And as others have pointed out, no the users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do with personal information about their users. But feel free to argue that it is your moral right to sell user's e-mail addresses to some spammer or whatever.
I'll let that excerpt speak for itself.
And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary.
Views like this are exactly why we need the GDPR.
I find it utterly ridiculous - disgusting even - that you really believe you have the right to do whatever you want with someone else's personal information. When you provide an email address, physical address, name or other PI, it's with the expectation of it being used for a specific purpose - you should absolutely not give you the right to sell that information to the highest bidder.
The GDPR prohibits me from doing that, and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.
Some people, on hearing this, say, 'well, that's fine, you can just store 192.0.2 or 192.0 instead.' That seems pretty silly to me, since the whole point of logs is that they contain full information.
The GDPR tries to do the right thing, but it's broken. Immutable logs are a fundamental right.
It appears to me that as long as you don't use the logs for nefarious purposes you'd at least have legitimate interest in processing them (including the IP addresses), and so could keep them. This is the stance I am taking with respect to my personal webserver (together with a time limit after which logs are deleted); if a regulatory body informs me to change my approach, I'll gladly adapt.
Note also that IP addresses can be personal data, but do not have to be. Most claims here seem to relate to a ruling, where the IP address was deemed personal data in the hands of an ISP, who would be able to resolve it to a real person [1]. If you hold an IP address, but can't connect it to a real person (e.g. by having legal means to convince the ISP to give you that name based on the address), then it seems the IP address would not even be personal data in the first place. In the particularly ruling, the operator of the webserver was the German government, which presumably has more legal power to make an ISP turn over identifying data on a customer than a random website would have.
In any case, I hope some more clarity about this will emerge soon. But what you are talking about here would at best be a borderline infraction (and probably just be covered under legitimate interest). OTOH, what the person starting this thread had in mind seems to be that all the data he might collect on his users is fair game to do with as he pleases.
[1] https://www.whitecase.com/publications/alert/court-confirms-...
No it doesn't.
> and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.
No it doesn't.
I absolutely agree. If you feel a law is wrong, it is your absolute right to say so and demand change. This is the basis of all law and civilisation. The consensus of what is right-or-wrong is what makes a society.
Go for it.
If it is a fundamental right, how far does it go? Should I be able to sue you for watching me walk in a public place? Photographing me? Video taping me? What about a privately owned but still public place?
There are a lot of questions here that I think people tend to skip over about users owning information about them and being able to control it.
Making some observations out your window of cars passing by is something no one ever had a problem with. Taking down every single identifier you could and coordinating with others to track that person, for a profit, is something that would not be kosher in meat space.
Why this different just because it's on a computer?
What? Because you just decided that it does?
It's people like you why we need GDPR-like laws. I'm curious, what's your stance on the Equifax data breach? They had data that belongs to them and they could do with and treat it as they pleased, right?
