GDPR and stuff

Ace Modder · 20 Apr 2018 at 13:01

Been thinking about this and communication apps like what's app.

Scenario:
Person 1 - John
Person 2 - Paul

John has WhatsApp, he doesnt care about FB having his data etc.
Paul doesn't have whatsApp because he hates FB and doesn't want them to have his info.

John has Paul in his phone contact list - All phone contacts are taken from John's device by the Whatsapp account, this includes Pauls contact info.

GDPR will be broken when the laws come into force I think?

Tefal · 20 Apr 2018 at 13:03

I dont think is a phone number so sidered personal private data if you've shared it with somone else?

Dave M · 20 Apr 2018 at 13:13

Technically John is required to get the consent of Paul to pass his data onto a third party but as GDPR does not apply to personal activity I guess the only relevant relationship is between John and Whatsapp. Their use of the data is required to fulfil the contracted service (messaging) so is covered without explicit consent required. Subject Access may still be relevant however.

And the gdpr question is directly or indirectly personally identifiable data - not private data. The expectation of privacy is another subject entirely.

VincentHanna · 20 Apr 2018 at 13:25

I thought Whatsapp and Facebook aren't interlinked? Pretty sure that was made clear during the hearing the other week (the stupid question about "emailing on Whatapp about Black Panther")

Randomface74 · 20 Apr 2018 at 13:38

I'm not sure - would like someone to clear this up for me.

Personally, I think no company should be holding my personal information without my consent.

I can't tell whether this is what the laws require or not.

MM-Seat · 20 Apr 2018 at 13:42

It relates to data that is personally identifiable. A phone number alone does not identify someone.

GhostlyPea · 20 Apr 2018 at 13:44

MM-Seat said:
It relates to data that is personally identifiable. A phone number alone does not identify someone.

What about a phone number stored with a name? Thats pretty much the definition of personally identifiable and I cant imagine anybody would store a number without a name

- GP

Hades · 20 Apr 2018 at 13:44

Facebook's solution is to simply move accounts outside the EU and dodge the GDPR that way.

http://www.bbc.co.uk/news/technology-43822184

ubersonic · 20 Apr 2018 at 13:48

Hades said:
Facebook's solution is to simply move accounts outside the EU and dodge the GDPR that way.

Somebody should tell them that doesn't work as they are still dealing with the data of EU citizens so must conform with the law.

But that's not what they are doing, they are making sure their Ireland datacentre doesn't hold any accounts of non-EU citizens (as those users would be granted the same defacto rights as EU ones as the DC is in the EU).

Hades · 20 Apr 2018 at 13:49

ubersonic said:
Somebody should tell them that doesn't work as they are still dealing with the data of EU citizens so must conform with the law.

They are moving non-EU citizens accounts out of the EU. They are currently based in Ireland (I assume for tax reasons) but facebook is now moving them out of Ireland to avoid them coming inscope of the GDPR. EU citizens accounts aren't moving.

JoeF1 · 20 Apr 2018 at 13:53

ubersonic said:
Somebody should tell them that doesn't work as they are still dealing with the data of EU citizens so must conform with the law.

But that's not what they are doing, they are making sure their Ireland datacentre doesn't hold any accounts of non-EU citizens (as those users would be granted the same defacto rights as EU ones as the DC is in the EU).

Are you sure this is correct? We have dropped around 3 suppliers so far due to them being in NZ because they won't conform to GDPR. I'm pretty sure if Facebook move the data to the states, they will only have to change their Ts & Cs and if we accept that is our fault?

Could be wrong mind.

Relentless81 · 20 Apr 2018 at 13:59

He is not a Data Controller he is a Data Processor so it still falls within the Data Controller (whatsapp) responsibility

ubersonic · 20 Apr 2018 at 14:04

JoeF1 said:
Are you sure this is correct?

Which part?

If you deal with the data of EU citizens you must comply with GDPR or you can be fined, it doesn't matter where you're based or where you process/store the data. If you deal with anyones data inside the EU (even non-EU citizens) you must comply with GDPR or you can be fined.

This is why FB are going to move the data of non-EU citizens outside the EU so the don't have to worry about GDPR for it, only their EU users.

JoeF1 · 20 Apr 2018 at 14:12

ubersonic said:
Which part?

If you deal with the data of EU citizens you must comply with GDPR or you can be fined, it doesn't matter where you're based or where you process/store the data. If you deal with anyones data inside the EU (even non-EU citizens) you must comply with GDPR or you can be fined.

This is why FB are going to move the data of non-EU citizens outside the EU so the don't have to worry about GDPR for it, only their EU users.

Thanks for that, totally makes sense.

MM-Seat · 20 Apr 2018 at 17:14

JoeF1 said:
Are you sure this is correct? We have dropped around 3 suppliers so far due to them being in NZ because they won't conform to GDPR. I'm pretty sure if Facebook move the data to the states, they will only have to change their Ts & Cs and if we accept that is our fault?

Could be wrong mind.

Not sure if this has been answered but, yes! It's been explained to me that it's like going to LA and because you have a European citizen in the car you drive to laws within the EU rather than in the US.

MM-Seat · 20 Apr 2018 at 17:15

GhostlyPea said:
What about a phone number stored with a name? Thats pretty much the definition of personally identifiable and I cant imagine anybody would store a number without a name

- GP

Ah but, then there is a definite need for that data. I should imagine sharing that data without the need would cause a problem.

glenimp617 · 20 Apr 2018 at 18:35

Easy, tech companies are moving all user accounts to the US to avoid GDPR

Amp34 · 20 Apr 2018 at 21:42

Out of interest how do companies define who is an EU citizen and who is not for situations like this?

Location someone first set up their account? Location they say they are living at the time? Latest IP address?

As an EU citizen living outside the EU at the moment it may presumably be quite complex to deal with my records.

And thinking about it even more it becomes a logistical nightmare. Any Canadian company dealing with my details will need to comply with GDPR technically, whether it be a large multinational or a small one man band working out of a local workshop. Presumably though it’s only really going to affect those companies that want to be registered in some form in an EU country, those that aren’t would (again presumably) be untouchable?

Edit: to clarify then, EU citizen in this instance actually appears to be just someone located in the EU, whether they be an EU citizen or not, which makes it more realistic.

Tefal · 20 Apr 2018 at 22:03

GhostlyPea said:
What about a phone number stored with a name? Thats pretty much the definition of personally identifiable and I cant imagine anybody would store a number without a name

- GP

But it's not strictly your name

ic1male · 22 Apr 2018 at 12:02

I was wondering all about this GDPR stuff. How does it relate to forums like this? Say I wanted to delete my account, does this forum then have to delete all data, posts included?