undefined | Better HN

0 pointsNextgrid4y ago0 comments

It seems like that's what's happening here though. The IAB appears to take all the blame while everyone else gets away.

0 comments

They lose all the data though. They may have avoided some name smearing but it's the data that they really want.

I'd argue that the data has already been integrated into ML models or mixed in such a way that there's no way to even tell where the data originated from. While the logical conclusion would be to just delete any data they can't prove a legitimate origin for, I very much doubt this is going to happen.

Most importantly, tens of billions have already been made using this ill-gotten data.

heavenlyblue4y ago

Or just force all models to be deleted that had any input of that data in the first place. If they don't do that in practice let the whistleblowers do their job in exposing the companies.

1 more reply

tomjen34y ago

The GDPR doesn't apply to data that can't be related to a natural person. Those models would therefore no longer be under the scope.

Another example: You get consent from me, count your distinct visitors for January and I revoke my consent tomorrow. You do not have to change your visitor count retroactively.

2 more replies

Guest424y ago

I wonder if these models would become inaccurate over time without the data inflow.

tremon4y ago

I'm not sure to what extent this should be classified as a data breach, since the data was in effect illegally harvested and processed.

In case of a data breach, the controllers (i.e. the 1000+ companies) would be required to provide notification to the respective supervisory authorities of the affected users [33] -- although due to the one-stop-shop mechanism, that notification will be considered already done. But on top of that they would also be obligated to inform the affected users themselves [34].

Article 34 also includes this stipulation: The communication to the data subject [..] shall not be required if [..] it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Note that these requirements are on the controllers, not the processor. IAB in this case is the processor. So if the data authority were to consider this a data breach, the controllers would not get away scot-free.

[33] https://gdpr-info.eu/art-33-gdpr/

[34] https://gdpr-info.eu/art-34-gdpr/

j / k navigate · click thread line to collapse