Hacker News new | ask | show | jobs
by closeparen 2556 days ago
Well, suppose he does some transformation involving position. GPS points also have altitude in them. He neglects to sanitize altitude at the point of collection, and is therefore collecting and retaining more data than necessary to perform the service. He plots positions on a relatively zoomed-out map. Only the first six significant figures make a perceptible difference in the map position, but he retains the same precision that was uploaded, usually higher. Again, failure to minimize. Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.

Now he has "decided to build a business around profiting from the abuse of personal data" and the consensus in this thread looks on his destruction with glee.
1 comments
hdfbdtbcdg 2556 days ago
> Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.Worse, he enabled automated periodic VM snapshots with his VPS provider, so is not properly complying with deletion requests.

This is typical FUD. GDPR allows backups. Right to be deleted doesn't mean grovelling through backups. If those snapshots are rotated out after e.g. 3 months he is fine.

And regarding sanitizing altitude. Again pure FUD. There is no way that that would be a problem.

Of course if he stores the data in a personally identifying way and then is either incompetent or abusive then he could attract a fine...

In the real world GDPR enables such websites because users can trust that he has to follow some minimum standards.

link
closeparen 2556 days ago
The great thing about TFA is we can stop speculating and see what the regulators are actually doing.

>After the controller succeeded to identify the data subjects he refused to comply with the deletion request, arguing he is legally obliged to retain backup copies according to the Accountancy Act and internal policies. Since he did not properly inform about these policies, the NAIH held the controller breached the principle of transparency.

So maybe if his backup regime were precisely specified in his privacy policy. But even a conflicting legal requirement is no defense, here.

Regarding minimization, 4 other cases:

>During an inspection, the Lithuanian Data Protection Supervisory Authority found that the controller processed more data than necessary to achieve the purposes for which he was a controller.

>Data was not only processed if adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

> The video surveillance subject of the proceedings is therefore not limited to areas which are under the exclusive power of control of the controller.

> The Commissioner considered that the aim could be achieved by referring only to the initials of their name and/or their faces being blurred and/or publishing photographs drawn from a distant distance

"Of course if he stores the data in a personally identifying way..." GDPR cares not for identifying but for identifiable. It's GPS data. If someone uploads data pertaining to their home, workplace, frequent travel routes, etc. then it is definitely identifiable.

Regarding FUD, it seems FUD is exactly what the DPAs intend, since they are punishing rather than helping when asked for advice!

>Kolibri Image had send a request to the Data Protection Authority of Hessen asking how to deal with a service provider who does not want to sign a processing agreement. After not answering Kolibri Image in more detail, the case was forwarded to the locally responsible Data Protection Authority of Hamburg. This Auhtority then fined Kolibri Image as controller for not having a processing agreement with the service provider.

link
johndough 2556 days ago
Statement from Kolibri Image (German):

https://kolibri-image.com/causa-datenschutz/

Google translate:

https://translate.google.com/translate?hl=&sl=de&tl=en&u=htt...

tl;dr

The Data Protection Authority of Hessen suggested Kolibri Image to draft their own data processing agreement and get Packlink, located in Madrid, to sign it. [1]

Kolibri Image then stated that they would "leave things as they are", which was incorrectly interpreted to mean that they'd use Packlink without an agreement instead of not using Packlink in the future.

In addition, Kolibri Image forgot to update one of their six data processing agreements on various websites which still mentioned Packlink, so their clarification of the matter was not believed.

Finally, the case was dropped because it (partially?) happened before the 24th of Mai.

[1] Drafting a data processing agreement for Packlink is of course not very practical because who knows how they handles their data and why would Packlink sign it in the first place if they don't want to offer a data processing agreement. In addition, the cost of drafting and translating the agreement is much more expensive than the savings from using Packlink as a shipping processor.

In any case, I agree that fining after asking for advice is not a friendly move.

link
hdfbdtbcdg 2556 days ago
I think you should dig into these cases a little deeper.
link
closeparen 2556 days ago
The people who can be relied on to do that correctly when money is on the line are called lawyers, and they aren't cheap.
link