800
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 23 Feb 2024
800 points (98.9% liked)
Privacy
32506 readers
1231 users here now
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
founded 5 years ago
MODERATORS
Wrong.
In the US, data protection refers to "personally identifiable" data, so severing the link is enough. Under the GDPR, all "personal" data is protected, doesn't matter if it has a link or not to identify the person.
The test under the GDPR, will be whether a comment has any personal data in it. If it's a generic "LMAO", then leaving it anonymous might be enough; if it is a "look at me [photo attached]" or an "AITA [personal story]", then the person can ask for it to be removed, not just anonymized.
That sounds like it places an undue burden onto the user to determine and explain why data might be personal. Is a particular writing style personal? Something that identifies their IP address, or time zone, or three separate messages that can be used to pinpoint someone's identity or narrow it down significantly?
To build on the Matrix example I mentioned, they give you the ability to "redact" messages but it's your job to hunt them down across their entire platform, and obviously you can't look at any messages in any rooms you've been kicked out of (and I'm pretty sure an API call to redact them, even if you correctly guessed the ID, would be rejected).
The other way around: all data originating from a person, is by default "personal data", and the burden of explaining which one is not, lies with whoever is keeping it.
If they're keeping them, then you can request a GDPR export of ALL your data. Doesn't matter whether some interface or application allows you access to the data or not, or even if you've been banned from the whole platform; as long as they keep the data, they have an obligation to honor your rights of:
Even during obligatory data retention periods, when they can't remove the data and only make it inaccessible, you still have the right to get a copy of your own personal data.
I really hope I'm wrong and you're right here! I agree with you entirely in terms of what should be allowed, if it isn't already allowed. And I definitely hope you're correct. I haven't recently requested a data export from my languishing Matrix account, but I might give it another go to see what kind of data is stored on my home server.
I've had to deal with this on the data collection end, and it's a PITA to build in the mechanisms to fully follow the law. If you're an EU resident, and especially if the server is in the EU or has to follow EU agreements, then they'd risk some quite high penalties if they didn't follow it.