The Internet is forever, we tell social media users: be careful what you put online, because you can’t ever take it back off. And while that’s gospel for US users, there’s some nuance to that dictum across the Atlantic. In Europe, individuals have a right to be forgotten and can request that information about themselves be taken down—but only, a court has now ruled, within Europe.
The Court of Justice of the European Union, the EU’s highest court, issued a ruling today finding that there is no obligation under EU law for a search service to carry out a valid European de-listing request globally.
I think this is a logical, common-sense ruling. I’m not entirely sure what to make of the right to be forgotten, since I can see valid uses for it, but it’s also very open to abuse, and one has to wonder just how effective it really is.
The level of greed some corporations did reach does make it useful, but it will affect smaller businesses.
Case in point: We now have priority check points at the supermarket where you can check out only if you have a card from the supermarket. During signup process you must provide personal details (phone number and email).
I would be ok with receiving all sort of price deductions and offers from them in a simple email, but that’s not the case..
Before GDPR was implemented you used to receive this type of spam from just about every single seller that had a similar product on their shelf and even companies selling additional offers just because they found out you purchased winter tires from that place.
Now, it’s more manageable.
Would the average people consider this useful? Doubt it. Everyone is searching for good deals these days.. Implementing GDPR does have it’s costs as well..
Sidux,
Well, the GDPR is bad for business because it really limits what businesses can do with your data, like selling it and using it for advertising. But then again, it is your data, so really they should have never been using it in the first place without your explicit consent. I’m glad that the EU is making laws that protect consumers, which is in stark contrast to the US where corporations can lobby against and often succeed at impeding consumer rights.
With that said, clearly the EU laws do not and should not apply outside of the EU. The notion that EU laws (such as the GDPR) claim to be in effect even outside EU jurisdictions is legally absurd. Unless there’s an international agreement/treaty to give it credence, EU laws are not enforceable outside of the EU just as US laws are not enforceable outside the US, etc. So regardless of the merits of ‘right to be forgotten’, this was really the only sound ruling.
Agreed for the most part – living in Canada, where we’ve had similar privacy laws since 2004 (PIPEDA, the Personal Information Protection & Electronic Documents Act), it seems insane to me that the US has no real federal privacy protections. And the few laws that touch on related aspects end up getting defanged before passage – compare the hopelessly toothless & appropriately “CAN-SPAM” laws (AKA “spam all you want, as long as you have a working “unsubscribe” link) with the CASL (requiring senders of commercial EMail marketing to obtain explicit, opt-in consent from all recipients, or at least implied consent via the existence of an active business relationship).
The parts I’m not so hot on are some of the things that the GDPR defines as personal information, E.g. IP addresses in web server logs and pseudononymous comments. It’s also made a bit of a mess out of the WHOIS system – not even considering the implications for security research:
https://krebsonsecurity.com/2018/04/security-trade-offs-in-the-new-eu-privacy-law/
I know I’ve personally run into situations in the past that would have been much more difficult, if not impossible to resolve without being able to lookup at least the registrant/admin EMail. E.g. where someone registered the domain for a long term, forgot the EMail they used for it, and/or used an EMail that’s no longer valid, and then come to me for help sorting that out.
Yep. Mark Jeftovic, the CEO of EasyDNS, a registrar based in Canada, made more or less the points a bit over a year ago:
https://easydns.com/blog/2018/05/28/gdrp-why-should-any-non-euro-companies-care/
StephenBeDoper,
I haven’t noticed any changes in WHOIS, but that’s an interesting perspective. There are definitely pros and cons to balance and to be honest I haven’t given much thought to all the ways it might be abused.
The big change I’ve noticed with WHOIS since the GDPR came into effect is that the output of most of the lookups I’ve run now include “REDACTED FOR PRIVACY” in place of any of any of the actual contact details. Though it seems to be fairly random, E.g. a WHOIS lookup for osnews.com does show the full output.
There’s also the comedy of errors it set off (described in the easydns.com link in my prev. comment) for EU-based domain registrars, who were put in between a rock and a hard place: comply with their ICANN contracts (which require them to collect & publish WHOIS data) & violate GDPR in the process… or comply GDPR & break their contracts with ICANN in the process:
https://domainnamewire.com/2018/05/25/icann-files-legal-action-against-tucows-registrar-over-gdpr/
Dude they ask for your phone and address, but its not like they validate it. Just fake it, and all is good. Its amazing how people will give out their real information knowing it will be abused. I guess that should be reassuring about how honest most people are even if its not in their interest to be.
They’re wising up to that now. Some stores are requiring that they mail you a card, rather than just giving you one right there. My response to that is simple: I stop doing business at those stores immediately, and I tell the manager why. It probably won’t do any good, but hey, maybe it’ll get through to someone.
Your address is probably the least valuable piece of information… As soon as you use your credit card they know exactly who you are and the address you live it is not really very important for building a profile of your shopping habits. The only real way I see to avoid it would be use fake information AND only pay in cash.
Good. I hope the GDPR is just the start, and that personal information as a product becomes a nonviable business. It is a disgusting and shady business, and It sickens me to know how many companies use it as a second revenue stream.
I’m glad. I always thought the GDPR had an admirable aim but a terrible implementation (see my comments from May this year on this site), and was deeply concerned about the extraterritorial language in it, so to have it clearly defined as limited to just the EU greatly reassures me.