Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

OK, can you also post here all your personal details, so I could sell them to anybody who wants to exploit them to earn money? OK, fine, you don't want to post it here. Could I get them from your bank, work, friends, family, post it here and sell to anybody?


This is a strawman. You are talking personally identifiable information and data usage policies which is an entirely different thing than the requirement for all data to be deleted.


> You are talking personally identifiable information and data usage policies which is an entirely different thing than the requirement for all data to be deleted.

Could you explain a bit more by what you mean? GDPR only concerns itself with personally identifiable information, and is at it's core about the rules for "data usage policies" around it (which of course will involve rules for when to delete data).


Are you sure that GDPR only concerns itself with PII information. In other words, is it legal to collect information about users as long as it isn't tied to PII?

I consider PII to be things like name, Social Security Numbers, a credit card #, an email, DOB, etc.

You seem to be suggesting as long as the data isn't associated with the above or can't reasonably be tied to the above then GDPR doesn't apply.

I am in favor of rules around the usage and collection of PII information. i.e. that information should not be shared with other parties without the user's consent and in general access should be restricted.

My main beef with GDPR, is the difficulty to implement such a system, with on demand wipeout.


"just PII" was a bit too strong, but this is how GDPR defines personal data, which is what it regulates:

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Identifiable is core to this definition. It's important to note that it's taken so far that it's enough if others can establish the link, which is why things like IP addresses or photos fall under it, even if I as a website operator can't just go ask ISPs for the user behind an IP.

> with on demand wipeout.

I keep coming back to that: GDPR only has something I'd call "on-demand wipeout" if your only base of processing is "I've asked the user for consent", because they can revoke said consent (or if you kept data without justification of course). If you need the data to fulfill a contract, you can store it as long as that's still true. If you're legally obligated to keep records, the person can't just request you delete it. If you can argue a strong overriding interest to keep some data, you can keep it - although that one is of course open to interpretation when your interest is actually weighing higher than the persons interest (an example might be fraud prevention records)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: