Hacker News new | past | comments | ask | show | jobs | submit login

Actually, GDPR only requires that any links from the data to the user should be destroyed, so that you can no longer figure out who created the data. This means that a lot of data will be left. And realistically I think that a lot of it will remain identifiable, just like anonymized data can be traced back to real users pretty easily if you have enough data points.

I’m not a GDPR lawyer, but I do live with one.

My understanding is that an image is by itself PII, regardless of whether or not it has any additional information associated with it. I don’t think there’s a way to retain images without contravening GDPR.

Data doesn’t have to be PII to fall under the provisions of the GDPR. Personal Data doesn’t have to identify a person; relates to an identified or identifiable living individual is sufficient (https://ec.europa.eu/info/law/law-topic/data-protection/refo...)

Unless I'm misreading, that criteria rules out data about individuals that are not identified and can't be identified.

When looking at a single datum by itself, this seems to rule out anything except PII i.e. data that identifies or can be used to identify an individual.

I’m not sure I understand what you’re saying, but I think you’re misreading ”Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.”

What that says is that, if (A,B,C) identifies a person, each of A, B, and C, in isolation, is personal data, not that you will be allowed to keep the pair (A,B) if it doesn’t.

One mathematically can cut each bit of information in units of arbitrarily small entropy. So, if taken to the letter, “this user is not Mark Zuckerberg” would be personal data. I doubt jurisprudence will go that far, but we’ll see.

Facial recognition means all pictures with a face are personal data?

No clue. All I did was rule out anything that can't be used to identify someone.

Whether information that can only be used to identify someone but doesn't tell you anything useful about them is still personal data is unclear to me.

If in doubt, a picture tells you medical information.

Actually, GDPR only requires that any links from the data to the user should be destroyed, so that you can no longer figure out who created the data.

Not in this case, because if the photos or videos contain recognisable people then they are themselves personal data.

How far the new subjects rights involving data deletion will go in practice is one of the biggest unknowns with the GDPR. Clearly from a technical point of view we understand that deleting a key isn't the same as deleting data from a disk, and often that would also include deleting a file in a filesystem if the underlying storage isn't robustly wiped as well. Throw in the kinds of distributed architecture, redundancies and backup systems that many organisations use, particularly in the era of cloud-based hosting and off-site backup services, and you have an unfortunate conflict between not truly deleting data (and therefore still having some degree of risk that the data will leak even if it's intended to be beyond use, contrary to the spirit and possibly the letter of the new regulations) and potentially high or even prohibitive implementation costs to ensure robust deletion of all copies of personal data when a suitable request is received.

Pretty certain that videos and photos count as personally identifiable information that have to be deleted.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact