|
Condiv posted:structure your off site, offline backups properly so that PII can be disposed of on request. or even better, don't keep PII floating around in offsite, offline backups unless you're legally required to, at which point right of erasure doesn't apply. This is basically just revealing you have no idea how broad a category personally identifiable information is, or apparently the fact that people intentionally asked that their data be stored in physically redundant locations because they intended to make it hard to lose that data unintentionally.
|
# ? May 27, 2018 20:28 |
|
fishmech posted:This is basically just revealing you have no idea how broad a category personally identifiable information is, or apparently the fact that people intentionally asked that their data be stored in physically redundant locations because they intended to make it hard to lose that data unintentionally. actually fishmech, i listed the PII that is eligible for deletion just a post or two back. why don't you follow the link in it and educate yourself
|
# ? May 27, 2018 20:44 |
|
fishmech posted:You appear to have no idea what justifying means. Why don't you try looking it up and then go back to this post and figure out where you went wrong The statement; You're within the specs of "justifying" your use, under the GDPR, simply by slathering something in about how "giving access to all your info enables enhanced brand experiences". is nonsense. What specific processing actions are you as the data controller presenting to the data subject to consent to in this case? Is the collection of ‘all your info’ legitimately a requirement for your service? You’re just rehashing the implicit argument made by Facebook in their revised terms, which form the second strand of the NOYB case, and even they go into detail as to what ‘enhanced brand experience’ means quote:Additional “hidden consent” in terms of service
|
# ? May 27, 2018 20:49 |
|
Condiv posted:actually fishmech, i listed the PII that is eligible for deletion just a post or two back. why don't you follow the link in it and educate yourself Right and that's "basically all personally identifiable information". Which again includes a ton of stuff that there would be no reason to keep in special secure storage the way you would, say, national identity card scans. Like is this just some type of joke or what? Total Meatlove posted:The statement; Once again, the companies are under no obligation to justify things with a real justification. They can just say "we need this for a bullshit reason" and that's 100% valid under the GDPR. Because the GDPR doesn't care about a justification's content. They don't have to explain poo poo so long as they present consent switches. fishmech fucked around with this message at 20:52 on May 27, 2018 |
# ? May 27, 2018 20:49 |
|
fishmech posted:Right and that's "basically all personally identifiable information". sorry, no it's not. quote:Which again includes a ton of stuff that there would be no reason to keep in special secure storage the way you would, say, national identity card scans. so? quote:Like is this just some type of joke or what? you tell me fishmech. i posted a relatively simple article and you seem to have failed to comprehend it in just about every way possible and just seem to be making poo poo up at this point. quote:Once again, the companies are under no obligation to justify things with a real justification. They can just say "we need this for a bullshit reason" and that's 100% valid under the GDPR. Because the GDPR doesn't care about a justification's content. They don't have to explain poo poo so long as they present consent switches. no, not really. yes, they can give a user a bullshit justification and refuse to comply. and if they give that same bullshit justification to a court at a later date and the court finds their justification to be... bullshit, then they can be held liable. and if you could read the article i kindly linked, you would see that consent can be revoked and said company has to comply with requests for deletion after the revocation of said consent. so yes, they still need a justification if they want to hang on to pii regardless of consent, and they need a non-bullshit one if they don't want to be sued and fined. hope this explains things for you, though i expect you're going to just flail around and make up some more stuff
|
# ? May 27, 2018 21:03 |
|
Condiv posted:sorry, no it's not. It is though. Why don't you just go ahead and name a type of personally identifiable information you think can never be subject to a deletion request? What do you mean, "so"? It's quite relevant to why a bunch of stuff was never and will never be easily arranged to be separable from the rest of a backup, say. It's why your little rant about how offsite storage is hard to justify is stupid. Giving the user a useless justification isn't "refusing to comply". You're not required to be given any usable information about why something would be kept, just that they need to ask your consent to keep it.
|
# ? May 27, 2018 21:09 |
|
fishmech posted:It is though. Why don't you just go ahead and name a type of personally identifiable information you think can never be subject to a deletion request? data that is being held to comply with a legal obligation. you would have known that if you had bothered to read. quote:What do you mean, "so"? It's quite relevant to why a bunch of stuff was never and will never be easily arranged to be separable from the rest of a backup, say. It's why your little rant about how offsite storage is hard to justify is stupid. no, not really. why would you think PII will never be separable from other data to be backed up? if the PII is eligible for deletion under the GDPR, you have at best a temporary case for keeping it, and should back it up accordingly, not like an idiot pretending he gets to keep all info forever. because you don't get to keep it forever if the user doesn't want you to. thanks GDPR! quote:Giving the user a useless justification isn't "refusing to comply". You're not required to be given any usable information about why something would be kept, just that they need to ask your consent to keep it. and if you revoke that consent they must delete it. if they want to keep your data despite you revoking said consent, they have to have a legitimate justification for it that will hold up in court. try reading next time fishmech
|
# ? May 27, 2018 21:26 |
|
Hey can we get back to Elon saying the Jews control the media? Cause he's having quite the meltdown lately.
|
# ? May 27, 2018 21:46 |
|
Sir Tonk posted:Hey can we get back to Elon saying the Jews control the media? Cause he's having quite the meltdown lately. go nuts
|
# ? May 27, 2018 21:49 |
|
Sir Tonk posted:Hey can we get back to Elon saying the Jews control the media? Cause he's having quite the meltdown lately. This seems about right https://twitter.com/Vinncent/status/999379218059313152
|
# ? May 27, 2018 22:17 |
|
fishmech posted:
This is gold fringed flag levels of bullshit, again.
|
# ? May 27, 2018 22:38 |
|
Condiv posted:data that is being held to comply with a legal obligation. you would have known that if you had bothered to read. I've already read that, that is not answering any questions in the least. You really seem to have a hard time understanding that practically all personally identifiable information can be legally required to be held, and also be eligible to be asked to be deleted. Publicly hosted pictures of you are personally identifiable information. They are also not likely to be specially marked and processed separate from the other public pictures on a site that offers image hosting, even though you can request to have them deleted just as you can request to have billing information for the same site deleted. Is this really so hard for you to comprehend? That's not where "justification" comes in. We are talking about what they have to tell you when you agree to hand over your data in the first place, not 10 years later when you decide you want the thing deleted. You'd understand this if you were capable of reading. Total Meatlove posted:This is gold fringed flag levels of bullshit, again. Seems pretty loving weird to say the European Union's new laws are "gold fringed flag bullshit" but ok there buddy. This is a fact: they don't need to tell you they want you to say, share your location to the site because they use PROJECT SAND DUST to monitor it to specifically find out whether you ever jog. They just say "we want your location for reasons, please click here to accept". Et cetera. It's like you people have never even read the laws you claim to love so much.
|
# ? May 27, 2018 22:53 |
|
So the way I understand this thing is that it covers any person in Europe and not Europeans in other countries. Is there a way one in the US could make their Internet traffic covered by it?
|
# ? May 27, 2018 23:28 |
|
fishmech posted:
You keep arguing the position that vague terms and conditions will satisfy GDPR when it’s demonstrably untrue, and then argue the same thing again and again, both examples you’ve given of consent language would fail. This is from the Working Group 29’s latest position on GDPR quote:3.3.1. Minimum content requirements for consent to be ‘informed’
|
# ? May 27, 2018 23:43 |
|
Until there are court challenges and rulings one way or the other, we don't know exactly where the line will be drawn, and there necessarily has to be some overreach in the present law, because bad actors have repeatedly shown that they cannot be trusted to act responsibly and in the general best interest of the consumer. At this point, the law is vague enough in a lot of cases that we may as well debate how many angels can dance on the head of a pin. It will take a while for interpretations of the law to actually be made and enforced, and until then, we should only debate what we think the interpretations should be, not what we think they are or will be.
|
# ? May 27, 2018 23:48 |
|
Condiv posted:if the PII is eligible for deletion under the GDPR, you have at best a temporary case for keeping it, and should back it up accordingly, not like an idiot pretending he gets to keep all info forever. because you don't get to keep it forever if the user doesn't want you to. thanks GDPR! However, that same PII may be user data that they are expecting you to keep for them indefinitely, and it should be backed up accordingly. You don't know whether you need to keep it indefinitely or delete it within 30 days until the user requests it. Limiting backup retention is an easy solution, but one that doesn't necessarily work for all cases, and keeping long term backups while also ensuring that specific data can be removed from them on demand easily and on a regular basis is not trivial. Again, a case where designing with GDPR in mind makes things a lot easier, but can be a lot harder to retrofit. I'm not complaining or objecting, but I do think it's okay to acknowledge that certain aspects can be expensive or difficult to comply with, and not just for those acting in bad faith, even if worth that expense and difficulty.
|
# ? May 27, 2018 23:53 |
|
It seems like, in the case of backups, provided sufficient security (either physical or digital as applicable) is used to prevent unauthorized access to the backups, it would be sufficient to ensure that requested PII deletion is carried out immediately at the first practicable time following the restoration of a backup. Penalties for failure to do so would depend on what, if anything, is done with the information improperly. That seems like a more reasonable approach for backups that currently exist, rather than demanding that all backups be restored and purged of the requested data immediately, but again it requires data controllers to act in good faith, so it could be too lenient.
|
# ? May 28, 2018 00:01 |
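The restore-time approach proposed in the post above, sketched as an added example that is not part of the thread: accepted deletion requests go into a ledger kept apart from the backups, and the ledger is replayed over a restored snapshot before it goes live. The record layout, the `invoice` legal-hold kind, and every name and sample value here are assumptions constructed for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Assumption: kinds of record held under a legal obligation (e.g. billing),
# which survive a deletion request and are reported instead of purged.
LEGAL_HOLD_KINDS = {"invoice"}


def subject_token(key, subject_id):
    """Keyed hash of a subject id, so the ledger never stores the raw identifier."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


class ErasureLedger:
    """Accepted deletion requests, stored outside the backups they apply to."""

    def __init__(self, key):
        self._key = key
        self._requests = {}  # token -> time the request was accepted

    def record(self, subject_id, requested_at):
        token = subject_token(self._key, subject_id)
        previous = self._requests.get(token)
        # Keep the latest request: it covers everything created before it.
        if previous is None or requested_at > previous:
            self._requests[token] = requested_at

    def covers(self, subject_id, created_at):
        """True if the record predates an accepted deletion request."""
        requested_at = self._requests.get(subject_token(self._key, subject_id))
        # Data created after the request (the person signed up again) is kept.
        return requested_at is not None and created_at <= requested_at


def restore_with_erasures(snapshot, ledger):
    """Filter a restored snapshot through the ledger before it goes live.

    Returns (live_records, report). Each record is a dict with the keys
    id, subject_id, kind and created_at (an assumed layout).
    """
    live = []
    report = {"purged": 0, "retained_legal": 0}
    for rec in snapshot:
        if not ledger.covers(rec["subject_id"], rec["created_at"]):
            live.append(rec)
        elif rec["kind"] in LEGAL_HOLD_KINDS:
            live.append(rec)
            report["retained_legal"] += 1
        else:
            report["purged"] += 1
    return live, report


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def demo():
    """Run the replay over a constructed snapshot; returns (live ids, report)."""
    ledger = ErasureLedger(key=b"constructed-demo-key")
    ledger.record("user-17", _utc(2018, 6, 1))  # deletion request accepted

    # Constructed restored data set: older backup plus a later incremental.
    snapshot = [
        {"id": "img-1", "subject_id": "user-17", "kind": "photo",
         "created_at": _utc(2018, 5, 1)},    # predates the request: purge
        {"id": "inv-1", "subject_id": "user-17", "kind": "invoice",
         "created_at": _utc(2018, 5, 2)},    # legal hold: keep and report
        {"id": "img-2", "subject_id": "user-42", "kind": "photo",
         "created_at": _utc(2018, 5, 3)},    # no request on file: keep
        {"id": "img-3", "subject_id": "user-17", "kind": "photo",
         "created_at": _utc(2018, 6, 10)},   # created after the request: keep
    ]
    live, report = restore_with_erasures(snapshot, ledger)
    return [rec["id"] for rec in live], report


if __name__ == "__main__":
    print(demo())
```

The ledger has to be stored and backed up separately from the data it covers; if it is lost, a restore silently brings the deleted records back.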
|
Total Meatlove posted:You keep arguing the position that vague terms and conditions will satisfy GDPR when it’s demonstrably untrue, and then argue the same thing again and again, both examples you’ve given of consent language would fail. It's not untrue, it's fully within the scope of the text. You don't have to give any special justification for why you ask for data in the first place, you must simply state what it is you want the person to fill out a checkbox for so they can get back to using the site (since they're not going to read it anyway). You can feel free to jerk off to how you believe this is meant to include having 9 pages of description of exactly what the data will be used for, but that is what would be "gold fringe bullshit" as it ain't in the law. Steve French posted:However, that same PII may be user data that they are expecting you to keep for them indefinitely, and it should be backed up accordingly. You don't know whether you need to keep it indefinitely or delete it within 30 days until the user requests it. Limiting backup retention is an easy solution, but one that doesn't necessarily work for all cases, and keeping long term backups while also ensuring that specific data can be removed from them on demand easily and on a regular basis is not trivial. Correct, tons of people explicitly want to use services to make sure their data, much of which will be personally identifiable, is securely available. People who go around claiming NOBODY SHOULD BE STORING PII!!!! are just ignorant of what is personally identifiable information.
|
# ? May 28, 2018 00:02 |
|
They don't call you the smartest boy in America for nothing!
|
# ? May 28, 2018 00:29 |
|
BrandorKP posted:So the way I understand this thing is that it covers any person in Europe and not Europeans in other countries. Is there a way one in the US could make their Internet traffic covered by it? False. An EU citizen in the US is covered there. An EU citizen in Australia is covered there. There's quite a lot of EU citizens in Australia, as it happens ... So no, geoblocking is not gonna protect goddamn idiots like the LA Times.
|
# ? May 28, 2018 01:29 |
|
fishmech posted:I've already read that, that is not answering any questions in the least. You really seem to have a hard time understanding that practically all personally identifiable information can be legally required to be held, and also be eligible to be asked to be deleted. You keep making this assertion but it’s not true. Why don’t you back up your assertions fishmech? quote:Publicly hosted pictures of you are personally identifiable information. They are also not likely to be specially marked and processed separate from the other public pictures on a site that offers image hosting, even though you can request to have them deleted just as you can request to have billing information for the same site deleted. Is this really so hard for you to comprehend? Requesting deletion of images is not a new thing for image hosting sites fishmech. And no, the PII shouldn’t be held specially since any image removed from said site needs to stay gone even in the case of a restoration from backup. I’m not sure why you think any of that is particularly important to your argument though. quote:That's not where "justification" comes in. We are talking about what they have to tell you when you agree to hand over your data in the first place, not 10 years later when you decide you want the thing deleted. You'd understand this if you were capable of reading. Sorry, but again that’s not the case. Seems like you’re just flailing at this point considering you’re just repeating debunked arguments and demanding that they’re true. Steve French posted:However, that same PII may be user data that they are expecting you to keep for them indefinitely, and it should be backed up accordingly. You don't know whether you need to keep it indefinitely or delete it within 30 days until the user requests it. 
Limiting backup retention is an easy solution, but one that doesn't necessarily work for all cases, and keeping long term backups while also ensuring that specific data can be removed from them on demand easily and on a regular basis is not trivial. Of course. Designing these kinds of backups and systems is not trivial, but at the same time they’ve been necessary. Unfortunately, many people didn’t bother cause they didn’t have to until GDPR
|
# ? May 28, 2018 03:53 |
|
Condiv posted:You keep making this assertion but it’s not true. Why don’t you back up your assertions fishmech? I'm sorry, what is it that you want me to back up? You keep screeching about the situations where personally identifiable information is allowed to be kept against deletion requests, that is quite different from what things are personally identifiable information. That you can't comprehend this is quite odd. So you agree that it's not a bad thing when personally identifying information is not kept separate or in highly secure storage, and that it might take quite a while, if ever, to purge it from any applicable backups? This is not debunked, it is explicitly true. You seem to have a bad time comprehending the law you claim to defend. They were definitely not always necessary. I just gave you a pretty good illustration of why they're often not necessary - because different sorts of personally identifiable information have inherently quite different security requirements and expectations.
|
# ? May 28, 2018 03:58 |
|
divabot posted:False. An EU citizen in the US is covered there. An EU citizen in Australia is covered there. There's quite a lot of EU citizens in Australia, as it happens ... That's not what the marketplace tech lady was saying, they were saying it was geographical. Here's what the site says : "Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location. Previously, territorial applicability of the directive was ambiguous and referred to data process 'in context of an establishment'. This topic has arisen in a number of high profile court cases. GDPR makes its applicability very clear - it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-Eu businesses processing the data of EU citizens will also have to appoint a representative in the EU. " That seems like one just has to "reside in" but that (residence) can be squishy.
|
# ? May 28, 2018 04:03 |
|
BrandorKP posted:That's not what the marketplace tech lady was saying, they were saying it was geographical. The thing is, a business that truly refused to do business in the EU can't be punished and the EU citizen who thinks they were affected has no legal recourse. If Tronc say truly has divested all their assets and accounts that were in EU territory beforehand, the EU could write them a bunch of mean letters and threats about them refusing to comply, but the US courts are highly unlikely to do anything about that.
|
# ? May 28, 2018 04:09 |
|
PT6A posted:It seems like, in the case of backups, provided sufficient security (either physical or digital as applicable) is used to prevent unauthorized access to the backups, it would be sufficient to ensure that requested PII deletion is carried out immediately at the first practicable time following the restoration of a backup. Penalties for failure to do so would depend on what, if anything, is done with the information improperly. You're correct that the practical effect on security is the same. But that isn't what the law says. Your data sitting there behind military grade encryption and in the middle of a heavily guarded salt mine or converted missile silo offline is about as secure as possible. You could argue that the act of bringing it online to restore it would be a greater risk to the data than simply leaving it be. That is where the disconnect is. The requirement to purge offline data imposes significant costs for no gain in privacy. Also people keep talking about PII. The GDPR covers "Personal Information", this is broader than "Personally Identifiable Information". BrandorKP posted:That's not what the marketplace tech lady was saying, they were saying it was geographical. This is another thing that will come down to litigation. Because under the broadest interpretation it also means that if an EU citizen visits another country and does business there the EU can try to claim jurisdiction over that data. I've seen other places claim that even dual citizens residing in a non-EU country brings the data under GDPR rules.
|
# ? May 28, 2018 04:13 |
|
fishmech posted:I'm sorry, what is it that you want me to back up? You keep screeching about the situations where personally identifiable information is allowed to be kept against deletion requests, that is quite different from what things are personally identifiable information. That you can't comprehend this is quite odd. You need to prove that virtually all PII is eligible for deletion requests, which you keep asserting despite having no grounding for said assertion. I have made no assertions as to what PII is so I dunno why you’re bringing it up (other than your typical flailing). quote:So you agree that it's not a bad thing when personally identifying information is not kept separate or in highly secure storage, and that it might take quite a while, if ever, to purge it from any applicable backups? No. It needs to be kept where it can be deleted in the 30 day timeframe. If that requires separate storage from non-PII data then you need to design accordingly. Your example doesn’t require separate storage from non-pii pictures cause you need to handle deletion of those too when required. Just that the PII pictures be deletable from your systems in a 30 day time limit. You can’t just say “oh these other pictures don’t fit under the GDPR, guess I don’t have to abide by the GDPR for PII ”. If you don’t want to treat non-PII data separately you have to bring non-PII data up to the standard of PII data and design your systems to allow deletion in a timely manner. Hope that clears stuff up for you fishmech. quote:This is not debunked, it is explicitly true. You seem to have a bad time comprehending the law you claim to defend. Just because you claim it’s true doesn’t make it so fishmech. It’s already been shown to you where in the text of the law you’re mistaken. All you’ve come back with so far is “no I’m right”. That’s why I say you’re flailing. quote:They were definitely not always necessary. 
I just gave you a pretty good illustration of why they're often not necessary - because different sorts of personally identifiable information have inherently quite different security requirements and expectations. Sorry, your illustration was badly concocted. And sure, these measures weren’t necessary by law until the gdpr, but they were necessary for responsible stewardship of personal information. I’m sure you’ll disagree and try to argue that keeping backups of personal data that should’ve been deleted is ok and good, but you’re pretty idiotic so that’s to be expected
|
# ? May 28, 2018 05:28 |
|
Condiv posted:You need to prove that virtually all PII is eligible for deletion requests, which you keep asserting despite having no grounding for said assertion. I have made no assertions as to what PII is so I dunno why you’re bringing it up (other than your typical flailing). That's in the law - that you can request to have your data deleted, and only certain exceptions can be made to when/if the deletion request may be delayed or rejected. Also you kept shrieking about which things could delay/prevent a request in response to me talking about what the information is, so that's your own fault. Yeah a) that's stupid and b) it's a bad idea. Again, an image hosting service is a perfect illustration of that, especially as most people probably won't preemptively tag which of their images qualify as they upload. It is true though, I'm really not sure why you think it isn't. Are you even reading the law or are you just huffing farts about an entirely separate thing? It's not badly concocted it just seems to be making you enraged. And again, they were not and are not necessary for responsible stewardship of it all - because what is responsible stewardship varies severely depending on the type of data. And it is in fact ok and good to have backups of a lot of kinds of personal data, see again, the example of an image site having backups, or a site that advertises backup of your own files to have further backups - many of these services have the explicit selling point that you can recover data even if you mistakenly deleted it from live backups. But for some reason you want to act like the only personal data that can exist is passport-level info and it can never have a reason to exist for more than immediate use. It's weird, almost like you have no interest in the GDPR.
|
# ? May 28, 2018 05:38 |
|
fishmech posted:That's in the law - that you can request to have your data deleted, and only certain exceptions can be made to when/if the deletion request may be delayed or rejected. Also you kept shrieking about which things could delay/prevent a request in response to me talking about what the information is, so that's your own fault. And those exceptions mean that your assertion that virtually all PII is eligible for deletion requests is false. Hope that helps you understand fishmech quote:Yeah a) that's stupid and b) it's a bad idea. Again, an image hosting service is a perfect illustration of that, especially as most people probably won't preemptively tag which of their images qualify as they upload. it’s not at all stupid. If you’re using the same system to store PII and non PII data then you have to make all that data capable of being deleted in a timely manner even if the non PII stuff will not need that. You’re free to separate the data if you wish, but you can’t just ignore the deletion requirements of PII in your system fishmech quote:It is true though, I'm really not sure why you think it isn't. Are you even reading the law or are you just huffing farts about an entirely separate thing? Then post something proving it fishmech. I’ve read the law and what you’re saying runs counter to it. I’m not the only one who has pointed that out to you either quote:It's not badly concocted it just seems to be making you enraged. And again, they were not and are not necessary for responsible stewardship of it all - because what is responsible stewardship varies severely depending on the type of data. And it is in fact ok and good to have backups of a lot of kinds of personal data, see again, the example of an image site having backups, or a site that advertises backup of your own files to have further backups - many of these services have the explicit selling point that you can recover data even if you mistakenly deleted it from live backups. 
and now you’re conflating different levels of deletion requests quote:But for some reason you want to act like the only personal data that can exist is passport-level info and it can never have a reason to exist for more than immediate use. It's weird, almost like you have no interest in the GDPR. I’ve never claimed any such thing fishmech, nor have I acted like that. Stop flailing.
|
# ? May 28, 2018 05:58 |
|
Condiv posted:And those exceptions mean that your assertion that virtually all PII is eligible for deletion requests is false. Hope that helps you understand fishmech That's the opposite of what that means, bro. It really seems that you still don't comprehend just how vast the category of personally identifying information is. Of course you've been willfully mistaking its breadth the whole time. The law itself proves it - you do not need to give a big ol justification when you ask for the data in the first place. You need to defend it with detailed justifications if later you decide to refuse deletion requests. A deletion request is a deletion request dude. That is what you're claiming repeatedly. You keep acting like only a tiny amount of data is personally identifying information, and that it can only ever have been stored properly in the past with heavy security measures - this directly implies that you are claiming it is only highly sensitive data.
|
# ? May 28, 2018 06:04 |
|
What's gdpr
|
# ? May 28, 2018 07:28 |
|
fishmech posted:A deletion request is a deletion request dude. no If you’re not even intelligent enough to comprehend that you shouldn’t be trying to debate the details of the gdpr. Though it’d explain why you’re having so much trouble comprehending it.
|
# ? May 28, 2018 08:14 |
|
Mugsbaloney posted:What's gdpr it's a new model of self-driving electric car
|
# ? May 28, 2018 10:47 |
The General Data Protection Regulation, an EU wide rule that requires companies have good reasons to use/store your data and that provides the right for said data to be deleted on the customer's request if certain conditions are met.
|
|
# ? May 28, 2018 10:52 |
|
Do you really need more than 30 days of backups of user content? Purge the live data and within the mandated period you will have removed it from your possession entirely. Maybe I'm insane for thinking that if your company gets hit somehow that means you're scrambling for multi-month-old backups of content, you're dead anyway. Legally mandated record-keeping (I.E. billing) should be maintained separately in the first place. E: On the topic of GDPR, I think my favorite part of it is watching ICANN get so turbo-hosed by it. https://www.zdnet.com/article/dns-is-about-to-get-into-a-world-of-trouble-with-gdpr/ (Auto-playing audio warning) https://www.zdnet.com/article/icann-makes-last-minute-whois-changes-to-address-gdpr-requirements/ same https://www.theregister.co.uk/2018/04/10/gdpr_whois_regulations/ Summary ICANN: B-b-b-but we're special EU: No, you're really loving not. Harik fucked around with this message at 11:23 on May 28, 2018 |
# ? May 28, 2018 11:03 |
|
Harik posted:Summary must say it was an exquisite delight when the blockchainers tried the same thing i got to explicitly tell a blockchain conference that the GDPR regulators didn't give a hoot about blockchain company concerns, because apparently this was a loving question like, the precise data storage technology that the GDPR is like some sorta custom-crafted antimatter for
|
# ? May 28, 2018 12:39 |
|
If GDPR makes blockchain illegal then we have to have it in the US as soon as humanly possible.
|
# ? May 28, 2018 12:49 |
|
Xae posted:You're correct that the practical effect on security is the same. I'm aware of that, that's exactly why I proposed a reasonable alternative. I wasn't claiming that my proposal was in keeping with the GDPR in its current form.
|
# ? May 28, 2018 13:15 |
|
Sir Tonk posted:Hey can we get back to Elon saying the Jews control the media? Cause he's having quite the meltdown lately. Ohhhh, this is why that tweet's been everywhere. I thought he just meant rich people. Sometimes I forget the weird hate boner some people have for Jewish people.
|
# ? May 28, 2018 13:33 |
To be fair to Elon, he might be talking about the Reptiloids or the Illuminati.
|
|
# ? May 28, 2018 13:37 |
|
Pretty sure the illuminati are also Jews.
|
# ? May 28, 2018 14:00 |