7 comments

[ 2.9 ms ] story [ 24.5 ms ] thread
If you remove "anything that you could conceivably use" to identify a user from the data, is it exception to GDPR?

What if you store only unidentifiable data and enforce pseudonymity? There would be still ways to connect data to a person using forensic techniques like text analysis, but that would be hard.

There's always grey areas with everything, and something like this would likely come down to a court decision.

Was the person who removed the PII acting in good faith and to the best of their ability?

So, if I understand this right, a dating website cannot ask you your sexual orientation, hobbies, religion, or really anything that might be useful in finding a match. Am I missing something? Can personal health forums not exist for EU residents, since it's not "legally required" to collect health information from forum participants? Either I'm not getting this, or it's insane.
From what I understand, a website can ask you for anything but they need to explicitly get consent (unlike say cookies policies) and they need to inform the user what the data is used for.

In your dating example, the user agrees the company can use the data to get a match. The company can't use the data for other purposes.

Well, that's not what Article 9 says, at least according to this source.

"Unless required by some other law (employment or real estate) – don’t collect any data about race, politics, religion, union status, health data, sex life or sexual orientation."

That's an oversimplification. You can collect it, but you have to be very careful about securing it and not misusing it.

In the real world, those collecting this data are in fact generally misusing it or storing it insecurely.

That makes more sense. Thanks for the explanation.