I wonder if you can, under GDPR, request that all your data is deleted and then create a new account. Not allowing you to create a new account could be argued as a violation of GDPR as it would mean that they kept personally identifiable data about you.
I was banned the same way as the OP, few months ago.
They(humans)collected my Id, bank details, personal address, original invoice of the items I was selling, some calls, to finally ban my 15+ year user.
Contrary to popular understanding, the GDPR does not allow you to force a company to delete all data about you.
In effect, it lets you revoke your consent for the company to store and process your data. But it also provides for cases where your data can be processed without your consent. It's not an unlimited carte blanche, but fraud prevention is explicitly given as an example of a legitimate purpose.
Businesses are allowed to retain information necessary to operate. Which would include things like names, email addresses, IP addresses, etc of people who are banned (to prevent them from returning).
If GDPR required a company to delete everything, it would be impractical. (E.g. imagine you request a company delete your info, and then you immediately sue them for something that happened while using their product/service… the company wouldn’t be able to defend themselves unless they retained a record/logs of your usage.
You can submit a deletion request, but in most cases much of your data won’t actually be deleted.
> Which would include things like names, email addresses, IP addresses, etc of people who are banned (to prevent them from returning).
I'm not sure about that. The company might reason it needs this data to operate, but you should be able to contest that with a data protection authority.
The data that you can not request to delete is for example money transaction data, which the company has to retain for 10 years or so due to other laws.
I have. It was about a company that kept spamming me with SMSes. I had to file an archaic form for a government agency. It took a while, I received a few emails about progress and asking for additional details.
This is what I was going to say. As an American, I have no recourse in these situations. Europeans are fortunate to have governing bodies with at least some teeth. Not sure how that applies to UK citizens post-Brexit, though.
A bit over 10% (and probably somewhat higher than 10% on HN) of Americans do have something like GDPR. California Consumer Privacy Act. I'm not including Colorado, Virginia, or Utah because I'm not sure how equivalent their laws are.
> This is what I was going to say. As an American, I have no recourse in these situations. Europeans are fortunate to have governing bodies with at least some teeth. Not sure how that applies to UK citizens post-Brexit, though.
GDPR applies to all individuals in the EU, not just citizens.
GDPR specifically carves out keeping data for "legitimate business needs" including fraud prevention and so on. Whatever data Ebay (thinks it) has about this person that they are using to enforce the ban would be data that they would argue falls under this clause.
They probably check an external list upon account creation. If the ban had to do with KYC (Know-your-customer) and the user is on or unintentionally confused with a banned entity, then it doesn’t matter.
keeping information for the purposes of enforcing rules and bans is explicitly allowed in GDPR and you are not forced to delete it. (similarly, you can't ask a company to delete all the stuff you've bought and sold them from their accounts)
However many companies are sufficiently scared of the GDPR and potentially keeping data they shouldn't accidentally that they will just delete everything about you. You can totally use that to get the 'new customer discount' again at Uber for example...
Keeping PII for fraud detection is not barred by GDPR.
In this context the more relevant aspect of GDPR, which I think receives too little attention and more so enforcement, is article 22 (Automated individual decision-making, including profiling)
If I were trying to be sneaky, could you create a series of hashes of the name/email/address/bank type of info to stored on GDPR deletion request that could then be checked against any new account creation? Since the only data stored after deletion would be a hash with no PII remaining, is this a viable workaround?
I do not agree. The identity can be extended with some GUID and then hashed. The GUID and hash can be kept, but the identity discarded. Then the original identity is lost, but if encountered again, it will be known that it was previously seen.
>but if encountered again, it will be known that it was previously seen
But when you see it again you have personally identified the individual have you not? Doesn’t that by definition mean it is identifiable if you are able to determine the identity later?
This is something that advertisers/supermarket points schemes etc used to do when they didn’t have consent to share personal data, hash it and align it with what they already had so effectively they shared the subsets of interest anyway. I remember at university when some guys from yahoo sponsored a hack event, they literally gave a guest lecture boasting about doing this with Sainsbury’s to squeeze through a legal loophole back in 2013.
That's the fun of thought experiments, the rabbit hole just keeps going.
If your original delete request was followed so that everything they knew about you was deleted, they would not be able to relink everything that GUID linked to. It should be gone now. However, if that hashed value lives in a BANNED_ACCOUNTS table, then all they have to do is create the hash, check the table, disallow new account. You can even do it in good faith by not storing any of the new info rather than storing it and forcing a new delete request.
It's different because a hash of the ID can be used by anyone who knows the hashing algorithm. If the ID is combined with a UUID/GUID and the UUID/GUID is kept secret/isolated by the entity doing verification, then nobody else can make use of the hash, even those within the entity organization who do not have access to the UUID/GUID. The UUID/GUID itself is not PII so it can probably be retained without violating the GDPR. The same goes for the hash. And since there is no way to reconstruct the original ID given the UUID/GUID and hash, there should be no GDPR violation.
In a large entity such as Google, you almost need to outsource ID verification to ensure it's not abused by other (advertising/marketing) parts of Google. Of course all of this requires good faith on the part of the implementing entity, which is certainly not guaranteed.
Not really, as GDPR is not only about screwing up big companies.
Certain kind of data must be saved by companies (like financial transactions).
You can request the deletion, but they are still allowed to save some of the data.
