Does GDPR cover the collection of data by websites that crawl the web and resell user data Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?Contract necessary for the most basic processing under GPDR?Under the GDPR, should transaction data be deleted on account deletion or on user request?GDPR impact on genealogy website / uncontrolled user dataWill GDPR (EU law) make bad practices in security illegal?Does GDPR apply to internal employees data?Does keeping an MD5 hash of user data violate GDPR?GDPR and personal data that gets crawled and ends up on other websitesGDPR - is user social ID personal dataDoes my Personal Web App need to comply to GDPR?Replication of user data a violation of GDPR
Implementing 3DES algorithm in Java: is my code secure?
How would this chord from "Rocket Man" be analyzed?
"My boss was furious with me and I have been fired" vs. "My boss was furious with me and I was fired"
Are these square matrices always diagonalisable?
Passing args from the bash script to the function in the script
Has a Nobel Peace laureate ever been accused of war crimes?
How to avoid introduction cliches
A Paper Record is What I Hamper
Married in secret, can marital status in passport be changed at a later date?
Justification for leaving new position after a short time
Rolling Stones Sway guitar solo chord function
What is /etc/mtab in Linux?
The art of proof summarizing. Are there known rules, or is it a purely common sense matter?
What was Apollo 13's "Little Jolt" after MECO?
What *exactly* is electrical current, voltage, and resistance?
What's parked in Mil Moscow helicopter plant?
A faster way to compute the largest prime factor
How to get even lighting when using flash for group photos near wall?
What’s with the clanks in Endgame?
Are there moral objections to a life motivated purely by money? How to sway a person from this lifestyle?
How can I wire a 9-position switch so that each position turns on one more LED than the one before?
Multiple fireplaces in an apartment building?
Did the Roman Empire have penal colonies?
"Rubric" as meaning "signature" or "personal mark" -- is this accepted usage?
Does GDPR cover the collection of data by websites that crawl the web and resell user data
Announcing the arrival of Valued Associate #679: Cesar Manara
Unicorn Meta Zoo #1: Why another podcast?Contract necessary for the most basic processing under GPDR?Under the GDPR, should transaction data be deleted on account deletion or on user request?GDPR impact on genealogy website / uncontrolled user dataWill GDPR (EU law) make bad practices in security illegal?Does GDPR apply to internal employees data?Does keeping an MD5 hash of user data violate GDPR?GDPR and personal data that gets crawled and ends up on other websitesGDPR - is user social ID personal dataDoes my Personal Web App need to comply to GDPR?Replication of user data a violation of GDPR
I have found that a lot of my personal info is now available on a bunch of websites that collect data and resell it.
I'm talking about those 'find anything about anyone' websites.
A lot of the data is also inaccurate.
Since a lot of these companies are American and I have lived my life half US / half EU and I'm now an EU resident, I was wondering:
- does the GDPR applies to them?
- does the GDPR applies to data they claim was 'public', but I see that this is not really true?
- What's the responsibility of search engines, like Google, in indexing and promoting that content. As they seem to have a 'contact the webmaster' approach to it, is it possible to get the content (at the minimum the inacurate one) removed from their index?
gdpr
asked 2 days ago
ThomasThomas
1814
add a comment |
I have found that a lot of my personal info is now available on a bunch of websites that collect data and resell it.
I'm talking about those 'find anything about anyone' websites.
A lot of the data is also inaccurate.
Since a lot of these companies are American and I have lived my life half US / half EU and I'm now an EU resident, I was wondering:
- does the GDPR applies to them?
- does the GDPR applies to data they claim was 'public', but I see that this is not really true?
- What's the responsibility of search engines, like Google, in indexing and promoting that content. As they seem to have a 'contact the webmaster' approach to it, is it possible to get the content (at the minimum the inacurate one) removed from their index?
gdpr
asked 2 days ago
ThomasThomas
1814
1
"data they claim was 'public', but I see that this is not really true": what sort of data do you have in mind? A lot of information that people think is private is actually public. For example, home ownership records are public in at least some of the US, and they can include the size of the mortgage, if there is one. Court dockets can be public, including the names of criminal defendants.
– phoog
2 days ago
One example is an unlisted phone number, so it had to be purchased somewhere, similarly an address is listed while it was never under my name but rented by a business and my name was never on the contract. But also a few wrong information. I have quite a unique name yet some sites have the wrong age, wrong family ties, etc. Overall 2/3 is accurate and 1/3 is really not.
