BBO, GDPR, and all that rot
#1
Posted 2020-September-25, 17:11
My understanding is that a number of people who are caught up in the recent online cheating scandals are trying to assert a right to be forgotten and claiming that BBO needs to purge their hand records.
One of the things that the compliance group within Akamai InfoSec does is handle issues related to the GDPR. I have a few quick thoughts / observations.
First and foremost, it is vital that BBO update their current privacy policy and specifically define that one of the purposes for which they are collecting data is to identify individuals who are compromising the platform by cheating. The GDPR provides exceptions to the right to be forgotten which include situations in which
"The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing."
and
"The data is being used to perform a task that is being carried out in the public interest or when exercising an organization's official authority."
Furthermore, BBO needs to assert that achieving these purposes necessitates sharing this information with third parties, including individuals and organizations that administer bridge tournaments as well as analysts who might be doing research with the data.
Equally significant: The data sets that BBO currently has that include hands in which people are cheating are an incredibly valuable resource. These provide a very important training set for future research. If individuals start asserting a right to be forgotten, it's crucial that BBO respond with obfuscation rather than casewise deletion.
#2
Posted 2020-September-25, 17:43
hrothgar, on 2020-September-25, 17:11, said:
This isn't really true. Regardless of where the company is based, the GDPR legally applies to all EU citizens accessing BBO.
#3
Posted 2020-September-25, 17:48
smerriman, on 2020-September-25, 17:43, said:
Perhaps, but if a company doesn't have a presence in the EU, it doesn't really matter...
Simple analogy: The UK has much stricter laws with respect to libel than does the US; however, US courts don't bother to enforce the results of those cases.
#4
Posted 2020-September-25, 18:29
#5
Posted 2020-September-25, 19:18
Zelandakh, on 2020-September-25, 18:29, said:
But the data isn't being used by a recognized governing body; rather you have Nicolas Hammond doing his own thing and the CAT doing theirs...
#7
Posted 2020-September-26, 01:30
hrothgar, on 2020-September-25, 17:11, said:
This shows a fundamental misunderstanding of GDPR and why lay people should leave this area to the lawyers. However one advantage of being owned by a French company is that BBO may start taking its GDPR responsibilities more seriously which would include the lawyers helping with the privacy policy and ensuring assent to the change is properly obtained.
I suspect what you find frustrating is that people may be showing the futility of 'safely ignoring GDPR' in the past, despite its relevance to an online business where EU citizens are involved.
#8
Posted 2020-September-26, 12:31
And as he says, having ownership in France gives the EU regulators a handle, and provided his reading of the GDPR is correct (which, if it's his job as he says, I have no worry about trusting), it certainly is something worth considering.
And I say this as a Canadian, who benefits from the GDPR en passant, and would really prefer Paul's world to the real one.
#9
Posted 2020-September-26, 22:13
One thing that concerns me greatly (in the broad) with the massive changes over recent years/decades in how operating systems and software are delivered and hosted, and our data is how far some agencies would take such powers in feeling they had the right to snoop around in places that are well beyond legitimate access to datasets
#10
Posted 2020-September-27, 01:00
hrothgar, on 2020-September-25, 17:48, said:
This is not quite true. EU companies having data processed by companies outside the EU need them to also have equivalent safeguards. I suppose the question is whether or not BBO are acting as data processors on behalf of EU organisations.
London UK
#11
Posted 2020-September-27, 09:27
But my point (and Hrothgar's) still applies: the only real leverage the EU has over a US company is through those EU organizations. They can threaten to fine the FFB, and the FFB can lean on BBO to follow the GDPR; and if BBO says "no", the FFB can find another place to spend its money. Whether BBO thinks this is worth the money they lose is another question.
All of this, of course, is "back in the good old days", when BBO wasn't owned by an EU organization. Which definitely ties their hands. And therefore, the suggestion of the OP, which is the whole point (not this digression on "you can't just not follow our rules!", which is interesting, but we do already know the RL answer), on how to get around some of the more damaging (from the POV of the bridge community) parts of the GDPR and still be legal, becomes not just important, but critical.
#12
Posted 2020-September-27, 10:22
mycroft, on 2020-September-27, 09:27, said:
I know this is how it is being presented by a lawyer arguing the case of those suspected of cheating, but it seems to me that it falls within the "legitimate interests" of an organisation that runs competitive bridge games for it to store and process data relating to the scores and results of those bridge games. Bridge organisations do not generally need to rely on "consent" as the lawful basis for processing most of their data.
London UK
#13
Posted 2020-September-27, 11:36
gordontd, on 2020-September-27, 10:22, said:
Perhaps. However, I don't think that it's ever safe to assume anything once the lawyers are involved.
The current BBO privacy statements are grossly insufficient.
The only discussions that they have wrt PII involve credit card processing.
They're already being hit by right to be forgotten lawsuits.
They need to address this in a more comprehensive manner.
#14
Posted 2020-September-27, 11:46
hrothgar, on 2020-September-27, 11:36, said:
The current BBO privacy statements are grossly insufficient.
The only discussions that they have wrt PII involve credit card processing.
They're already being hit by right to be forgotten lawsuits.
They need to address this in a more comprehensive manner.
I agree with all of this. My point was that just because one lawyer, acting on behalf of those who are under suspicion, tries to frame the discussion around the question of "consent", does not mean this is how it must be. And the "right to be forgotten" is not absolute.
London UK
#15
Posted 2020-September-27, 12:35
gordontd, on 2020-September-27, 11:46, said:
Absolutely correct. However, in order to enjoy protections against the right to be forgotten, a data processor must explicitly describe the purposes for which it needs to retain access to this data.
Akamai deals with precisely these same sorts of issues for a number of our products.
And we are very careful to describe the specific and limited purposes for which we are retaining data.
#16
Posted 2020-September-27, 12:56
gordontd, on 2020-September-27, 11:46, said:
I have experience at high level in sports where successes and reputations are under public scrutiny and I can testify that several proven cheats have been successful in obtaining internet oblivion of their wrongdoings. Hard to imagine that things will be different or better for bridge. From the legal point of view I suggest we should assume the worst and build from there.