
> But it's not "their" data. It's the webmaster's data.

No

> It rightfully belongs to the webmaster.

No, you are completely wrong here. The basic point of the legislation (and other privacy legislation in the EU that came before GDPR) is that a user's personal data absolutely does not belong to someone else once collected.



I hate this binary choice between all or nothing

Your personal info, username, account settings, marketing analytics, etc. are definitely your data and you should be free to have them deleted.

The two year old IPs in a server log sitting in backup, or a chance occurrence of your username in a random call stack for some web exception is not your data, and you shouldn't force a business to have to dig through that mound of digital noise to satisfy your deletion needs


You're not required to delete information from archival data such as backups


I obviously wasn't talking in a legal sense, I was talking in a "what's actually right and good" sense. The law doesn't make something right. Rightfully, the information belongs to the webmaster. Under GDPR, users get to put a leash and muzzle on webmasters.


Well, I'd say it's also not at all rightful in a "what's actually right and good" sense.

And as others have pointed out, no the users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do with personal information about their users. But feel free to argue that it is your moral right to sell users' e-mail addresses to some spammer or whatever.


"users don't get to put a leash on webmasters, it just allows the users to retain some degree of control over what the webmasters are allowed to do"

I'll let that excerpt speak for itself.

And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary.


> And yes, I'm arguing it's anyone's moral right to profit off information voluntarily entered into their website unless a specific agreement was made on the website to the contrary

Views like this are exactly why we need the GDPR.

I find it utterly ridiculous - disgusting even - that you really believe you have the right to do whatever you want with someone else's personal information. When you provide an email address, physical address, name or other PI, it's with the expectation of it being used for a specific purpose - it should absolutely not give you the right to sell that information to the highest bidder.


Why not? I have yet to see anyone arguing for data protection legislation actually give a reason that they think a user's data belongs to the user.


I've never heard anyone complaining about it give a reason why they feel that it belongs to them.


Equifax.


The Equifax breach was already illegal - I assume you mean you think that websites shouldn't keep user information to prevent future data breaches.

This is a bad solution to that problem. So many people's data was stolen that preventing future data from being stolen isn't the most important thing we should be doing. Last I heard it was 150 million people - that's enough that it no longer really matters to the average person if their data is leaked in the future because there's such a high chance it already has.

The real solution is to change our systems so that data leaks aren't a big deal. If people didn't ask for a 9 digit number to identify me, as if that's a reasonable thing to keep secret, then it wouldn't matter if everyone in the world knew it. That's the problem with data breaches like this. That's what we should be fixing in response to it.


And I find it equally disgusting that you think users' feelings are more important than webmasters' property rights.


Holy shit man, did you come right out of "Atlas Shrugged"?

This isn't even users' feelings, this is data that can a: have monetary value and b: can be plain wrong and damage a user.

Do you think that merely by observing data you have right to it? Do you not believe in any IP law? If you agree with any type of IP law then you are just being hypocritical by insisting that webmasters get to take and use whatever data they come across


>Do you think that merely by observing data you have right to it?

Yes, with some exceptions for actual copyright and the like.

>Do you not believe in any IP law?

IP law, yes, but I don't feel a user's entries into a website automatically qualify as IP owned by the user. The terms of many websites actually say that whatever you upload to them is owned by the website, unless a prior IP applied to it. I've only ever heard the claim that your name et al. are your inherent IP from "Sovereign Citizens" before.


IP law is not a natural right. It's been encoded into existence by laws. The GDPR is encoding new rights into law with regard to personal data.

I don't see a way to declare one bad and not the other unless you're just saying that new things are bad.

Additionally the terms of websites can say whatever they want but it doesn't mean they are legally defensible. I could put into my terms "by finishing this sentence you agree to be enslaved by Lovich LLC" but that doesn't make it happen


A bunch of 3rd party trackers collecting every move you make with your cursor probably won't fit most people's definition of 'voluntarily entered into a website'.


As a webmaster, I have an absolute right to carve '192.0.2.7 requested /foo.html from me' into stone and store it for posterity.

The GDPR prohibits me from doing that, and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.

Some people, on hearing this, say, 'well, that's fine, you can just store 192.0.2 or 192.0 instead.' That seems pretty silly to me, since the whole point of logs is that they contain full information.