– Thomas
2 days ago
@Thomas The company would have to provide you with information for their basic transparency requirements: “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” (Art 14(2)(f)). Furthermore for access requests per Art 15(1)(g): “where the data is not collected from the data subject, any available information as to their source”. It's debatable whether the sources must identifiable or if classes of sources are sufficient here.
– amon
2 days ago
@amon, that’s very good to know; thanks!
– Thomas
2 days ago
add a comment |
I have found that a lot of my personal info is now available on a bunch of websites that collect data and resell it.
I'm talking about those 'find anything about anyone' websites.
A lot of the data is also inaccurate.
Since a lot of these companies are American and I have lived my life half US / half EU and I'm now an EU resident, I was wondering:
- does the GDPR applies to them?
- does the GDPR applies to data they claim was 'public', but I see that this is not really true?
- What's the responsibility of search engines, like Google, in indexing and promoting that content. As they seem to have a 'contact the webmaster' approach to it, is it possible to get the content (at the minimum the inacurate one) removed from their index?
gdpr
asked 2 days ago
ThomasThomas
1814
I have found that a lot of my personal info is now available on a bunch of websites that collect data and resell it.
I'm talking about those 'find anything about anyone' websites.
A lot of the data is also inaccurate.
Since a lot of these companies are American and I have lived my life half US / half EU and I'm now an EU resident, I was wondering:
- does the GDPR applies to them?
- does the GDPR applies to data they claim was 'public', but I see that this is not really true?
- What's the responsibility of search engines, like Google, in indexing and promoting that content. As they seem to have a 'contact the webmaster' approach to it, is it possible to get the content (at the minimum the inacurate one) removed from their index?
gdpr
gdpr
asked 2 days ago
ThomasThomas
1814
asked 2 days ago
ThomasThomas
1814
asked 2 days ago
ThomasThomas
1814
asked 2 days ago
ThomasThomas
1814
asked 2 days ago
ThomasThomas
1814
1814
1
"data they claim was 'public', but I see that this is not really true": what sort of data do you have in mind? A lot of information that people think is private is actually public. For example, home ownership records are public in at least some of the US, and they can include the size of the mortgage, if there is one. Court dockets can be public, including the names of criminal defendants.
– phoog
2 days ago
One example is an unlisted phone number, so it had to be purchased somewhere, similarly an address is listed while it was never under my name but rented by a business and my name was never on the contract. But also a few wrong information. I have quite a unique name yet some sites have the wrong age, wrong family ties, etc. Overall 2/3 is accurate and 1/3 is really not.
– Thomas
2 days ago
@Thomas The company would have to provide you with information for their basic transparency requirements: “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” (Art 14(2)(f)). Furthermore for access requests per Art 15(1)(g): “where the data is not collected from the data subject, any available information as to their source”. It's debatable whether the sources must identifiable or if classes of sources are sufficient here.
– amon
2 days ago
@amon, that’s very good to know; thanks!
– Thomas
2 days ago
add a comment |
1
"data they claim was 'public', but I see that this is not really true": what sort of data do you have in mind? A lot of information that people think is private is actually public. For example, home ownership records are public in at least some of the US, and they can include the size of the mortgage, if there is one. Court dockets can be public, including the names of criminal defendants.
– phoog
2 days ago
One example is an unlisted phone number, so it had to be purchased somewhere, similarly an address is listed while it was never under my name but rented by a business and my name was never on the contract. But also a few wrong information. I have quite a unique name yet some sites have the wrong age, wrong family ties, etc. Overall 2/3 is accurate and 1/3 is really not.
– Thomas
2 days ago
@Thomas The company would have to provide you with information for their basic transparency requirements: “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” (Art 14(2)(f)). Furthermore for access requests per Art 15(1)(g): “where the data is not collected from the data subject, any available information as to their source”. It's debatable whether the sources must identifiable or if classes of sources are sufficient here.
– amon
2 days ago
@amon, that’s very good to know; thanks!
– Thomas
2 days ago
1
1
"data they claim was 'public', but I see that this is not really true": what sort of data do you have in mind? A lot of information that people think is private is actually public. For example, home ownership records are public in at least some of the US, and they can include the size of the mortgage, if there is one. Court dockets can be public, including the names of criminal defendants.
