
I think you don't understand the GDPR. The GDPR does not disallow the processing of personal data, nor does it disallow the sharing of personal data with suppliers or other entities in the supply chain. For example, if you run a merch store, it's perfectly OK to share the buyer's address with DHL or whoever does the shipping.

What the GDPR requires is that the user is informed about the processing and the suppliers used, and in some cases, provides consent to the processing.

The new proposal which suggests that pseudonymized data is not always PII is a different thing. It actually opens the door to a lot of new problems in my opinion. For example, with this new interpretation, big tech might question whether IP addresses are still personal data (which is something EU top courts had previously established). What about cryptographically hashed values of your social security number (easy to break)?



> The new proposal which suggests that pseudonymized data is not always PII is a different thing.

This actually is already the case, see the recent CJEU C‑413/23 P. Currently the main question is if the recipient has a way to unmask the user. In the case of an IP address the answer is almost always yes, since the recipient could ask a competent authority to unmask the IP address if there is a crime involved. That was the exact reasoning provided in the Breyer case.

In C‑413/23 P the recipient didn't have any reasonable way to map the opinion to a real person, so it was determined that it's not PII from the recipient's POV but it was from the data controller's.

One of the issues in the new proposal is that it lowers the standard quite a bit compared to C‑413/23 P.



