In answering this question, this seems to be relevant:
GDPR Art.7(3):
…It shall be as easy to withdraw as to give consent.
^ If you can no longer login to easily withdraw consent because they started blocking your connection, Art.7(3) would apparently be unsatisfied.
EDPB Guidelines 01/2022 pg.21 ¶53:
The EDPB encourages the controllers to provide the most appropriate and user-friendly communication channels, in line with Art.12(2) and Art.25, to enable the data subject to make an effective request.
^ Blockades against platforms, tools, mechanisms that users rely on would seem to be “user-unfriendly”, though it’s unclear if their meaning of “user friendly” is broad enough to have this interpretation.
EDPB Guidelines 01/2022 pg.23 ¶63:
The controllers must implement or re-use an authentication procedure in order to ascertain the identity of the data subjects requesting their personal data or exercising the rights granted by the GDPR.
^ Creating new access restrictions would seem to fail to re-use the original authentication procedure.
Data controllers often tend to start blocking Tor and/or VPNs spontaneously without warning. That seems to violate the rules of informed consent. That is, the data subject consented to the processing of their data by website A, but when website A made a significant material change (i.e. blocking Tor/VPNs), it effectively changes the deal the data subject thought they were consenting to. EDPB Guidelines 05/2020 pg.23 ¶110 seem to capture this:
There is no specific time limit in the GDPR for how long consent will last. How long consent lasts will depend on the context,the scope of the original consent and the expectations of the data subject. If the processing operations change or evolve considerably then the original consent is no longer valid. If this is the case, then new consent needs to be obtained.
So IIUC, the data controller must warn you before blocking your access to their service and give you a chance to withdraw your consent. This assumes we can interpret the IT infrastructure of the data controller as part of the “processing operations”.
I get the feeling the EDPB has not exactly nailed the scenario of Tor/VPN blockades, so we are left with picking through scraps somewhat out of context to get an idea of how this would go in court.
Are there any more relevant decisive guidelines from the EDPB that I’ve missed?