GDPR: The Illusion of More Rights and the Hypocrisy
GDPR has just come into action throughout the EU, telling you that you have more rights regarding data held about you. Nothing could be further from the truth.
The full script of the Regulation is here.
Notice in paragraphs 5 & 6, especially the text:
5) ...National authorities in the Member States are being called upon by Union law to cooperate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State.
6) ...should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations,
10) ...This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’).
Basically the above translates to the fact that your information must be shared with other EU states, whether held by your own state or a private company. States also don't have to comply like everyone else has to, as they get a "margin of manoeuvre", enabling individual states to make their own rules for themselves.
What about sharing of your data
13) The proper functioning of the internal market requires that the free movement of personal data within the Union is not restricted or prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Basically, your data can be shared, and personal protection of your data cannot allow the prevention of sharing your data; on this principle, it can even be sold.
I am confused as to who is protected by GDPR, as paragraph 14 reads:
14) This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
We are all a "legal person" who reside in the EU, so the aforementioned means there is no protection afforded to me or you on how our data is processed (Article 4, paragraph 2), where processing includes the storage and retrieval of data (amongst others). Also as a small side note, paragraph 27 says that once you are dead, corporations can do whatever they want with your data; not even your next of kin gets to stop them.
This I feel is one of the best bits, Article 5, paragraph 1:
1) Personal data shall be:
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed...
Now this gives marketeers a licence to keep your data forever, even after you ask to unsubscribe from them. Let me explain; imagine for a moment that I am a marketeer:
I have your name, email, address, age and other data that I have collected about you to send those junk emails, etc. to you. You decide you do not want to see my junk email and click the unsubscribe link. I have to comply with your wish; however, I must also keep my data accurate and up to date, which includes your unsubscribe request (I need this information forever now). What if, in the future, I buy data that you are included on? If I had deleted your data, I would start sending you marketing information again, as the record of your request to unsubscribe would have been erased. However, I could use the excuse that I kept the data to ensure that your wishes are kept, and as people have more than one email, I need to keep further data about you so that I can compare such data to identify you and your unsubscribe request. In essence, even after you unsubscribe, I must keep your data up to date, accurate, etc. just in case I merge in other data lists that you are included on.
Erasing of data is also dangerous; let's take the PPI scandal that happened 20 years ago. A tiny percentage of us still have the paperwork to prove that we took out PPI; the only people with data this old are the banks. What if today I were a bank that sold a product like PPI that I knew was worthless? After 6 years (maximum time financial information needs to be kept) I can erase this information and use GDPR to justify this. Now when this scandal is uncovered in 10 or 20 years, I have erased all that history, and was legally allowed to do it. So the bank is protected and keeps the money, and the people lose out.
There are loads more lousy examples of how this regulation is pretty pathetic and affords no positive benefit to people. One key issue it does address with no uncertainty is that the box you tick allowing a company to use your personal data can now no longer be pre-ticked, like that makes a difference.
Erasing of any data is erasing history, and that is a bad thing. If your past data is not used, it will just sit on a hard drive, and the older it gets, the less significance it will have. Making me care that there is data that I once subscribed to the Maplin catalogue 20 years ago is scaremongering by the media. GDPR does not mean criminal records, tax data or medical data get erased, quite the contrary.
I agree corporations should keep your data safe, and the vast majority do, as this data is their livelihood and cost them a lot of time and money to collect; thus they don't want it falling into the wrong hands. If your data does fall into the wrong hands, GDPR does not give you the right to compensation; only the state can be compensated in the form of a fine, so your personal data breach goes to benefit the higher cause of the state. However, this fine is limited to €20 million, pocket change for a huge corporation or government (the ones that can afford EU lobbying), a big deal for a small company. The data breach by Facebook and Cambridge Analytica caused an increase in the use of Facebook; this increase probably earned Facebook far more than a paltry €20 million fine, and the same is probably true for Ashley Madison.