– phoog
2 days ago
"data they claim was 'public', but I see that this is not really true": what sort of data do you have in mind? A lot of information that people think is private is actually public. For example, home ownership records are public in at least some of the US, and they can include the size of the mortgage, if there is one. Court dockets can be public, including the names of criminal defendants.
– phoog
2 days ago
One example is an unlisted phone number, so it had to be purchased somewhere, similarly an address is listed while it was never under my name but rented by a business and my name was never on the contract. But also a few wrong information. I have quite a unique name yet some sites have the wrong age, wrong family ties, etc. Overall 2/3 is accurate and 1/3 is really not.
– Thomas
2 days ago
One example is an unlisted phone number, so it had to be purchased somewhere, similarly an address is listed while it was never under my name but rented by a business and my name was never on the contract. But also a few wrong information. I have quite a unique name yet some sites have the wrong age, wrong family ties, etc. Overall 2/3 is accurate and 1/3 is really not.
– Thomas
2 days ago
@Thomas The company would have to provide you with information for their basic transparency requirements: “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” (Art 14(2)(f)). Furthermore for access requests per Art 15(1)(g): “where the data is not collected from the data subject, any available information as to their source”. It's debatable whether the sources must identifiable or if classes of sources are sufficient here.
– amon
2 days ago
@Thomas The company would have to provide you with information for their basic transparency requirements: “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” (Art 14(2)(f)). Furthermore for access requests per Art 15(1)(g): “where the data is not collected from the data subject, any available information as to their source”. It's debatable whether the sources must identifiable or if classes of sources are sufficient here.
– amon
2 days ago
@amon, that’s very good to know; thanks!
– Thomas
2 days ago
@amon, that’s very good to know; thanks!
– Thomas
2 days ago
add a comment |
1 Answer
1
active
oldest
votes
The GDPR applies to such sites if they offer services in the EU/EEA. If they clearly wanted to avoid being subject to the GDPR, they should block visitors from the EEA. For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant.
Personal data does not turn non-personal just because it was public. So the GDPR still applies when the data was collected from public sources. However, the data controller (who determines the purpose of processing) often has to balance your rights and interests against other interests (e.g. when using legitimate interest as a legal basis for some processing). For the purpose of publicly displaying your data, only showing data that was already public anyway makes it easier to argue that this is fine.
But when the GDPR applies, you have data subject rights. Relevant rights include:
- a right to access, to see all the data they have about you
- a right to rectification, to correct wrong data they hold about you
- a right to restriction, effectively an opt-out
- a right to erasure (also known as the right to be forgotten)
These rights apply both against the website and against Google Search (arguably, both are doing the exact same thing). Google correctly points out that they can't remove information from the Web, but they can hide information from search results.
If you feel that your requests have not been resolved correctly, you can issue a complaint with your country's data protection authority. In theory you can also sue them. In practice, GDPR enforcement against overseas data controllers can be quite difficult and has not yet happened.
answered 2 days ago
amonamon
1,07827
"For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant." I remember reading otherwise. Can you back up this claim with sources?
– Ave
2 days ago
1
@Ave this is a very common misconception about the GDPR. But the EU cannot make extraterritorial laws, so Art 3 “Territorial Scope” limits the applicability to cases where the data controller is in the EU, or where the data controller offers services in the EU, or where the data controller observes behaviour of data subjects who are currently in the EU. But e.g. a EU citizen visiting the US is not protected by the GDPR.
– amon
2 days ago
"An EU citizen visiting the US" is conceivably "in" the EU for the purpose of GDPR protection if he or she maintains a residence there. The protection surely does not evaporate for a week or a month for EU residents when they leave the EU for short-term travel elsewhere. An EU citizen residing in the US is less likely to be "in" the EU under the meaning of the GDPR, of course, and one who has never been to any EU territory even less likely still.
– phoog
2 days ago
@phoog These apparent contradictions disappear when you look at individual subject–controller relationships separately. E.g. if I visit the US and check into a hotel then that hotel is not bound by the GDPR. But while in the EU I opened a Facebook account and now want to close it. While I used FB the relationship between me and FB was clearly subject to the GDPR. But can I exercise my data subject rights while physically in the US? I'd argue yes, I do have GDPR rights for data that was collected/processed under the GDPR. But I can't do squat about new data collection while not in the EU
– amon
2 days ago
1
Facebook is perhaps not a great example, since it has offices in the EU, but the point is well taken nonetheless. But the question of GDPR rights for covered data subjects with regard to controllers who otherwise would not be covered is probably fairly academic anyway, regardless of where the subject is at the moment of data collection, because, as you note, there is unlikely to be a way to enforce the GDPR against a company that has no presence in the EU.
