this post was submitted on 30 Jul 2023
93 points (92.7% liked)
Technology
Not how it works. GDPR gives DPAs powers to, for example, order deletion of all of the iris data for not having been collected with proper consent, and at that point the operator bleating "but it breaks our system" doesn't cut it. If it breaks the system, then it breaks their system. They should have thought about that before starting to collect data without proper consent.
Plus, on top of fines, GDPR gives DPAs some investigative powers and the power to ask for police assistance to enforce their orders. They might come and confiscate servers or shut them down personally if the organization refuses to comply on its own.
The only business they can make is the little they do before the hammer falls and, as said, after that they can't claim and keep PII or any derivative data they have collected. The data has been poisoned with non-compliance. It will be ordered to be deleted, since the processor has no right to possess it, let alone process it. Any money they make will probably end up spent on paying fines.
It is a non-starter, especially their "you can't ask us to delete it". The most severe category of infractions of GDPR is exactly data subject rights violations. Those are deemed more serious than, say, failures of data breach and security, since those infractions violate the cornerstone data subject rights, which again are an extension or specific application of the fundamental human right to privacy.
The DPA will just say "if your organization/business/operation model is based on carte blanche refusal to offer the right of deletion while operating on the legal basis of consent, your operations model is fundamentally incompatible with the laws of the EU. More simply put, it is fundamentally illegal for you to operate in the EU. Shut down your operation immediately and permanently."
Also, there is no free consent if it cannot be withdrawn. Again, part of which is "I withdraw my consent for you to possess and process my information, I want nothing to do with you anymore. Delete everything". There is no free consent without the possibility to have one's data deleted. You can't claim the legal basis of consent and then say that consent includes consenting to have one's data never deleted. In fact, a judge would invalidate such consent even from the data subject's side. You can't consent to relinquish core data subject rights. Those are mandatory minimal terms, a legal right. You have them, whether you want them or not, and cannot relinquish them. One can choose to never apply those rights one has, but that doesn't stop them from existing or mean one has given them up.
This will get banned, since their operating model is fundamentally incompatible. That, or they have to change their model to a compatible one, which would mean re-engineering their whole operating concept and technology.