by mpeg
3238 days ago

As far as I understand the GDPR, email hashes wouldn't be "anonymous" data at all; they'd be considered pseudo-anonymous (and therefore still PII). I mean, the problem is that this makes good-willed sites like haveibeenpwned.com illegal in the UK (with criminal sanctions), as they attempt to re-identify data that comes from a breach. But on the other hand, I don't see why processing PII that comes from a data breach with the intent of de-anonymising it should be legal. Maybe protections should be in place for security researchers, but how do you distinguish between them and malicious actors?