GDPR compliance questions and discussion
 

On the https://www.flyertalk.com/forum/tech...ce-notice.html thread, it states:

I don't think that this results in full compliance. GDPR rights are for EU citizens, not people that currently happen to be physically present within a European Union country. FlyerTalk admin especially should know that these people are all over the world.

I think that’s for the courts, not FT or IB administration, to decide, IMO. When I travel, I have certain rights as a US citizen. When I am in the EU, or anywhere else, those rights are generally superseded by local law. While GDPR rights may pretend to be portable, the facts of law seem to be contrary.

The issue that is getting traction in the EU, with at least four complaints filed against Facebook, Google, Instagram and WhatsApp, is whether sites can offer services to those within the EU by only offering an “all or nothing” (not merely agreeing to data collection related to the provision of service, but rather including data gathering for or by third parties, such as advertisers) acceptance policy in its TOU.

Does FT fully comply with GDPR? IANAL. That’s what IB legal will have to examine, depending on the EU courts’ decisions, I suspect. Particularly given several US news sites are currently unavailable to users within the EU because of GDLR requirements (link to BBC article).

My 2 cents (so not enough to get you coffee at Starbucks): I think a lot of companies are taking a we don't know if you're in the EU or not approach, we're asking you to opt-in or opt-out or telling you what our privacy notice is across the board/protecting your privacy because it's easier to deal across the board than try to sort out EU etc. Heck, I've gotten privacy notices from multi-national firms as well as domestic firms, small-time book authors, local shops, etc.

BTW - for those unfamiliar w/ GDPR:

"What is the 'General Data Protection Regulation (GDPR)'

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. The General Data Protection Regulation covers all companies that deal with data of EU citizens, so it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies. GDPR will come into effect across the EU on May 25, 2018."

Exactly. This is the only forum that I frequent that has tried to filter required notices by IP address (an inexact science at best)

Well for the time being FT does not comply anyway, see Recital 43:

Recital 43
EU GDPR

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.

Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.
=> Dossier: Consent

I am currently visiting in the EU and am receiving different levels of notices on sites I am registered on.(all US based sites) The most detailed notice listed each company that the site used and what information they shared with them. I was also able to select/deselect what site they shared my info with. Just for advertising purposes they used 72 companies!

I wouldn't mind having GDPR type regulation here.

This is annoying and violates GDPR.

The GDPR should allow the user to withhold unnecessary data tracking and only allow use of tracing which is absolutely necessary.

https://cimg9.ibsrv.net/gimg/www.fly...cfc0f0231b.png

IB has absolutely no intention to respect GDPR. I got denied access to my personal data despite articles 2,15 and recitals 63,64 clearly stating this as a right.

Frank, when/how did you request this data?

I've PMed you

With the archiving sites out there (waybackmachine at archive.org, etc.) there’s no such likelihood of “being forgotten”, IMO. A person could have every bit erased from FT, yet their posts could still be found.

FT's owner has counsel / teams for regulatory compliance

i hope EU regulations do not negatively impact archive.org

But that would be their responsibility. Your responsibility is to delete the posts from Flyertalk.

Laws are laws, no matter what you think about them.

Not quite. Look at Google's losses in the "right to be forgotten" battle in the UK.

"I'm breaking the law because someone else will break the law eventually" is not a valid legal argument.

I assure you that is not my responsibility. Internet Brands personnel, perhaps. And I’m not sure how some laws may ultimately be interpreted judicially. I.e. can a law passed unilaterally by one nation or group of nations be imposed on entities based in non-participating nations?

1. Obviously I'm speaking in the collective. "You" as in IB.
2. You have the right to not do business in the EU, if you don't wish to follow their laws.

If you have concerns about IB's compliance of GDPR, please write in to the "Contact Us" form, which was kindly posted above. And until more cases are ruled upon now that GDPR is in effect, I think it's difficult to make blanket assumptions. But then again, I'm not an expert on US law, let alone EU/international.

I assume that it's not your intent to squelch debate on this in a public forum?

I won’t pretend to speak for IBJoel, but I think IBJoel may be saying Technical Support doesn’t much become involved with overall administrative and legal issues. Your concerns may best be addressed by others, and using the “Contact Us” form allows you to communicate your concerns to the appropriate party e it’s forwarded to them.

