by wtfstatists 2949 days ago
> ToU don’t change what PII is or isn’t under the GDPR.

ToU can, by prohibiting the user from entering any PII. In case of email, ToU would say that only non-identifying email can be used.

For the rest of your comment, I don't see any relevance here. There is no need for consent for non-PII userdata. All PII userdata is behind a legal and technical wall and cannot be accessed by the processor/controller of non-PII userdata.

1 comments

There is no such thing as a “non-identifiable” email. You cannot use ToU to bypass GDPR.
Ok, here is my email: 1373f84998986cf8@tutanota.com. Identify me! Know that I won't use the email elsewhere.

> You cannot use ToU to bypass GDPR.

Just to clarify, this is not buried in ToU but laid out clearly.

So the website says don't give PII. User still does. And GDPR would penalize the website? Citation please.

Are you serious? The fact that your email isn't yourname@mailprovider.com doesn't make it any less identifiable. My IP address is 192.168.1.1, identify me... It also doesn't matter if you think the information is identifiable or not; what matters is how the GDPR defines it.

The GDPR defines PII and there isn't anything you can do about it. You can't ask users to make a throwaway email account and hope that you can pass GDPR by claiming that it's not PII; this isn't how regulation works.

What matters isn't that the email address reveals your name; it is that someone can use it to identify additional information about you, such as if you are subscribed to a specific service or not.

> So the website says don't give PII. User still does. And GDPR would penalize the website? Citation please.

If the website asks for an email address, that is PII under the GDPR.

IP is not user-entered data and cannot be freely selected, unlike email addresses.

> the fact that your email isn't yourname@mailprovider.com doesn't make it any less identifiable.

The only official guidelines about email I could find are in here [1]. It does not say all email addresses are PII. It just says "name.surname@company.com" type addresses are PII and "info@company.com" type addresses are NOT PII. So even "yourname@mailprovider.com" may be non-PII.

> someone can use it to identify additional information about you such as if you are subscribed to a specific service or not.

That's not enough. The service needs to have PII. That is, if none of the services has PII, the email address is not PII.

> you can't ask users to make a throwaway email account

Throwaway is not needed. At best an individual needs 2 email accounts. One address for the services where he is identified (e.g. bank website) and one address for where he is not (e.g. random forum).

So this is not an onerous condition at all. If that's the case you are making.

> If the website asks for an email address, that is PII under the GDPR.

This is not a (official) citation.

[1] https://ec.europa.eu/info/law/law-topic/data-protection/refo...