
This is horrible. So right now, in order to get access to data for a certain person, you need to hack your way through a few of the potential services he is using and drive from there.

1. The data might have things like IDs (i.e. crypto exchanges).

2. You can use that data to ask for more data. If you got a copy of his passport, now you can ask for more with this new piece.

3. Looks like some people still store passwords in plain text or don't mind exchanging that over email. This means some of these services might reveal a password to you.

4. With that, you can start hacking into other accounts. You also have loads of knowledge about the person, so you might be able to guess his password.

5. Now you have access to his email, dropbox, banking details and maybe even lock him out.

Right about time: https://en.wikipedia.org/wiki/Cobra_effect



One of the major goals of GDPR is to discourage firms from retaining personal data in the first place. It did not use to cost them anything, so they kept it regardless of its use. Now that there are big risks to keeping it, these firms have to think twice about it.

This "cobra effect" is one more reason NOT to retain personal information in the first place.


And yet other laws require the collection and retention of sensitive user data, in particular any service that allows for transmission of large amounts of money (crypto exchanges were a good example).


That is well covered within GDPR scope. Retaining data to fulfill legal obligations is allowed. One common related example is invoice data.


But then "just don't keep the data" is not an effective response to these attacks of requesting someone else's data.


Yes, it requires people to be trained in this area to make these judgements ... imagine that!


How well is that turning out? You can't rely on people to get it right 100% of the time. I definitely wouldn't.


I signed up to a crypto exchange, then I requested removal of my account and data and they said they cannot delete my data. Guess what? I had zero transactions, the account was new, etc. They are legally obliged to keep almost nothing for 7 years. How lovely. At least they were open about it, right? Some will just tell you they deleted your account when in fact it was just a soft delete. Screw these places. I, for one, hope that Bisq will become popular.


You don’t have to get it right 100% of the time, you just have to look like you’re trying.


Not to mention anything that requires the provision of real-world goods and/or services. If a data protection law ever had sufficient teeth and regulation to cause Uber or Seamless to force a user to type their credit card information and home address every time they wish to make a transaction, it would be wildly decried as paternalistic by the public. And those companies are equally vulnerable to this type of social engineering.

GDPR identity verification as a service would be an amazing thing to have. Articles like [0] bring up a sad irony: in order to verify someone's request to delete their information, you need to obtain information from them in an unusual way that you may not have built infrastructure to easily or automatically delete.

[0] https://www.braze.com/perspectives/article/gdpr-compliance-d...


I'm not sure why everybody here seems to think that sites need to fork over all data they have in store via e-mail if a registered user requests it via e-mail.

A site could easily be compliant by answering general questions (this is what kind of data we have, this is how we collect it, this is what we need it for, this is our legal basis) via e-mail but requiring data exports to be performed via the site itself.

The GDPR actually encourages sites to provide automated self-serve data export mechanisms. The entire point of being able to request a copy of your data is data portability.

"But what if the user never signed up?", I hear some people ask. Why did you collect their data in the first place? If you collect sensitive data like that described in the BBC article, you better have explicit consent and if you have explicit verifiable consent, you should be able to verify a request is made using the same identity that granted the consent (be it an e-mail, a phone call or a signature). So just ask for that again.

Also, if you can't easily comply with a data request because the data is so sensitive and the identity can't easily be verified, you can still explicitly say so. Describe the kind of data you have and offer to delete it, then offer whatever form of authentication is adequate given the level of sensitivity of the data in question should they still demand it.

I'm not sure why some people seem to think this is particularly unreasonable. Just because it isn't code, doesn't mean you have to reinvent authentication from scratch. Think of how you identify someone before you agree to store their data. You already do that for all other business processes, why should data requests be any different?

EDIT: Also if you figure you can't easily verify someone's identity after you took their data, that sounds like a good reason not to take their data in the first place. And that's the entire point of the GDPR: minimising personal data. The GDPR makes personal data toxic and that's intentional. Just like toxic substances you need special precautions for handling and storing it, and you probably want to avoid both unless absolutely necessary.


Which I agree should become a new habit. Yet the mandatory right to access doesn't help.


I'll let you in on a secret. Government institutions, which in general have huge amounts of information about you and are notoriously bad at security, don't even get fined under the GDPR. The worst that can happen to them is bad press.

So the institution that has all the healthcare data of all German citizens cannot get fined under the GDPR. Same with any other KdöR.

https://de.wikipedia.org/wiki/K%C3%B6rperschaft_des_%C3%B6ff...

EDIT: weird, any explanation for the downvotes?


I've heard of local GDPR complaints and enforcement actions (no fines yet, in administrative proceedings) against various state agencies, municipalities and also hospitals, so it does apply to state institutions at least to a certain extent. They have it a bit easier with the reasons for processing, as usually there's an existing law that mandates (and thus allows) the data processing they do, so they usually don't need consent, but the other requirements should apply.

Why wouldn't GDPR apply to German KdöR? I'm not aware of any exemptions in GDPR that could apply to them; governments can make specific local exceptions for national security, defense, judicial process, etc. needs (https://gdpr-info.eu/art-23-gdpr/) but Germany shouldn't be able to simply exempt all their KdöR.

One thing is that in some jurisdictions public institutions can't be required to pay fines to the regulator (because transferring money from one gov't pocket to another doesn't make that much sense); however, you can still get an administrative ruling forcing them to change their policies, and if your rights have been violated, then you're entitled to compensation. The "can't be fined" only applies to stuff they'd owe the regulator, not regarding harmed individuals.


> weird, any explanation for the downvotes?

Yes, you're simply wrong. Government agencies do not have a blanket exemption from GDPR rules. There are some differences, and EU countries have some autonomy in the particulars. But as a general principle, the rules are the same: data may only be stored to fulfil a valid purpose, processing and transmission require consent, etc.

Fines don't make any sense in that regard because the government is never fined: first, because it wouldn't make much sense, as fines are payable to that very government anyway. But also because government officials are simply expected to respect court verdicts without the necessity of fines.

If you don't trust that system you're out of luck, because it's how every single other protection you have against the government is and has been enforced since the inception of "the rule of law".


We had a mayor fined for sending out election mails to a list of subscribers to a list intended for other purposes. Not exactly "big government agency" but it still counts.

The downvotes are probably because you failed to cite the laws that exempt government agencies from the GDPR.


It's fairly well cited all over the internet that the EU commission and other European institutions claim they are exempt from the GDPR, after they were found to be in breach of the legislation it created.


This does nothing to discourage keeping data around. A company does not care if they, while following best-effort GDPR practice, release data to a hacker that causes harm to a user. They can simply hide behind the GDPR legislation to say “we did nothing wrong, the law is broken, we were trying our best, we accept no liability”


They are still liable, the waiver is not acceptable under EU law for personal data.

How big a liability it is, is to be decided in a court of law.


Disclosing data to an individual because you make no attempts to verify their identity is in itself a GDPR violation. As far as the GDPR is concerned it doesn't matter whether you were hacked or whether your employees recklessly exposed information to individuals. The only difference is scale and scope.


This is not a problem with GDPR. This is a problem with organizations (companies and governments) treating public data as private keys.


Not private keys, secret keys. "A Secret is something you tell one other person [So I'm telling you]".

But yes, that's exactly the problem, the Credit Reference Agencies actually sell this as a service. They think it's a big improvement, and if they're right that ought to be terrifying - what was being done before this crap? "Nothing" is likely to be the depressing answer.

"Hey, we can tell if this is really Dave Smith, because we'll ask "How much did you spend on your credit card in May?" and the real Dave knows the answer, and so do we." Well yes, and so does anybody who saw Dave's card statement, and people at Dave's bank, and the card company, and... also when Dave answers $849.28 that won't match and gets a bad user experience. Oh you mean the _other_ credit card. Yeah, Dave only spent $30.26 on that, he mostly uses it to buy fuel for his jet ski... So you try to solve this: "How much did you spend on the VISA ending 4282 in May?" Now you've given away a useful fact to an adversary. Idiots.


Moreover, it's a problem with the current state of "identity" as a whole. Most of the data received in the article - passports, addresses, phone numbers, credit cards - does not change very often. Some documents expire, but even then it could be valid for another 3 - 10 years.

We need to move to a system that allows rapid expiry of PII data. Then it will not matter if someone is able to social engineer this data from all these companies. By the time the data leaves the company's HQ, it is already out of date and therefore impossible to use with new services.


I had a thought awhile back. In the vast majority of uses, identity is exactly the issue. Yet in the vast majority of compromises or problems, the problem is correlation and combination of data. By this I mean it seems to me that, say, the Social Security Administration needs to be able to identify a citizen in order to know whether and how much they need to pay a person of a certain identity to avoid paying the wrong amount, the wrong person, double-paying, etc. There does not need to exist an identity which spreads beyond that. Your credit card company does not need to use the same identity, and a unique identity which functions solely within the context of the credit card account is all that is needed. Instead, we have identities that get spread across multiple services even though there is never any actual need to relate or correlate the activity across those services. This seems like the sort of situation that cryptography can solve, although obviously there would be a lot of usability work to be done. But it seems to me that cryptographically unrelatable distinct identities which have only 1 possible point of aggregation (you) is what is needed.


I've heard that in Japan, stamping with your personal stamp is accepted (and perhaps sometimes even required?). They have made electronic gadgets that store their stamps as images so that they can directly sign (stamp) an electronic document (using a specific input device).

I think we should have something like this, but with a personal certificate instead of an image. Of course I guess it requires some logistics (lost/stolen stamps, expiration dates, perhaps the stamp should be activated with fingerprints...).


Isn’t this equivalent to stamping PDFs with your signature like we do elsewhere?

Also the stamp has to be registered to have legal value, which makes it tough to change.

But your idea of signing with the result of some personal certificate is very nice. It can be checked by crypto, is different every time, and it wouldn’t matter how it is signed, if it’s easy to reproduce the content, etc.


> Also the stamp has to be registered to have legal value, which makes it tough to change.

This is not actually true. Some stamps need to be registered (for example the stamp for corporation), but personal stamps for most applications don't need to be registered -- even for bank accounts. I have several and I'm always forgetting which one I used for my different bank accounts :-P.

One of the strange things about Japanese stamps is that if you let someone have your stamp, then it is considered that you have given them permission to do whatever they want with that stamp. The very fact that they have the stamp means that they are authorised. I got very angry at my previous employer (the government, no less) when my contract was over. They demanded that I give them my stamp I had used for stamping my time card. It happened to be the one I used for my bank account too (because I was clueless at the time!) It took me a couple of months to work around that. If you are ever working in Japan, treat your hanko (stamps) exactly the same way you would treat your encryption keys: use a different one for each application if possible.


As far as I know the registering part is mandatory for legal use but lets the accepting party decide to check it or not.

For instance, as you point out, for banks you can open an account without any check (you’re giving them money) but you won’t get a mortgage without proof of registration (they’re taking the risk).

At a previous company my boss had his company stamp (a shachihata) in a drawer for us to use when he’s not there. It’s interesting because by the rule of law we would be the ones at fault for using someone’s stamp, so it had better be for stuff he approved verbally or other ways.


Too bad anyone can access your stamp if you simply lose it. When I first saw the stamp thing for myself, I couldn't fathom how anyone would consider that secure. Better than a signature? Maybe. But easily reproducible and too tangible to consider safe.


See the examples below in discussion with personal certificates and signing keys embedded in gov't ID chipcards of certain European countries. Estonia has had this for more than a decade already and now many more countries have something like this.


If GDPR created new vectors of attack which didn't exist before, there's a problem with GDPR even if there are also problems with organizations. Otherwise, you have just created a perfect excuse for any lawmaker: "my law was written with good intentions, so it's not my problem if there are unintended consequences".


Uhm, the corporations handing out private data to the wrong person are definitely violating the GDPR or probably some earlier privacy law, because you also weren't supposed to give out people's personal data like that before the GDPR either.


The only shocking thing to me is this is the first time I’ve seen any story about this hole in the GDPR. This was one of the top reasons we blocked and deleted all EU users. How do I verify that a request is legitimately from a user, short of them arriving in person and providing some biometrics, which presumably we would need to collect from them in the beginning?

I have no idea. Any system with a high false negative rate is breaking the law, and one with a high false positive rate seems even worse.


That is true. But it is the current state of the world and GDPR enables people to more effectively weaponize that.


How is that not a problem with GDPR? They passed a law which relies on technology which does not exist. There is no way to safely and reliably identify an individual electronically.


Unless you live in Estonia, where each citizen has a private key (on a smart card) and can electronically sign things to prove identity.

Governments could work with big tech players to confirm that certain Gmail/Facebook accounts are linked to one, and only one, national identity. Then through OAuth, you could use that to log in anywhere else, proving you are a real person with exactly one ID (which needn't be revealed, just confirming you have exactly one account).
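Two comments in this thread sketch the same mechanism from different ends: the earlier one asks for cryptographically unrelatable per-service identities whose only point of aggregation is the user, and this one points at Estonia's smart-card private keys used to sign a proof of identity. The following is an added example written for this thread, not code from any commenter, the Estonian ID system, or any GDPR tooling. It assumes a user-held 32-byte master secret (in practice it would live on a smart card or secure element), derives a separate Ed25519 key pair per service with HKDF-SHA256 (the `hkdf32` helper, service names such as `"bank"` and `"dating-site"`, and the account name `"alice"` are all constructed for the example), and shows a service verifying a data-subject request by a signed challenge rather than by knowledge-based questions about card statements. The service stores only a public key, so a leak at one service gives no key that can be reused at another, and the public keys at two services cannot be linked without the master secret.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hkdf32 is a minimal RFC 5869 HKDF-SHA256 (extract, then one expand block),
// written against the standard library so the example has no dependencies.
// It returns 32 bytes, exactly one Ed25519 seed.
func hkdf32(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil)
}

// ServiceKey derives the Ed25519 key pair a user presents to one named
// service. Seeds are HKDF(master, info=service), so the public keys handed to
// "bank" and "dating-site" cannot be linked to each other without master:
// the user is the only point where these identities aggregate.
func ServiceKey(master []byte, service string) (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := hkdf32(master, []byte("per-service-identity-v1"), []byte(service))
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignChallenge is what the user's device (or card) does with a challenge.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Service keeps only the public key registered at signup: it holds no secret
// that could be phished out of support staff or leaked and reused elsewhere.
type Service struct {
	Name  string
	users map[string]ed25519.PublicKey // account id -> registered public key
}

func NewService(name string) *Service {
	return &Service{Name: name, users: map[string]ed25519.PublicKey{}}
}

func (s *Service) Signup(account string, pub ed25519.PublicKey) {
	s.users[account] = pub
}

// Challenge issues a fresh nonce bound to this service and to the purpose, so
// a signature obtained for one request cannot be replayed elsewhere or later.
func (s *Service) Challenge() []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return []byte(s.Name + "|data-subject-request|" + hex.EncodeToString(nonce))
}

// VerifyRequest accepts a data-subject request only if the requester proves
// control of the key registered at signup, i.e. the same identity that gave
// the original consent, instead of answering questions an attacker could look up.
func (s *Service) VerifyRequest(account string, challenge, sig []byte) bool {
	pub, ok := s.users[account]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	master := make([]byte, 32) // constructed stand-in for a card-held secret
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}

	bankPub, bankPriv := ServiceKey(master, "bank")
	datePub, _ := ServiceKey(master, "dating-site")
	fmt.Printf("same public key at both services? %v\n", string(bankPub) == string(datePub))

	bank := NewService("bank")
	bank.Signup("alice", bankPub)

	ch := bank.Challenge()
	sig := SignChallenge(bankPriv, ch)
	fmt.Printf("genuine request verifies: %v\n", bank.VerifyRequest("alice", ch, sig))

	// Someone who knows Alice's name, address and card totals still has no
	// key to sign with; a forged signature is rejected.
	forged := make([]byte, ed25519.SignatureSize)
	fmt.Printf("forged request verifies: %v\n", bank.VerifyRequest("alice", ch, forged))
}
```

The point of binding the service name and purpose into the challenge is that a signature a user produced for one site is useless at another, which is the property a shared government-issued identity would lack if the same key were presented everywhere. Deriving keys deterministically from the master also means the user stores nothing per service; only the master has to be protected.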


Too bad the rest of the EU doesn't live in Estonia, it would have made GDPR much better.


In my country (Oz) we had a referendum a few decades back about a national ID card, which failed to pass. I for one am against any form of centralised ID system. The basic premise (of the time) was, "if you want to know me, here I am". The government department of Births, Deaths and Marriages goes to some lengths to ensure that these 3 things are not tied to any one number. Ironically, the government got what it wanted when it introduced a Tax File Number, and it has bled into some other systems like banking, but thankfully it's not as bad as the U.S.'s SSN.

I seem to recall reading here on HN a few weeks back how surnames came into existence: it was because the (? Italian) government wanted to track taxes. Before that everyone had several ways of naming themselves: John, John son of Joe, John of someplace, John the carpenter, etc. Personally, I really like that because I'm not just "one thing", but am a person who has different aspects.


You reap what you sow unfortunately. The fact is that the government still keeps track of you but you just have a boatload of downsides by not having a proper system citizens can use.


Any centralized identity system solves a problem we don't have. It doesn't simply serve to identify a person. It serves to aggregate an identity and tie together extremely disparate and unrelated data. It enables a data leak or abuse to not just compromise one service, but all of them at once. If there is a leak of data from, say, a dating site that involves dumping the public keys of the users alongside the user activity associated with it, then the credit card company and electric company and water company and the gaming forum you signed up for and multitudes of other utterly unrelated organizations now have the ability to correlate your dating activity with your activity on their service. The identities on all of those separate systems being the same identity is the problem a centralized system solves. And it's a problem we have never had.


> Any centralized identity system solves a problem we don't have.

You already have one; SSN and similar absolutely count and allow aggregating different data. Not to mention that you're absolutely forgetting about the fact that humans don't have a lot of entropy; k-anonymous data is not what we have by default. You are wrong about a centralized system "providing a way to aggregate data": it just makes it easier. I live in a country that actually gives citizens access to a centralized identity system and I'd say it has solved much more than you're giving credit for.


Interesting that you consistently refer to the target as "he" as if women weren't a major target of this kind of campaign.


Some people refer to hypothetical people in stories as the same sex as the person describing the story. I'm not positive, but I imagine the parent is also a "he". I don't consider this important at all, and I think you're being pedantic.


I guess I agree it's a form of pedantry, but once you're a bit used to reading singular "they" (and it's hard to escape nowadays) you get used to it, and the opposite starts looking weird. Also, it's pedantry that seems to actually be socially beneficial: https://www.theguardian.com/science/2019/aug/05/he-she-or-ge... (I don't agree with everything being done for "gender-neutral language", especially in German. But this particular case is simple and useful enough in English.)

For whatever it's worth, the reason this tripped me up here was that I had to read the original post several times because I thought that "he" was referring to the attacker (as in the featured article), not to the target. Re-reading it now I don't quite see why I was thinking that.


I use non-specific terms like "they" as often as I can, largely because I don't want my audience to be tripped up with superficial distractions. I don't read into other people's wordings with contempt unless I know for certain they're being malicious. I think the saying goes something like... Don't attribute malice where ignorance would suffice...


Please stop seeing *isms everywhere. It's equally possible that he isn't a native speaker.


You could equally have praised the OP for not stereotyping.



