Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Whatever the case might be, companies have shown themselves to not handle people's personal data properly, as shown by the massive leaks in the past. Whatever utopia you're thinking of, it's not happening anytime soon, and GDPR is a rightful measure to slightly apply the brakes on rampant data collection and misuse.


Massive leaks are a security issue, and have nothing to do with users being able to delete their data at will.


It certainly is related. One core argument is that the vast majority of currently stored personal data has no good reason whatsoever to be there, the company should not be collecting, using and storing any personal data.

If half of the companies remove that private data which they shouldn't have, then that will reduce the impact of breaches, as there'll be twice less breaches where's something sensitive to leak.


I can't think of massive leaks that involved data that wasn't 'legitimate'. What's your go-to example?


No particular single example in mind, but just going through random large leaks:

The Republican National Committee leak (https://gizmodo.com/gop-data-firm-accidentally-leaks-persona...) - all the involved companies which swapped data records to make up this trove would not have had the permission to have much of that data under GDPR.

World Wrestling Entertainment 2017 leak - the leaked data included home and email addresses, birthdates, as well as customers' children's age ranges and genders where supplied, and even ethnicity; there's simply no reasonable reason why they should have had data like that in the first place. It it hadn't be collected, it couldn't have been leaked.

Joblink breach (https://www.identityforce.com/blog/americas-joblink-data-bre...) leaked among other things birthdate and social security number. There's no good reason to ask the birthdate in the first place, and to store the social security number after you've run whatever verification they do (presumably it gets used for background screening).

The big point is that almost always data minimization would have reduced the consequences. Companies keep old data forever, and that creates extra risk; Companies ask for and store more data than they need and that creates extra risk; Companies buy and sell data that shouldn't be bought and sold, and so the data copied in multiple organizations and again, creates extra risk.


Well, if it's their data, shouldn't they be able to delete it at will?


If you know something about me why is it my right to make you forget about it?


human memory isn't data storage.

companies aren't humans.


They can totally delete "their" data. It's not "their" data if someone else has it.


Why do you think users can delete their data at will?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: