Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> "control" over the data after broadcast, albeit legal control via contracts with advertisers

Now there's a claim only a court would buy!

A court probably would buy it, though.

Sigh.



That is the GDPR-default though. You're still allowed to give data to third parties, you just need to have contracts with them regarding the handling, deletion etc of that data. Of course, mostly that's for data processors, which I don't think ad networks working with Google would fall under.


No, a data processor is any entity that collected personal data gets passed on to and where it is processed as part of the business arrangement. An ad network that receives personal data is definitely a data processor.


> No, a data processor is any entity that collected personal data gets passed on to and where it is processed as part of the business arrangement.

I'm relatively sure that there's another part: it's data processing for the client (here: Google) and the data cannot be used for other purposes. In this case, they don't process data for Google, they process it in cooperation with Google for the ad-buyers. Google also doesn't name them as data processors (which it would have to if that were their relationship).

If some contract was all it took, what would stop hospitals from selling patient info to insurance companies, saying "hey, they are processing the data, and we have a business agreement, this is all fine".


The 'client' in this case is the individual web sites that use Google's ad solutions -- not Google itself. It's the same thing with businesses' Facebook pages -- Facebook simply acts as a data processor in that case.

This is why nothing will be done about this. Sure, we might see a few smaller businesses fined, but the vast majority of sites using Google for ads will simply slip under the radar, while Google simply puts the blame on the site owners.


You are misreading the GDPR badly. A data controller can only pass on PII to a data processor. That is, any entity receiving PII from a data comtroller automatically is assigned this role by law. There are no alternative roles that could assumed instead. This means that a data processor must obey the rules laid out for it by the GDPR or it is in violation.


Oh, okay, I believe I understand your point and understand the misunderstanding. My point is that you can't just make everybody a data processor by signing a contract, share PII with them and be compliant (i.e. hospital sharing data with insurance companies). You're saying that by sharing PII with them, you're making them a data processor, but that says nothing about whether the DC or the DP are compliant.


Yup. That clears it up!


I discussed GDPR with you before and based on your answer here and maxidorius answer to you I will not accept anything you say about the GDPR unless it is obvious or has references I can verify.


You're suggesting that hospitals would be allowed to sell patient info to anybody willing to pay, as long as they have a contract?


In the US, HIPAA would apply to individually identifiable health information. HIPAA Providers share information with other HIPAA-covered entities all the time under contracts where the associate entities (non-providers) agree to comply with HIPAA privacy rules.


Those are generally with patient's previous consent though, right? Things get a lot easier if you have somebody sign some documents before you start working on them.


I'm suggesting :

1.) it might be stricter than you say.

2.) you (possibly like me? ;-) seems to have stronger views on what GDPR means than you can argue for.


Probably, I'm somewhat of a fundamentalist pragmatist ("this cannot be legal!" - "everybody does it, judges say it's okay" - "oh, I guess it's legal then :("), but in this case I'm not so sure. I still believe that Google does not consider them data processors (possibly because they don't consider a google_push id PII), because if they did, they'd have to name them in their privacy terms as entities they share data with. They don't. Of course, this might be because they don't care, but since it's a delicate issue and the stakes are somewhat high already, that doesn't sound plausible to me.

Pretty much all examples for data processing I've read are similar in this regard: the data controller (DC) passes data to the data processor (DP) so the DP can perform a specific task for them (handle invoicing, do analytics, run a web server, mail packages etc). The DP must not use the data for anything else, must not share the data with anyone (except for sub-processing, which has strict rules, too). "Exchanging/Syncing PII of users so we can create better profiles, more efficiently track them and show ads to them that are more personalized" doesn't fit the bill at all from what I understand. Similarly, landlords cannot get together and share all the data on their tenants to figure out who was a pleasant renter and who sued because the heater broke in winter.

So, in my understanding, even if you and I used the same invoicing provider, they wouldn't be allowed to tell me if they've invoiced a certain person for you previously, because we're different entities using them as a data processor and our data is to be kept separate. If we wanted to do data sharing (or even share aggregate probabilities like credit check agencies), we'd need a different construct, explicit consent and a bunch of additional compliance requirements.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: