UPDATED: GDPR (Briefly) Blocked Grocers From Accessing Lists Of 'At Risk' People In Need Of Food Packages
from the so-private-you-might-just-die-from-it dept
Kind of a major update here: it appears the GDPR was likely not to blame for the delay in grocers getting lists of vulnerable citizens in need of food deliveries. As is pointed out by DocGerbil in the comments, this more likely had some to do with a processing hiccup by the Department for Environment, Food, and Rural Affairs (DEFRA). DEFRA apparently had the data but had not turned it over as soon as expected, resulting in a slight delay in deliveries.
The Department for Environment, Food and Rural Affairs (Defra) confirmed it is “working with the retailers to get them the information they need”.
Defra said by combining Government and supermarket data, it could “ensure essential items are delivered as soon as possible to the people with medical conditions that make them most vulnerable”.
This is confirmed by sources other than the Telegraph, including a piece by The Guardian that explains data protection details were being finalized, which may have contributed to the delay.
Britain’s supermarkets have been warned against holding on to NHS data about vulnerable patients which they will receive as part of the government’s efforts to combat Covid-19 once the crisis has abated.
The retailers will this week begin contacting customers whose names are on a list of medically vulnerable individuals, handed over by the government.
But they must delete the data they have received when the coronavirus crisis has abated, the information commissioner warned. Until then, the information, which covers at least 1.5 million people, may be kept and used by the supermarkets to help prioritise deliveries to those most in need.
The delay may have been due to the UK’s own Data Privacy Act, rather than the GDPR. What’s said about the GDPR generally sucking still stands, but I will take the hit for what was written here, drawn from a report only quoting an anonymous source saying it was the GDPR standing between vulnerable citizens and grocery deliveries. My apologies to our readers, who certainly expect and deserve better.
Original post follows with references to the GDPR’s culpability struck through to clarify, while still leaving my screwup on my permanent record, mainly as a warning to myself.
——-
The GDPR is a mess. Still. After nearly two years of existence, it hasn’t done much to improve the privacy of the millions of Europeans it affects. But it has made big tech companies even more dominant and generated a hell of a lot of collateral damage.
The privacy law was created by regulators bursting with short-sightedness and good intentions. And, if we’re honest, a lot of unmitigated hate towards powerful US tech companies. (Hate, let’s continue being honest, many of these companies did little to mitigate.) Transferring the power of privacy back to the people sounds good on paper, but in practice, it results in things like EU regulators violating their own law and, um, trash cans being temporarily removed from post offices because of the personal data they “collected” without permission.
The unintended consequences of the broadly-written law have been discussed here at Techdirt with alarming regularity. Clerical mix-ups have resulted in people accessing other people’s personal data. The law has reached across the pond to screw with US court dockets and vanish posts from American search engines. GDPR has even made Christmas more of a logistical nightmare than it usually is.
Now there’s this: in the middle of a pandemic, GDPR is preventing food from being delivered to at-risk Europeans self-isolating to prevent exposure to the deadly coronavirus. [See update above] (Paywall-free link here.)
Supermarkets have been unable to get the names of 1.5 million vulnerable people being shielded from coronavirus to deliver food boxes because of EU data protection rules.
Grocers are waiting for a list of those self isolating for 12 weeks due to underlying health conditions so they can be prioritised for deliveries.
The details were expected to be handed over at the weekend, but insiders said they have been held up because of the European Union’s general data protection regulation, which prevents mass sharing of information such as people’s names, addresses or emails.
Awesome. They can either eat or have their privacy protected. But not both. And they don’t get to choose which option they get. The GDPR has already decided they don’t get to eat until the government straightens this out. Multiple major grocers confirmed they had no access to lists of vulnerable residents in need of food assistance.
Fortunately for everyone involved — especially those considered to be at-risk — this has been sorted out. One day after the original reporting, supermarkets stated they had finally received the lists previously blocked by the GDPR.
While this is a surprisingly speedy turnaround, the fact is the blocking of at-risk residents’ info never should have happened in the first place. While GDPR’s goals are (mostly) good, the side effects of mandating broad restrictions on data-gathering and sharing screws with the interoperability of the private and public sectors. In the GDPR’s case, it also screws with the interoperability of multiple public entities, making it a nightmare for everyone involved. Good intentions only get you so far. And those good intentions don’t mean much when they’re undermining the public’s health and well-being.
Filed Under: at risk, eu, food, food boxes, gdpr, groceries, pandemic, privacy
Comments on “UPDATED: GDPR (Briefly) Blocked Grocers From Accessing Lists Of 'At Risk' People In Need Of Food Packages”
What one must remember
When rightly criticising this madness is why it exists. Partly to punish "those horrible Americans" is true but it is mainly because governments and big business blatantly abused the freedom they used to have.
Most of life works like a pendulum, one side swings it hard there way and then the other side pushes back just as hard. Neither want a reasonable resolution, both want to win. Until we all learn that compromise isn’t a dirty word we will have these problems. Not everything governments do should be public as it happens, not everything governments do is entitled to secrecy. Not all of our data should be private nor should all of it be on the front page of the paper.
The GDPR is a terrible law but no GDPR was worse law.
Re: What one must remember
That’s only true if the GDPR has its desired effect. That’s yet to be seen, and while the existing data protection rules were in dire need of an update, most of the problems that come with badly written laws is because some people demanded "something" be done rather than the correct thing. A lot of the "unintended" or "unforeseen" consequences of the GDPR are things that people were warning would happen if it was put into force in its current form.
"The GDPR is a terrible law but no GDPR was worse law."
That depends on which part of things you want to look at. In the situation being discussed above, no GRPR was clearly better, which raises major questions about what other emergency requirements are being delayed because the people who wrote it didn’t think about.
Re: Those horrible Americans
If you think Americans are horrible (thanks for lumping us all in together), why don’t you disconnect from the ‘Net, stop watching Netflix, Amazon Prime, DVDs, and off yourself. When you do — don’t use a S&W or a 1911 — Americans made that too. Use a Glock. It’s Austrian.
