"GDPR is an identity thief's dream ticket" would require that the GDPR somehow permits companies to hand over personal data without reasonable identity verification. The Register seems to be making this assumption in their editorialized headline.
However, as far as I can tell, these companies have done the opposite and _breached_ the GDPR by failing to keep personal data safe, as the GDPR itself requires, in the process of handling a data access request (as happens to be mandated by the GDPR).
I don't see how this is a problem with the GDPR itself. It _is_ a problem with how some companies have implemented it.
According to the article, the researcher says that "lawmakers need to set a standard for what is a legitimate form of ID for GDPR requests".
I'm not sure I want this. I want companies to remain liable for data breaches even if they come from illegitimate data access requests. A single standard won't suit all situations.
It's the theory-practice divide. In theory, GDPR is supposed to prevent this. In practice it was companies trying to comply with GDPR that caused this.
Maybe things will improve with time as people learn from episodes like this. Or maybe not.
Would the downvoters please explain why you think I'm wrong? Or is this just the typical GDPR hate that seems to infest HN such that I defend the GDPR ergo I'm automatically downvoted?
Giving out data to someone other than the data subject is a data breach.
If you can't identify the subject positively you don't give out the data.
You document this - it is not like you get an instant fine without anybody asking you about what was going on.
This is not YouTube or PayPal or Twitter banning your account without a chance to talk to someone. Before you get a fine someone will talk to you. If you get a fine you can appeal. It is not an instant 4% of your income deducted automatically from your account.
That's why the companies had to respond, yes. But by responding with personal data without first verifying the identity of the requestor, they breached the GDPR by exposing that personal data.
So what are they supposed to do if they have no satisfactory way to verify your identity? They may have all kinds of information on you but not your passport number. Some people eligible to file requests may not even have a passport number. They may not even have your name (and multiple people share the same name anyway).
Without any reasonable way to distinguish between legitimate requesters and attackers, their options are to not provide the information to someone who may be the right person or to provide it to someone who may be the wrong person. If both of those are illegal that implies it's impossible to comply with the law.
> If you need identity data then verify identity. Most companies don't, and then they should not store it.
The problem is that there is data which is personally identifying and yet not useful to authenticate the user, and that information may be necessary for the operation of the service.
> This is already the case in banking. I don't see a reason why other companies think they shouldn't need to do this.
What banks do is to know the identity of all their users. Requiring sites to do that is the exact opposite of the apparent purpose of this law, so it would be a massive farce if that was the only way to comply with it.
If you lack the means to comply with the law, you must not collect the data!
The article also jumps to the same troubling conclusion: That the law is deficient because it failed to make provision for greedy data hoarders to continue without changing their business.
In my opinion the law is working as intended, and requiring extreme security precautions around the hoarding of personal data. If a few companies with abusive business models become non-viable in the process, that's a side benefit.
Except that there are other laws requiring them to collect certain data, or it may be necessary for the operation of the service, so they can't just not collect it either.