Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

If I had the resources, I would establish an organization for privacy badges for products. From "absolutely anonymous", through "necessary violations of privacy for function" till "unnecessary harvesting of data".

Till such an organization for handing out badges will exist, it will be a hard task to buy any hardware and being able to trust its privacy.



~ https://tosdr.org/


Thanks, looks great.


Respects Your Freedom Certification:

https://ryf.fsf.org/


With GDPR in place, "unnecessary harvesting of data" should in theory be a thing in the past (unless the user explicitly makes a voluntary choice to opt-in after being informed of the options).

Reality is different, but NGOs can in theory sue to make reality align better with the intent of GDPR. NOYB (https://noyb.eu) is supposed to be such an NGO, and they seem to be doing a decent job so far, although they're limited in what they can do with their resources, facing a never-ending wall of vendors that blatantly violate GDPR.


Afaik GDPR allows harvesting of data as long as I agree to that in the user agreement. The problem is of course that more than once I found out the user agreements after purchasing the product, when it was too late.

(I live in the EU, so GDPR is relevant to me)


GDPR allows collection of data on the basis of very specific reasons: https://gdpr-info.eu/art-6-gdpr/

Option a), consent, is further regulated later. The key aspect is https://gdpr-info.eu/recitals/no-43/ "Consent is presumed not to be freely given if (...) the provision of a service, is dependent on the consent despite such consent not being necessary for such performance". Further requirements in https://gdpr-info.eu/recitals/no-32/

Each option only lets them process the data to the extent necessary, so if they can argue that they need the data to provide a service (option b), they can only use it for that, not for e.g. resale. I think a court also clarified that "but we need it to show personalized ads" doesn't count.

I don't think anyone tried to argue that ads or other common ways to monetize data are in the public interest, and such an attempt would likely not stand.

Option f (legitimate interest) also seems to be popular, but I think that again, a court clarified that invasive tracking for ads doesn't meet the balance.

The problems with GDPR are really more on the enforcement side: The DPAs are overwhelmed and in some cases (Ireland) they seem to be rather keen on not doing their job. Also, it's hard to enforce GDPR against companies that are outside the EU.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: