by dsnr 1918 days ago
I guess we should ask the EU MPs who included this loophole in the GDPR law.

„Processing shall be lawful only if and to the extent that at least one of the following:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.“

3 comments

This "loophole" is necessary to allow certain use cases not to need a banner or opt-in at all. E.g. if I want to buy something online, the shop has to know my address to ship me something. It shouldn't have to ask to use it for that use case. OTOH, if it does not ship me anything and still asks me for an address, that would not be legitimate interest anymore, unless it can argue for it (e.g. it needs the address for the invoice).

I would argue that this loophole is for convenience and was not a hot topic anywhere. How it is used now, however, is a different thing.

> This "loophole" is necessary to allow certain usecases not to need a banner or opt-in at all.

This use-case was already covered by letter b) of the same Article 6.

„b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;“

The problem is that not having the legitimate interests clause in there potentially causes far more problems - suddenly the law has to enumerate what all the purposes for data processing might be, and new purposes are illegal by default. That would have produced even more HN outrage about GDPR.

That's what consent is for. GDPR allows tracking with user consent (letter a) of Article 6). No need to enumerate all the purposes in the law. The problem is that the GDPR allows companies to hide tracking behind the concept of legitimate interest, and behind 1 million checkboxes that users now have to click in order to opt out of tracking.

That's unrelated, except the fraudsters designing the cookie popups borrow the term "legitimate interest" from GDPR in order to confuse the users.

That term is already confusing and not unrelated at all. It's an actual loophole which enables those abuses.