Oh Crap, it uses 9mm parabellum ammunition0 created by NATO, an American thing. Man, try something else.
Sorry for that. Hope you find a good option to NOT EVER USE ANYTHING CREATED BY AMERICANS. Because you can’t. There’s a reason for that.
E
Re: Re: Those horrible Americans
"who invented everything about the Internet"
Except for the web, which was invented by a British scientist in Switzerland and forms the bedrock of what most people actually consider "the internet" today
"who invented space travel"
As long as you ignore the work done by the Soviets, and the fact that most the the more prominent scientists involved were German.
"who pioneered every health improvement in the last 50 years"
Except for the ones invented elsewhere, of which there are many. Unless by improvements you mean just those involved in bankrupting people to access necessary medical care, in which case you are the world leaders.
We get it, you have to ignore history to pretend Americans did everything alone. What a shame you’re incapable of sharing credit where it’s due.
"DVDs"
The format created by a conglomerate of Korean and Japanese companies?
Re: Re: Re: Those horrible Americans
The US invented transistors, some lasers, the first four bit electric computer, some lights/LEDs, and some screens.
The germans and the chinese invented a large and portion of the current internet. It is not necessarily something they are proud of.
Re: Re: Re:2 Those horrible Americans
also integrated circuits
Re: Re: Re:2 Those horrible Americans
India may or may not have been "it" instead of china.
GDPR is still illegal
denying supplying that thata is bullshit reasoning and is in itself grounds for heavy fines under that very same GDPR.
This is because the GDPR provides for EXACTLY THAT purpose:
"1. Processing shall be lawful only if and to the extent that at least one of the following applies:
[…]
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
[…]"
(article 6 of GDPR)"
if they denied supplying the data about persons in need of vital supplies (e.g. food), that means they are actually in breach of GDPR and subject to heavy fines.
Re: Re:
oops. typo:
s/ thata / data /g
Re: Subject to heavy fines
HEFFY FINEZES? FOR ZE GEE DEE PEE ARRRR? SHVINEHUNT!
Mine gott im himmel.
We’re not in Nazi Germany and there are no fines.
E
h/t Mike G.
Re: Re: Subject to heavy fines
So, you’re saying that sovereign nations should not have the right to enforce their own laws?
Re: Re: Re: Subject to heavy fines
Sovereign nations should always have the rights to enforce THEIR own laws on THEIR own land.
So, to use recent history as an example, the US shouldn’t enforce US laws on El Chapo in Mexico. The US shouldn’t march an army into Panama and arrest Manual Noriega.
Along those same lines the French shouldn’t decree what Google does with its servers that are not in France. Neither should Australia.
Imagine if we in the United States had to put up with every little stupid rule that every stupid little "sovereign nation" came up… under penalty of either being invaded, having our president arrested and taken to that country to "face trial" after his assets are first stripped so he can’t afford a lawyer, then jailed. (And I don’t even like our current president but I sure respect his right not to be tried in a foreign court for stuff he does her that other sovereign countries don’t like.)
E
Re: Re: Re:2 Subject to heavy fines
"Sovereign nations should always have the rights to enforce THEIR own laws on THEIR own land."
So why the problem with the EU enforcing their rules on theirs?
"Along those same lines the French shouldn’t decree what Google does with its servers that are not in France."
They’re not, unless they are trying to access the data of customers who ARE in France, in which case the laws where the customer is based apply. They’re not trying to control domestic American transactions or Australia or whatever. They’re simply attempting to protect their own citizens, no matter which server Google decide to hide the data on.
Are you really OK with Google being able to skirt any national law so long as they use a remote data centre, or would you be OK with Spotify deciding to misuse any data on Americans as much as they want so long as they use their data centre in Sweden to do that?
Your entire objection seems to be based in misunderstanding the rules, deliberately or otherwise.
Re: Re: Re:3 Subject to heavy fines
Please stop making up legal standards that don’t exist. You’re obviously an Internet lawyer or just a Techdirt novelist. Either way your fiction is your story, not how the world works.
If Google is in the US and has a server in the US and some French dude accesses that server, the laws that apply are US laws. The French would LOVE it to be different (and apparently you do too) but it doesn’t work that way. See my previous posting re Noriega, El Chapo, etc.
I have servers here in the US. French people can access them. I do not have to follow the GDPR or any other EuroCrap. Not to mention TechDirtWannabeLawyerCrap.
Please stop asking hypothetical questions to try and build up your untenable position and misunderstanding of international law:
The legal standard is not "Am I [Ehud] OK with Google doing X." There are laws, and there are treaties, and you address none that I’ve already brought up.
I’m OK with no strawman arguments. I just told you. Google is bound by the laws under which THEY operate, not random laws in which people who choose to use Google’s server live.
E
Re: Re: Re:4 Subject to heavy fines
So, your standard is that EU governments should have no control over the way data is gathered and used about its citizens so long as it’s stored on a different continent.
"Google is bound by the laws under which THEY operate"
So, you’re happy for them to pick and choose which laws apply to them, as they can avoid any jurisdiction my moving data around. Got it.
Re: Re: Re:5 Subject to heavy fines
I’ll try for the third time to explain jurisdiction.
Your mommy is driving down the road and you’re in her car. The speed limit sign says "60". The speedometer shows "60".
Some potentate in Luxembourg issues a law that says "nobody shall ever drive faster than 59."
Is your mommy supposed to slow down?
NO. So stop being a douchebag and get a clue. You follow the law where YOU are, not where FRANCE is.
E
Re: Re: Re:6 Subject to heavy fines
So, what you’re saying is that if Spotify decided to abuse the data of their US customers, they can escape any legal response by the US government so long as they keep the data on their European servers. No US legal action can ever be taken for this abuse. Again, got it.
I disagree, but at least you’re honest that the rights of a corporation to abuse their customers, in your mind, trumps the ability of them to be protected against abuse.
Re: Re: Re:7 Subject to heavy fines
I said nothing of the sort. For for FOURTH time what I said is that a company is not liable for violating laws in countries in which they don’t operate. I gave several examples.
If I’m a "customer of Spotify" then we have a business relationship; I signed a contract or EULA or equivalent; the laws of my region apply.
