Frank Rausch

PSA: If an American corporation says they are not able to delete your data for legal reasons and offer to “close” your account instead, tell them you’ll file a GDPR complaint against their EU-based subsidiary.
I got a deletion confirmation and an apology within 10 minutes. 🇪🇺

92 comments
Zephod Beeblebrox

@frankrausch But that applies only to data held on their EU based servers, surely?

always tired (moved to chaos)

@BritishTechGuru @frankrausch No. Act on the EU market, follow GDPR or else. Regardless where the servers are.

Patrycja

@BritishTechGuru @frankrausch no, GDPR applies to all entities that process the data of European citizens - this was a meme back when GDPR was originally put into law and some US companies instead just blocked all IPs originating from the EU, or hardcoded to return "451 Unavailable For Legal Reasons"

CubeThoughts

@BritishTechGuru @frankrausch

Not just citizens - actually it applies to the processing of personal data of all data subjects within the EU even if the processing is done outside of the EU. Article 3 sets the territorial scope, with recitals clarifying. gdpr-info.eu/art-3-gdpr/
@ptrc

Tane Piper ⁂

@ptrc @BritishTechGuru @frankrausch Yep pretty much any local news site in the US does this - lazy devs/management don't want to pay for it so better to just block the traffic than fix their shitty advertising.

joël

@tanepiper @ptrc @BritishTechGuru @frankrausch this is annoying 1-2 times a year for me, but as an USian I'd ask them WTF they are doing with my data

dark_stang

@BritishTechGuru @frankrausch location of the data does not affect GDPR rules. If they operate in Europe, they have to follow the rules. Even if they contract the work to a 3rd party outside of Europe.

Zephod Beeblebrox

@dark_stang @frankrausch "operate" so if they have an office in Europe. I can't see somebody just selling stuff to people in Europe much caring.

Julian Andres Klode 🏳️‍🌈

@BritishTechGuru @dark_stang @frankrausch It becomes harder/impossible to enforce without an office but technically no, even if you are fully US company and you sell to Europe you are bound to GDPR.

What we gonna do - throw executives on EU trips into jail until GDPR compliant?

goedelchen

@juliank @BritishTechGuru @dark_stang @frankrausch Why not? It's not that the US wouldn't do it (ask Swiss bankers)

Andreas K

@goedelchen @juliank @BritishTechGuru @dark_stang @frankrausch

Actually, not really a risk. GDPR is generally administrative law, so jailing people is atypical. And in most European countries, judges don't jail people just because they irritated them.

So I don't think there is much of a risk of arrest. OTOH, the fines are painful, somehow generally the EU/MS get their money.

Nick

@juliank @BritishTechGuru @dark_stang @frankrausch As for enforcement, ask TikTok. The Italian regulator banned TikTok from processing data for children accessing dangerous content, resulting in a death, and TikTok scrambled to fix its age verification measures and re-verify all users in Italy.

Julian Andres Klode 🏳️‍🌈

@Nickiquote @BritishTechGuru @dark_stang @frankrausch It depends on the country and whether they'd go order the ISPs to ban the services at the DNS level, ultimately that's not universal across them, but that's a pressure point.

Nick

@BritishTechGuru @dark_stang @frankrausch The test isn’t “operate”. Companies with an “establishment” (subsidiaries, agents etc) in the EEA are caught. Companies without an establishment in the EEA but offering goods or services to EEA data subjects are separately caught and are required to appoint an EU representative for enforcement/liaison with regulators. If you do not comply the fines are up to 4% of global turnover. Identical rules apply in the UK.

Zephod Beeblebrox

@Nickiquote @dark_stang @frankrausch

That would lead to an interesting situation if I set up some online business and shipped a packet of cards to a Paris customer. Then I get a nasty message that the gendarmes are after me for my non compliance.

When I eventually stopped laughing, I might even tell them to bring it on.

DevWouter

@BritishTechGuru @dark_stang @frankrausch

No, “operate” as in “provide service to those in the EU”. Simply go to the EU for a day and call the companies. The law applies even if you don’t live here.

Natanael ⚠️

@BritishTechGuru @frankrausch if you're a EU resident and they serve you in EU, then all their global operations are covered and the EU branch is simply the easiest one for EU to extract the fines from if they don't comply.

Plenty of companies with no presence in EU don't care because enforcement is impractical, but those who have physical branches here are much more motivated to comply once the regulator calls them

Zephod Beeblebrox

@Natanael_L @frankrausch I wonder if that was part of the brexit motivation?

Tim Ward ⭐🇪🇺🔶 #FBPE

@frankrausch Bet they haven't though. Nobody is *ever* going to go through all the backup tapes with a pair of scissors and snip out your information, for example.

Frank Verhoeven

@TimWardCam @frankrausch Assuming the backups are cyclical - your data will get purged *in the end*.

LukefromDC

@Flies4no1 @TimWardCam @frankrausch By that time it could get leaked, sold, or subpoenaed

Tim Ward ⭐🇪🇺🔶 #FBPE

@Flies4no1 @frankrausch Maybe. After the "we have to keep everything for six years in case of a tax audit" has expired (in the case of any business you have financial dealings with).

Szymon Nowicki

@TimWardCam @frankrausch they do. At company I work we have long backups and yes there is a deletion concept inside them for when a user demands their data deletion. Including analytics.

Tim Ward ⭐🇪🇺🔶 #FBPE

@hey @frankrausch OK, so there are some exceptions to my "nobody". I am aware that some big data data stores have added cobbled-together half-arsed slow manual deletion features which they tell you "use only for GDPR, you can't delete from this data store as part of your application logic, this feature is just too slow and flaky".

Szymon Nowicki

@TimWardCam @frankrausch it's all automated and runs without any human intervention

Askier

@TimWardCam If you can find any company in EU or USA which doesn't delete all the user data within 12 months upon delete request, contact either a privacy administration in any country or EU directly and the company will pay you + court orders fines.

EU is bad for most things, but GDPR actually works in black and white manner.

Adora (She/Her) :flag_transgender:

@TimWardCam @frankrausch i'd be so happy if all these shitty cost cutting companies actually HAD backups.

Tim Ward ⭐🇪🇺🔶 #FBPE

@adora @frankrausch Most people have systems which, they fondly believe, MAKE backups. What's clever is also having systems that occasionally check to see whether the backups have actually been made and can actually be READ.

Adora (She/Her) :flag_transgender:

@TimWardCam @frankrausch i've never worked somewhere that didn't have a backup that wasn't just essentially a "folder on primary" or something equally stupid.

forget restore tests, they don't pass the logic tests

KrissyKat

@adora @TimWardCam @frankrausch

This reminds me of the financial collapse in 2008 when people found out the banks didn't have much documentation for credit cards and sometimes mortgages.

Jess👾

@frankrausch
It ain't like they're going to check your citizenship status.
@munin

Timothy Wolodzko

@JessTheUnstill @frankrausch @munin If they did, technically, they would be violating GDPR as well, because they would be processing the data they should not be processing for valid business reasons 😉 So checkmate.

Uncle Slacky

@JessTheUnstill @frankrausch @munin You only have to be a European resident, not citizen.

Deus
@frankrausch

deletion confirmation and an apology within 10 minutes

Could you share the screenshot of the apology and how you/they confirmed the deletion?

bouriquet

@frankrausch The EU: where government works for people, not corporations

xyhhx :PunkFelix:

@frankrausch does this work even if you're not in the EU

hazel

@xyhhx @frankrausch its not like theyre gonna check where you live

xyhhx :PunkFelix:

@h @frankrausch won't they? i guess it can't hurt to try in any case

hazel

@xyhhx @frankrausch they kinda cant (they may not have enough info to know who you even are, let alone that youre a citizen or not, and you dont even have to be a citizen for this to apply. this would not be something they could do in a reasonable amount of time) and if they were ever wrong in assuming someones not in the eu theyd be breaking the law so no they dont check

xyhhx :PunkFelix:

@h @frankrausch i *was* kinda specifically thinking about my old facebook and instagram accounts which probably would have my location data but i've not logged in for years so (as pointed out in another post) i could just lie and say i moved since then 😎

halva is

@xyhhx @frankrausch when i wanted to close a certain videogame account, i just lied about moving to germany (despite living in a country more closely associated with picking pointless public fights with the eu)

after some back and forth in emails and a threat (bluff) to file a complaint against the company, they scrambled and seemed to have removed my data lol

xyhhx :PunkFelix:

@halva @frankrausch lol ok awesome i'm bout to "move to germany" too

yosh

@halva out of curiosity what video game company because I have a video game company I want my data deleted for as well

yosh

@halva oh damn I need to delete my data from roblox but they've been incredibly uptight about me proving that I am an EU citizen for a gdpr request

ruff

@frankrausch So it's like you pretend you're going to file legal action and they pretend that they're removing the data.

goedelchen

@ruff @frankrausch Next: An u̶n̶h̶a̶p̶p̶y̶ ̶e̶m̶p̶l̶o̶y̶e̶e̶ whistleblower publishes how much data was not deleted despite being requested.

ruff

@goedelchen @frankrausch hopefully. many employees don't realize they are responsible for data deletion. and there's unlikely to be external audit as it's non-eu entity. So we can only rely on a chance.

mori_au 🇦🇺

@frankrausch For the Win!!!
It’s amazing what meaningful regulation can achieve.

Pēteris Krišjānis

@wrog @frankrausch as 99% of these corpos want that sweet European money....yes

Fazal Majid

@wrog @frankrausch California and some other US states do in CCPA/CPRA.

Rose Puckey 🏴󠁧󠁢󠁳󠁣󠁴󠁿🏳️‍🌈🇪🇺🇵🇸🇺🇦☮

@frankrausch I would love to know more details on this. There's someone I go walking with who is trying to get Deliveroo to delete all his data but they're refusing to do so. Even with the threat of a GDPR complaint they still refuse.

Winfried

@frankrausch YMMV: doing (proper) GDPR requests to US companies regularly (as part of investigations into compliance), I am seeing wildly varying results...

Chris Laprun

@frankrausch @mrchrisadams that said, what means do you have to actually check that they indeed deleted your data? It could be inaccessible to you and still be stored somewhere (and potentially retrievable in the event of a breach)…

ChrisR

@metacosm @frankrausch @mrchrisadams It is pretty difficult to completely delete data, given the existence of a functioning backup system. Nevertheless, I suspect that deleting data for processing purposes would suffice (though IANAL). Bringing backup data back online would be a different matter!

Anders von Hadern

@frankrausch Finally a solution to my PayPal account which cannot be deleted since years for legal issues. I also never got an answer to what legal issues that would be in detail.

MostlyBlindGamer

@frankrausch as the US moves deeper into isolationism, the GDPR, and now DMA, are hallmarks in Europe’s growing global soft power.

Ah, the thought of Lightning port iPhones makes me laugh in all 24 official EU languages.

James Bennett

@MostlyBlindGamer I dunno, the last time y'all brought the light of your amazing advanced superior European civilization to the primitive backwards uncultured savages, the body count was pretty high.

So I'm going to be a little bit wary of your latest attempt to forcibly Europeanize the rest of the world, especially when it comes with fundamentalism about computer plugs (which Apple, TBH, was already busy migrating anyway) that reminds me of nothing so much as a Brexiteer demanding the right color of passport.

(also, I have CCPA rights, so it's not even like the GDPR is giving you anything special over me in the first place)


MostlyBlindGamer

@ubernostrum I’m not sure we’re on the same page.

I’m joking about Lightning and you call that fundamentalism?

Are you serious about comparing online privacy and anti-monopoly regulations to colonialism? I may have missed a joke, but I’d like to figure that one out.

Dalai

@frankrausch

Who tells/confirms you they really deleted your Data? Probably they just deactivated your account.

GK

@frankrausch @ttyS1 and your data is probably still there somewhere :P

Andreas 'count' Kotes

@frankrausch @cynicalsecurity now, the interesting question: is the deletion confirmation actually accurate ...

Leon Cowle

@frankrausch @uastronomer All-staff email from HR: “Customer service staff: If a customer asks to delete all their data, offer to close their account instead. Their data is far too valuable to us and we need it to sell to 3rd parties. If they then threaten you with the GDPR, wait 10 minutes and then TELL them their data has been deleted. And extend an apology. Turn on the “requested data delete” flag on their inactive account, so we know in future to be slightly more careful who we sell it to.”

John Jolley

@frankrausch @blogdiva I’ve gotten this so many times - so frustrating!

Shamar

@frankrausch

How did you check they actually deleted all of your data?

Guelfo Alexander Ghibellini

@frankrausch hopefully it's really like that. but you can still file an inquiry in one month or any given time you judge adequate, to verify which data they still own and if you have doubts, you can then ask the EDPS to verify. but there is a logical fallacy in the whole procedure: what if they lie. 🦄

Linza

@frankrausch I got my credit record deleted from TransUnion by informing that I am now an EU resident. I haven't tried it on the other two but maybe one day when bored.

ceterum censeo.

@frankrausch
But.. there *are* legal reasons to keep some PI, like some retention obligations?

Nils Skirnir

@frankrausch
Even relatively minor ‘liberal’ blogs as #dailykos refuse to delete your data or allow you to block people. You should avoid #kos and anything similar

Veronica Olsen 🏳️‍🌈🇳🇴🌻

@frankrausch It took me a month to get Microsoft to do it with an unused dev account, but they gave in eventually.

solstice

@frankrausch
How do you file the complaint in case they don't listen?

Kempton

@frankrausch Would you be so kind in sharing as much as you can (while protecting your own privacy, etc) so that we can try to duplicate the good results that you managed to get, please? P.S. I shared your info on my Facebook (now changed to "public") pending #FactChecking, which is what I'm trying to do now. Thanks!

biggestsonicfan

@frankrausch I'm trying to get my flux.ai account deleted, this sounds like it might be the way to go as their support has been unhelpful for over 4 months...
