Who lost his business because of GDPR? I see a man who decided not to bother with informing himself about how to treat user data properly, and instead shut down his app.
GDPR explicitly lets organizations keep data if they need to. Do you think it just turned into a magical get-out-of-your-past switch that means "my employer will have to delete records of firing me!"?
Your example "my employer will have to delete records of firing me!" is exactly how the GDPR works.
There are exceptions - e.g. if the firing is now leading to a court case, but they are less than you think.
In an ironic twist, after deleting the data subject's personal information, you must be left with nothing that identifies them, so you don't even know that they have requested this in the past - only that someone exercised their right to erasure (not who).
Yes, I have read it, although I am not a lawyer. Have you? Because the exceptions include "necessary in relation to the purposes for which they are collected or otherwise processed", and avoiding re-hire of a bad employee seems pretty related to the purpose of identifying employees in the first place. If you have professional legal advice to the contrary I would definitely be interested in knowing more.
I'm not a lawyer but I've read it fairly thoroughly. From the ICO, the exceptions to the right to erasure are below (none of them cover your example):
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing;
or for the establishment, exercise or defence of legal claims.
Article 17.1
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
https://gdpr-info.eu/art-17-gdpr/
If you read further down the page, you come to the section you are quoting, 17.3, which says that the above right from 17.1 does not apply even if one of the conditions in 17.1 is met. However the scenario we are talking about is one where none of those conditions were met in the first place, so we never had to look at 17.3.
You can argue that 17.1.b/c would require an employer to remove any demographic/political data it had stored on you, but absolutely not that it requires the employer to remove the record of your existence at the company.
Again, IANAL, but according to 17.1.b, the data subject ... shall have the right to obtain from the controller the erasure of personal data concerning him or her ... where one of the following grounds applies:
(17.1.b) the data subject withdraws consent on which the processing is based
17.1.b appears to be the trump card held by the data subject. They can withdraw consent at any time and request erasure.
Once they do, the data controller can then use any of the exceptions in 17.3 to deny them. However none of these is "because I want to keep records of all firings".
My further understanding is that you certainly could keep a record that someone was fired, just not a record that included any personal information that could identify who that was.
No, I addressed that. 17.1.b doesn't cover identifying data, it covers data about their characteristics. That's what my last sentence was about - you can demand that they remove the information that you are black, but not that they remove the information that you were there.
(edit - and I think you could keep the information about their race/etc if it was properly pseudonymized, but I haven't tried working that out so I'm not sure).
That's not quite correct... "The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location."
Meaning you can be doing business with EU residents as a US-only company.
I'm not quite sure how they intend to enforce the GDPR on foreign companies, but they are making that claim.
Well, the EU basically says that if you store data on people who fall under EU law, you're doing business in the EU.
This doesn't sound crazy to me.
If I'm in Europe and I sell to an American, I have to adhere to certain US laws just the same. I have to fill in a W8-BEN form or whatnot.
I can elect not to, but next time I'm in the US, things might get awkward at customs. Also, my customers might be fined or more or less 'ordered' not to do business with me. That's within the US's right.
That's just how it works. Everywhere. For all countries.
GDPR (EU Law) requires companies to delete private data upon request.
SOX (US Law) requires that companies do not delete private data, in case the government wants to investigate those companies later on.
SOX has existed since 2002. Did the EU lawmakers even consider this when crafting GDPR? I'm betting not, considering the damage they've done to the WHOIS system as well.
This kind of fallout is the result of poor planning and pushing incomplete legislation for political purposes and I think all of us realize that, so let's not pretend otherwise.
GDPR is pretty clear that a user's “right to be forgotten” isn't absolute and that businesses should be weighing up (and documenting) a user's right to privacy against their other legal obligations.
Well, European countries usually didn't shy away from bureaucracy. Now that there is the EU, there is another big layer of bureaucracy, and it doesn't help at all. Even worse is the fact that these bureaucrats are really distant from the people, both physically and with their hearts.
We are still going on because we're wasting the capital we accumulated in hundreds of years; otherwise we would have succumbed a long time ago.
Of course, this is a summary of my political analysis; I don't pretend to know the truth or really anything. I don't want to offend people with my opinion.
GDPR is a great example of the kinds of disasters that happen when nations try to force the entire planet to follow their unilateral actions.
(Shrug) It's a public response to abuses by private actors. It's a great example of the kinds of disasters that happen when the user is the product and not the customer.
> (Shrug) It's a public response to abuses by private actors.
I disagree, I think it's a political move and won't have the kind of positive impact that we want it to.
GDPR, as it is written, should put Facebook and Google out of business. Invading people's privacy is a huge part of their revenue stream. I'm all in favor of protecting privacy of individuals but I'm cynical that we'll see any real progress as a result of this and the negative consequences are real, and possibly more significant than any positive effects. Time will tell.