All geek questions in one place

Data Protection and Web 2.0 Web Sites

Currently, many countries have data protection laws that give people the right to:

  • ask the organization to transfer all the information they store and
  • to request the destruction of any information held by a person.

Facebook got into trouble in the second part of this in the UK , since it is almost impossible to delete your information from Facebook.

It's clear. The data of people on the site in social networks is complexly woven into the fabric of the site. Users generate messages, messages, chats, relationships with others, photos, applications, etc., And in turn, other people will add their own comments / thoughts on this content.

However, I am far from convinced that simply stating in your conditions and conditions that your data cannot be deleted complies with the data protection legislation (at least in the UK - do any legal programmers want to comment?).

We tend to handle the issue of deleting user content by overwriting the key fields in the entries for that user (for example, username, name, email address) and overwriting the key fields in the content posted by him (for example, comments, blog posts). This means that you can go to the discussion post related to the "deleted user", which reads: "This message has been deleted."

Data protection problems even affect solutions such as hosting (we tend to host applications in the UK for many customers for data protection reasons, despite the higher cost).

As a developer, how much is my problem? I have a feeling that responsibility ultimately depends on the copyright holder of the application (my clients / employers), and this will be due to the fact that they will come after my company because they did not pay due attention to the issue if they are mistaken.

My questions for you:

  • How do you solve the problem of removing content from an application on social networks, where the problem of data protection is a problem?
  • Whose responsibility is ultimately?
  • Should I just lighten up and worry less about these issues?

EDIT: some great answers to 2 and 3 already, but what of the main problem? How do you handle the removal of user content from a complex application for social networks, where it is associated with a lot of other content.

+4
source share
2 answers

The assertion that the data cannot be deleted, of course, does not comply with EU data protection laws; where we have the right to request removal and ask him not to share; basically we can expect the data

  • fairly and lawfully processed, - is processed for certain purposes and is in no way incompatible with these purposes,
  • adequate, relevant and not excessive,
  • accurate
  • stored no more than necessary
  • processed in accordance with the legal rights of individuals,
  • stored safely
  • transferred to countries outside the European Economic Area only if the rights of individuals can be guaranteed.

Thus, without deleting when the user closes his account, it may be violated "stored no more than necessary."

Responsibility lies with the data controller; A company that collects and processes data. If you do not participate in the daily work of the system, if you sold it to customers and administer the system, then this is their problem.

Should you make it easy? Well, that is subjective; personally, while in the UK, I take this into account; because privacy is important regardless of the commercial aspect.

To solve your question about removal from the application for social networks, it just does not matter. Data must be deleted regardless of the application itself. Now this is personal information, which is a problem, so you can assume that these are only names, dates of birth, etc .; however, what if a comment provides identifiable information? This is a bit of a minefield. The safest option is to simply destroy everything. In addition, since displaying information on the Internet means that it can / will be transferred outside the EU, you must have explicit permission to do this when users register, the UK Information Commissioner has principles

Paste the standard I'm not a lawyer, this is not a legal recommendation.

+1
source

The answer to Blowdart is great, although I'm curious about data that inherently refers to more than one person β€” for example, a Facebook post or post on a wall. Or even a PDF that contains the names of several individuals - what if one of them asked to delete this information? I assume that you will be allowed to save this data.

In any case, this is not my answer. I answer the question "who is responsible." While the data controller (your client) is really responsible by law, you, as a professional adviser, may have a duty to them. Therefore, if they are held accountable, they may prosecute you for damage for providing incomplete or incorrect advice.

I would recommend that you inform them of the law, advise them to get a lawyer (there are many good ones who specialize in information law) and place them in writing. You will do the service to the client and at the same time protect yourself.

If you host the application, the position may be slightly different - in accordance with the law on data protection, a β€œbureau” may be registered, but in any case, you may have to take some legal advice yourself.

None of this applies to you as an employee, but it may apply to your employer as a provider.

+1
source

Source: https://habr.com/ru/post/1277227/

More articles:


All Articles