Hacker News new | past | comments | ask | show | jobs | submit login

As long as the ONLY processing of the data is for fraud detection/prevention, then GDPR specifically allows it as a “Legitimate Interest”

Recital 47: “The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned…”

Recital 71: “decision-making based on … profiling should be allowed where expressly authorised by … law … including for fraud or tax evasion monitoring and prevention purposes”

First of all the "legitimate interest" part only works if the publisher can prove that the user data is only used for the stated purpose.

The fact that a third party server handles this is a problem. Because then the publisher has to have a data processing agreement in place with the third party.

This is what makes Google Analytics problematic too. The collection of analytics for improving the service can be a legitimate interest, however the data amendment for Google Analytics basically passes the blame on the publisher. I don't think many publishers read carefully Google's data processing amendment, otherwise they would drop usage of Google Analytics. Actually most publishers aren't even with GDPR for more serious reasons, like not anonymizing the user's IP or sharing data with Google for the purposes of ads targeting.

And there are many questions to be asked here.

Is that data private, for the use of the publisher in question, or is this a shared pool of knowledge between publishers?

If the later, then we have a problem, because even if there is a legitimate interest, it only applies to the publisher being visited. Can a user be blocked due to a profile that was built on another website? We are in murky waters.


Then there's always the question ... does the publisher really have a legitimate interest?

Claiming that you can have one under the law, doesn't mean you actually have it. There's a set of conditions that you have to comply with.

For example for the purposes of preventing fraud, at the very least you have to be able to show that fraud is possible. Just because you have a login form that's about managing the user's color preferences on the website doesn't mean that you can transmit the user's traffic to Google.

The requirements for legitimate interests are hard to comply with. And I have a hunch that in this case many websites won't comply.

Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact