Rights or the ECHR.
The Charter and the European Court of Justice is why we don't have blanket data retention in the EU but it took twelve years to strike down the Data Retention Directive (though it was killed off much faster in some national courts).
You don't need to colocate the solar, but you need to make sure you can get that power when you actually need it.
During crisis nations are going to restrict exporting electricity and prioritizing their own residents. Electricity that is generated in Germany is not going to warm up Nordic countries if Germany doesn't let it.
Wires are also susceptible to sabotage, especially undersea ones (which are the current major connection points to Europe).
Sure, that is the current situation but if the Nordic countries started relying on solar from central Europe (especially Finland since it doesn't have the hydro capacity Norway & Sweden have) things could get ugly during crisis.
The GP essentially framed overprovisioned solar as solution to anyone who might rely on nuclear without taking in account realities in many countries.
I selected random date in July 2025. During that time Finland produced about 10GWh of solar. I selected random one from February 2025. During that Finland produced about 0.5GWh. February also actually doesn't have shortest daylight hours, mid-December situation is even worse. Christmas Eve 2024 produced about 0.05GWh.
You sure overprovision factor of 200x is still cheaper? This is when looking at the peak generation. From what I understand solar has about 30-40% capacity factor in summer. Just to panels (I'm not sure about total cost of grid-scale solar) seem to be about $300k per rated 1MW or $750k per 1MW during peak. $150M per 1MW during December. OL3 cost about 11B € for 1.44GW (assuming 90% capacity factor) or 7M € per MW.
Unless there has been some huge overnight exchange rate change 7M € seems much cheaper than $150M. Latter of course would actually be much higher when you factor in rest of the equipment, labor etc. Some numbers I found say that it's probably 5x higher.
They could potentially file the suit against Spain in European Court of Human Rights if they have exhausted national remedies. ECtHR has previously ruled some blocks to be illegal, but generally in the context where country sought the ban. Of course in both cases Court is the one that actually orders the ban.
One relevant would be Yildirim v. Turkey where court ordered blocking access to all Google sites because there was one that where someone insulted the memory of Atatürk. This was due to request from Telecommunications Directorate. This then caused the appellant's website to get blocked as well.
Another one would be Vladimir Kharitonov v. Russia.
DPA won't punish you for not following EDPB's recommendations, they will punish you for breaking GDPR. You are free to ignore EDPB if you think your legal position is strong, but you carry the risk if you are wrong.
reply