Hacker News new | ask | show | jobs
by mikejb 2819 days ago
I think this is a critical point of misunderstanding:

> if a company sells your data and you invoke your rights against the company, it's the company's responsibility to go after whoever they sold the data to, not yours.

Can you point me to more details on this? I have my doubts about it.
1 comments
pluma 2819 days ago
As a user your contract is with the company you give the data to. That's simply how contracts work. If the contract says they can give that data to someone else, that's fine. If it doesn't, they can't. That shouldn't be surprising.

The GDPR treats personal information as property of the user. Even if access to and processing of that data is permitted by the user, it remains the property of the user. If the company is permitted to also pass that data on, they're still responsible for ensuring the data is handled appropriately.

I'm not sure what you are doubting. The GDPR is (in)famous for this.

This is why GDPR compliance makes it nearly impossible to hand over information to third parties who aren't GDPR compliant and why EU companies are nervous about working with Google and other US companies (because the Privacy Shield is not any more trustworthy than Safe Harbor which died an extremely swift death).

As far as the user concerned there's no difference between you "selling" their data and you handing it over to a third party as a data processor. You can't "sell" it because it's not yours, you can just take money for handing it over -- but that's between you and the third party, the user isn't part of that transaction.

Think of it this way: users can't sell you their data (they literally can't) so the data isn't your property. You can't sell what isn't yours, so the data you hand over to a third party is still owned by the user who gave it to you with the (GDPR-backed) expectation that you're retaining the control necessary to comply with their requests.

FWIW I'm not sure how this works for third-party tracking (e.g. Facebook widgets). Google Analytics avoids this by requiring compliant websites to enable IP anonymization (which supposedly should be sufficient) but liability still resides with the website owner (and the Data Protection Agreement makes this perfectly clear).

As you want sources, here's what a quick Google yields:

https://iapp.org/news/a/threes-a-crowd-third-party-risk-unde...

https://martechtoday.com/gdpr-mean-third-party-data-processo...

https://www.out-law.com/en/articles/2017/november/stricter-c...

And especially this:

http://www.infocore.com/insights/data-privacy-a-marketers-lo...

> Under the GDPR, EU citizens must be given the easy ability to withdraw their consent, often called "the right to be forgotten". If consent is withdrawn, those data subjects have the right to have their personal data erased and no longer used for processing by the data collector, and by any other entity who has ever used or purchased that data.

So in other words: "selling" user data is no different from handing the data to a data processor.

The point of the GDPR is that personal information is something that taints your product's data and therefore something you want to avoid. Selling it to dodgy companies that abuse the heck out of it is exactly what the GDPR is meant to combat.

link
mikejb 2819 days ago
Unfortunately none of your links referred to the actual legislation and only provide summaries and interpretations, but Article 17 (Right to erasure), Section 2 states:

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

So there's an obligation to inform. Which makes sense: Assume you (with consent of the user) sell data to some company, you have to forward them the request of said user to be forgotten. But you have no authority over that company. You can report them to any and every authority if they ignore or actively refuse your request, but you as a company have no authority over them. Particularly if they don't operate within the reach of the European authorities, there's little you can do. And that's what I mean with "You surrender control of the data once you sell it".

link