
I am sure I will get downvoted to oblivion, but I think GDPR is a colossal waste of time and money.

I think mandatory do not track settings are great, but the right to be forgotten is too onerous to implement and not present in other domains.

They do make it harder for smaller businesses to compete.

I can't go to my school or a credit bureau or an insurance company and say that all my past history should be forgotten.

Why should we enforce such a regulation online?



> I can't go to my school or a credit bureau or an insurance company and say that all my past history should be forgotten.

> Why should we enforce such a regulation online?

I'm a bit confused. Exactly the same laws apply to the insurance company and credit bureau. They have to have valid reasons for keeping the data, and if they don't have those reasons they need to get rid of it. Which applies equally to online companies.


OK, can you also post here all your personal details, so I could sell them to anybody who wants to exploit them to earn money? OK, fine, you don't want to post it here. Could I get them from your bank, work, friends, family, post it here and sell to anybody?


This is a strawman. You are talking about personally identifiable information and data usage policies, which is an entirely different thing than the requirement for all data to be deleted.


> You are talking personally identifiable information and data usage policies which is an entirely different thing than the requirement for all data to be deleted.

Could you explain a bit more what you mean? GDPR only concerns itself with personally identifiable information, and is at its core about the rules for "data usage policies" around it (which of course will involve rules for when to delete data).


Are you sure that GDPR only concerns itself with PII information? In other words, is it legal to collect information about users as long as it isn't tied to PII?

I consider PII to be things like name, Social Security Numbers, a credit card #, an email, DOB, etc.

You seem to be suggesting as long as the data isn't associated with the above or can't reasonably be tied to the above then GDPR doesn't apply.

I am in favor of rules around the usage and collection of PII information. i.e. that information should not be shared with other parties without the user's consent and in general access should be restricted.

My main beef with GDPR is the difficulty of implementing such a system, with on demand wipeout.


"just PII" was a bit too strong, but this is how GDPR defines personal data, which is what it regulates:

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Identifiable is core to this definition. It's important to note that it's taken so far that it's enough if others can establish the link, which is why things like IP addresses or photos fall under it, even if I as a website operator can't just go ask ISPs for the user behind an IP.

> with on demand wipeout.

I keep coming back to that: GDPR only has something I'd call "on-demand wipeout" if your only basis of processing is "I've asked the user for consent", because they can revoke said consent (or if you kept data without justification, of course). If you need the data to fulfill a contract, you can store it as long as that's still true. If you're legally obligated to keep records, the person can't just request you delete it. If you can argue a strong overriding interest to keep some data, you can keep it - although that one is of course open to interpretation as to when your interest actually weighs higher than the person's interest (an example might be fraud prevention records).


> They do make it harder for smaller businesses to compete.

Do you have examples of particular businesses or classes that are particularly affected?


> right to be forgotten is too onerous to implement and not present in other domains

Not always, but it definitely is. Take the legal system. The UK has something called the Rehabilitation of Offenders Act. After some varying time - dependent on seriousness of offence - I can legally answer "no" to a potential employer asking "have you ever been convicted?".

Google makes a mockery of that. If the law says a 7 year old minor offence is spent, why not search and media too?

> They do make it harder for smaller businesses to compete

As someone working mainly for smaller UK businesses over my career, I don't see this at all. Complying with GDPR, and its very similar Data Protection Act predecessor, has been fairly trivial.

> a credit bureau or an insurance company and say that all my past history should be forgotten

For both credit rating and insurance history, they age out after 5 or 6 years.

Seems like it's online that is wanting the exception of "everything, forever".


I don't believe that is true. Credit bureaus and insurance companies have information about every place you have lived and worked, what school you attended.

The actual ratings may be weighted on information in the last X years.

Also, it is much easier to implement a policy where no data can be retained after X years than on-demand wipeout.


Neither has which school I attended, or has ever asked. An insurer has employers, but only those whilst insuring with that company. I suppose my bank could have told the credit rating agency, but they'd have to infer it from the monthly wages deposit. Is that required in the US?

If they are only weighting on the last 5 years they no longer have a business case under GDPR to retain it[1]. Essentially it crystalises in law what should already have been the case.

> it is much easier to implement a policy where no data can be retained after X years than on-demand wipeout

Not sure how when all that changes is the clock.

[1] If my account was fraudulent in some way, or there's a law requiring some retention, there is a business case for retaining longer, and it is permitted.


> Not sure how when all that changes is the clock.

This is most surely not the case. Many data stores are simply dated collections of files.

With fixed expiration for all data you can simply implement GDPR with things like TTLs and making sure that any downstream systems do not consume data older than a certain date.

With individual wipeouts that can happen at any time this becomes much more challenging.

Now all data, in all systems that use that data, have to have the ability to wipe data at the individual record level on demand.

This has broad implications, especially depending on how one interprets whether things like derived models, aggregate stats, etc. need to be recalculated in light of GDPR requests.
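To make the contrast in this comment concrete, and to tie it to the earlier point that the lawful basis for each record decides whether an erasure request even applies, here is an added example (not code from any commenter) of a small data store that supports both a fixed-TTL policy and per-subject on-demand erasure. The record shape, the basis labels, the downstream per-country aggregate and the sample data are all constructed for illustration; the retention decisions follow the thread's own reading of the rules, not a legal analysis.

```python
"""Added example: fixed-TTL expiry vs. on-demand per-subject erasure.

Everything here (record fields, basis labels, aggregate, sample data) is
constructed for illustration; it is not code from the thread or from any
product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical lawful-basis labels, following the categories the thread discusses.
CONSENT = "consent"
CONTRACT = "contract"
LEGAL_OBLIGATION = "legal_obligation"
LEGITIMATE_INTEREST = "legitimate_interest"

# Constructed reference clock so the sample data is reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


@dataclass
class Record:
    subject_id: str
    country: str
    created_at: datetime
    basis: str
    basis_active: bool = True  # contract still running, interest still valid, ...


def must_retain(rec: Record) -> bool:
    """Can an erasure request be honoured for this record? (thread's reading)"""
    if rec.basis == LEGAL_OBLIGATION:
        return True                 # statutory retention overrides the request
    if rec.basis in (CONTRACT, LEGITIMATE_INTEREST):
        return rec.basis_active     # keep only while the justification holds
    return False                    # consent: the request is the revocation


@dataclass
class Store:
    records: list = field(default_factory=list)
    per_country: dict = field(default_factory=dict)  # downstream aggregate
    tombstones: set = field(default_factory=set)     # erased subjects

    def ingest(self, rec: Record) -> bool:
        """Every write path must honour tombstones or erased data comes back."""
        if rec.subject_id in self.tombstones:
            return False
        self.records.append(rec)
        self.per_country[rec.country] = self.per_country.get(rec.country, 0) + 1
        return True

    def _recount(self) -> dict:
        counts = {}
        for r in self.records:
            counts[r.country] = counts.get(r.country, 0) + 1
        return counts

    def expire_older_than(self, cutoff: datetime) -> int:
        """Fixed-TTL policy: one clock, no per-record lookup, aggregate rebuilt."""
        kept = [r for r in self.records if r.created_at >= cutoff]
        dropped = len(self.records) - len(kept)
        self.records = kept
        self.per_country = self._recount()
        return dropped

    def downstream_view(self, cutoff: datetime) -> list:
        """Under a TTL policy a consumer only needs an age check to stay clean."""
        return [r for r in self.records if r.created_at >= cutoff]

    def erase_subject(self, subject_id: str) -> dict:
        """On-demand erasure: per-record addressability in the primary store,
        a matching adjustment in every derived dataset, and a tombstone."""
        erased, retained = [], []
        for r in self.records:
            if r.subject_id == subject_id:
                (retained if must_retain(r) else erased).append(r)
        erased_ids = {id(r) for r in erased}
        self.records = [r for r in self.records if id(r) not in erased_ids]
        for r in erased:
            self.per_country[r.country] -= 1   # derived stat adjusted per record
        if not retained:
            self.tombstones.add(subject_id)
        return {"erased": len(erased), "retained": len(retained)}


def build_sample_store() -> Store:
    """Constructed sample data: three subjects with different lawful bases."""
    s = Store()
    s.ingest(Record("alice", "DE", NOW - 10 * DAY, CONSENT))
    s.ingest(Record("alice", "DE", NOW - 400 * DAY, CONSENT))
    s.ingest(Record("bob", "FR", NOW - 5 * DAY, CONTRACT, basis_active=True))
    s.ingest(Record("carol", "DE", NOW - 30 * DAY, LEGAL_OBLIGATION))
    s.ingest(Record("carol", "DE", NOW - 2 * DAY, CONSENT))
    return s


if __name__ == "__main__":
    s = build_sample_store()
    print(s.erase_subject("alice"), s.per_country)   # {'erased': 2, 'retained': 0} {'DE': 2, 'FR': 1}
    print(s.erase_subject("carol"), s.per_country)   # {'erased': 1, 'retained': 1} {'DE': 1, 'FR': 1}
    t = build_sample_store()
    print(t.expire_older_than(NOW - 365 * DAY), t.per_country)  # 1 {'DE': 3, 'FR': 1}
```

The asymmetry the comment describes shows up in the two methods: `expire_older_than` is a single filter plus a rebuild of the aggregate, and downstream consumers only need the same cutoff; `erase_subject` has to find the subject in the primary store, decide per record whether the request applies, adjust each derived dataset it touched, and record a tombstone so later ingests do not resurrect the data.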


> I can't go to my school or a credit bureau or an insurance company and say that all my past history should be forgotten. Why should we enforce such a regulation online?

GDPR makes no distinction between online and offline businesses: they can keep data if they have a proper justification for it.


What constitutes proper justification for keeping information?


https://gdpr-info.eu/art-6-gdpr/ is the core list of reasons for data processing, any company needs to justify its data usage based on them. (Case a., consent, is a bit special, other articles put clear limitations on it so it isn't abused, make it revocable, ...)


> They do make it harder for smaller businesses to compete

Small business person here - implementing GDPR compliance basically meant a few tweaks to our privacy policy to make it clear what data we collect, why we collect it, and how long we retain it for.

Why was it so simple? Because GDPR is honestly not that onerous, and because we already gave a fuck about privacy.