Going back to the speed limit analogy.
Your mommy is taking you for a drive and the sign says "Speed limit 60". The speedometer says 60. That’s legal. You take a video of this and put it on YouTube.
Some potentate in an irrelevant other place gets a law or an executive order that says "Nobody shall drive faster than 59 ever!" Someone in his jurisdiction chooses to view your video and sees your mommy commit the crime of driving faster than the speed limit in THEIR jurisdiction.
Is mommy now a criminal, or have we relegated mommy to have to be COGNIZANT of EVERY POSSIBLE LAW IN THE WORLD that could affect her, and OBEY ALL THESE LAWS under penalty of maybe $500,000/day or something stupid like that.
What I’m saying is mommy should obey the posted speed limit. If she doesn’t, the fines are listed in her statutes and she knows what it will cost her. If France or Australia create "austerity speed limits" it won’t change how fast she can drive.
Buckle up and enjoy the ride. Google doesn’t have to put up with small-minded EuroRules unless they want to put up offices there and have contracts there. [Which in some countries they do… but watch how this all plays out.]
Ehud
Re: Re: Re:8 Subject to heavy fines
"I said nothing of the sort. For for FOURTH time what I said is that a company is not liable for violating laws in countries in which they don’t operate. I gave several examples."
Yes, so what you said is that if Google wish to contravene EU laws, they merely move their data to a DC outside of the EU, and any other corporation can do the same, and the country where the abused consumer lives cannot do anything about it. They essentially lose all consumer rights, as well as some other more fundamental rights.
You can spin it whichever way you want, but this is what you’re saying. Again, own it, this is what you support.
"Going back to the speed limit analogy."
I’d rather you come up with something relevant. What you’re saying has nothing to do with the issue at hand. Any physical analogy is obviously not going to work here.
"Google doesn’t have to put up with small-minded EuroRules unless they want to put up offices there and have contracts there"
Then, by your standards, any company anywhere outside the US can fleece US customers and tell the US government to fuck off when they complain. That’s not a good standard. I bet you’d change your tune in an instant if we were talking about a Chinese company selling data on US citizens.
Re: Re: Re:8 Subject to heavy fines
Umm. All EU-based users of Google services receive those services from Google EMEA, based in Dublin. Ireland. A member of the EU.
This is also true, for the most part, of Apple, Twitter, Facebook, Amazon, Microsoft, LinkedIn and a slew of other organisations. All of these organisations manage data centres somewhere in the EU, mostly Dublin, London, Frankfurt but also other locations throughout the EU.
The Google-shouldn’t-have-to-abide-by-the-laws-of-the-countries-it-isn’t-active-in argument holds some very shallow water, but it 100% doesn’t apply in this case, as Google is present in the EU.
Re: Re: Re:9 Subject to heavy fines
Umm, you’re not a Google customer. You just use their services for free. Here’s what they owe you: $0.00. Convert to your own currency.
I’m actually a Google customer. My company has a contract with Google. We pay them monthly. What they owe us they deliver.
So "Umm, no."
Irrelevant unless you have a contract with them. So long as you CHOOSE to use their FREE SERVICES they owe you exactly what I’ve stated above. If you’re unclear on the concept pretend that I owe you something because we’re both on the Internet and let me know what weird French or Australian or Danish or other irrelevant law you think I violated… because… umm… no.
E
P.S. I’m a citizen of several countries, but my actions in one country aren’t subject to the law of other countries no matter how much the small side of the pond wants to think so.
Re: Re: Re:9 Subject to heavy fines
That’s true, but the real problem is that he’s supporting a situation where only the server side of a transaction matters. That any company can do whatever they want with data after they get it from an end user without any recourse from their own government if it’s abused. That’s extremely problematic no matter what.
I certainly don’t support everything in the GDPR, but the idea that corporations should have carte blanche over what they can do so long as they make sure their customers and databases are in different locations is a very dangerous one.
Re: Re: Re:10 Subject to heavy fin
Yeah. I should not have bothered.
… suggests that users sit close on his contemptometer to where Google has put them on theirs.
There’s a reason why some suggest that were not "users", but "useds".
Re: Re: Re:11 Subject to heavy
I don’t think you bothered. I think you dabbled.
If you end up bothering or thinking or articulating or — better yet — analyzing.. that will be great.
Here’s your call to action
or
The two don’t seem to align when it comes to criticism and censure of successful Internet firms — all of whom are US firms.
E
Re: Re: Re:12 Subject to h
"all of whom are US firms."
Hint: if you have to lie wile being insulting, you’re probably not on the right side of an argument.
But, thanks for confirming that you’re a sociopath who doesn’t mind screwing over the data of individuals for profit so long as they’re waving your flag. Hopefully your demand that corporations can do whatever they want to you without recourse doesn’t backfire on your too much when you find it’s you being screwed.
Re: Re: Re:13 Remotely diagnosing sociopathy instead of addressing the topic
Hey thanks for your concern, girl. However, you should probably stick to the topic.. or better yet, find something on which you have an expertise or knowhow — and stick to that.
Best regards and be well.
E
Re: Re: Re:14 Remotely diagnosing sociopathy instead of addressing the top
I addressed the issue multiple times, but hey you found a word to allow you to whine and ignore instead, so you have that going for you.
Re: Re: Re:15 Remotely diagnosing sociopathy instead of addressing the
No, you didn’t.
That is what people always say when they can’t point to
Yes I have "that" going for me that I’m not part of the EuroTrash pretending their laws apply to the whole world. You, and China, and Russia, take your self-entitled attitudes and keep lecturing us about what we "have going for" us.
It’s call freedom of expression. Sucks to be you and to not have it.
E
Re: Re: Re:16 Remotely diagnosing sociopathy instead of addressing
"No, you didn’t."
I did, actually.
"That is what people always say when they can’t point to
the comment they are responding to
the critique of that comment"
What was there to respond intelligently to in that last idiotic comment of yours? I see nothing other than someone who decided to switch to xenophobia when they couldn’t defend their own thoughts.
