• promitheas@iusearchlinux.fyi
    link
    fedilink
    arrow-up
    21
    ·
    10 months ago

    Ive been engaged in discussion with my country’s data protection officer since the summer, and the reply I got was that I should delete comments myself. There are 2 comments that appear on my profile only if viewed while I am signed out, and when I raised the concerns with her I basically got the reply that “there is no personal information contained within and once you delete your account there is no username attached to them so you cant be linked with them”. Is she right, and how do I handle this situation?

    • Blackmist@feddit.uk
      link
      fedilink
      English
      arrow-up
      11
      ·
      10 months ago

      As I understand it:

      As long as the link between data and user is severed, they are compliant with GDPR. Anonymising data (proper non-reversable anonymisation, rather than pseudo-anonymisation) is as good as deleting. As long as it’s not personally identifiable, it’s OK.

      I suspect anyone else expecting the EU to purge reddit of their comments will be equally disappointed.

      • sibachian
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        10 months ago

        what about the whole knowing who is who based on word pattern/habit, and connected content and/or opinion?

        • Blackmist@feddit.uk
          link
          fedilink
          English
          arrow-up
          4
          ·
          10 months ago

          None of that really seems to count for GDPR. And good luck picking any one person out of a sea of a million orphaned comments.

      • LWD@lemm.ee
        link
        fedilink
        arrow-up
        3
        ·
        10 months ago

        According to how the UK’s Matrix/Element “privacy” messager app acts, that is correct. If, for example, you request a GDPR compliant data deletion of your messages in a room that contains 100 people, they will continue storing your data and delivering it to those 100 people, as well as propagating your data across any other servers where those people may be.

        If you’ve lost access to any of those rooms, screw you, your data doesn’t belong to you but it does belong to anybody who was there at the time.

      • jarfil@beehaw.org
        link
        fedilink
        arrow-up
        2
        ·
        10 months ago

        As long as the link between data and user is severed, they are compliant with GDPR. […] As long as it’s not personally identifiable, it’s OK.

        Wrong.

        In the US, data protection refers to “personally identifiable” data, so severing the link is enough. Under the GDPR, all “personal” data is protected, doesn’t matter if it has a link or not to identify the person.

        The test under the GDPR, will be whether a comment has any personal data in it. If it’s a generic “LMAO”, then leaving it anonymous might be enough; if it is a “look at me [photo attached]” or an “AITA [personal story]”, then the person can ask for it to be removed, not just anonymized.

        • LWD@lemm.ee
          link
          fedilink
          arrow-up
          1
          ·
          10 months ago

          That sounds like it places an undue burden onto the user to determine and explain why data might be personal. Is a particular writing style personal? Something that identifies their IP address, or time zone, or three separate messages that can be used to pinpoint someone’s identity or narrow it down significantly?

          To build on the Matrix example I mentioned, they give you the ability to “redact” messages but it’s your job to hunt them down across their entire platform, and obviously you can’t look at any messages in any rooms you’ve been kicked out of (and I’m pretty sure an API call to redact them, even if you correctly guessed the ID, would be rejected).

          • jarfil@beehaw.org
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            10 months ago

            places an undue burden onto the user to determine and explain why data might be personal

            The other way around: all data originating from a person, is by default “personal data”, and the burden of explaining which one is not, lies with whoever is keeping it.

            you can’t look at any messages in any rooms you’ve been kicked out of

            If they’re keeping them, then you can request a GDPR export of ALL your data. Doesn’t matter whether some interface or application allows you access to the data or not, or even if you’ve been banned from the whole platform; as long as they keep the data, they have an obligation to honor your rights of:

            • Access
            • Correction/Modification
            • Removal

            Even during obligatory data retention periods, when they can’t remove the data and only make it inaccessible, you still have the right to get a copy of your own personal data.

            • LWD@lemm.ee
              link
              fedilink
              arrow-up
              1
              ·
              10 months ago

              I really hope I’m wrong and you’re right here! I agree with you entirely in terms of what should be allowed, if it isn’t already allowed. And I definitely hope you’re correct. I haven’t recently requested a data export from my languishing Matrix account, but I might give it another go to see what kind of data is stored on my home server.

              • jarfil@beehaw.org
                link
                fedilink
                arrow-up
                1
                ·
                10 months ago

                I’ve had to deal with this on the data collection end, and it’s a PITA to build in the mechanisms to fully follow the law. If you’re an EU resident, and especially if the server is in the EU or has to follow EU agreements, then they’d risk some quite high penalties if they didn’t follow it.

    • AlteredStateBlob@kbin.socialOP
      link
      fedilink
      arrow-up
      8
      ·
      10 months ago

      The DPAs have discretion on how they interpret the laws and what guidance they give. This is something you could only really pursue through litigation beyond what reply you’re getting from your DPA. Personally, I am not trusting reddit to actually, truly delete anything. But there would need to be proof for that, beyond my suspicions.

      If deleted was truly deleted, I’d say they’re right on an individual case.

      The issue I’m outlining is however of a different nature, so I am somewhat hopeful at least some DPA will take this issue on.

    • xor@infosec.pub
      link
      fedilink
      arrow-up
      1
      arrow-down
      1
      ·
      10 months ago

      wrong because “deleting” your data doesn’t make it disappear