Hacker News new | ask | show | jobs
by mziel 3031 days ago
You're supposed to enumerate all uses of the data (and they need to be sufficiently detailed and specific). The user has a choice to opt-in/out of each of them separately.

There is currently no detailed description as to what the definition of "sufficiently" is. For example:

- can I use your data to build a targeting machine learning model?

- can I use it to target you?

- do I need specific opt-in for every model?

Most things in GDPR are not specified in order to both give flexibility to the sites and to reduce the number of loopholes (which are technically legal but against the spirit of the law). You need to decide on the implementation and be ready to defend it in case of an audit.
1 comments
TomMarius 3030 days ago
Defend it? What happened with "innocent until proven guilty"?
link
cyphar 3030 days ago
This is a corporate regulation, not a criminal case. When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws. I don't see why auditing for GDPR compliance should be different to auditing for VAT compliance.
link
TomMarius 3030 days ago
> When a company gets audited by the tax office of a country, they similarly have to defend their finances and prove that they were following relevant tax laws

Not true. There are some countries where it works like this, but also countries where it's the opposite. In some EU countries this got ruled as unconstitutional. In some other countries, this got ruled by the highest court of law as unlawful.

> This is a corporate regulation, not a criminal case.

That doesn't matter in most EU countries.

link
zaarn 3030 days ago
The GDPR does somewhat turn handling private data into "guilty until proven innocent".

Until you prove otherwise, by means of contract, legitimate business interest, law or consent, assume private data is meant to remain private.

link
xxs 3030 days ago
This isn't a criminal case.
link
TomMarius 3030 days ago
Most of European constitutions don't limit this principle to criminal cases - actually most of the time it specifically says that it especially applies to interaction with government on top of criminal cases.
link
s73v3r_ 3030 days ago
The industry decided to vacuum up every last little bit of data they could get their hands on. They've very much already been proven guilty. This is now probation for the industry.
link