Thursday, August 8, 2024

GDPR is just a suggestion - A guide to European privacy laws

Marcus Eldridge

Since its introduction in 2018, GDPR has completely upturned the data collection field and needlessly forced a lot of respectable companies out of business. At Radiant, we've built our reputation on evading the reach of privacy regulators, and so we thought it's about time we shared our strategies with the broader community.

Generally, we employ three main techniques:

  • Jurisdiction avoidance. Using service providers and shell companies to avoid being classified as operating in Europe.
  • Data replication. Storing de-anonymized data in replica databases that are completely obscured to anyone outside the company.
  • Deceit and obfuscation. Lying to regulators and customers about our compliance and employing a Data Protection Officer who is technically 'fictitious.'

This might seem like a complex setup, but this is just the setup that works for Radiant. It's important to remember to use a strategy that works for your situation and scale — picking and choosing the aspects that seem the most appropriate.

Jurisdiction avoidance

Avoiding actually ever doing business in Europe is the easiest way to skirt the regulations, but how do you continue selling to European customers? Well, at Radiant, we use a data storage company called Sly Data that is in charge of managing all of our European user data. Technically, we license our data from Sly and offload all our storage to them. This is important in shielding us from liability and obscuring any ownership.

Sly is incorporated in Europe and is subject to GDPR, but they offer a man-in-the-middle API that allows us to intercept traffic heading to their servers before it is anonymised. We then siphon that data off into a series of shell companies and onion routers before it ends up in our data storage.

The genius of this approach is that we avoid any responsibility for storing European customer data, and when authorities look into Sly, everything seems compliant.

Data replication

It's important that if regulators ever do come sniffing, Radiant seems compliant with policies like data minimization and pseudonymisation. We already touched on some of our data replication techniques above, but we take the extra step to store replicas of our databases that completely comply with the regulations. This data is transformed in the following ways:

  1. Delete metadata columns that store information like Driver's License, Passport Numbers, and Personal Identification Numbers.
  2. Tokenise or anonymise identifying fields like names and addresses.
  3. Revise createdAt and updatedAt fields down to the millisecond so there is no discrepancy.

Our master databases have references to all the anonymized rows in the replicas, but not the other way around. This means that if we get a request to delete some information, we can delete it from the replicas and appear perfectly compliant while maintaining our original records.

Once again, our master databases are obscured by a complex onion routing system that only we have the map for. We have an emergency plan to burn down the server room where this is stored in the worst-case scenario.

Deceit and obfuscation

Being compliant with GDPR involves a lot of bureaucracy and record-keeping that would be the death of any truly innovative tech company. Aside from getting user consent, companies are also required to appoint a Data Protection Officer, keep records of data processing, and regularly train staff.

At Radiant, we just don't do any of that stuff and instead rely on AI to make it look like we are. Our Data Protection Officer, who legally died in 1983, is an email address run by an AI trained on mountains of privacy regulations. It responds to inbound requests with extremely long, tedious legal jargon that dissuades anyone from continuing the conversation. We've also programmed it to randomly send out company-wide emails reminding employees of their data security obligations — these go straight to spam.

The goal here is to look like you're doing something, even if it's the wrong thing, because no one actually knows what you're supposed to do — not even the regulators.

Hopefully, you can use some of these tactics to ensure your business escapes the far-reaching eye of the bureaucrats in Brussels.