undefined | Better HN

0 pointsgeocar6y ago0 comments

> What do you think the new subject access rights, notably the right to data portability, are intended to achieve, if you interpret the definition of personal data so narrowly?

I am not going to speculate.

> The GDPR actually defines personal data as "any information relating to an identified or identifiable natural person (‘data subject’)...", which is significantly different to what you wrote.

I can't speculate on what you think qualifies as "significantly different". I copied and pasted my definition from the ICO's website, which I also linked to. You can disagree with them, but I suspect strongly, even in the current Brexit climate, that the EU courts would agree with the ICO's interpretation over yours.

You might find the part that follows the "..." useful though. It's in Article 4 § 1, if you're unaware.

> It seems to be widely understood, including acknowledgement in various statements by EU officials, that these provisions were aimed squarely at businesses like social networks to avoid them locking users in by holding the user's data hostage. That seems to be exactly the scenario we're talking about here.

That may be part of your confusion. "We" weren't talking about anything to do with social networks, but whether a GDPR regulator is going to levy a heavy fine to Trello for this behaviour.

0 comments

1 comments · 1 top-level

Silhouette6y ago

I'm well aware of what the GDPR actually says, thanks. I was the one quoting it.

My point is that what it actually says, unlike the definition of personal data you gave, clearly goes beyond just the identifying information.

Moreover, there was also clear intent, reflected in the provisions of the GDPR itself and in statements by officials involved in writing and interpreting it at EU level, for the safeguards on data portability and erasure to cover exactly the sort of data we are talking about with a service like Trello.

I'm not aware of any action so far that has actually tested this, but if a national regulator chose not to penalise flagrant non-compliance with both the letter and the spirit of the GDPR such as we see in this case in response to a genuine complaint, it simply wouldn't be doing its job, since it would essentially be unilaterally deciding that entire articles of the GDPR are pointless.

This certainly isn't beyond the bounds of possibility. Indeed, the vague nature of the GDPR in many respects and the reliance on subjective interpretation by all the different national regulators was one of the big criticisms that I and others made at the time it was introduced. But if that happened here and the regulators chose not to enforce in a situation like this, it really would turn the GDPR into a bit of a joke.