– phoog
2 days ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "617"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f39322%2fdoes-gdpr-cover-the-collection-of-data-by-websites-that-crawl-the-web-and-resell%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
The GDPR applies to such sites if they offer services in the EU/EEA. If they clearly wanted to avoid being subject to the GDPR, they should block visitors from the EEA. For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant.
Personal data does not turn non-personal just because it was public. So the GDPR still applies when the data was collected from public sources. However, the data controller (who determines the purpose of processing) often has to balance your rights and interests against other interests (e.g. when using legitimate interest as a legal basis for some processing). For the purpose of publicly displaying your data, only showing data that was already public anyway makes it easier to argue that this is fine.
But when the GDPR applies, you have data subject rights. Relevant rights include:
- a right to access, to see all the data they have about you
- a right to rectification, to correct wrong data they hold about you
- a right to restriction, effectively an opt-out
- a right to erasure (also known as the right to be forgotten)
These rights apply both against the website and against Google Search (arguably, both are doing the exact same thing). Google correctly points out that they can't remove information from the Web, but they can hide information from search results.
If you feel that your requests have not been resolved correctly, you can issue a complaint with your country's data protection authority. In theory you can also sue them. In practice, GDPR enforcement against overseas data controllers can be quite difficult and has not yet happened.
answered 2 days ago
amonamon
1,07827
"For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant." I remember reading otherwise. Can you back up this claim with sources?
– Ave
2 days ago
1
@Ave this is a very common misconception about the GDPR. But the EU cannot make extraterritorial laws, so Art 3 “Territorial Scope” limits the applicability to cases where the data controller is in the EU, or where the data controller offers services in the EU, or where the data controller observes behaviour of data subjects who are currently in the EU. But e.g. a EU citizen visiting the US is not protected by the GDPR.
– amon
2 days ago
"An EU citizen visiting the US" is conceivably "in" the EU for the purpose of GDPR protection if he or she maintains a residence there. The protection surely does not evaporate for a week or a month for EU residents when they leave the EU for short-term travel elsewhere. An EU citizen residing in the US is less likely to be "in" the EU under the meaning of the GDPR, of course, and one who has never been to any EU territory even less likely still.
– phoog
2 days ago
@phoog These apparent contradictions disappear when you look at individual subject–controller relationships separately. E.g. if I visit the US and check into a hotel then that hotel is not bound by the GDPR. But while in the EU I opened a Facebook account and now want to close it. While I used FB the relationship between me and FB was clearly subject to the GDPR. But can I exercise my data subject rights while physically in the US? I'd argue yes, I do have GDPR rights for data that was collected/processed under the GDPR. But I can't do squat about new data collection while not in the EU
– amon
2 days ago
1
Facebook is perhaps not a great example, since it has offices in the EU, but the point is well taken nonetheless. But the question of GDPR rights for covered data subjects with regard to controllers who otherwise would not be covered is probably fairly academic anyway, regardless of where the subject is at the moment of data collection, because, as you note, there is unlikely to be a way to enforce the GDPR against a company that has no presence in the EU.
– phoog
2 days ago
add a comment |
The GDPR applies to such sites if they offer services in the EU/EEA. If they clearly wanted to avoid being subject to the GDPR, they should block visitors from the EEA. For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant.
Personal data does not turn non-personal just because it was public. So the GDPR still applies when the data was collected from public sources. However, the data controller (who determines the purpose of processing) often has to balance your rights and interests against other interests (e.g. when using legitimate interest as a legal basis for some processing). For the purpose of publicly displaying your data, only showing data that was already public anyway makes it easier to argue that this is fine.
But when the GDPR applies, you have data subject rights. Relevant rights include:
- a right to access, to see all the data they have about you
- a right to rectification, to correct wrong data they hold about you
- a right to restriction, effectively an opt-out
- a right to erasure (also known as the right to be forgotten)
These rights apply both against the website and against Google Search (arguably, both are doing the exact same thing). Google correctly points out that they can't remove information from the Web, but they can hide information from search results.
