Yeah, EU directives need to be adopted into local country legislature (with some deadlines), whereas EU delegated acts (usually hierarchically under a directive) automatically apply to all EU members. Hehe, members.
The GDPR is a not a directive. It’s a regulation. Nontheless, I read that the GDPR was specifically mirrored into UK law with a couple minor modifications.
But to answer @automaton@lemmy.world, AFAIK the #GDPR does not apply in this situation anyway because Reddit accounts are “anonymous”. The GDPR only protects identified people.
An e-mail address is “user identifying information” per GDPR, so if the UK version does not differ from the EU version on this (and it would be pretty weird if it did), it applies.
That’s how I understand the UK situation too, however what is anonymous is left much for debate & sometimes local best-practices. Like, a user can be identifiable by their posts, or even full name.
If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing… it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.
As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam… I do not have access to the Cloudflared image the OP posted).
Yeah, EU directives need to be adopted into local country legislature (with some deadlines), whereas EU delegated acts (usually hierarchically under a directive) automatically apply to all EU members. Hehe, members.
The GDPR is a not a directive. It’s a regulation. Nontheless, I read that the GDPR was specifically mirrored into UK law with a couple minor modifications.
But to answer @automaton@lemmy.world, AFAIK the #GDPR does not apply in this situation anyway because Reddit accounts are “anonymous”. The GDPR only protects identified people.
/cc @d00ery@lemmy.world
An e-mail address is “user identifying information” per GDPR, so if the UK version does not differ from the EU version on this (and it would be pretty weird if it did), it applies.
See https://infosec.pub/comment/6975469
That’s how I understand the UK situation too, however what is anonymous is left much for debate & sometimes local best-practices. Like, a user can be identifiable by their posts, or even full name.
If I create an anonymous account but put what looks like a real name in the username field, and sign all posts with that real-looking name, who’s to say it’s really my name? Then suppose I lose my internet connection but want to exercise my right to be forgotten. The GDPR enables people to make an Art.17 request in writing but the GDPR also mandates that data controllers identify who the request comes from (so Mallory does not request deletion of Alice’s records). If a user ad hoc puts their name on everything then mails a request with a copy of their ID card which matches the name they put on everything, it’s a bit off because a company who does not ID users would not normally have the infrastructure in place to support GDPR requests. (and that’s a good thing… it’s good that there’s incentive to support the practice of offering anonymous accounts) But here’s the other problem: the ID mechanism itself must be minimal. A data controller cannot demand a full copy of your ID card if they can verify using something less intrusive like date of birth to verify you. Perhaps in this case a copy of the ID card would be necessary. OTOH, names are not generally unique, which would mean I could use my ID card to request deletion of all records of other people who have the same name.
As a practical matter, we also have to figure that DPAs are extremely lazy. I’ve filed many Art.77 reports with strong irrefutable evidence and the cases just sit for years. I cannot see a DPA being motivated to work on a case that Reddit can easily defend. OP’s best move is to look at local anti-spam laws (I’m guessing it’s spam… I do not have access to the Cloudflared image the OP posted).