Since you want everyone to be fined, why not start with YCombinator? You can ask them for a list of all of their PII removal requests and to see proof that it was all removed.
I’m sure that’ll go over well.
Then maybe you can submit an Ask HN to see how many startups will self-report to you.
There are over 26M small businesses in the EU. You’d better get started...
By the way, GDPR isn’t just about misuse of PII, it’s about use of PII after it’s been asked to have been removed; and most sites use email addresses as usernames which are PII, so that’s all over the application logs, comments, etc. and when people submit a PII removal request, you can’t share or store the PII in the request itself, so better not use Slack, email, etc. and accidentally refer to the PII to be removed. If you do and need to follow-up again with clean-up, don’t refer to it then either, or you could get stuck in a endless loop of PII removal. Also, how do you know you removed the PII of the user who didn’t specify all of it I’m the removal request? You ask them for it- but does that allow the PII they sent at that point to be kept? I don’t know!you know why? Because it’s not fucking defined in the law clearly enough. What if they requested removal of data that wasn’t their PII?
It’s the law, and it places undue burden on small companies that may not have the technical resources to modify their site/apps/data as expected, as many of them contracted out the work initially at great expense.
An email address is considered PII, so if users request their data be deleted, the small business is honest and says they can’t, and the user and others raise this to the government, you think that small company won’t be fined? That company, worried about doing things illegally, may end up giving a bunch of money to a contractor to fix their application- and for what? To allow users to request that their email address be anonymized or removed? That’s stupid.
Apparently those supporting GDPR would rather have the EU fine Google than to ensure small businesses can survive and be productive with technology, even when the fine to Google is a small amount compared to how much Google makes in the EU. Makes perfect sense, no?
An email address is PII. Given that many preexisting systems used email addresses as usernames to identify users, let’s say a small business in 2015 hired a company to create a web app which let a user create an account using their email address and it put the email address into a log file with that user’s activity. The contracted developer finished the site, which cost 25000 EUR, much more than the business could afford to spend on tech another ten years. If this company gets 500 GDPR requests and cannot remove the PII because they don’t have the skill or money, should that company be fined? Should it shut down? What if there were 14 million companies with the same problem?
I’m sure that’ll go over well.
Then maybe you can submit an Ask HN to see how many startups will self-report to you.
There are over 26M small businesses in the EU. You’d better get started...
By the way, GDPR isn’t just about misuse of PII, it’s about use of PII after it’s been asked to have been removed; and most sites use email addresses as usernames which are PII, so that’s all over the application logs, comments, etc. and when people submit a PII removal request, you can’t share or store the PII in the request itself, so better not use Slack, email, etc. and accidentally refer to the PII to be removed. If you do and need to follow-up again with clean-up, don’t refer to it then either, or you could get stuck in a endless loop of PII removal. Also, how do you know you removed the PII of the user who didn’t specify all of it I’m the removal request? You ask them for it- but does that allow the PII they sent at that point to be kept? I don’t know!you know why? Because it’s not fucking defined in the law clearly enough. What if they requested removal of data that wasn’t their PII?