EU data protection

Posted Oct 13, 2012 21:43 UTC (Sat) by man_ls (guest, #15091)
In reply to: Fedora is retiring Smolt hardware census (The H) by rahulsundaram
Parent article: Fedora is retiring Smolt hardware census (The H)

I think EU data protection regulations don't work as you think they do. You can collect personal data to your heart's content, and you can make the collection mandatory. In fact, very often you have to (e.g. if you are opening a bank account you have to collect all kinds of personal data). But you have to provide for a way to remove that data; I think it is similar in the US. Also there are some stringent requirements on how you use the data: protect access to it with a password, store securely, do not share it with others without user consent, and so on.

As long as you are not collecting personal data, or data that can be used to identify you, then there is no need to do any of that. Example of personal data: your name. Example of data that can be used to identify you: your IP address. (Yes, every time you collect IP addresses in your weblogs, you are entering EU data protection territory. Funny, huh?) Example of data that might be used to identify you in some bizarre scenario but nobody cares about: your hardware information; your configuration is probably shared with the other 1000s of people that bought the same machine. And anyway nobody can prove that this particular configuration is only yours.

So remove all unique MAC-like information, anonymize the IP addresses and you are golden.

Disclaimer: IANAL (but I paid good money to a real lawyer to learn about these things). I may misrepresent everything in the little puppet theater inside my head.

EU data protection

Posted Oct 16, 2012 22:44 UTC (Tue) by tialaramex (subscriber, #21167)

All "personally identifiable" information stored in any sort of retrieval system by an EU company must obey the rules. A shoebox full of unsorted handwritten letters is not a retrieval system, a list of railway stations is not personal, a novel is not information for this purpose.

Such information must be stored for a specific purpose, the subject must be told the purpose and consent to it. Using the information for another purpose is illegal. Giving the data to another entity, except if the subject was told this was part of the purpose, is illegal. Moving the data out of the EU is illegal, except if these rules can be enforced elsewhere.

The subject is entitled to see all information you have about them, and you must correct errors which are reported to you. You may charge a "reasonable" (most jurisdictions interpret this quite narrowly) access fee and demand some evidence of their identity.

You must destroy any information you no longer need. You should have explicit policies justifying any data retention and scoping it appropriately.