If you feel that your requests have not been resolved correctly, you can issue a complaint with your country's data protection authority. In theory you can also sue them. In practice, GDPR enforcement against overseas data controllers can be quite difficult and has not yet happened.
answered 2 days ago
amonamon
1,07827
"For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant." I remember reading otherwise. Can you back up this claim with sources?
– Ave
2 days ago
1
@Ave this is a very common misconception about the GDPR. But the EU cannot make extraterritorial laws, so Art 3 “Territorial Scope” limits the applicability to cases where the data controller is in the EU, or where the data controller offers services in the EU, or where the data controller observes behaviour of data subjects who are currently in the EU. But e.g. a EU citizen visiting the US is not protected by the GDPR.
– amon
2 days ago
"An EU citizen visiting the US" is conceivably "in" the EU for the purpose of GDPR protection if he or she maintains a residence there. The protection surely does not evaporate for a week or a month for EU residents when they leave the EU for short-term travel elsewhere. An EU citizen residing in the US is less likely to be "in" the EU under the meaning of the GDPR, of course, and one who has never been to any EU territory even less likely still.
– phoog
2 days ago
@phoog These apparent contradictions disappear when you look at individual subject–controller relationships separately. E.g. if I visit the US and check into a hotel then that hotel is not bound by the GDPR. But while in the EU I opened a Facebook account and now want to close it. While I used FB the relationship between me and FB was clearly subject to the GDPR. But can I exercise my data subject rights while physically in the US? I'd argue yes, I do have GDPR rights for data that was collected/processed under the GDPR. But I can't do squat about new data collection while not in the EU
– amon
2 days ago
1
Facebook is perhaps not a great example, since it has offices in the EU, but the point is well taken nonetheless. But the question of GDPR rights for covered data subjects with regard to controllers who otherwise would not be covered is probably fairly academic anyway, regardless of where the subject is at the moment of data collection, because, as you note, there is unlikely to be a way to enforce the GDPR against a company that has no presence in the EU.
– phoog
2 days ago
add a comment |
The GDPR applies to such sites if they offer services in the EU/EEA. If they clearly wanted to avoid being subject to the GDPR, they should block visitors from the EEA. For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant.
Personal data does not turn non-personal just because it was public. So the GDPR still applies when the data was collected from public sources. However, the data controller (who determines the purpose of processing) often has to balance your rights and interests against other interests (e.g. when using legitimate interest as a legal basis for some processing). For the purpose of publicly displaying your data, only showing data that was already public anyway makes it easier to argue that this is fine.
But when the GDPR applies, you have data subject rights. Relevant rights include:
- a right to access, to see all the data they have about you
- a right to rectification, to correct wrong data they hold about you
- a right to restriction, effectively an opt-out
- a right to erasure (also known as the right to be forgotten)
These rights apply both against the website and against Google Search (arguably, both are doing the exact same thing). Google correctly points out that they can't remove information from the Web, but they can hide information from search results.
If you feel that your requests have not been resolved correctly, you can issue a complaint with your country's data protection authority. In theory you can also sue them. In practice, GDPR enforcement against overseas data controllers can be quite difficult and has not yet happened.
answered 2 days ago
amonamon
1,07827
The GDPR applies to such sites if they offer services in the EU/EEA. If they clearly wanted to avoid being subject to the GDPR, they should block visitors from the EEA. For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant.
Personal data does not turn non-personal just because it was public. So the GDPR still applies when the data was collected from public sources. However, the data controller (who determines the purpose of processing) often has to balance your rights and interests against other interests (e.g. when using legitimate interest as a legal basis for some processing). For the purpose of publicly displaying your data, only showing data that was already public anyway makes it easier to argue that this is fine.
But when the GDPR applies, you have data subject rights. Relevant rights include:
- a right to access, to see all the data they have about you
- a right to rectification, to correct wrong data they hold about you
- a right to restriction, effectively an opt-out
- a right to erasure (also known as the right to be forgotten)
These rights apply both against the website and against Google Search (arguably, both are doing the exact same thing). Google correctly points out that they can't remove information from the Web, but they can hide information from search results.
If you feel that your requests have not been resolved correctly, you can issue a complaint with your country's data protection authority. In theory you can also sue them. In practice, GDPR enforcement against overseas data controllers can be quite difficult and has not yet happened.
answered 2 days ago
amonamon
1,07827
answered 2 days ago
amonamon
1,07827
answered 2 days ago
amonamon
1,07827
answered 2 days ago
amonamon
1,07827
1,07827
"For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant." I remember reading otherwise. Can you back up this claim with sources?
– Ave
2 days ago
1
@Ave this is a very common misconception about the GDPR. But the EU cannot make extraterritorial laws, so Art 3 “Territorial Scope” limits the applicability to cases where the data controller is in the EU, or where the data controller offers services in the EU, or where the data controller observes behaviour of data subjects who are currently in the EU. But e.g. a EU citizen visiting the US is not protected by the GDPR.
– amon
2 days ago
"An EU citizen visiting the US" is conceivably "in" the EU for the purpose of GDPR protection if he or she maintains a residence there. The protection surely does not evaporate for a week or a month for EU residents when they leave the EU for short-term travel elsewhere. An EU citizen residing in the US is less likely to be "in" the EU under the meaning of the GDPR, of course, and one who has never been to any EU territory even less likely still.
– phoog
2 days ago
@phoog These apparent contradictions disappear when you look at individual subject–controller relationships separately. E.g. if I visit the US and check into a hotel then that hotel is not bound by the GDPR. But while in the EU I opened a Facebook account and now want to close it. While I used FB the relationship between me and FB was clearly subject to the GDPR. But can I exercise my data subject rights while physically in the US? I'd argue yes, I do have GDPR rights for data that was collected/processed under the GDPR. But I can't do squat about new data collection while not in the EU
– amon
2 days ago
1
Facebook is perhaps not a great example, since it has offices in the EU, but the point is well taken nonetheless. But the question of GDPR rights for covered data subjects with regard to controllers who otherwise would not be covered is probably fairly academic anyway, regardless of where the subject is at the moment of data collection, because, as you note, there is unlikely to be a way to enforce the GDPR against a company that has no presence in the EU.
– phoog
2 days ago
add a comment |
"For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant." I remember reading otherwise. Can you back up this claim with sources?
– Ave
2 days ago
1
@Ave this is a very common misconception about the GDPR. But the EU cannot make extraterritorial laws, so Art 3 “Territorial Scope” limits the applicability to cases where the data controller is in the EU, or where the data controller offers services in the EU, or where the data controller observes behaviour of data subjects who are currently in the EU. But e.g. a EU citizen visiting the US is not protected by the GDPR.
– amon
2 days ago
"An EU citizen visiting the US" is conceivably "in" the EU for the purpose of GDPR protection if he or she maintains a residence there. The protection surely does not evaporate for a week or a month for EU residents when they leave the EU for short-term travel elsewhere. An EU citizen residing in the US is less likely to be "in" the EU under the meaning of the GDPR, of course, and one who has never been to any EU territory even less likely still.
– phoog
2 days ago
@phoog These apparent contradictions disappear when you look at individual subject–controller relationships separately. E.g. if I visit the US and check into a hotel then that hotel is not bound by the GDPR. But while in the EU I opened a Facebook account and now want to close it. While I used FB the relationship between me and FB was clearly subject to the GDPR. But can I exercise my data subject rights while physically in the US? I'd argue yes, I do have GDPR rights for data that was collected/processed under the GDPR. But I can't do squat about new data collection while not in the EU
– amon
2 days ago
1
Facebook is perhaps not a great example, since it has offices in the EU, but the point is well taken nonetheless. But the question of GDPR rights for covered data subjects with regard to controllers who otherwise would not be covered is probably fairly academic anyway, regardless of where the subject is at the moment of data collection, because, as you note, there is unlikely to be a way to enforce the GDPR against a company that has no presence in the EU.
– phoog
2 days ago
"For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant." I remember reading otherwise. Can you back up this claim with sources?
– Ave
2 days ago
"For the GDPR, only location matters. Other concerns like residence or citizenship are generally irrelevant." I remember reading otherwise. Can you back up this claim with sources?
– Ave
2 days ago
1
1
@Ave this is a very common misconception about the GDPR. But the EU cannot make extraterritorial laws, so Art 3 “Territorial Scope” limits the applicability to cases where the data controller is in the EU, or where the data controller offers services in the EU, or where the data controller observes behaviour of data subjects who are currently in the EU. But e.g. a EU citizen visiting the US is not protected by the GDPR.