The GDPR tries to do the right thing, but it's broken. Immutable logs are a fundamental right.


I also would prefer more clarity in the area of logging IP addresses, and would like to have a clearer consensus on what is allowed here. I think we will get a clearer picture after a bit of time.

It appears to me that as long as you don't use the logs for nefarious purposes you'd at least have legitimate interest in processing them (including the IP addresses), and so could keep them. This is the stance I am taking with respect to my personal webserver (together with a time limit after which logs are deleted); if a regulatory body informs me to change my approach, I'll gladly adapt.

Note also that IP addresses can be personal data, but do not have to be. Most claims here seem to relate to a ruling, where the IP address was deemed personal data in the hands of an ISP, who would be able to resolve it to a real person [1]. If you hold an IP address, but can't connect it to a real person (e.g. by having legal means to convince the ISP to give you that name based on the address), then it seems the IP address would not even be personal data in the first place. In the particular ruling, the operator of the webserver was the German government, which presumably has more legal power to make an ISP turn over identifying data on a customer than a random website would have.

In any case, I hope some more clarity about this will emerge soon. But what you are talking about here would at best be a borderline infraction (and probably just be covered under legitimate interest). OTOH, what the person starting this thread had in mind seems to be that all the data he might collect on his users is fair game to do with as he pleases.

[1] https://www.whitecase.com/publications/alert/court-confirms-...


> The GDPR prohibits me from doing that,

No it doesn't.

> and in fact requires that I have the ability to rewrite history by removing that fact if the user who had 192.0.2.7 ever requests it.

No it doesn't.

https://gdpr-info.eu/art-17-gdpr/


> The law doesn't make something right.

I absolutely agree. If you feel a law is wrong, it is your absolute right to say so and demand change. This is the basis of all law and civilisation. The consensus of what is right-or-wrong is what makes a society.

Go for it.


I'm sure the person you're replying to is also talking in the 'rightful' sense. While the data collected technically belongs to you, it can still be a privacy violation. This is extremely important on the web where it's very easy to share that data, make it public or accidentally leak it.


It can be a privacy violation but the idea of a fundamental right to privacy is not universally supported like free speech.

If it is a fundamental right, how far does it go? Should I be able to sue you for watching me walk in a public place? Photographing me? Video taping me? What about a privately owned but still public place?

There are a lot of questions here that I think people tend to skip over about users owning information about them and being able to control it.


There are lots of laws against following someone and observing/recording every move they make.

Making some observations out your window of cars passing by is something no one ever had a problem with. Taking down every single identifier you could and coordinating with others to track that person, for a profit, is something that would not be kosher in meat space.

Why is this different just because it's on a computer?


The laws you talk about are, I think, laws about stalking. I'm not aware of any laws that apply to that kind of thing if it happens on a massive scale. Singling someone out is an important part of stalking.

Keeping detailed information about everyone that enters your store isn't illegal, as far as I know. Especially not information that is gained from observation (what color shirt they're wearing, their IP address) and information that is submitted willingly (their name given for a reservation at a restaurant, their username).


Would any of that actually be illegal in "meat space" as long as it didn't qualify as harassment?


Would any data collection on the "internet" actually be illegal as long as it didn't qualify as illegal data collection?

The whole point of the law is to say it's illegal, the same way laws made stalking people illegal.


I'm sorry, but I cannot buy the argument that this is in any way, shape, or form related to "free speech".


I wasn't trying to say it was - I was simply saying that when you base an argument on free speech, you don't have to explain why free speech is a good thing because it's generally accepted by everyone to be a good thing.

In this case, a lot of people base their argument on a fundamental right to privacy which is not generally accepted by everyone and therefore it has to be explained because it's an important part of the discussion.


Free speech of a webmaster being infringed by not allowing them to repeat information that their users gave them. Easy.


Nope. That is not a free speech issue. It is an irresponsible business issue.

Also, no one who actually does this stuff for a living uses the term "webmaster".


>Also, no one who actually does this stuff for a living uses the term "webmaster".

Have I been hallucinating my workplace this whole time?


> Rightfully, the information belongs to the webmaster.

What? Because you just decided that it does?

It's people like you why we need GDPR-like laws. I'm curious, what's your stance on the Equifax data breach? They had data that belongs to them and they could do with and treat it as they pleased, right?



