undefined | Better HN

0 pointsDanBC7y ago0 comments

Why do you think "legitimate interests" isn't enough?

> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

0 comments

erichocean7y ago

Let me put it this way: if I found out this guy was using my IP address and machine config to do analytics and perform "security" checks, I'd report him to my regulator. Dead serious.

"Analytics" is not what his company is for, ergo, using my Personal Data to do analytics isn't okay. He sure as hell isn't doing it for my benefit. I'm also not hiring him for security, so the same reasoning applies: he doesn't get to store my IP address in his logs without asking.

And when I say "no" to his opt-in modal, he'll still have to provide me non-degraded service. The fact that he can do so is yet another indicator that the data collection is not a legitimate interest.

DanBCOP7y ago

The security of their network is a legitimate interest. The regulator would see that alone as sufficient reason to gather data, especially if that data is mostly discarded 7 days later.

erichocean7y ago

No. They could start looking at IPs once they actually had a security problem, but there's no way in hell they "need" to write my IP address hither and yon to protect their network.

Look, you can definitely discover and monitor for problems by simply hashing IPs and storing the hash instead. Once you've detected a potential problem (say, a lot of requests from the same hash), only then do you have a "legitimate business need" to record the actual IP addresses and do some short-term analysis of the situation.

The spirit of the law is simple: if you don't absolutely need to store personal data, DON'T. Just don't. Store something else. Or just drop the data into /dev/null. Saying that you'll delete soon the personal-data-you-don't-need isn't sufficient.

And really, if this is the way GDPR compliance is going to go, "muh security" is quickly going to gain the reputation as the bullshit reason shady people trot out who want to disobey the law. People who actually care about security should push back on that strongly.

j / k navigate · click thread line to collapse

0 comments

erichocean7y ago

Let me put it this way: if I found out this guy was using my IP address and machine config to do analytics and perform "security" checks, I'd report him to my regulator. Dead serious.

DanBCOP7y ago

The security of their network is a legitimate interest. The regulator would see that alone as sufficient reason to gather data, especially if that data is mostly discarded 7 days later.

erichocean7y ago

No. They could start looking at IPs once they actually had a security problem, but there's no way in hell they "need" to write my IP address hither and yon to protect their network.

j / k navigate · click thread line to collapse