I'm currently working on implementing GDPR practices and I've run into an interesting situation with my data and legal colleagues located in Russia.
My colleague insists that if we obtained their data from an "open source" third party, they have consented to us using their data by giving their data to that third party. For example, if someone submits their data to a directory or a tradeshow, we are free to use their data from the tradeshow. An example he gave was Facebook giving user data to third parties. His justification is that the legal team has told him this is okay, but somehow I am not entirely trusting of the legal team's judgement on this as I have not personally spoken with them.
I had a lot of issues with this and I wanted to get input and verification on my arguments from anyone else who would have expertise. Please let me know if this all makes sense. Here are my issues:
I feel like this is pretty compelling evidence that the situation he's indicated is NOT GDPR compliant, but I want to be sure. Thanks in advance for any input.
I 100% agree with your assessment, Lawrence.
I don't even know what "open source" could possibly mean here except a total corruption of the term. To use Facebook -- who have been known to break their own privacy agreements and/or not enforce them for 3rd party apps -- as an example is almost like a confession.
I agree also.
I'm not a lawyer (thankfully), but based on what I do know:
One key component of consent under GDPR is that it must be clearly informed, clearly recorded and easily revoked (see: Consent | ICO). I would be very sceptical of a suggestion that you could use consent as a legal basis here - this:
they have consented to us using their data by giving their data to that third party
Would only stand up (in my mind) if, when they provided their data to that third party, they were presented with and agreed to an opt-in that was explicit about the data being given to you specifically, explicit about exactly what you would do with that data, explicit about exactly how long you would hold that data, provided a link to both their and your privacy policy, and there was an adequately easy means for the user to revoke that consent. Not to mention, all of this would need to be demonstrably proven in court if you were challenged - so you'd have to record what they consented to and when and where, and store that data. Anything less than that and you're likely open to challenge - which, based on the high consequences for failure in GDPR... Well, let's just say I'd err on the side of nothing less than that.
And that doesn't even get into the whole other kettle of fish of sharing data with third parties requiring additional agreements around data processors vs data controllers, and which of the two is liable if the processor causes a breach of GDPR...
Yes.
GDPR is clear that even if the person Consented to communications with a Tradeshow company, they ALSO have to explicitly OPT IN to communications from YOU if the data is to be shared. You should definitely not use data w/o a clear chain of consent. Perhaps best to confirm this with EU Counsel, rather than Russian Counsel.
Open Source info is essentially website scraping or research, which is not legal in most countries outside the US and generally against most websites' privacy policies. "Open Source" is a term from the intelligence community where they gather info from news, libraries, easy to access places that do not require spying.
I find this odd, because Russia does have an interesting set of privacy laws for themselves.
If so, that's a far, far secondary definition.
"Open data" is the term I've heard for that.
No matter what, this data is laughably not-open!
Thank you everyone for your input.
I was able to put together a pretty compelling set of evidence why it is 120% not compliant and I think they have no qualms about my assessment. Much appreciated!
100% sure this is not compliant with GDPR. Period.
-Greg