undefined | Better HN

story

0 pointsiagovar8y ago0 comments

But op-int for what? For being tracked? Using you data? Just showing you an ad?

0 comments

You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.

TomMarius8y ago

Defend it? What happened with "innocent until proven guilty"?

cyphar8y ago

This is a corporate regulation, not a criminal case. When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws. I don't see why auditing for GDPR compliance should be different to auditing for VAT compliance.

TomMarius8y ago

> When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws

Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.

> This is a corporate regulation, not a criminal case.

That doesn't matter in most EU countries.

zaarn8y ago

The GDPR does somewhat turn handling private data into "guilty until proven innocent".

Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.

xxs8y ago

This isn't a criminal case.

TomMarius8y ago

Most of European constitutions don't limit this principle to criminal cases - actually most of the time it specifically says that it especially applies to interaction with government on top of criminal cases.

s73v3r_8y ago

The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.

j / k navigate · click thread line to collapse

0 comments

mziel8y ago

You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

TomMarius8y ago

Defend it? What happened with "innocent until proven guilty"?

cyphar8y ago

TomMarius8y ago

> When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws

> This is a corporate regulation, not a criminal case.

That doesn't matter in most EU countries.

zaarn8y ago

The GDPR does somewhat turn handling private data into "guilty until proven innocent".

Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.

xxs8y ago

This isn't a criminal case.

TomMarius8y ago

s73v3r_8y ago

The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.

j / k navigate · click thread line to collapse