
Since GDPR strictly requires consent to Personally Identifiable Information (PII), could a criminal exploit online services by remaining anonymous in all his criminal activities?

Providers are not allowed to keep PII without consent. Therefore, any online crimes cannot be traced to the offender.

I have also learnt that online services cannot deny service if a person refuses to consent to the provider's data collection policy, as of Article 7 of GDPR. This is also discussed in this question.

Wouldn't this create a haven for online criminals/hackers?

user1034912

2 Answers

It is absolutely not the case that

Providers are not allowed to keep PII without consent.

Article 6 of the GDPR identifies six possible lawful bases for processing personal information. These are:

(a) the data subject has given consent ...
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

If a person requests services from an online service provider, basis (b) will apply, at least to some information. If there is evidence of criminal activity, basis (c) may well apply, as it also will for much routine record keeping. And in many such cases, basis (e) or (f) will also apply.

In short, article 6 does not create a "haven for online criminals/hackers".

In a comment on another answer the OP writes:

The offender has the right to not be identifiable and he can't be denied this right

That is simply not correct. Nothing in the GDPR says anything of the sort. It is true that consent may not be forced, but if a user requests a service that service may require the user to identify him- or herself. For example, one cannot order physical goods without giving a name and a shipping address. And the provider may retain PI and even PII when it has a "legitimate interest" in doing so, although if challenged it must justify that legitimate interest.

David Siegel
  • In that case every data collector/processor can claim he is entering a contract with the user! Isn't this a loophole in GDPR to collect data without consent? – user1034912 Sep 28 '21 at 15:35
  • @user1034912 a contract must be agreed to by both or all parties. But no "loophole" is needed to "collect data without consent"; much data is collected without consent under one of the other bases, particularly (e) and (f) above, and this is by the design of the GDPR. Other data protection laws such as the CCPA have similar provisions. – David Siegel Sep 28 '21 at 15:50
  • Legitimate interest (f) is probably the most relevant legal basis here. It's pretty well established that online service providers have a LI in ensuring security and establishing legal claims, which allows keeping log files and other personal data as necessary for this purpose. It is usually straightforward to argue that this is an overriding LI so that the right to erasure doesn't apply. This only requires notice per Art 13, not consent or agreement. – amon Sep 28 '21 at 16:17
Consent is only one of the 6 GDPR grounds. Necessity is another. Since a provider provides an on-going service, it needs a contract, and the contract by necessity needs to name the parties of the contract.

MSalters
  • I understand the contract part, but under GDPR, a service provider cannot refuse service (or force consent by denying service) in order to obtain consent for data collection. The offender has the right to not be identifiable and he can't be denied this right. – user1034912 Sep 28 '21 at 15:32
  • @user1034912: That's for consent. Here, consent does not even enter the picture. – MSalters Sep 28 '21 at 15:35
  • So can I claim every data collection is to fulfill a contract which requires PII? – user1034912 Sep 28 '21 at 15:37
  • @user1034912: Well, Facebook is certainly trying that approach. But that's probably their next billion-euro fine. If you're not as rich as Facebook, I'd advise you to not try that. Judges will look at the actual necessity, not your claimed necessity. Also note that necessity limits what you can do with the data - just the necessary. You can't resell the data you need for contract purposes. – MSalters Sep 28 '21 at 15:39
  • By the way, personal data ≠ personally identifiable information (PII). – Sam_Butler Oct 20 '21 at 12:28