
AFAIK training on API is opt-in, training on the consumer interface is opt-out. And one must also say that there are enough levers in the GDPR to argue a legal basis for processing PII, not the least of which is the catch-all "legitimate interest". But you need to implement appropriate controls, otherwise data privacy regulators will complain.



So basically, the training set is under the GDPR if it includes PI, but the resulting model is not (unless you can extract PI from it), and you need user permission to use PI for training in most cases, right?

(Also IANAL, and also trying to understand)


It is PII under GDPR for sure.

Here's your one-line GDPR compliance course: don't treat customer data like it's something to be sold to anyone that asks for it. PII is not yours.

Everything you mentioned is considered PII according to GDPR.

Good thing I'm not relying on you for my legal questions. GDPR gives the user control over their own data, and each new use of the data requires specific consent be asked. So using PII on any person, no matter where you found it, requires explicit consent.

I assumed you need consent to receive PII, full stop. Again IANAL, but I assumed saying you don't do anything at all with the PII you receive doesn't exempt you from anything under GDPR. I may be wrong, though I hope not to be.

The GDPR is quite clear on defining PII; I don't understand why you would claim otherwise.

PII is not a GDPR term, by the way.

Actually, GDPR doesn't forbid using PII for legitimate interest like fraud detection.

Under GDPR you can use all the PII you reasonably need to provide expected services; you don't even need separate consent. But, if you have PII, the moment you use it for other purposes, or obtain/retain/share it without proper cause, you are breaking the law.

IMHO, that is very reasonable.

Real-world example: giving your phone number and information to your car mechanic / doctor / bank teller / plumber is reasonable. Using that information to score girls or ask for donations for a puppy shelter would be considered improper.


GDPR doesn't define IPs as PII, unless you use them as such. If you have a legitimate use for IPs, then you're fine.

PII is not a GDPR concept. Most opinions (including the GDPR FAQ) will tell you IP is personal data.

PII is not the standard for GDPR compliance.

The PII is necessary to pay for the content. If you don't give consent then they can't process the data and can't offer you the service. Necessary requirements are allowed under GDPR.

GDPR can prevent extraneous data capture but it can't force companies to provide services without compensation.


This is way off base. Using PI to fulfill a request someone has made of you is the happy path of GDPR; you just can't retain or reuse that information more than you have

1) a contract or

2) permission or

3) a lawful task

for.

Having other parties process PI for you is fine as long as it's done under an agreement that binds them to the same terms.


Keeping PII for fraud detection is not barred by GDPR.

In this context the more relevant aspect of GDPR, which I think receives too little attention and more so enforcement, is Article 22 (Automated individual decision-making, including profiling).


Where do you get the idea that GDPR doesn't allow you to process PII for the purpose of routing packets?

This is completely meaningless. PII is a term from US legislation and has nothing to do with GDPR.

PII is not a concept of GDPR. Whether IPs are considered personal data covered by GDPR is open to interpretation, but most of the experts I've talked to say yes.