(Note that this is all written from a European perspective, applies European Economic Area law and human rights as defined by the Council of Europe (which includes Russia, to everyone's surprise). I know that in the USA everyone is much more pro frontier justice, for example when it comes to pervasive and continual monitoring of employees while at work.)
I think it's very arguable that they have a legitimate interest here. Privacy has always been a weighing of interests, at least that's how I've always heard it explained by the Netherlands' face of digital law (Arnoud Engelfriet) also back in the days of WBP (the law from ~1995 that is 97% the same thing as GDPR), also in light of the European Convention of Human Rights (article 8 is a right to privacy).
A common example is filming the road: illegal, but if you park your car in front of your house and there have been car fires in your neighborhood lately, then it can be justified.
Filming employees inside a warehouse: invasion of privacy (illegal) but if there have recently been thefts from a certain part of the building then it's justified to hang up a camera there, introduce a lock that registers who went there at what time, or some such. (With adequate security measures so only authorized people can use it for the intended purpose.)
Personal example: monitoring everything I do on the company network is illegal, but because I work in a business where secrecy is important (security consultancy) it was considered justified to do spot checks, tell every employee upon entering into the employment contract that spot checks are a thing, and inform the subjects of spot checks after they were part of one. Transparent but still effective.
The two things to consider (iirc) are:
- Do my rights weigh heavier than the other party's right to privacy? (e.g. car fire is a fairly big impact on your right to the peaceful enjoyment of his possessions)
- Is there any other way in which I could achieve this goal with a lesser impact on the right to privacy?
In the case of Elsevier, from what I heard this whole scheme is a big mafia-like practice (wouldn't want to be published in a niche corner nobody reads now would you?) and so in my opinion it's entirely unethical to support (work for) them in the first place, at least in any role except one where you think you might be able to nudge things in the right direction. But I could see how a judge says: well, that's how today's law works, that you have moral objections is something you can take to your favorite religious leader and lament about, not a court of law.
If I'm being fair, there isn't even really an invasion of privacy because PDFs don't have executable code (usually) that can track you. Rather, they need to hide it somewhere so that, if it appears on The Pirate Bay, they can read out the ID and see who the perpetrator is. More like a criminal investigation using a fingerprint on a glass, and less like a cookie actively sent with every action you perform on a website.
TL;DR: GDPR applies, but it probably doesn't make this database illegal. It's not a loophole by which a person can say no to literally everything. (Would be cool if you could require the police to stop using your fingerprint in a legitimate investigation.)
Still, if I were that sysadmin... I probably wouldn't 'drop table elsevier', but I'd rather live off government benefits than support that scheme.
Thank you for this cogent analysis. It sounds valid as they probably notify their subscribers that they forbid document release to the wild and use technical means to measure it. The only hope is the usual request to the authors, who have traditionally sent papers to all requests, of course the profs can also pay 'blotgelt', and as long as the fees are small enough or the prof can afford, file it as an open paper. I am encouraged that the open paper concept is gaining traction - in the days when Nobel was alive, his Nobel Prize was in fact created on this basis of open papers freely sent to others - sadly, had he known, he may well have included the open paper concept into his legacy to prevent the blatant rent seeking empires we now see.
That said, curation and acceptance/publication of papers is a service of value and it is needed, at a lower cost as the journals do a job of work to keep totally crappy AI/idiot created papers that get into the totally open journals who are unable to deal with the blizzard of papers they face - the bad get through. There are also the fake fee based online journals where a distressingly small fee gets you online for citation by your coterie of anti vaxxers, nutrition gurus, etc etc. - essentially insoluble, save by intelligent readers who often shed this burden to avoid the waste of time. Fortunately the 'contents **' publications winnow most of these out.