originally posted by: Blaine91555
a reply to: studio500
I think you are misunderstanding what data they are talking about. No such data is asked for, stored or available here.
GDPR: How the definition of personal data will change.
The EU General Data Protection Regulation (GDPR) will be enforced from next year, superseding the Data Protection Act (DPA).
With the Regulation expanding the definition of personal data, many organisations have expressed their uncertainty as to what the new definition now includes.
The scope of personal data
Let’s start with the circumstances under which the processing of personal data must meet the GDPR’s requirements.
This set of circumstances is now broader than under the DPA, with Article 2 of the GDPR stating that the Regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system”.
What constitutes personal data?
The GDPR’s definition of personal data is now also much broader than under the DPA.
Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”.
It adds that: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Perhaps the biggest implication of this is that, under certain circumstances, personal data now includes online identifiers such as IP addresses and mobile device IDs.
Similarly, the GDPR introduces the concept of ‘pseudonymous data’ – personal data that has been subjected to technological measures (for instance, hashing or encryption).
The qualifier of ‘certain circumstances’ is important to highlight here, because it’s often the context in which information exists that determines whether it can identify someone.
The same issue applies to the DPA, and the ICO uses the example of a person’s name to explain this issue:
By itself the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.
However, it also notes that names are not necessarily required to identify someone:
Simply because you do not know the name of an individual does not mean you cannot identify [them].
Many of us do not know the names of all our neighbours, but we are still able to identify them.
Generally, if you’re unsure whether the information you store is personal data or not, it’s best to err on the side of caution. This means not only making sure that data is secure, but also reducing the amount of data you store and ensuring that you don’t store any information for longer than necessary.
originally posted by: Blaine91555
a reply to: studio500
I'm glad you posted your question. I was not aware of this and I find it interesting.
originally posted by: studio500
a reply to: Blaine91555
It does not matter if the site is not in the EU. If it serves members of the EU (which it does), it must still comply.
Failure to do so can result in huge fines.
That's probably one reason why Facebook and Google aren't too happy about it but they still must comply.
originally posted by: Blaine91555
a reply to: studio500
I think you are misunderstanding what data they are talking about. No such data is asked for, stored or available here.
originally posted by: ArMaP
I started reading the Regulation, and it looks like collecting the data is considered processing, but I think article 6, paragraph f) ("processing is necessary for the purposes of the legitimate interests pursued by the controller") means that the data collected by Internet forums (email and IP addresses) is considered lawful processing, and, as such, there's no need for a specific consent from the data subject.
originally posted by: EvillerBob
You want to look at Article 4, it sets out some of the definitions.
Processing covers essentially everything, including collection and storage.
Legitimate interest is the category that many organisations are aiming for (because the new consent system sucks) but it remains to be seen how the right to object will impact on this.
I could, for example, object to ATS (assuming it was based in the EU and therefore beholden to GDPR) using my email address to log in - the same objective could be met through using the unique userid as a method of anonymisation, therefore there is no actual legitimate business interest for my email to be stored any longer than is necessary to confirm registration.
originally posted by: ArMaP
I could, for example, object to ATS (assuming it was based in the EU and therefore beholden to GDPR) using my email address to log in - the same objective could be met through using the unique userid as a method of anonymisation, therefore there is no actual legitimate business interest for my email to be stored any longer than is necessary to confirm registration.
That's true, and can really be considered that the email address, after registration, is not needed, unless the administration needs to contact the user outside the forum, to warn them, for example, that their password was changed for security reasons. In that case I think it's a legitimate use. Besides, that's something easily added to the consent text when people join the forum.
Lots of (digital) ink will flow regarding this legislation.
originally posted by: Springer
a reply to: studio500
We don't have any personally identifiable data, nor do we allow any to be posted (for this very reason). We have never sold any of the data we don't have either. Even if we did have any data of value (we don't) we wouldn't sell it, I think it's just a dirty business, all this data selling.
originally posted by: EvillerBob
For the purposes of this legislation, you do. Email addresses, cookies, IP logs, etc.
originally posted by: ArMaP
originally posted by: EvillerBob
For the purposes of this legislation, you do. Email addresses, cookies, IP logs, etc.
Cookies? Only if they have personal data, right?
originally posted by: AugustusMasonicus
I hereby authorize The Above Network the permission to sell my personal data they don't have stored on that server they don't own that's not residing in a sub-basement in Langley for whatever they can monetarily obtain for it.