Comment by seanhunter
3 years ago
That's not a lawful basis under GDPR. There are only 6.[1]
(a) Consent
(b) Contract
(c) Legal obligation
(d) Vital interests
(e) Public task
(f) Legitimate interests
What a lot of companies are trying to do right now is weasel through under "legitimate interests" (e.g. a lot of scumbag SEO-monkey websites have cookie consent dialogs stuffed with "legitimate interest" switches even though that doesn't work the way they think), but it's not clear that "improving my services at the expense of people's privacy" would pass the "legitimate interest" test if that ever goes to court. Legitimate interest requires them to pass "purpose", "necessity" and "balancing" tests. The "balancing" test in particular balances the company's interests against the interest of the user in maintaining privacy. Here's more about "legitimate interest" under GDPR.[2] It's not the get-out clause that people seem to think.
[1] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
[2] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
It doesn't matter what the law says if it's not being enforced. Much more blatant GDPR breaches are still going unpunished, so do you really think they are going to audit every single website to make sure they comply?
Enforcement is a huge problem, that is true.
My hope is that with recent rulings against Google, Meta etc. we might see an improvement across the board. Like there's some improvement with reject buttons: https://noyb.eu/en/where-did-all-reject-buttons-come
Absolutely, and I have to say one of the problems with the (vast) ambition of GDPR in tackling what is a huge problem is that enforcement is a massive undertaking, especially when the (alleged) transgressors are these massive multinational corporations who have practically infinite resources to put into evasion.
How on earth do these HR companies that scrape LinkedIn and sell the data fall under GDPR? They claim to.