"Yes I have "that" going for me that I’m not part of the EuroTrash pretending their laws apply to the whole world."
Because if you were not such a committed dickhead, you’d see that’s not the argument.
"You, and China, and Russia, take your self-entitled attitudes and keep lecturing us about what we "have going for" us"
When everybody else appears to be against you, maybe it is you, not everybody else, who is the asshole.
I’ll just repeat – I bet your opinion would be very different if this were about Chinese corporations stealing and misusing the data of US citizens then telling them that US laws were unable to protect them because they hid the data in China. My opinion would not change. That’s what separates me from the likes of you.
Re: Re: Re:17 Remotely diagnosing sociopathy instead of addres
I think we’re just going to have to agree to disagree.
I say companies don’t have to obey laws in jurisdictions that they don’t operate in (regardless of whether people in those jurisdictions use their products).
You say
So much for open mindedness.
Yeah, lack of open-mindedness, an inability to discuss facts, and the analysis and reasoning powers your don’t possess… those definitely separate you from the "likes of" me, and pretty much Techdirt readers who … umm… can read and articulate.
Have a great night. If it makes you feel better you can call it a draw. If you’d like to persist… choose another forum. We’re done here, Junior.
E
Re: Re: Re:18 Remotely diagnosing sociopathy instead of ad
"I say companies don’t have to obey laws in jurisdictions that they don’t operate in (regardless of whether people in those jurisdictions use their products)."
…and I say that someone doesn’t lose any ability to be protected from the place they’re doing business because the server end of the client/server relationship decides to take advantage of a loophole surrounding where they have the servers. Especially (as in the case of Google), they actually have a presence in the place the client is located.
"So much for open mindedness."
You need to start reading properly. I merely stated that my opinion of whether something is right or wrong does not vary depending on the nationality of the abuser.
"We’re done here, Junior."
The exact amount of intelligence and maturity I expected from you. May you never wake up one morning and realise that the abuses you demanded be heaped upon others are now happening to you, but you have already insisted you have no right to remedy the situation,
Re: Re: Re:19 Sure thing, Junior
You’ve once again missed the boat. I’ll even do you a solid and explain.
Again, this is not about me but thanks for your "well-wishes".
Try and stick to the topic, and if you can’t, just buckle up and enjoy the ride.
This isn’t a debate. A debate would have two opinions. This is you trying to maintain an absurd position and blaming me for pointing it out. Just stop. Go out with your mommy and drive in violation of the speed limit… and HOPE TO HELL nobody in the world says that’s "speeding".
Have a great Day/Night/Morning/Evening wherever your third-world hat is hung.
E
Re: Re: Re:20 Sure thing, Junior
"This isn’t a debate. A debate would have two opinions"
So your solution to being shown to be a sociopathic asshole who doesn’t mind people being abused so long as you are doing the abusing is to pretend I’m not being honest.
Good luck with that, hope you mind the rest of us pointing it out.
Re: Re: Re:21 Sure thing, Junior
So you’ve gone from a remote psychologist to just another Internet troll who calls people names. Good job!
It’s a flaw in the real sociopaths that they think everyone’s with them. There’s no "rest of us." Nobody is pointing anything out. You’re just being insulting.
Thanks, have a great weekend yourself. Try not to insult people or pretend your part of a "posse" or "crew" or "rest of us" or whatever you tell yourself to think you have others that agree with you when you insult people on the Internet.
E
Re: Re: Re:22 -enditem-
You know what, why don’t you go ahead and have the last word. You refuse to discuss the topic and want to make it about me, your views on my mental diseases you imagine, and then resort to namecalling.
Best wishes to you and have a great weekend.
E
Re: Re: Re:23 -enditem-
"You refuse to discuss the topic"
Except I have been discussing it, only you’ve decided to ignore all the points I made because you got butthurt by an accurate description I made of you.
Re: Re: Re:22 Sure thing, Junior
"So you’ve gone from a remote psychologist to just another Internet troll who calls people names"
No, "troll" does not mean "someone who disagrees with you".
As for the diagnosis, you are on record as stating that the rights of people are to be abused at will by corporations for profit with no recourse and that you don’t care so long as they’re "your" corporations abusing them. If you have another diagnosis I’ll be happy to discuss that.
Alternative view
Grocery stores attempted to get a marketing list of 1.5 million customers without strings attached. Authorities replied "Nice try". Less than 24 hours later an alternative list was found, showing how pointless the original request was (presumably the customers can prove they’re in the list without sharing any data about their medical history).
Re: Alternative view
"Grocery stores attempted to get a marketing list of 1.5 million customers without strings attached"
Yes, stories are nice, but do you have any evidence for that, or that they were even attempting any advertising at all?
Unless there’s any further proof, this was simply a case of them trying to get accurate information about customers who had already reported (and where self-reporting wouldn’t work since selfish assholes would just pretend to be in need to jump the queue).
Conspiracies are fun, but sometimes it really is just the sole source of vital supplies to the needy trying to make sure they can supply them.
Re: Re: Alternative view
It’s not a conspiracy theory, it’s what the source literally says: stores wanted 1.5 million names. What we don’t know is whether they got them, or whether the authorities found a way to solve the immediate issue without sharing data which is not immediately needed for the purpose (a boolean information about a subset of those persons).
Re: Re: Re: Alternative view
It’s a ridiculous way to implement this. As you say, all they need to know is whether a given person is on the list. We don’t need every grocer to have the name of every vulnerable person, just in case some want to order stuff. Whoever maintains the list could give a 4-6 digit code on approval; have the customer provide it when ordering, and the grocer can use that plus the postcode to get a yes or no.
Re: Re: Re: Alternative view
"It’s not a conspiracy theory, it’s what the source literally says: stores wanted 1.5 million names"
They wanted the full list of people. Asking for anything else would be pointless for logistics.
The conspiracy theory is dreaming up the idea that they wanted it for marketing, rather than the stated reason of being able to cross-check the names against all current and future orders.
"What we don’t know is whether they got them"
Is there something not in the linked article that explicit says they got them?
