We all hate spam. Especially spam that tries to hide behind legal jargon like "Art. 6 Abs. 1 lit. f DSGVO" (GDPR's legitimate interest clause). Today, I want to share how I turned my frustration into action - and built an open-source tool that makes it easy for anyone to fight back.
The Problem: Spam Everywhere
"SPAAAAAM" - We all know it, we all hate it.
Every day, our inboxes get flooded with unsolicited marketing emails. The worst part? Many companies claim they have a "legitimate interest" under GDPR to send you their spam - even without your consent.
The Legal Loophole
Art. 6 Abs. 1 lit. f GDPR states that data processing is lawful if:
"...it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject..."
Companies abuse this clause to justify sending marketing emails without explicit consent. But here's the thing: § 7 Abs. 2 Nr. 3 UWG (German Unfair Competition Act) is more specific and requires prior explicit consent for electronic marketing.
Lex specialis - the more specific law takes precedence.
In other words: They broke the law. They mailed me in the face. And I'm not taking it anymore.
The Inspiration: GDPR Nightmare Letter
In 2018, during the GDPR hysteria, Constantine Karbaliotis (PwC Canada) published the legendary "GDPR Nightmare Letter" - a "fire drill" to help companies prepare for GDPR compliance.
The concept?
- One letter
- 7+ main questions
- 30+ sub-points
- 1 month deadline
- €0 compensation for the company
- Up to €20 million fine if they mess up
Brilliant.
My Solution: Automate the Nightmare
I decided to answer spam emails with my own GDPR horror requests. But manually crafting these detailed letters for every spammer? Exhausting.
So I automated it. With AI. But privacy-first, of course.
The Workflow
Here's how DSGVO-Bro works:
- Anonymize locally - Personal data from the spam email is anonymized on your machine
- Use ChatGPT - Send the anonymized text to ChatGPT to generate a comprehensive GDPR request
- De-anonymize locally - Replace tokens back with real data on your machine
- Send to spammer - Fire off the perfectly crafted legal nightmare
No personal data ever leaves your machine to reach OpenAI. Everything sensitive stays local.
Real Results
The Wrong Answer
After sending my first GDPR request, I got this gem:
Dear Mr. Sarikaya,
We found your contact information through LinkedIn research.
We confirm that you will no longer receive emails from us.
Your data has been deleted immediately and was not shared with third parties.
We apologize for the inconvenience and wish you all the best.
Cute. But not compliant.
My Response
(...) Your short message ("researched via LinkedIn", "data deleted") is insufficient. Please provide a complete, structured, and machine-readable disclosure within the legal deadline (max 1 month from my original request) - alternatively within 10 days - with the following points: (...)
Please note: Any further contact for marketing purposes is prohibited. Communication only for fulfilling this disclosure/deletion request.
Should the disclosure be incomplete again (...), I reserve the right to file a complaint with the competent supervisory authority (Art. 77 GDPR).
Company Reactions
Most companies panic. Some send proper compliance responses. And occasionally? A lawyer's letter hits my inbox.
Best outcome?
- Law firm: "Sorry, here's the disclosure"
- Me: "Wait, this isn't even the email address you spammed"
- Law firm: "Sorry, here's the correction"
Achievement unlocked.
Privacy-First AI: The Technical Challenge
Everyone wants AI. Everyone must comply with data protection.
Should we just use inferior EU models? No.
The Best Solution (IMO)
Anonymize personal data with tokens, use the best models (like GPT-4), then de-anonymize locally.
But there's a catch: Local PII (Personally Identifiable Information) detection is hard.
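The anonymize, prompt, de-anonymize round trip from the workflow above and from this section, as an added example that is not DSGVO-Bro's own code: names are taken from a caller-supplied list and e-mail/phone values are matched by regex (my assumptions, not the tool's detection), and the ChatGPT reply is a constructed stand-in, so everything runs offline. The `leaks` gate is the check a practitioner wants before anything is sent to the API.

```python
import re

# Constructed sample spam e-mail; the person, address and number are made up.
SPAM = ("Hello Max Mustermann, we found your address max.mustermann@example.org "
        "via LinkedIn research. Call us at +49 30 1234567 to hear about our offer.")

# Local detectors for structured PII. Names come from a caller-supplied list here,
# because free-text name detection is exactly the hard part the article describes.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "PHONE": re.compile(r"\+?\d[\d /-]{6,}\d"),
}

def anonymize(text: str, known_names=()) -> tuple[str, dict[str, str]]:
    """Replace PII with placeholder tokens; return the safe text and the local mapping."""
    mapping: dict[str, str] = {}   # token -> original value, never leaves the machine
    counters: dict[str, int] = {}

    def token_for(label: str, value: str) -> str:
        for tok, original in mapping.items():
            if original == value:
                return tok          # same value -> same token, so the model sees one entity
        counters[label] = counters.get(label, 0) + 1
        tok = f"[{label}_{counters[label]}]"
        mapping[tok] = value
        return tok

    for name in (n for n in known_names if n in text):
        text = text.replace(name, token_for("PERSON", name))
    for label, pattern in PATTERNS.items():
        text = pattern.sub(lambda m, lbl=label: token_for(lbl, m.group(0)), text)
    return text, mapping

def deanonymize(text: str, mapping: dict[str, str]) -> str:
    """Put the real values back into the model's output, locally."""
    for tok, original in mapping.items():
        text = text.replace(tok, original)
    return text

def leaks(text: str, mapping: dict[str, str]) -> list[str]:
    """Gate before the API call: any original value still in the text is a leak."""
    return [v for v in mapping.values() if v in text]

if __name__ == "__main__":
    anon, mapping = anonymize(SPAM, known_names=["Max Mustermann"])
    assert not leaks(anon, mapping), "refuse to send: PII still present"
    # Constructed stand-in for the ChatGPT reply; the real tool sends `anon` to the API.
    reply = ("Dear Sir or Madam, under Art. 15 GDPR I request disclosure of all data "
             "you hold on [PERSON_1] ([EMAIL_1], [PHONE_1]) and its source.")
    print(deanonymize(reply, mapping))
```

Anything the local detectors miss (a name not on the list, an unusual phone format) passes straight through to the API, which is why the low precision and recall of local models in the table below matters.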
Current Performance Data
| Tool | Precision | Recall | F1-Score |
|---|---|---|---|
| spaCy (en_core_web_trf) | 20.9% | 83.7% | 75.0% |
| spaCy (en_core_web_lg) | 15.1% | 71.0% | 62.1% |
| Fine-tuned GPT-4o-mini | 95.9% | 95.9% | 93.8% |
What the columns mean:
- Precision = correct PII detections / all PII detections (how many flagged items really were PII)
- Recall = PII found / all PII actually present (how much PII was missed)
- F1 = harmonic mean of precision and recall
The problem? spaCy's local models have terrible precision (20.9%). They flag too many false positives.
The solution? Fine-tuned LLMs or specialized models like GLiNER.
NER Model vs. LLM: A Simple Example
Sentence: "Max works at Google"
spaCy NER Model (trained for names):
- "Max" + uppercase + before verb = 85% PERSON
- "Google" + known entity + after "at" = 90% ORG
- Result: [Max=PERSON] [Google=ORG]
- Done. Can't do anything else.
LLM (general language model):
- Understands syntax, meaning, context
- Can infer: names, relationships, facts
- Can continue: "Max is a software developer..."
- Can answer: "Where does Max work?" → "At Google"
LLMs understand language. NER models recognize patterns.
Future Work
I'm working on better local PII detection alternatives:
- Llama 3.2 3B - Expected precision: 60-80% (vs. current 20.9%)
- GLiNER PII Model - Specialized for PII recognition
- Fine-tuned BERT/RoBERTa - Optimized for German PII data
Goal: Local solution with cloud-API-like quality at 100% privacy
The DSGVO-Bro Tool
DSGVO-Bro is now open-source and available for everyone:
Features:
- Privacy-first AI anonymization
- Automated GDPR request generation
- ChatGPT integration (with local anonymization)
- Ready-to-send legal templates
- Open-source and free
Also available:
- ChatGPT Custom GPT version for quick use
Call to Action: Join the Fight
Want to annoy spammers while exercising your legal rights?
Try DSGVO-Bro now!
GitHub: https://github.com/DGTL-Solutions/dsgvo-bro
Why You Should Care
- Reclaim your inbox - Exercise your GDPR rights
- Privacy-first - No data leaves your machine
- Open-source - Transparent, auditable, free
- Make spammers work - Turn the tables on illegal marketing
Conclusion
GDPR gives us powerful rights. Most companies hope you won't use them. DSGVO-Bro makes it trivial to fight back - automatically, legally, and with complete privacy.
So next time you get an unsolicited marketing email claiming "legitimate interest"?
Send them the nightmare they deserve.