Has anyone leveraged GDPR to overturn automated bans?

From memory I believe FAANG etc all _claim_ that appeals you lodge are reviewed by a human.

Now if you don’t believe them then you’d need to take them to court and show why you think that’s not the case.

Which I guess means my question is why don’t you believe them and how likely is it that they are lying when they claim thy appeals are reviewed by a human?

We seriously need an Internet Bill of [Personal] Rights and get it into law and use it against the FAANGs. Europe at least seems to be trying, along with California sometimes.

Yes. I once got my account permanently locked at a well known service provider when I simply tried to make a payment for the first time. Support wasn't useful and all they could do was tell me that I somehow violated their Terms of Service for committing "fraudulent patterns" over and over again.

I could have and maybe should have just let it go, but it really got under my skin. I first tried out of band approaches to contacting somebody there. I didn't reach anybody, and you quickly realize how everybody else on the Internet just assumes you must either be lying or not telling the full story. Maybe it's just acceptable losses while doing business at scale.

So I finally just emailed them a polite GDPR request containing some spiel about Article 15(h), how I have the right to request my personal data, and also have the right to correct any inaccuracies in it, which must be the case since I committed no such fraudulent actions. I also requested a full list of all their data subprocessors, which I couldn't actually find listed anywhere on their site.

I'm not a lawyer, and I don't know if my request hit all the right notes or not. But literally one hour later, I got my account unlocked with a personal apology.

For what it's worth I also let them know that I'm not really looking to circumvent their systems, and I'm sure they have to deal with a lot of bad actors. But there really needs to be a better way to reach somebody to fix things when automated systems go wrong.

I also have the feeling that this approach would fall on deaf ears for big FAANGs, and there really needs to be some high profile ruling to put the fear in them.

The problem is that the GDPR is pretty much not enforced. See https://ruben.verborgh.org/facebook/ where the author tries to get all his data from Facebook - the case hasn't moved since 3 years now.

The regulators are useless (especially the Irish one which seems happy to shield big tech scum from having to comply with the law) which confirms my own experience raising complaints with the ICO (the UK privacy regulator).

Not speaking for my employer, but the actual quote from GDPR is:

> The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Emphasis mine. This would not include the vast majority of automated bans. It's more meant as a way to prevent e.g. automated police action via algorithmic selection.

There’s also the right to be forgotten. How can they ban you if they have to delete all information that can be used to identify you?

Even hashes of your email address or payment data should be something you should be able to request they must delete.

Aside from using imap to backup my mail, what else should I do to help mitigate an arbitrary ban? I’ve had a gmail account for 20 years since 12 year old me got caught up in invite fomo. I’ve since moved to other providers but still there’s a fair amount tied into my account currently.

Mostly I’m scared of ‘multifactor’ where email access is considered a form of identity, but I’m not sure what else

getting anything sensitive data out of large companies with the GDPR seems to be impossible unless you want to resort to lawyers

I was trying to get my matchmaking data out of Activision Blizzard and they flat out refused, saying my data was their property

their exact response was:

> "the information requested are trade secret and/or intellectual property needed to preserve our game integrity"

I complained to the regulator, who agreed with my assessment, but to enforce it I'd have to go to court

seems the GDPR is basically useless

GDPR Article 22 (the rule you refer to) also has exceptions:

> Paragraph 1 shall not apply if the decision...is necessary for...performance of, a contract between the data subject and a data controller

Which I can see applying as they probably have something in the ToS to enforce here.

It also allows automated decision making to comply with EU law. I don't know EU copyright law well enough, maybe Google has a responsibility to take down that data under copyright law and so this exception applies too.

The data subject shall have the right not to be subject to a decision based solely on automated processing

Lots of leeway for FAANG/BigCo management to wriggle out of that one. "Sure, Jones in Legal gets an email notification every time an account is banned and has the option to review it."

I can only imagine the lobbying and "negotiation" that takes place to have legislators water down the requirement for real human beings to review or respond to such bans.

Are these actual GDPR takedowns causing accounts to be banned, or are these via the internal copyright enforcement systems implemented so that actual legal GDPR requests don't have to be sent (with all the strings attached to those). ie. Banned because of GDPR (giving you rights) or banned because of violating Terms of Service (giving you no rights in almost all TOS)?