Re: Re: Re:2 Alternative view
Why would every store need to know about every vulnerable person? They should only need to know whether the people placing orders with them are vulnerable. What stops them from, say, auto-forwarding the names and addresses to whomever manages the list and getting a "yes" or "no"? Or asking to see some official paper upon delivery (taped to the door, viewed from a distance, whatever)? I might even suggest just asking people, on the order form, whether they’re vulnerable, and estimating after the first week whether there’s a real fraud problem.
One of the whole points of GDPR was to restrict data collection to what’s actually necessary to provide service, and sending sensitive data about 1.5 million people to every shop owner—most of whom the people will never order from—could hardly be considered necessary. Even people who are vulnerable may prefer not to reveal that, for non-time-sensitive orders.
Re: Re: Re:3 Alternative view
"Why would every store need to know about every vulnerable person"
Because how else would they keep track of new customers that fit in that criteria?
"They should only need to know whether the people placing orders with them are vulnerable"
So, they can only ask about the ones currently placing an order? What about new customers? Should a vulnerable person have to wait because they happened to place an order 5 minutes after Asda made the initial request and are therefore not in the customer list they sent for approval? How many times do they need to send new lists to get updates that would have been in the full original?
"What stops them from, say, auto-forwarding the names and addresses to whomever manages the list and getting a "yes" or "no"?"
The GDPR, I’d assume. Them having obtained a list does not give them carte blanche to do what they wish with it after they get it.
"I might even suggest just asking people, on the order form, whether they’re vulnerable, and estimating after the first week whether there’s a real fraud problem."
I’ll save you the wait – if it’s clear that vulnerable people get significantly quicker service, there WILL be a fraud problem, enough to make the question useless. The same assholes that were hoarding vital supplies at the beginning of this will be the same assholes jumping the queue.
"Even people who are vulnerable may prefer not to reveal that, for non-time-sensitive orders."
The minority. I’d guess that if you asked those people if they want their groceries to be delayed for a week or be put on a spam list, most would ask for the spam.
Re: Re: Re:4 Alternative view
What? If they’re not placing orders, how are they customers? An online check is actually easier, because it avoids the "outdated list" problem you mentioned. Asda wouldn’t be building up a list of names to periodically send—this isn’t the 1980s where they need to wait for an off-peak time to place a modem call. They’d immediately send a query (if the user checked the "vulnerable" box) like "SW1:DOWNING,10:JOHNSON" to the list administrator, just as they make an immediate authorization request to the credit card issuer. It shouldn’t take more than a hundred milliseconds.
No, the GDPR does not prevent someone from starting a registry with the sole purpose of letting people voluntarily provide their medical status to expedite deliveries; nor from disclosing, as agreed, a minimal amount of data required to make it work.
Of course, a tiny bit of cryptography and a QR code would let people upload a certificate of their own status to whomever they want, bypassing the whole question.
It might give them a day or two to implement proper verification, anyway, before widespread abuse catches on. And it could easily be made illegal to make a false declaration. If you look at the financial assistance programs of countries such as Canada, they’re intentionally sending the money ASAP and running the fraud checks later.
Really? From my point of view, that’s the situation we’re all in. Online recipe searches are way up, people are looking for clever ingredient substitutions, etc., so they can hold off going to the store for another week. (Weirdest substitution I’ve seen: chickpea brine instead of egg whites in baked goods.)
Re: Re: Re:5 Alternative view
How the scheme works, from DEFRA’s website:
Re: Re: Re:6 Alternative view
Thank you for the summary. Per GDPR, those are two independent purposes: the government food parcel, and sending personal data to all retailers in case the vulnerable person wants to order with priority. One approval may not be used for both.
Re: Re: Re:5 Alternative view
"If they’re not placing orders, how are they customers?"
They’re not yet. But, if they have a list of vulnerable people they can cross-reference that with new customers, enabling them to take action to put them at the front o the queue without having to wait days for the results of new searches every time.
"An online check is actually easier, because it avoids the "outdated list" problem you mentioned"
Is such an online check available? Or does each new search have to go through the same manual check as the entire list?7
"No, the GDPR does not prevent someone from starting a registry with the sole purpose of letting people voluntarily provide their medical status to expedite deliveries"
No, but it prevents them from abusing the registry for marketing purposes, as per your conspiracy theory.
"It might give them a day or two to implement proper verification, anyway,"
What kind of verification can they implement if they’re prevented from accessing the list they need to check against?
"If you look at the financial assistance programs of countries such as Canada, they’re intentionally sending the money ASAP and running the fraud checks later."
So your solution to a company needing to streamline their emergency processes is to overload them with false claims and thus make the entire exercise pointless? Genius.
"Really? From my point of view, that’s the situation we’re all in."
Yes, including vulnerable people who may be in more need for supplies, hence the entire point of this exercise. By definition "vulnerable people" does not mean "people who have to be more imaginative with their menus". It may mean "people who are unable to cook for themselves and may need specific items that are regularly out of stock".
Re: Re: Re:6 Alternative view
I don’t know what world you’re living it, but there’s no reason why searches should take "days". I could easily get this designed and up and running, with protocol descriptions ready for retailers, in a workday; and then debug and refine over a week. It could be so kludgey as to call out to grep via CGI, and still wouldn’t take more than a second to check the list.
The message you’re responding to did not raise such a theory. Whether or not someone would do something bad with the data, the GDPR forbids sharing more than is necessary.
Retailers would defer to the list administrator on this matter, who already needs to vet requests to be put on the list (now or later). If one address is getting like 10 approvals per day, it’s time for a phone call. And if the retailer is getting so many "priority" requests that delays get unacceptably long, they can raise that problem.
What? Trying to solve problems before they exist often causes more trouble then it’s worth. Look at all the hardwringing over voter ID laws in the USA, where the risk of disenfranchisement seems larger than any possible gain.
The whole point of the suggestion is that fraud is not likely to be an emergency right away, and maybe will remain low enough that detection can be deferred till after the crisis. Can be deferred till the "debugging" phase anyway.
I don’t dispute that the list will be important for some vulnerable people. You said all but a minority of vulnerable people would want to be on it, and the above statement does not support it.
