THE GDPR AND DFIR
THE IMPACT OF THE EU GENERAL DATA PROTECTION REGULATION ON DIGITAL FORENSICS AND INCIDENT RESPONSE
Tag: GDPR
Daniel GoldsmithI find it incredible that the Telemedia Act, as enacted, claimed to be an implementation of Directive 2000/31/EC - the e-commerce directive - and yet appears to primarily be in use as a method of rent-seeking by unscrupulous individuals. The scope of the Directive (and thus the intended scope of implementing laws) is on the sale and supply of goods and services in the online sphere.
Secondly, and having said the above, I still do not agree with your initial contention. It is my opinion that the hugely restrictive German definition of personal and household activity (doubtless emanating from the critical overreach of the Telemedia and the Abmahnung) is not one which has any reasonable prospect of being adopted widely by other DPAs or by the ECJ. The ECJ has given no support to the idea that website takes on the characteristics of a commercial activity merely by being related to the site-owners profession. Nor has the ECJ given any support to the idea that merely publishing to a publicly-accessible website would be beyond the boundaries of what is considered “personal”; if this were the case, then why provide a personal activity exemption at all?
I agree with Daniel's assessment of the GDPR and how it applies to personal websites. The German interpretation of the GDPR is too restrictive and in my opinion, most likely unenforceable.
GDPR : Devil in the Details
There’s also a grey area around accountability and proof of data-handling compliance. “The GDPR requires that you can show evidence that you’ve received a request and taken action in an appropriate timeframe,” Klassen explained.
And that, he explained, carries its own set of new privacy considerations, many of which will be challenging for U.S. companies looking to comply with the regulation.
“It gets tricky,” he said. “When an individual makes a request, the company has the right to ask for proof of identity, because after all, that could be catastrophic if they erase the wrong person’s information or return a different person’s information. So for instance, Google requires you to take a picture of your passport—then the question becomes whether you’re giving them information that’s more sensitive than the data you’re looking to access.”
Further, companies can’t erase that proof of ID.
“A data subject can say, that wasn’t me, prove that it was,” Klassen explained. “So if they don’t have that proof, they’re in trouble.”
Ugh! My head hurts thinking through all the technical problems created by this piece of legislation that was most likely created by lawyers and bureaucrats without an understanding of technology or process. I can't even get a straight answer as to whether my simple blog needs to be compliant nor can I afford to pay a lawyer to answer that question. And even if I needed to be compliant, I am certain it would have a financial impact on my ability to operate this website.
You're a photographer in an E.U. member country. You snap a photo of someone or group of people in public or at an event. You get signed content to use the image for news reporting or your website. The image is published in a newspaper/magazine/website. One of the people in the image later object to its use and wants the image removed. What do the photographer and publisher do? How do you recall and destroy all copies of the newspaper or magazine? How do you ensure that the online image has not been downloaded and copied elsewhere by people /entities you have no control over?
