
[Sks-devel] Exploiting GDPR (Re: The pool is shrinking)


From: Hendrik Visage
Subject: [Sks-devel] Exploiting GDPR (Re: The pool is shrinking)
Date: Thu, 15 Aug 2019 20:56:59 +0200

And then reading Cryptogram this month: 
https://www.schneier.com/blog/archives/2019/08/exploiting_gdpr.html

Exploiting GDPR to Get Private Information

[2019.08.13] A researcher abused the GDPR to get information on his fiancee:

It is one of the first tests of its kind to exploit the EU's General Data Protection Regulation (GDPR), which came into force in May 2018. The law shortened the time organisations had to respond to data requests, added new types of information they have to provide, and increased the potential penalty for non-compliance.

"Generally if it was an extremely large company -- especially tech ones -- they tended to do really well," he told the BBC.

"Small companies tended to ignore me.

"But the kind of mid-sized businesses that knew about GDPR, but maybe didn't have much of a specialised process [to handle requests], failed."

He declined to identify the organisations that had mishandled the requests, but said they had included:

* a UK hotel chain that shared a complete record of his partner's overnight stays
* two UK rail companies that provided records of all the journeys she had taken with them over several years
* a US-based educational company that handed over her high school grades, mother's maiden name and the results of a criminal background check survey.


On 15 Aug 2019, at 15:57 , Stefan Claas <address@hidden> wrote:

Robert J. Hansen wrote:

I'm going to believe the privacy lawyer I pay $450 an hour to more than
I'm going to trust a sketchy website that's not even officially
affiliated with the EU.

Well, it was just one of many example sites, when one is googling
for "has the US comply to the GDPR". If one does the same he will
also find US sites giving US citizens advice.

Quoting from it:

"You may be wondering how the European Union will enforce a law in
territory it does not control."

Yep.

"The fact is, foreign governments help other countries enforce their
laws through mutual assistance treaties and other mechanisms all the time."

Yep.  Except that in America, the government *can't* help enforce many
parts of the GDPR.  The courts prohibit them from doing it.  You walk
into an American court waving a GDPR writ and it doesn't matter how many
EU bureaucrats sign it: if it intrudes on an American citizen's freedom
of speech the government is prohibited from participating.  This is
bog-standard American Constitutional law.

So as an example, US SKS key server operators do not have to honor
removal requests (in this case shut down the server) from EU citizens,
when they receive a letter from a lawyer?

I remember also that plenty of US sites (small and large) that I
did business with asked for my consent as an EU citizen, when they
changed their privacy policy once the GDPR took place.

It does not apply to US companies, except those that have business units
in the EU or have extensive business ties with the EU.

Has a US SKS key server operator then not 'business' ties with EU
citizens, when storing their personal data like name and email address?

And has Mr. Rude then the right to freely distribute this data, without
protecting it, to the whole world? If that is the case then EU citizens
having 'business' with the US can do the same with US citizens' data.

Well, just my thoughts.

Regards
Stefan

--
box: 4a64758de9e8ceded2c481ee526440687fe2f3a828e3a813f87753ad30847b56
GPG: C93E252DFB3B4DB7EAEB846AD8D464B35E12AB77 (avail. on Hagrid, WKD)

_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel

---
Hendrik Visage
HeViS.Co Systems Pty Ltd
T/A Envisage Systems / Envisage Cloud Solutions
+27-84-612-5345 or +27-21-945-1192
address@hidden



Attachment: signature.asc
Description: Message signed with OpenPGP