– amon
2 days ago
@Ave this is a very common misconception about the GDPR. But the EU cannot make extraterritorial laws, so Art 3 “Territorial Scope” limits the applicability to cases where the data controller is in the EU, or where the data controller offers services in the EU, or where the data controller observes behaviour of data subjects who are currently in the EU. But e.g. a EU citizen visiting the US is not protected by the GDPR.
– amon
2 days ago
"An EU citizen visiting the US" is conceivably "in" the EU for the purpose of GDPR protection if he or she maintains a residence there. The protection surely does not evaporate for a week or a month for EU residents when they leave the EU for short-term travel elsewhere. An EU citizen residing in the US is less likely to be "in" the EU under the meaning of the GDPR, of course, and one who has never been to any EU territory even less likely still.
– phoog
2 days ago
"An EU citizen visiting the US" is conceivably "in" the EU for the purpose of GDPR protection if he or she maintains a residence there. The protection surely does not evaporate for a week or a month for EU residents when they leave the EU for short-term travel elsewhere. An EU citizen residing in the US is less likely to be "in" the EU under the meaning of the GDPR, of course, and one who has never been to any EU territory even less likely still.
– phoog
2 days ago
@phoog These apparent contradictions disappear when you look at individual subject–controller relationships separately. E.g. if I visit the US and check into a hotel then that hotel is not bound by the GDPR. But while in the EU I opened a Facebook account and now want to close it. While I used FB the relationship between me and FB was clearly subject to the GDPR. But can I exercise my data subject rights while physically in the US? I'd argue yes, I do have GDPR rights for data that was collected/processed under the GDPR. But I can't do squat about new data collection while not in the EU
– amon
2 days ago
@phoog These apparent contradictions disappear when you look at individual subject–controller relationships separately. E.g. if I visit the US and check into a hotel then that hotel is not bound by the GDPR. But while in the EU I opened a Facebook account and now want to close it. While I used FB the relationship between me and FB was clearly subject to the GDPR. But can I exercise my data subject rights while physically in the US? I'd argue yes, I do have GDPR rights for data that was collected/processed under the GDPR. But I can't do squat about new data collection while not in the EU
– amon
2 days ago
1
1
Facebook is perhaps not a great example, since it has offices in the EU, but the point is well taken nonetheless. But the question of GDPR rights for covered data subjects with regard to controllers who otherwise would not be covered is probably fairly academic anyway, regardless of where the subject is at the moment of data collection, because, as you note, there is unlikely to be a way to enforce the GDPR against a company that has no presence in the EU.
– phoog
2 days ago
Facebook is perhaps not a great example, since it has offices in the EU, but the point is well taken nonetheless. But the question of GDPR rights for covered data subjects with regard to controllers who otherwise would not be covered is probably fairly academic anyway, regardless of where the subject is at the moment of data collection, because, as you note, there is unlikely to be a way to enforce the GDPR against a company that has no presence in the EU.
– phoog
2 days ago
add a comment |
Thanks for contributing an answer to Law Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2flaw.stackexchange.com%2fquestions%2f39322%2fdoes-gdpr-cover-the-collection-of-data-by-websites-that-crawl-the-web-and-resell%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
"data they claim was 'public', but I see that this is not really true": what sort of data do you have in mind? A lot of information that people think is private is actually public. For example, home ownership records are public in at least some of the US, and they can include the size of the mortgage, if there is one. Court dockets can be public, including the names of criminal defendants.
– phoog
2 days ago
One example is an unlisted phone number, so it had to be purchased somewhere, similarly an address is listed while it was never under my name but rented by a business and my name was never on the contract. But also a few wrong information. I have quite a unique name yet some sites have the wrong age, wrong family ties, etc. Overall 2/3 is accurate and 1/3 is really not.
– Thomas
2 days ago
@Thomas The company would have to provide you with information for their basic transparency requirements: “from which source the personal data originate, and if applicable, whether it came from publicly accessible sources” (Art 14(2)(f)). Furthermore for access requests per Art 15(1)(g): “where the data is not collected from the data subject, any available information as to their source”. It's debatable whether the sources must identifiable or if classes of sources are sufficient here.
– amon
2 days ago
@amon, that’s very good to know; thanks!
– Thomas
2 days ago