Correct as usual, Jdiver. IBjoel and I are not attorneys. The attorneys responsible for how FT handles GDPR have told us how to handle things, and we have passed along those rules. If you wish to have a legal tussle, please contact [email protected]. We cannot and will not contradict or interpret their guidance here.

From a purely technical standpoint, is it difficult to delete all information about a person, including their posts?

No. To do so without repercussions is, however. It's the old "bazooka versus scalpel" conundrum.

It is my prediction that GDPR will be the death of the European version of "privacy." And it will be partly because EVERYONE (including the GDPR enforcement bodies) will be shown to be in violation of GDPR. I can't say when it will happen, because it is not my area of practice. But I suspect that some lawyer like me will be retained by a client to defend a GDPR violation. And they will gather evidence to show that every minute of every day, because of the complexity of networks and data interchange, the "personal" information of EU individuals is available virtually anywhere in the world. And the concept of "forget me" is virtually impossible because there are thousands of backup tapes, replicated sites, redundant facilities, etc.

I saw a lot of text there, but nothing that represented a valid legal defense.

There's a very simple way to get any company to comply: pull the plug on their computers. It's the responsibility of the offending companies to develop a more elegant solution.

My argument, while from the perspective of a lawyer, was not meant as a legal brief. But your answer was actually perfect. Because one legal term (which is a legal defense, at least in some circumstances) is "impossibility." And the idea that the solution to GDPR compliance is "pull the plug on their computers" is so ludicrous that it would be a concession to "impossibility." That is why I say it will be the death of the concept. And, as stupid as "unplug" would be, it still would not accomplish "forget me." NOTE: At a technical level, there is no such thing as "unplug your computer" because "your" computer is replicated so many times in "other people's computer" that it wouldn't even solve the problem.

To the best of my knowledge, the laws aren't so much about making information disappear, it's about preventing companies from profiting from information that customers don't want being used. That's why the punishments involve fines to gross income.

It's certainly possible to purge personal information from Flyertalk (IB has already admitted as such), so your impossibility defense seems irrelevant, like saying that anti-smoking laws are not enforceable because air pollution is ubiquitous.

I apologize for my difficulty in explaining the relevant technical concepts to you. I have 45 years of computer experience, including being the first non-scientist with regular access to the internet (the IP address was 2 digits when I first got regular access), so I sometimes don't synthesize well enough. Let me try one more time. You misunderstood what IB said. What he meant was (with apologies to IB who is free to correct me) "I can search and delete every post by Hailstorm and I can search and delete every quote of every post by Hailstorm and, if required, I can search the word "Hailstorm" and delete it from every post. However, there are POTENTIALLY serious consequences to stability of the website if I really do that." What he didn't say in his comments, but which I also think is true, is the following:
A. If I do that today, and the system crashes big time tonight, and if I restore the system as of midnight last night, all my work will be wasted because you will be back again; B. You are on every backup we ever did, so if anyone with legal subpoena power wants to find you, you won't really be forgotten - they can still get every post and every quote virtually forever. C. We can't delete you from the Wayback machine or from Google or Bing or Yahoo or anyone else who crawled and copied your posts, so even ordinary people can probably find you for a long time. D. Assuming we have redundant colo facilities, you won't be forgotten by them (at least until the current backups cycle through). E. The contracts between IB and its advertisers won't require them to delete you from their records, so you might still get solicitations, etc. (a profit making venture)l. F. Every member (and guest) who has ever copied one of your posts will have those copies forever and they may repost a bunch of your stuff the day after I delete it, so you will STILL appear on FT. And that isn't the whole list.

I've nothing new to add, except that, if you think that technology renders laws obsolete, then we really have gone from technology working for us to us working for technology.

I would agree with you. And that is the point we have reached. It USED to be that a salesperson could say "Gee, that one is dented, I will charge you 1/2 price." Now they can't do that unless the computer says that they can. And one of the reasons I think GDPR is so ridiculous is because I gave a speech almost 20 years ago in which I pointed out that our conceptions of privacy were outmoded because of technology. Does technology give us benefits? Sure, lots of them. Is is possible that someday technology will give us the benefit of privacy? It is certainly possible. But right now, based on current technology, is the idea that a GDPR citizen can limit their data to the GDPR region or GDPR compliant systems reasonable? No.