
I doubt anyone here cares if you don't trust them and choose not to use their service. But that's not enough for you :)

So it's more like "if you can't do this according to the whims of my government regulators, I'll still be using your service, AND prepare for a large fine."




Is it really too much to ask to clearly spell out how you use my data, clearly get my consent to use it, and provide an email address where I can request it be deleted? Really? You're saying that is too difficult?


It’s only the last part we have a problem with. We’re not going to track down every trace of your data and delete it. We probably also won’t let you do an export.

I think we’re perfectly fine with telling you we use your data for ML training, internal analytics or showing you relevant ads. That is standard stuff you consent to in a TOS.


> It’s only the last part we have a problem with. We’re not going to track down every trace of your data and delete it. We probably also won’t let you do an export.

If you can't easily delete or export my data, it means that you don't have a coherent, legible record of exactly how my data is being processed. You can't be sure if my data has been leaked or stolen. You can't guarantee that you'll be able to notify me in the event of a breach. You can't prove that my data was lawfully collected. I can't check the data you hold on me to ensure that it is accurate.

The GDPR is easy to comply with if your data protection policies and processes were decent to begin with. If you have read the text of the GDPR and can't see how you could bring your business into compliance, then you are almost certainly doing something seriously negligent or seriously shady.


We are not going to go looking through compressed archives and snapshots for your data. We are not going to run routines on immutable logs to filter out all trace of your history. We are not going to check CSV files used for imports. We are not going to track down any third parties who may have shared our data. We are not going to retrain neural networks on a new dataset that excludes your data. We are not going to move heaven and earth for a user who decides it'd be clever to demand all his data be deleted after reading a couple articles on Medium. We don't care how European you are.

What we can do is set a little deleted flag on your profile to treat you as "deleted".


It is... What does data processing mean? Does it include when my database does a lookup on a field which has your name in it, or does it mean I do ML on it to serve you ads and profile you? Cos it doesn’t say in the regulation... So yes, it is very hard to figure out what level is clear... as the regulation is not clear.


https://gdpr-info.eu/art-4-gdpr/

> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

So not a database query itself, but the thing that drives the database query. It also extends to things like logs - aka don't keep a log full of SQL queries that are full of people's personal information. Don't ship that log off to some third party, or make it available to random people.

For web apps it's mostly the storage and retrieval aspects that are important. Don't store too much PII. Don't allow anybody to access it at the DB level. Implement appropriate access restrictions at the web-app level.


Actually, what you quoted might as well apply to a query, as it is actually processing data... And again, the point is the regulation is vague... It can be interpreted in multiple ways before we get precedents.


It applies to anything that contains PII, so sure you should ensure your queries are not sent in plaintext over the network and are not logged unnecessarily. There isn't much else that can be done.

It is perhaps a bit too abstract, but that's because it's covering a highly complex topic, but I don't think it's too vague on this: If it contains PII, protect it. Which, of course, you should be doing already.


Whether it's too much to ask is not the issue, nor whether doing what you list is full compliance (doubtful).

No one is asking.

Rather, the right question is whether the entity demanding (the EU government) has the right to do so on the basis that their jurisdiction extends to anywhere that a citizen of theirs can reach via the Internet. I argue no.

You probably disagree, which is fine, but this ultimately comes down to enforcement. And for now at least, I win on that front.