Overly broad one law to fix it all.
What could possibly go wrong?
Still upset everytime i have to approve cookies.
Should be a way to just set a preference directly in browser like the do not track feature.
Re: Re:
I might be wrong and not have the inclination to research at the moment, but that strikes me as something that would be prohibited in the law itself, especially since the major companies they had a problem with having too much data are the same companies that make the most popular browsers.
Re: Re:
Parts of GDPR require "active consent" which means having to approve individual actions even if the same action occurs many times across different services. This was meant to protect individuals and not hide things under the guise of convenience.
Re: Re: Re:
Of course, the cookie thing is basically malicious compliance. The GDPR’s point was to stop sites collecting unnecessary information, not force people to constantly approve unnessary collection. No site should be asking for cookie approval until someone takes an action that implies personalization.
A news site, for example, shouldn’t be bugging you until you try to log in (for which a "logging in means you accept cookies" message near the username box should suffice), mark a news story as a favorite, etc.
ludicrous!
GDPR isn't the problem
The GDPR isn’t the problem. The real problem is in bad implementations and attempts to abuse the law. In all of the cases listed the root of the issue was in not following the GDPR.
But you do you.
I would take anything printed in the Telegraph, with a massive pinch of salt! They have their own agenda. I’ve not read the article, but there will have been conditions that the data isn’t retained, maybe they don’t need to pass on the names, just the addresses etc. It’s likely it didn’t delay things at all. Although we’re in unchartered waters, the government’s and supermarkets should have disaster planning for such situations. If there was a delay, it will be a failure of planning. GDPR in this situation isn’t much different than our old data protection anyway. We have plenty of data privacy / freedom of information professionals who understand the issues Certain papers like to use anything related to EU as a scapegoat, even if the UK actively supported the actual measures. Indeed this current government have been very skilled at passing blame.
Re: Re:
I argue that they’ve not been skilled in passing blame, only in attempting to do so. They are still very much culpable and I expect the next couple years will bear that out in the courts.
I know, I say the basic reasoning, BUT some dont get it..
Lets see.
The right to protect Everything, but not from spammers..
The right to be forgotten?
really?
Who in the world would really like this to happen?
Anyone wish to list All the people that Would like this idea, Besides…
Persons that have been in jail
Persons that have molested Children
A Thief.
Every politician, that has Screwed up..
Every politician that has LIED.
People who have beaten the Ex-wives. And been divorced, many times..
HOW many more can we list??
Foreigners, that dont want you to know their past, and make you think they LIVED in this country Since birth.
NOW, lets see if we can pass this along to the Gov. of each nation also, and NOT just the internet. Thats Possible.
Re: I know, I say the basic reasoning, BUT some dont get it..
As for RTBF
Victims of crime named on a website. Do yourself think a women who has been raped or beaten deserves for that information to be the number one result when anyone searches her name?
People found not guilty, and as such are innocent
People who were found guilty, but later had their conviction quashed
People simply arrested and never charged.
People whose medical information is online. Is therec really a need for somone to know you had syphilis 10 years ago?
Or simply in cases where the information is completely false
Politicians – well they are a public figures, so unlikely to be able to use it. The public interest test is a major factor.
And yes, people convicted of low level crimes can sometimes benefit. Usually only when the conviction is considered spent, and they legally do not have to declare it for rehabilitation issues. RTBF is just a way that ordinary people can make their case. If there is a real public interest, then they will not succeed.
No.
The TD article is drawn from two highly dishonest articles published in the Telegraph, an overtly-xenophobic, anti-European, British newspaper. Once the political biases are boiled out a little, the underlying truth seems to be somewhat different.
AFAICT, this is a complete non-story that no other UK publications seem to have covered, in the two weeks since the Telegraph originally manufactured it.
Both the Telegraph and TD try to sell this as an EU problem, but this seems to actually be more of a UK-specific bureaucracy issue.
Our Department for Environment, Food and Rural Affairs (DEFRA) was supposed to give that big list to the UK’s big-name supermarket chains – but someone obviously dragged their feet on the paperwork they were supposed to do first, causing a short delay.
The Telegraph and TD spin this as being the fault of the GDPR, but under the UK’s previous law – the Data Protection Act 1998 (variously amended) – the exact same legal obligations for personal information-handling were in place for at least a couple of decades, as far as I know.
The Telegraph quotes a DEFRA spokesperson as saying “Subject to data protection agreements being in place, we expect this [lists] to be shared imminently.”
Managing data-protection in this fashion has been a normal part of DEFRA’s day-to-day business since it was founded. Any delay here isn’t down to the GDPR, it’s down to DEFRA not getting it’s job done in timely fashion, for whatever reason.
Any claim to the contrary is simply a lie.
Par for the course for the Telegraph.
Rather a crying shame for TechDirt.
Re: No.
Exactly, you are completely correct on this.
Re: No.
There’s a reason why they’re referring as the Torygraph after all.
Although, in fairness, the UK is still bound by the GDPR as I understand it? I’ve not kept up with the Brexit mess after all attempts to avoid that disaster were thwarted, but if I’m correct in thinking that, it’s right to refer to this as a GDPR issue at the moment, even if the spin that it was a problem introduced by it is incorrect.
Re: Re: No.
Hello, PaulIT. 🙂
As I understand it, we’re still following the GDPR, but only of our own volition, as we’re no longer legally accountable to the EU bodies that were previously responsible for enforcing EU-wide laws and regulations. Our government can change the rules whenever they have the time and inclination. Presumably, they’re busy with something else, just at the moment.
PaulIT, let me ask you something: you’ve been posting on TD’s comment section a long time, probably far longer than I… when some policeman in the US decides that accurate warrants are too much effort and screws up a drug bust, child abuse conviction, or whatever… do you and I and TechDirt all call that a Fourth Amendment problem or a bad policing problem?
Would TechDirt spend three paragraphs listing out all the problems the Fourth Amendment has allegedly caused in the past, followed by seven paragraphs of new material, where virtually every major sentence openly attacks the Amendment for causing the crime?
Would they do that, PaulIT? Would you – or they – consider it fair and honest journalism, if they did?
I love TechDirt. I’ve been reading it for years. I wear my Home Cooking t-shirt to work with great pride. Against that, I’m no big fan of the GDPR. It is ridiculously bureaucratic, problematic and poorly written, no question.
But I’d be lying if I said I thought that mattered here. In all the years I’ve been reading, TD has almost never had a single good word to say about any legislation other than the US Constitution – and on the rare occasions when it has, it’s usually lathered in so much hyperbolic, face-fanning incredulity they might as well not have bothered.
PaulIT, do you think anyone in the EU will ever be encouraged to fix the GDPR by reading blatantly dishonest and prejudiced articles like this one? Shouldn’t honesty and better speech be a thing, here of all places?
We all have our failings. My own sins and prejudices are far worse, I’m sure. The right thing to do is to help each other overcome those flaws, if we can. Should you really be defending TechDirt – however lightly – when they’re getting something badly wrong? Wouldn’t it be better to help them improve?
TechDirt can do better than this. They’re professional journalists. They can fact-check their sources. They can learn the legal context. They can put their personal hostilities aside and be honest.
But that will only happen if enough commenters like you and I put our hands up, call them on their mistakes and demand they tell the truth.
Do what’s right, PaulIT.
Re: Re: Re: No.
That’s a very strange way of writing. Do you really think that repeating my login makes your points any more important? To me, it reads like you’re being a prick for no reason.
"do you think anyone in the EU will ever be encouraged to fix the GDPR by reading blatantly dishonest and prejudiced articles like this one?"
I don’t think they will be swayed in any way whatsoever by any article written here, no matter how it’s written. Now, the people who comment here and have a vote in the EU might be able to help sway things one way or the other,. But, you acting like an asshole to people making mistakes on a blog written thousands of miles away because they used a source you don’t like certainly isn’t going to encourage those people to take action.
"TechDirt can do better than this. They’re professional journalists"
As far as I’m aware, they’re not, they just have a blog on top of other projects under the Floo64 and other banners.
Re: Re: Re:2 No.
That’s a no, then. Ah, well. At least I tried.
"Do you really think that repeating my login makes your points any more important?"
No, I just wanted to emphasise that I was talking directly to you, rather than being general. In the absence of your real name, a username will have to do. But, since you’ve already made up your mind to do the partisan thing and ignore bad work, rather than push TD to create something better, there was clearly no point, in hindsight.
"[…] you acting like an asshole […]"
That’s fair enough. /Mea culpa./ If you can think of a better way to tell an otherwise good person that they turn into racist dicks with certain topics, a way that’s both kinder and more effective than mine, I’m absolutely all ears.
"I don’t think they will be swayed in any way whatsoever by any article written here […] they just have a blog […]"
I think you’re underestimating TechDirt. When the average mainstream journalist, or parliamentary civil servant, or EU member has to research a new technology topic, where do you think they go first? Some of them will have special advisors for the job, but most will do what the rest of us do: they’ll Google it.
Depending on what they’re looking for, they wind up reading articles on Wikipedia, Ars Technica, TorrentFreak… and TechDirt. TD – and other sites – have a reach and an influence that can’t be easily quantified, but I’ve no doubt it’s there. Just the number of times it’s been quoted on the BBC News website is good enough evidence for that.
If TD weren’t regarded as some kind of professional writers, worthy of some respect, the BBC wouldn’t be quoting them like they’re experts – and I certainly wouldn’t be putting this much effort into their comment section.
When random advisors poke around the internet for information on how GDPR is working out, I want them to find something better than this article.
Re: Re: Re:3 No.
"No, I just wanted to emphasise that I was talking directly to you, rather than being general"
I got that when you hit the reply button to my comment. The rest of it was just you being obnoxious.
"If you can think of a better way to tell an otherwise good person that they turn into racist dicks with certain topics"
Where the fuck did racism come into this?
"If TD weren’t regarded as some kind of professional writers, worthy of some respect, the BBC wouldn’t be quoting them like they’re experts "
The BBC have quoted Infowars in the past. That doesn’t make Alex Jones a credible journalist. It depends on the subject and the context of the article, and even the BBC is not perfect.
"Some of them will have special advisors for the job, but most will do what the rest of us do: they’ll Google it."
So, does Techdirt regularly come up in searches for major topics, over and above even the sources they comment on? Do the advisors not also check their sources, or do they somehow place more weight on random US-based blogs than actual news sources based within their jurisdiction?
"When random advisors poke around the internet for information on how GDPR is working out, I want them to find something better than this article."
Then, your problem is with advisors doing a shitty job. If you’re scared that this post might come up first in a random Google and thus influence advice, your real problem is with advisors who submit reports based on whatever comes p first in Google.
Re: Re: Re:4 No.
With that reply, your goal becomes all too clear. You carefully avoided all points of criticism with weight and substance in my earlier post, but you’re more than happy to engage with the easier targets you’re fed. Being truthful or helpful in any way is not what you care about here, you just want to argue for the sake of it, even if the conversation devolves into nonsense. I think you’re just another troll, albeit a long-term troll with a username.
You enjoy yourself, PaulIT. I’ve already said all I think needs saying. With a lot of luck, perhaps someone who genuinely values TechDirt will pay it some attention, maybe even be encouraged to speak up and complain, the next time we get an article like this one.
Help yourself to the last word.
Have a good one, PaulIT. 🙂
Re: Re: Re:5 No.
So, after being called out for being an asshole, you refuse to answer any points and run away. Fine, it’s clear that you weren’t interested in an actual conversation, as is clear by your behaviour in your first response.
"I think you’re just another troll, albeit a long-term troll with a username."
That’s called a mirror. Address yourself before you get called out again for your behaviour. If you wish to have an actual conversation, I’m always here.
The first issue with the right to be forgotten is the illegal underlying nature of the cyber problem.
The second issue is the transnational nature of the EU making it largely illegitimate anyway.
The third problem appears to be that indo-china appears to be trying to use "alien" or third party status within the EU to troll people instead of the EU wanting it.
Re: Re:
" the illegal underlying nature of the cyber problem."
The Cyber Problem … sounds like the next summer thriller
Is GDPR really all that bad?
Hi,
A few years ago, I made the suggestion to Techdirt to consider bringing an EU-based data-protection expert onto the podcast to discuss the GDPR.
https://www.techdirt.com/articles/20180528/21433139932/eu-parliaments-own-website-violates-gdpr.shtml#c532
I see three main consequences of the GDPR:
Nearly every time I read a negative story about the GDPR it falls into that second bucket — someone who is unqualified to do so decides that the GDPR is the reason why they should do something, or should not do something. I find that the experts I refer you to will agree each time.
I think this is a good time for Techdirt to reconsider inviting someone who works in data protection in the EU (or an expert based in the UK; the GDPR continues to apply there!). Having had Larry Lessig on to discuss his suit against the NY Times and Mike Godwin on to explain the sale of .org shows that podcast guests whose informed positions are opposite to Techdirt’s are welcome, and here’s another opportunity.
Éibhear
Re: Is GDPR really all that bad?
The GDPR was created to force successful firms (all of whom are US based) to comply with things that no
Yes there are parts of the GDPR which are good. Those were buried in the onerous parts designed to PUNISH the successful American companies who DARED to succeed.
The GDPR is worse than Facebook.
Next up… Google Tax on links to stuff in France.
There’s nothing for us to sit around and discuss here. Innovators will always exist… and those who do well, come to the US… where they don’t have to deal with Europe’s small-minded mess.
Best wishes to all,
E
Re: Is GDPR really all that bad?
GDPR is in response to an actual need (outdated data protection laws), but is not very well written, horribly communicated and leaves some major gaps to be either exploited or to stifle innovation). Blaming the people who are confused by this rather than the way the law was written and the way it was distributed is not very productive.
Re: Re: Is GDPR really all that bad?
The GDPR is designed to stifle productivity. Perhaps, as you suggest, its goals, as "…in response to an actual need…" and given the need for data privacy I would personally agree. Sadly I don’t create policy for the small side of The Pond so can’t really opine there.
The GDPR is a big stick used to beat up — primarily — on successful US companies that understand the Internet. All the European companies that begin to get there… move to the US. The US doesn’t have a GDPR (although some form of it would be useful) so we can enjoy growth and prosperity.
Unlike France. Italy. Germany. Well, Europe.
I’m not anti-Europe. I’m anti European-centric anti-US laws.
E
Re: Re: Re: Is GDPR really all that bad?
"The GDPR is designed to stifle productivity."
If your "productivity" involves destroying privacy and putting the personal data of everybody you come into contact with at risk, maybe you need to be less "productive". One of the bonuses of living in Europe is having a government that believes that the rights of citizens do actually trump the next quarter’s profit of a corporation.
"The GDPR is a big stick used to beat up — primarily — on successful US companies that understand the Internet"
No, it’s an extension of data protection laws that are partially intended to stop the rights of citizens being funneled outside of the jurisdiction of their democratically elected representatives (although the laws that govern US companies also apply to EU companies). It’s imperfect and has some major flaws, but there are actual motives, some of which were already enshrined in law for decades before this recent attempt at updating it. Would you also be against a US law that tried blocking data export to China?
"All the European companies that begin to get there… move to the US."
Not all of them, but if that’s what you have to pretend, go for it.
"I’m anti European-centric anti-US laws."
Are you also against anti-European laws in the US?
Re: Re: Is GDPR really all that bad?
One of the biggest complaints I have regarding the GDPR is that it was, as you say, horribly communicated. The messaging was all over the place (even where I live, Dublin, the epicentre of EU-based data-protection controversies), and it was not at all clear as to who were experts and knew what they were talking about, and who were the charlatans seeking to profit from the confusion, and who were the people who should have just kept the bloody mouths shut.
I am no lawyer, so I can’t speak to the way it was written.
I think there is an onus on those making decisions about data protection to ensure they have their facts and legalities correct, and those who opt not to do that can reasonably be described as reckless. I wonder how many of the negative stories regarding the GDPR would be describing exactly this situation. We don’t excuse people making health or (other-domain) legal decisions that impact others without first having sought the appropriate advice.
But the whole point of my comment (above, and back in 2018) is that it would be helpful for Techdirt to ask some questions of data protection experts who deal on a daily basis with the GDPR and for them to be given the opportunity to provide answers. I think the podcast would be an excellent forum for that.
Update response
Well, spank my poodle and call me Aunt Jebidisa! 😀
Mr Cushing, thank you for correcting the record. It’s good to know the people I’ve put my faith in care enough about the truth to do this. I unreservedly tip my hat: huge respect to you, sir.
I also apologise for my more inauspicious comments, in my exchange with the other commenter. I wanted to find out what kind of commenter he was, which worked, but my choice of words along the way was less than kind and too unfair to yourself and TechDirt.
I’m sorry. I don’t always mean to sound like I’m a drunken, abusive, rambling idiot, half the time, but I am, so that’s the way it comes out. It’s been a very long month, involving quite a lot of rather cheap whiskey. I’ll try to do better, next time.
Very well done for finding all those sources. I’ve just had another go and still can’t find some of them through Google, even knowing what I’m looking for. Your research skills evidently vastly outstrip my own. I’m uncertain how you discovered Aberdeen’s Evening Express newspaper, which I didn’t know existed. I had somehow thought publisher D.C. Thomson went to the wall years ago – it’s quite pleasing to see they’re actually still around.
Interestingly, the Guardian’s article doesn’t mention DEFRA at all, but the ICO (For those unaware, the Information Commissioner’s Office handles registrations, inquiries, complaints and suchlike relating to the Data Protection Act). I would have thought DEFRA would have their own sub-department for handling things like this, but if they’re yeeting all of the things to another government department entirely, it probably explains where the delay came from.
It’s still DEFRA’s fault, since it’s hardly the first emergency they’ve ever had to deal with – and with 3,500 employees they really should have staff for this – but it does at least make sense of the issue here.
Once again, my unbounded thanks for the updated article.
Stay safe, Mr Cushing. 🙂