Comment by eviks
7 months ago
he explicitly said in his email that "Personal emails are PII.", so how is that a defence of his previous position?
7 months ago
he explicitly said in his email that "Personal emails are PII.", so how is that a defence of his previous position?
It does not matter in this context, because it is still incorrect.
> Personal emails are PII. But you can register to Kagi with a random email, and that is not PII.
Company has no means to identify what is the difference between personal or random email. Everything can be and must be treated equally from privacy perspective.
I re-read again. You are right, he says "personal emails are PII" in this email. In the original post however he dismisses the whole GDPR data request process as "we don't need this, because you can provide fake data".
Point is: if the business requests an email address, many people will provide their real email adress and your business needs to document this process under GDPR. I just checked. The signup form doesn't say "please give a FAKE email address", it just says "email address".
If a user provides a real email address, Kagi must respond to GDPR Art. 15 requests by providing...that same email adress. Might sound silly, but usually, there is other data associated with this. Usually, at least the timestamp of the signup. If a business is really GDPR compliant, it will offer a download option for stuff like user settings and so on.
Or, if the user signed up and later deleted the account, his email should explicitly NOT show up when asking for personal data.
See, it is about documenting the process, whether the outcome is "here is your email address you just asked for" or "we don't have any data on you". And Vlad says that this process is irrelevant for Kagi, while it is not.
It's ultimately not up to Vlad. If the law declares email addresses are PII, they're PII.
If he's positioning his company to challenge that law when he runs afoul of it, that's a choice they can make but it's a business risk (and IANAL, but... Probably one they'll lose).
>If a business is really GDPR compliant, it will offer a download option for stuff like user settings and so on.
I've made a bunch of SAR's, including pre-GDPR and I've never received one that contained my user settings, so that seems pretty normal.
The whole PII convo seems incredibly asinine though, "PII" is not a thing in the GDPR. Personal data is[1], but that's not the same thing.
If Kagi keep a record of searches performed by a user, that's something that a SAR should be used for, but the whole convo just misses the mark entirely.
[^1]: See article 4.1 https://gdpr-info.eu/art-4-gdpr/
> I've made a bunch of SAR's, including pre-GDPR and I've never received one that contained my user settings, so that seems pretty normal.
That is odd because the user has right to get ALL the data they want that is stored about them in the service.
Lori is a she, not a he.
Vlad is Vlad, not Lori.