Re-identifying folks from anonymised data will be a crime in the UK

The British government is planning to impose criminal sanctions on people who intentionally re-identify individuals from data that should have protected their identities. The plans will be set out in Blighty's Data Protection Bill – due to be introduced to Parliament next month – and could see an unlimited fine levied on …

  1. Falanx

    Let's see HMRC lead by example to the required standard, shall we?

  2. Anonymous Coward

    Oh good

    So encrypted traffic which is essentially anonymised data is safe? Are they cancelling out their own snoopers charter?

    Or are we heading for a standard "ah well, no, in that circumstance...terrorism...drugs...the children!"

    1. Doctor Syntax Silver badge

      Re: Oh good

      "Are they cancelling out their own snoopers charter?"

      Well, the document says "Our vision is to make the UK the safest place to live and do business online. With the increasing volumes of personal data there is an increasing need to protect it." so they'll have to, won't they? Won't they?

    2. CrazyOldCatMan Silver badge

      Re: Oh good

      encrypted traffic which is essentially anonymised data is safe

      Encryption != anonymisation..

      (I understand that you were trying to make a point about the snoopers charter - however, it's much more helpful to make a point that's supported on a solid foundation and not an error.)

      1. Anonymous Coward

        Re: Oh good

        @CrazyOldCatMan

        I see where you're coming from. However...

        It is essentially anonymised if more than one person uses the associated internet connection and/or encrypted service.

        You can't specifically attribute an encrypted data stream to a specific person without decrypting the data.

        Just because X person is paying for a VPN service doesn't mean they are the sole consumer of it.

        Case in point, Daddy might pay for VPN services to protect his family and route all traffic over it using OpenWRT. Guests might visit and use his wifi.

        Coincidence != Causality.

        The only way to know for sure (if the VPN service is outside appropriate jurisdictions) who is doing what is to decrypt (and therefore deanonymise) the traffic.

  3. Jediben

    Looking forward to consent Ping-Pong, where oblivious users will grant permission via installing an app and accepting terms to harvest data, then reading about it in the newsfeed of said app, withdrawing consent and then immediately granting it again when they open the app once more...

    1. israel_hands

      RE "permission ping-pong"

      It shouldn't work out like that. Under GDPR if you don't choose to grant permission then they can't use that as a reason to refuse you access to the service, except where such permission is absolutely required to provide the service.

      So, Amazon can refuse to deliver a parcel to you if you refuse to share your address, because without knowing your address there's no way for them to deliver to your house, but Google can't refuse to let you use their search if you refuse to allow them to harvest your data.

      Interesting times ahead, depending on how this all shakes out, but it has the potential to properly bugger up entities which make their money solely out of harvesting user data. In my opinion, that's no bad thing, and the new regulations appear to have been well-written enough that they don't leave any obvious loopholes like the whole "implied consent accept our cookies" bullshit that plagued the last iteration.

      1. Doctor Syntax Silver badge

        "So, Amazon can refuse to deliver a parcel to you if you refuse to share your address, because without knowing your address there's no way for them to deliver to your house"

        Actually they could deliver a parcel to an Amazon locker without knowing your home address so they couldn't actually refuse to do business on that account.

        1. israel_hands

          You're entirely correct, but you're also agreeing with me. Note that I specifically stated they could not deliver to your home address without knowing it.

          GDPR states that if it isn't necessary (and your locker example is a good illustration of that) then they can't refuse to take your order without that information.

          There may be an issue where billing address is required for card validation but if you were paying with a voucher then that wouldn't be relevant.

      2. CrazyOldCatMan Silver badge

        but it has the potential to properly bugger up entities which make their money solely out of harvesting user data

        Please, please - I really, really hope it does this. But it does need for everyone to at least understand the basics of GDPR (or at least the UK version) and to make sure that they hammer the organisations that fail.

        Maybe it's something that should be taught at school - preferably by someone who knows about the subject and not by a harassed and overwhelmed teacher delivering a lesson plan that they've never seen before.

    2. streaky

      where oblivious users will grant permission via installing an app and accepting terms to harvest data

      Terms like that tend to be inherently illegal in UK contract law, terms would stick as if the illegal part doesn't exist.

      1. Fink-Nottle

        >where oblivious users will grant permission via installing an app and accepting terms to harvest data

        "by clicking this link you agree that your data will not be anonymised, thus protecting you from cyber-criminals who wish to re-identify individuals from anonymised data."

        I am confident my mum would click that link ...

  4. Alister

    The government is planning to impose criminal sanctions on people who intentionally re-identify individuals from data that should have protected their identities.

    And what about companies and corporations who do it?

    It's most unlikely that individuals will be the worst culprits.

    1. Anonymous Coward

      Companies and corporations are people (legal persons) too in the eyes of the law.

      But really there will have to be lots of get-out clauses for this because otherwise it will hamstring all sorts of very nice people who are trying to keep us and our children safe.

    2. Doctor Syntax Silver badge

      "And what about companies and corporations who do it?"

      I'd hope that criminal sanctions would apply to officers of the company who sanction it. Even the most eye-watering fines found only rebound on a CEO by their being sacked. Jail time would be a much more effective deterrent.

      1. Ken Hagan Gold badge

        "Even the most eye-watering fines found only rebound on a CEO by their being sacked."

        Define "eye-watering". I bet if I cost my company a "ten years' profit" fine, not only would I be sacked but also I wouldn't get the golden parachute and nor would I be offered the chance to walk straight into another job.

        1. Alan Brown Silver badge

          > Define "eye-watering".

          A long time ago in another country, the CEO of a company I worked for sent out this message:

          "I have no desire to go to jail for something one of my staff has done, therefore I wish to state in no uncertain terms that in light of recent legislation, undertaking the following activities is expressly prohibited for employees of this company at any level from the coalface to the boardroom."

          That's the kind of thing that gets attention.

  5. Vimes

    Existing law is rarely enforced in the UK. Just look at the farce that was the Google/NHS trials if you want one example, or the ICO's failure to act when 3UK proposed giving Shine/Rainbow the browsing habits of their customers.

    Huge fines have already been available for quite some time but the ICO seems to prefer using their toothless 'undertakings', and even getting that far seems to take an inordinate amount of effort.

    As for criminal offences, it might be worth remembering that the City of London Police were wined and dined by the very people that happened to be the subject of one of their investigations (Phorm) before conveniently closing it without prosecuting anybody.

    Forgive me if I fail to see anything changing any time soon.

    Why should those flouting the rules now be any less confident about breaking them when GDPR/data protection bill comes into force? The price of avoiding justice seems to be little more than that of a good meal. We also have a regulator so keen to avoid enforcement that it's difficult to stop from asking ourselves why we should bother with them.

    P.S. 'cmomitting'?

    1. Teiwaz

      City of London Police

      Surely being 'wined and dined' constitutes community Policing outreach? - The whole thing reminds me of Comic Strip's 'Didn't you kill my brother'...

      I suspect the law will as usual only apply to the 'people' who actually have a vote but less say.

    2. Adam 52 Silver badge

      What El Reg missed, but the BBC noted, was that the GDPR right to take collective action has been omitted from the proposal. It's fairly obviously missing in the linked doc.

      So enforcement by consumer groups is dependent on the outcome of the Brexit negotiations. Otherwise it's little old you vs Google, and how do you think that will go?

      1. Doctor Syntax Silver badge

        "Otherwise it's little old you vs Google, and how do you think that will go?"

        Maybe you should ask Max Schrems that.

  6. Anonymous Coward

    Somewhat typical of this country to spend a lot of government time implementing new EU regs having already decided to leave the EU.

    1. Anonymous Coward

      I didn't vote to leave the EU, but I welcome this new UK law.

    2. insane_hound

      This is one of those situations where if we want to continue to transfer information between our companies and EU companies, we need to have regulations similar to GDPR.

    3. ArrZarr Silver badge
      Thumb Up

      This seems like the best thing to come out of Brexit so far to me, provided it actually gets enforced. Not being part of the EU means that we'll actually need to meet their standards for data protection for the "free flow" of data with the EU to continue.

      1. Adam 52 Silver badge

        "This seems like the best thing to come out of Brexit so far to me"

        It's the UK implementation of the EU's GDPR for heaven's sake. It's happening because of the EU and absolutely not because of Brexit.

        Same as pretty much all of our recent consumer protection legislation.

        1. Anonymous Coward

          consumer protection legislation

          Same as pretty much all of our recent consumer protection legislation.

          There is a difference here. The consumer protection stuff is an EU directive, which means that national parliaments are required to transpose it into national law. Some enact laws that go further than the directive, as the UK did for consumer protection. UK consumer protections go beyond the EU-mandated minima.

          GDPR is a Regulation, it is an EU law that is binding as-is on all EU members without any national legislation being required.

      2. Doctor Syntax Silver badge

        "This seems like the best thing to come out of Brexit so far to me, provided it actually gets enforced."

        It only "comes out of Brexit" in the sense that without Brexit there'd be no need for an act; GDPR would apply automatically - and would do so from between May and Brexit without the Act.

        1. Fred Dibnah

          So Brexit means the UK has to spend time/money drawing up a new law, when without Brexit it could have simply implemented the EU law. Doesn't sound like a good deal to me.

          1. Phil O'Sophical Silver badge

            Doesn't sound like a good deal to me.

            True. In fact, we could just get rid of Westminster altogether, and drop the keys to N°10 off in Brussels, think how much time/money we'd save then.

            Hell, I bet even the trains would run on time.

            1. strum

              >In fact, we could just get rid of Westminster altogether,

              Fine by me. Strasbourg is much more democratic.

              1. Phil O'Sophical Silver badge

                Strasbourg is much more democratic.

                I'm genuinely curious about how you define "democratic".

                The European parliament has 751 members, elected last time round by only 42% turnout, much lower than most national elections. The number of MPs from each member is inversely proportional to the population, smaller countries have more MEPs per head than large ones and hence more weight.

                It can't decide to make law, it has to wait for the Commission to do that, after which the parliament can only change or reject it. It spends a fortune of taxpayers' money every month switching between Brussels and Strasbourg to avoid upsetting the French even though most MEPs would prefer to be based solely in Brussels, but that would be vetoed by France.

                Frankly it's more like a company board than a parliament, I'd argue that most national parliaments, and regional assemblies, are more democratic and more representative of their constituents than it is.

    4. Phil O'Sophical Silver badge

      having already decided to leave the EU

      This has nothing to do with membership of the EU, but concerns countries where data on EU citizens is processed. Even the US will have to respect GDPR if it wants to handle data on European citizens.

      1. Lotaresco

        "Even the US will have to respect GDPR if it wants to handle data on European citizens."

        And will be subject to the ECJ, something which Weak and Wobbly May has claimed will not happen to the UK after Brexit. Another U-turn looming there.

        1. Phil O'Sophical Silver badge

          subject to the ECJ, something which Weak and Wobbly May has claimed will not happen to the UK after Brexit.

          The ECJ rules on EU law. Doesn't matter where the parties involved are, it's the law in question that's the decider. Nothing about Brexit was ever going to change any of that, if you thought someone said otherwise then you misunderstood. Where the UK replaces EU law by UK law, the ECJ will not have jurisdiction. Where the UK is still affected by EU law, such as in dealings with EU countries, the ECJ will have jurisdiction. Just as it does for US, Chinese, and any other non-EU country that deals with the EU.

      2. Doctor Syntax Silver badge

        "Even the US will have to respect GDPR if it wants to handle data on European citizens."

        Quite so. What are they doing over there to provide similar legislation? Or is any UK or EU company using US data processing services going to have to cross their fingers every time they say they're compliant?

    5. JohnMurray

      If they don't implement the EU GDPR in some way, then the EU data will not come here!

      Trade will cease...

    6. Anonymous Coward

      Here come the Brexitards...

  7. Anonymous Coward

    "Except when we do it."

    1. wolfetone Silver badge

      "Do as we say, not as we do."

  8. Anonymous Coward

    IP Addresses

    The IP address stipulation is moronic.... exactly like you'd expect from this government.

    If someone accesses my servers for whatever reason, a legitimate right exists to retain the source used to connection from, and share and process it as necessary.

    1. Anonymous Coward

      Re: IP Addresses

      Umm, so does that mean using WHOIS will be illegal?

      1. TRT Silver badge

        Re: IP Addresses

        I do feel a little bit exposed in that my personal details are freely available from the domain registration service.

        1. CrazyOldCatMan Silver badge

          Re: IP Addresses

          I do feel a little bit exposed in that my personal details are freely

          Then ask them to be hidden. You have to provide them, but you can ask for anything other than your name to be not publicly available.

          And this has been the case for quite a few years - but scum DNS Registrars (GoDaddy - I'm looking at you) don't necessarily tell people.

      2. Adam 1

        Re: IP Addresses

        > Umm, so does that mean using WHOIS will be illegal?

        Real people do not need WHOIS.

    2. TRT Silver badge

      Re: "...and share and process it as necessary"

      Well, not per se under existing law.

      Klimas v Comcast 2003 and Robinson v Disney 2015 both ruled that the IP address alone is not PII, however when used in combination with other data sources the resultant information could be used to identify an individual.

      However, insofar as you don't use it to attempt to extract or compile PII, then existing law has determined that an IP address is not PII in itself. Typical, of course, of this Government to actually ignore the existing body of law and simply make stuff up as they go along. Why this particular item has to be specifically included rather than the USE of this information being legislated is just beyond me. Far more personally identifiable is the MAC address, and if THAT is not specifically mentioned in the law... I mean, that's a hole the size of Kansas. But Mme May was notorious for that kind of sloppy thinking and lack of technical understanding when she was home secretary... I don't think she'll hold her successors to a very high standard of competence.

      1. Phil O'Sophical Silver badge

        Re: "...and share and process it as necessary"

        Klimas v Comcast 2003 and Robinson v Disney 2015 both ruled that the IP address alone is not PII

        GDPR, however, explicitly says that it is.

        1. TRT Silver badge

          Re: "...and share and process it as necessary"

          From REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - (30) "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

          The GDPR definition is not in any way at odds with the existing body of law. It imposes upon a data controller an obligation to consider the implications to the end user of their storage of the information. It leaves the actual day to day implementation of techniques compatible with the law up to future adjudication to decide. GDPR also explicitly defines sensitive information rather than just personally identifiable information; a higher standard applies to these data.

          How the UK's Act will be worded remains to be seen. The devil is in the detail.

          1. Anonymous Coward

            Re: "...and share and process it as necessary"

            How the UK's Act will be worded remains to be seen. The devil is in the detail.

            Not just the wording of the relevant acts, but interpretation and enforcement by the regulator. The significant sounding fines under GDPR are a maximum, and the term "up to" usually includes the value of zero.

            I expect post GDPR data protection to continue to be a concern for SMEs and mid-sized listed corporations, whilst the US-based mega corps are let off the hook time and again (or fined sums that are a flea bite in their enormous, tax-avoiding profits).

      2. Doctor Syntax Silver badge

        Re: "...and share and process it as necessary"

        "Typical, of course, of this Government to actually ignore the existing body of law and simply make stuff up as they go along."

        Parliament is sovereign. If they pass a Bill to designate IP addresses as being entitled to the same protection as PII they can do so.

        I'd expect that attempting to use an IP address on its own to identify a user in court would still be fraught with the same problems as at present.

      3. Anonymous Coward

        Re: "...and share and process it as necessary"

        MAC Address?

        Remote sites can't see a MAC address but any devices you directly connect to like a WiFi router would need to record the MAC for at least a temporary period to allow routing and DHCP.

        It may be possible to create a backhaul for a large data gatherer to provide WiFi routers out to all public WiFi areas and build a database of MAC addresses but it would seem to be of limited use when Beacons and cookies could gather a good percentage of the same data a lot cheaper.

        Anything government based would be using IMEIs and cell tower locations to track. An IP is far easier to use/abuse than a MAC for remote sites.

    3. Anonymous Coward

      Re: IP Addresses

      " a legitimate right exists to retain the source used to connection from, and share and process it as necessary"

      If it's just IPs from otherwise anonymous computers trying to connect to your mail server then you shouldn't feel you have a problem.

      But if you keep sufficient information for it to identify a person in the EU (the IP plus other data from a reverse IP lookup, whois etc perhaps), then you will have to document internally that you do retain this data and how you process and make specific reference to the legal right you are claiming in your documentation.

      1. Anonymous Coward

        Re: IP Addresses

        you will have to document internally that you do retain this data and how you process and make specific reference to the legal right you are claiming in your documentation.

        Even more of a problem is that under GDPR you'll have to provide the owner of the data with a way to obtain it in a reasonable time, and in a standard format. Fine for a large business with a web presence, but how many small businesses will want to set up a portal where people can log in, identify themselves, and then recover all the info you have on them?

        I can see a market for third-party companies offering this as an online service.

      2. TRT Silver badge

        Re: IP Addresses

        I think what might swing it is the wording "natural person". My IPv4 address identifies only the corporation that has been allocated that range. It's not a natural person. However, my ISP has the ability to map my IP address to my particular NAT'd router at any particular time point. So really, my ISP could anonymise my IP address by jiggling it about a bit instead of only changing it once in a blue moon (seemingly quite literally that infrequently). How that all might be with IPv6 is another matter as intrinsic to the design is keeping a lot of the things the same and doing away with NAT.

        1. Simon Harris

          Re: IP Addresses

          Well, if tying an IP address to an individual is considered unanonymising data, it gives a new string to the bow for winding up those "I'm from Microsoft/BT/whatever and we've discovered a lot of virus activity coming from your IP address" merchants who always seem to know your name when they call.

    4. Doctor Syntax Silver badge

      Re: IP Addresses

      "a legitimate right exists to retain the source used to connection from, and share and process it as necessary."

      What legislation do you rely on for this statement?

      You need to retain that address for as long as the connection remains current. Afterwards you might want to retain it, share it and process it but you have no right to do so.

      Nevertheless HMG might impose a duty on you to do so by their surveillance legislation. The document remains notably silent on this matter.

  9. TRT Silver badge

    IP addresses are "Personally identifiable information" are they?

    Despite Sony et al trying to say that you broke the law because your IP address was used to share e.g. Torrented pirate films, even when the IP address had been hijacked or was a shared one...

    Or when I store the IP address of a computer used to fill in a web-form in a school setting, so as to provide a 60 second hold-off against multiple submissions, where the same computer is used by a dozen different children one after another.

    Or do they mean e.g. IPv6? Some sort of personal IP address that travels with you across different networks, only it isn't really that is it, because you still need to route to a particular network - you can't hold routes to every single IP device in the universe in the one distributed table.

    That suggestion is just utterly ludicrous. Are you supposed to ask everyone "does your IP address identify you personally?" every time they go onto your network? Or are you expected just to encrypt ALL your logs even if doing so is a pointless and time-consuming task? We suddenly have to buy new networking hardware with processors rated at 20-30 times the previously required performance just to handle the encryption load?

    1. Doctor Syntax Silver badge

      Re: IP addresses are "Personally identifiable information" are they?

      "Or are you expected just to encrypt ALL your logs even if doing so is a pointless and time-consuming task?"

      Retail the logs long enough to provide the service and then delete them. Unless HMG rope you into providing them with free surveillance service you don't need to retain them.

      It's clear from comments here that the notion is deeply ingrained that everyone with a server has an expectation of mining every last nanobit* out of any data that passes it by. The whole basis of GDPR is that not only are you not actually entitled to do that any more, you're not allowed to. It's going to take some time to sink in.

      *Probably the best approximation to what it's really worth if all those "we think you'll like these" offerings are anything to go by.

      1. Doctor Syntax Silver badge

        Re: IP addresses are "Personally identifiable information" are they?

        "Retail the logs"

        Dammit! Retain!

        1. CrazyOldCatMan Silver badge

          Re: IP addresses are "Personally identifiable information" are they?

          "Retail the logs"

          Dammit! Retain!

          Well, for quite a lot of the "fringe" sites I suspect your first spelling is more accurate.

      2. Anonymous Coward

        Re: IP addresses are "Personally identifiable information" are they?

        Connection logs are the main tool to identify a malicious connection attempt. If you dispose of connection logs and then find out your database or website has potentially been hacked, well good luck finding out when, how and to what extent if any logs detailing connection activity are removed.

        This doesn't mean you are mining data or using it for marketing or other purposes, it's just common sense. Every decent firewall or IDS will keep a log of all connections with full connection details, it is expected by anyone who buys/uses one.

        As far as web stats/analytics go, these are a very important tool for sites. Without them it is difficult to ensure that your site is working properly and the UX is correct. How do you know if your customer journeys are correct or that the visitor is being given the correct information on a large site? Now a technical solution might be to run a one way hash on the IP, however as an IP is generally regarded as being fairly anonymous without a court order and any one way hashing could also be carried out by every other site using the same algorithm, then it would lead to the same tracking issues.

        It's not as easy as 'just destroy the logs every 24 hours'.
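The comment above observes that an unkeyed one-way hash of an IP address yields the same value on every site that uses the same algorithm. The following is an added example, not code from the thread or from any product it mentions: it contrasts that with an HMAC under a per-site secret that also mixes in the date, so same-day visit analysis still works while tokens cannot be joined across sites or across days. The keys, dates and log lines are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the canonical address.

    Anyone running the same algorithm gets the same token, so this
    gives no protection against cross-site correlation.
    """
    canon = ipaddress.ip_address(ip).compressed
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def keyed_token(ip: str, site_key: bytes, day: str) -> str:
    """HMAC-SHA256 of the address under a secret held by one site.

    The date is part of the message, so a visitor keeps one token for
    the whole day (enough to follow a visit through the site) but gets
    an unrelated token the next day. This is pseudonymisation, not
    anonymisation: whoever holds site_key can recompute the mapping.
    """
    canon = ipaddress.ip_address(ip).compressed
    msg = f"{day}|{canon}".encode()
    return hmac.new(site_key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymise_log(lines, site_key: bytes, day: str):
    """Replace the leading client-IP field of each log line with its token."""
    out = []
    for line in lines:
        ip, rest = line.split(" ", 1)
        out.append(f"{keyed_token(ip, site_key, day)} {rest}")
    return out


# Constructed sample data (documentation address ranges, made-up keys).
SAMPLE_LOG = [
    '203.0.113.7 "GET /basket" 200',
    '203.0.113.7 "GET /checkout" 200',
    '2001:db8::1 "GET /" 200',
]
SITE_A_KEY = b"constructed-secret-for-site-a"
SITE_B_KEY = b"constructed-secret-for-site-b"


if __name__ == "__main__":
    ip = "203.0.113.7"
    print("unkeyed, any site :", plain_hash(ip))
    print("site A, 2017-08-07:", keyed_token(ip, SITE_A_KEY, "2017-08-07"))
    print("site B, 2017-08-07:", keyed_token(ip, SITE_B_KEY, "2017-08-07"))
    print("site A, 2017-08-08:", keyed_token(ip, SITE_A_KEY, "2017-08-08"))
    for row in pseudonymise_log(SAMPLE_LOG, SITE_A_KEY, "2017-08-07"):
        print(row)
```

Discarding each day's key once its logs are no longer needed for incident investigation removes the ability to map old tokens back to addresses.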

  10. James 51

    A lot of companies will find ways to ship the data out, do the illegal stuff in places like the US where it isn't illegal and ship the results or the decisions taken back to the UK/EU.

    1. Doctor Syntax Silver badge

      "A lot of companies will find ways to ship the data out, do the illegal stuff in places like the US where it isn't illegal and ship the results or the decisions taken back to the UK/EU."

      And after a few big fines get handed out they'll put more effort into finding ways to ensure that they don't. Not unless the US adopts similar legislation.

  11. g00se
    WTF?

    Anonymised?

    Does that even make sense? If people CAN be identified from data, then it's not ... anonymised... is it?

    1. Anonymous Coward

      Re: it's not ... anonymised... is it?

      I think we need to be clear what we are talking about.

      It seems a little akin to the wrong use of "sterilize" in homebrewing, when what is meant is "sanitize" ....

      It's not "anonymised", it's "decontextualised"

      1. Lotaresco

        Re: it's not ... anonymised... is it?

        'It's not "anonymised", it's "decontextualised"'

        It's referred to in the trade as "de-identified" data. It's actually very difficult to do, because any information that could be used to identify an individual needs to be obscured in some (non-reversible) way. There's a good paper on the subject that explains how the Census data was handled, but I'm danged if I can find it at the moment. I'll provide a link when I can find my notes :-)

        1. Daggerchild Silver badge

          Re: it's not ... anonymised... is it?

          I don't have a lot of confidence identifiable patterns can be obscured in a lot of cases.

          e.g. Can you identify a Commentard coming from a different IP without logging in? Quite possibly, if they're interested in upvotes to their posts, have mutually exclusive activity times, no interest in things they've already read, excepting comments, which they click through to so fast you know they already read the article etc.

          If it's my job to make sure patterns can't be found, well, if looking is illegal I think this goes in the same bucket as possessing hacking tools, so you can test your own shields. You can be thrown to the wolves at any time. It's really no fun being one of the good guys.

    2. John Brown (no body) Silver badge

      Re: Anonymised?

      "Does that even make sense? If people CAN be identified from data, then it's not ... anonymised... is it?"

      Depends. On its own, it may be. But in conjunction with other data that may not be available to the original anonymiser, some of the data may be deanonymised. Just ask AOL.

  12. Anonymous Coward

    I'm reminded of an episode of Scrubs where Dr. Kelso gives one of the Doctors a feedback form - which he promises is 100% anonymous - except for the part where he doesn't tell them that they're the only one filling in the feedback form.

    1. Anonymous Coward

      I used to have to fill out anonymous feedback forms for my employer.

      1) Business Unit

      2) Department

      3) Location

      Well, that's me de-anonymised.

  13. I am the liquor

    Making it a crime to de-anonymise data seems rather like shooting the messenger.

    Surely the real problem is at the other end of the line, with the person who claimed that the data was "anonymised" when it really wasn't, as a pretext for ignoring the normal restrictions on handling personal data.

    1. Adam 1

      This is my concern too. Making it a crime to de-anonymise some half arsed 'we used double ROT13 to protect our beloved customers' data' is a good thing. But the way I imagine this to be written will pretty much leave security researchers on the hook every time they discover data at risk. We saw this same lack of foresight down under with #censusfail and 'statistical linkage keys'. It boils down to whether the company finds it cheaper to comply with the legislated anonymisation requirements or just sue the researcher. I know where my money would bet.

      1. Lotaresco

        "Making it a crime to de-anonymise some half arsed 'we used double ROT13 to protect our beloved customers' data' is a good thing."

        My concern is that there has been a lot of work in government to arrive at robust methods to de-identify data but to have that data still usable for statistics. Of course this takes time and money and a great deal of thought to ensure that the methods used really do result in data sets that cannot easily be converted to re-identify individuals.

        How much easier and cheaper for government to say "We'll make it a criminal offence to re-identify people, then we can use any old technique, yes including ROT-13, to obscure personal details. That "solves" the problem cheaply. Because of course no one would ever break the law. <rolls eyes>

        1. Boothy

          Part of the issue here is that the data still needs to be useful.

          Remove too much information, and it's no longer of use.

          That anonymous data could potentially be cross-checked with other data sources, and you can then de-anonymise it, despite no directly identifiable information being left in the original data.

          For example it might be work absence data, just containing dates and a reason for the absence (holidays, sick etc), and no other details. With the company using the data to predict things like cover requirements (like getting temps in over summer etc).

          But someone with access to their time management system, could correlate the dates in the anonymous data, against absence dates in the time management system, and de-anonymise it again.

          I think it's this type of scenario that the new law is trying to block.

          Still need good laws on the creation of the data in the first place of course :-)

      2. Doctor Syntax Silver badge

        "It boils down to whether the company finds it cheaper to comply with the legislated anonymisation requirements or just sue the researcher. I know where my money would bet."

        So do I, on the basis that pissing off an expert who can give evidence against you that could result in an eye-watering fine really isn't a good idea. If your legal department is any good they'll tell you that.

        1. Adam 1

          Then you are more courageous than me sir. I was using hyperbole with ROT13 (I hope that was obvious, sometimes tone can't be easily carried). My point is that a combination as simple as gender/date of birth/postcode is frighteningly close to unique. Under this sort of rule, could a study such as that undertaken by Harvard in the link even be possible?

          Security researchers shouldn't have to risk their personal freedom to responsibly disclose anonymisation vulnerabilities that may be exploited by less savoury types. The company will argue that they acted in good faith when some combination of data which was exploited was not commonly known to leak identities and that they took reasonable steps to check their process up front (security experts at 12 paces). They're just the victim of bad advice, or advice that was considered best practice at the time. But that horrible security researcher is in violation of this shopping list of laws. We at ACME totally support security research but the actions of this researcher are just beyond the pale. Plus she even used end to end encryption like a terrorist. There is also the recent arrest of the Wannacry ratchet. If he's innocent, then this is exactly the sort of thing that turns would-be researchers to other endeavours. If he's guilty, I guess that proves the company's point that these researchers are just criminal haxors. They can't win either way.
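The uniqueness point raised in the comments above (gender/date of birth/postcode, or dates that can be matched against another system) is what a k-anonymity check measures before a dataset is released. The following is an added example, not part of any comment; the records, column names, generalisation rules and threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample records: no names or IDs, only quasi-identifiers
# (gender, date of birth, postcode) plus one sensitive attribute.
RECORDS = [
    {"gender": "F", "dob": "1971-03-14", "postcode": "LS6 2AB", "reason": "sick"},
    {"gender": "F", "dob": "1971-09-02", "postcode": "LS6 3QT", "reason": "holiday"},
    {"gender": "M", "dob": "1984-01-30", "postcode": "LS6 2AB", "reason": "sick"},
    {"gender": "M", "dob": "1984-07-19", "postcode": "LS6 1XY", "reason": "holiday"},
    {"gender": "F", "dob": "1971-11-23", "postcode": "LS6 9ZZ", "reason": "sick"},
    {"gender": "M", "dob": "1984-12-05", "postcode": "LS7 4CD", "reason": "sick"},
]

QUASI_IDENTIFIERS = ("gender", "dob", "postcode")


def class_sizes(records, keys):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys):
    """Size of the smallest group; k == 1 means at least one record is unique."""
    sizes = class_sizes(records, keys)
    return min(sizes.values()) if sizes else 0


def unique_fraction(records, keys):
    """Share of records that are the only one with their quasi-identifier values."""
    sizes = class_sizes(records, keys)
    singles = sum(1 for r in records if sizes[tuple(r[k] for k in keys)] == 1)
    return singles / len(records) if records else 0.0


def generalise(record):
    """Coarsen the quasi-identifiers: year of birth and outward postcode only."""
    out = dict(record)
    out["dob"] = record["dob"][:4]
    out["postcode"] = record["postcode"].split()[0]
    return out


def release_check(records, keys, k_min):
    """Return the rows whose group is smaller than k_min (suppress or coarsen further)."""
    sizes = class_sizes(records, keys)
    return [r for r in records if sizes[tuple(r[k] for k in keys)] < k_min]


if __name__ == "__main__":
    print("raw k:", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "unique:", unique_fraction(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalise(r) for r in RECORDS]
    risky = release_check(coarse, QUASI_IDENTIFIERS, k_min=2)
    print("generalised k:", k_anonymity(coarse, QUASI_IDENTIFIERS), "still risky:", risky)
    kept = [r for r in coarse if r not in risky]
    print("after suppression k:", k_anonymity(kept, QUASI_IDENTIFIERS))
```

On this sample every raw record is unique, generalising still leaves one record alone in its group, and only suppressing that record brings the release to k = 2.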

    2. the spectacularly refined chap

      Surely the real problem is at the other end of the line, with the person who claimed that the data was "anonymised" when it really wasn't, as a pretext for ignoring the normal restrictions on handling personal data.

      This can happen quite easily if multiple sources are cross-referenced. Consider a trainee GP and to review their work as part of that training you have a document giving the date and time of consultation and anonymised clinical summary of the case. On the other you have financial and auditing records giving the date and time of consultation and the patient seen.

      The first document holds sensitive information in anonymised form. The second holds PII but not of an overly sensitive nature - merely the fact someone went to see a doctor. However, put the two together and it is trivially easy to get back to "Mr X is suffering from erectile dysfunction."

      1. I am the liquor

        "This can happen quite easily if multiple sources are cross-referenced."

        Well yes, and what that tells you is that the GP's data, in the example you gave, was not, in fact, anonymous. It was personal. It contained information that could be used to identify the individual. The users of it were just claiming it to be anonymous to circumvent restrictions on handling personal data.

        There's only one kind of anonymous data in my book, and that's data which is _impossible_ to convert back to personal data. Yes, that is a very high bar. If it's possible to convert it back to personal data, then it is personal data - even if the law bans such a conversion in one particular country. Converting so-called "anonymised" data back to personal data should be a non-issue, because if it's not really anonymous, it should be handled as personal data already.

        1. Anonymous Coward
          Anonymous Coward

          "There's only one kind of anonymous data in my book, and that's data which is _impossible_ to convert back to personal data."

          And that probably rarely exists anywhere if the data has any real use or meaning. It could be ridiculously difficult to get to guarantee that.

  14. steelpillow Silver badge

    Really?

    "Oh, look, my AI Big Data analyser has just taught itself to recreate personal information from anonymised data and started selling it to our clients."

    "Well, stop it, then."

    "We have already, twice. It just keeps teaching itself new ways to do it."

    "Is there no way to stop it?"

    "Yes, tell it to stop adding value to our product."

    " > @!...* < "

    1. Doctor Syntax Silver badge

      Re: Really?

      Yes, tell it to stop adding value liabilities to our product.

      FTFY

      It's going to take time to adjust to the new reality.

  15. Anonymous Coward
    Anonymous Coward

    The feeling on here seems to be that nothing will change. I disagree - this has now become a potential cash cow so I think the ability to make millions will make this law a bit more enforced by the government.

  16. Anonymous Coward
    Anonymous Coward

    Strange legal loopholes....

    Does this mean that IT forensics are now illegal?

    I mean any self respecting IT criminal (I know... a rare breed) would try to clean up after herself and "anonymise" her actions....

  17. JetSetJim

    Exceptions proving the rule

    You expect there to be no exemptions along the lines of "except where authorised and enacted by legitimate law enforcement/security agencies".

    No doubt there will be the usual clause where MPs are completely inviolable, also.

    1. Doctor Syntax Silver badge

      Re: Exceptions proving the rule

      "No doubt there will be the usual clause where MPs are completely inviolable, also."

      And if you ever need to discuss a confidential matter with your MP you'll realise the value of that.

  18. RabLutrai

    I wonder how this will mesh with their "Retain Internet Connection Records for a year" bill..

    1. Justice
      Facepalm

      About as well as the "right to be forgotten"

      1. Anonymous Coward
        Anonymous Coward

        right to be forgotten

        Me: "I demand to be forgotten"

        Business: "OK, We've forgotten you."

        Me: "Prove it!"

        1. Alister

          Re: right to be forgotten

          Me: "Prove it!"

          Business: "I'm sorry, who are you?"

          1. CrazyOldCatMan Silver badge

            Re: right to be forgotten

            Business: "I'm sorry, who are you?"

            And the kicker - will they give you a "new customer" discount. If they won't, then they haven't forgotten you..

            1. Anonymous Coward
              Anonymous Coward

              Re: right to be forgotten

              Free Amazon Prime forever!

  19. Anonymous Coward
    Anonymous Coward

    Better go arrest the Google BOD right now

    They will be using that fantastical A.I. of theirs to de-anonymise the data so that they can just carry on with business as usual and gather more and more data on each and every one of us and to hell with the consequences.

    Other slurping companies will be wanting to do the same.

  20. teebie

    Well that will fix everything then

    We might as well start letting HSCIC start spunking everybody's information at anyone who mentions a passing interest in it again.

  21. Treggy

    How exactly does one 'recklessly' perform high-level data analysis?

    1. Mr Sceptical
      Facepalm

      Extreme data-analysis?

      At the top of a waterfall, with a mains powered laptop? Whilst ironing?

    2. Doctor Syntax Silver badge

      "How exactly does one 'recklessly' perform high-level data analysis?"

      By telling the court you didn't mean to do it, it just happened that way.

      Look on it as a loophole blocked.

  22. Mage Silver badge

    intentionally re-identify individuals

    What about Security researchers and Privacy campaigners that are out to prove the data ISN'T anonymised? The people doing it for gain will be

    a) Secretive

    b) Outside jurisdiction

    c) Probably very large companies already well known for exploiting and directly harvesting personal data.

    I have a better idea. No company should pass ANY data to a third party, except in the normal individual case (people making a purchase and company getting paid by 3rd party).

    NHS, HM Revenue (Road tax etc), Big retailers are already giving data they shouldn't basically to anyone "big" that offers something shiny.

    Actually abolish tolls and Road tax. Tax Electricity, LPG, Diesel, Petrol etc for vehicle use. Fairer as it's then based on road usage and resource consumption, not vehicle size or power which is unfair. Fuel use is anonymous, unless a fuel card is used.

    1. Doctor Syntax Silver badge

      Re: intentionally re-identify individuals

      Big retailers are already giving data they shouldn't basically to anyone "big" that offers something shiny.

      Because they think it's a risk worth taking. It'll stop being worth taking. As ever, some will only learn the hard way.

      Those vendor-specific email addresses I use could be quite handy.

    2. Anonymous Coward
      Anonymous Coward

      Re: intentionally re-identify individuals

      Abolish Road Tax? Great news from the early part of the 20th century (not a typo, 20th is correct). It already has been.

      1. nijam Silver badge

        Re: intentionally re-identify individuals

        > ...It already has been.

        No, just renamed, in fact. Several times... but still only renamed.

      2. Richard 12 Silver badge

        VED

        Depends on your definition.

        "A tax levied only to maintain the public roads" then yes, it was abolished along with National Insurance, income tax and all the other taxes initially created for some specific purpose.

        "A tax on vehicles using the public road network" then no, it still exists along with National Insurance, income tax, etc.

  23. Vimes

    De-anonymising data and then using it already seems to be a crime?

    From the ICO's own guidance:

    If you produce personal data through a re-identification process, you will take on your own data controller responsibilities. [Link - section 2]

    Also from the ICO on the subject of what a data controller is:

    8. The DPA draws a distinction between a ‘data controller’ and a ‘data processor’ in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. It is the data controller that must exercise control over the processing and carry data protection responsibility for it. This distinction is also a feature of Directive 94/46/EC, on which the UK’s DPA is based. [Link - page 4]

    So if you de-anonymise data & use it you're responsible under the DPA already, and since consent is supposedly already such an important part then it's difficult seeing how using de-anonymised data could be used legally today (assuming no legitimate interest case could be made)

    Like I said before: don't expect things to change.

    1. Doctor Syntax Silver badge

      "Like I said before: don't expect things to change."

      In some respects the new legislation will simply replace the old. The consequences, however, do change. Criminal charges against individuals are one change.

  24. Anonymous Coward
    Anonymous Coward

    Kids under 13

    "[...] the UK's legislation will require that parents have to give consent for children to access online service for kids aged under 13. The GDPR's default age is 16."

    Do I read that correctly - the UK is allowing kids under 16 but over 12 to sign up to online services without parental permission - rather than a 16 threshold? The same government that is going to stop under-18s accessing whatever is considered unacceptable?

    How will parents give consent - is this the government's pr0n verification system being stretched into new areas?

    1. Doctor Syntax Silver badge

      Re: Kids under 13

      "How will parents give consent"

      It will be up to the service receiving consent to work that out - and to be able to persuade a court that its solution constitutes all reasonable efforts.

  25. Barrie Shepherd

    So the fines have been increased - window dressing! No corporation ever gets fined anything approaching the max - and to many the maximum fine is petty cash.

    I advocate legislating for damages, if they collect, share or associate data in breach then, apart from fines, the individual is entitled to damages say 25k per data 'bit'?

    We also need stronger (than proposed) law around what data companies are allowed to insist on. I recently had to give my date of birth to buy some theatre tickets! Totally unnecessary data collection irrelevant to the activity of selling theatre tickets.

    1. John Brown (no body) Silver badge

      "I recently had to give my date of birth to buy some theatre tickets!"

      Did you try refusing? Most times it's because marketing have told them to get the data but it's rarely mandatory unless there's a legal requirement. The customer facing staff are usually instructed to ask in a specific way for extra data so that the customer gets the impression they must give it or be refused.

      I once had one try to tell me the info was required due to the Data Protection Act. She backed down when I ad libbed (ie made up) that the DPA makes it illegal to collect data not specifically required to provide the service offered and as the data collector she would be liable in law :-)

      1. CrazyOldCatMan Silver badge

        ad libbed (ie made up) that the DPA makes it illegal to collect data not specifically required to provide the service offered and as the data collector she would be liable in law :-)

        Which isn't actually too far from the DPA. Data collection should be "proportional to and required for, the service provided". So - if there is no age requirement in order to buy the ticket, asking for your age is actually against the DPA since it's neither proportional nor required.

  26. ashdav

    Who benefits?

    If anyone is ever fined through this how is the "victim" compensated?

    Does it all go into Gov coffers?

  27. scrubber

    Business as usual

    So, a company fucks up but people get prosecuted?

  28. Anonymous Coward
    Anonymous Coward

    wait.. what?

    One high risk anon in a postcode area will mean everyone else is abused by any self respecting quant. What benefit is the data otherwise?

  29. Anonymous Coward
    Anonymous Coward

    Just another box ticking exercise to satisfy the EU.

    Laws are for the little people.

    Although Sarkozy is the exception ;)

  30. Anonymous Coward
    Anonymous Coward

    Tell me - who writes these laws?

    King Canute?

    1. Doctor Syntax Silver badge

      Re: Tell me - who writes these laws?

      "King Canute?"

      This sort of comment is usually a good indicator that the commentard in question knows virtually nothing about pre-Conquest English history.

      1. CrazyOldCatMan Silver badge

        Re: Tell me - who writes these laws?

        knows virtually nothing about pre-Conquest English history.

        Especially as they spelt his name incorrectly.

      2. Anonymous Coward
        Anonymous Coward

        Re: Tell me - who writes these laws?

        Despite the intellectual snobbery, your comment is irrelevant.

        It does not matter whether you thought I meant the law makers considered themselves all powerful, or whether they realised they are powerless and will be ignored by virtually the whole world.

        The fact is that they are essentially pointless laws. Once the data has been deanonymised and published, it can't be put back in the bottle.

  31. Anonymous Coward
    Anonymous Coward

    Say bye bye to windows 10

    Given how windows 10 was designed specifically to profit off their users' data then when this law comes into effect they are going to have to accept that market is unavailable in Europe.

    Given how much it will cost them to find and disable all the spyware in windows 10 it has got to be cheaper to make a windows 11.

  32. Stevie

    Bah!

    "I name you Chalky White and claim my five pounds."

    "You're nicked, sunshine!"

  33. jake Silver badge
    Pint

    What happens if ...

    Stevie[0] decides to post AC here on ElReg.

    jake sez "I recognize that poster! That's not AC, that's Stevie!"

    Is jake going to get nicked[1] for "outing" Stevie-as-AC?

    Is ElReg going to get a visit from TheBeak for making it possible?

    [0] Your name was handy, don't take it personally. Beer?

    [1] Next time jake visits Albion, of course.

    1. Anonymous Coward
      Anonymous Coward

      Re: What happens if ...

      Only if it's Eadon....

    2. CrazyOldCatMan Silver badge

      Re: What happens if ...

      Is jake going to get nicked[1] for "outing" Stevie-as-AC?

      Nope - because jake isn't the data collector or controller.

  34. TheElder

    Identity

    My sign up full name here includes the last name Ng. Not given.

    "I recently had to give my date of birth to buy some theatre tickets!"

    Jan 1 2001

    1. graeme leggett Silver badge

      Re: Identity

      Not much use for an 18 and older performance. I take it those things could exist in theatre.... one of the more gruesome stagings of a Greek tragedy perhaps.

      1. CrazyOldCatMan Silver badge

        Re: Identity

        Not much use for an 18 and older performance.

        Which doesn't require collecting the DOB - it merely requires the customer confirming that they are over 18.

        "Necessary and proportional"..

  35. Anonymous Coward
    Anonymous Coward

    Not customer information

    It's enhanced customer whale-song infused, experience data!

  36. TheElder

    Not much use for an 18 and older performance.

    People still know how to READ? What about universal ADHD? It's the 140 character thing...

    I would give you some examples but I only speak/read/write about 5 real languages and some more computer languages... Verstehen Sie mich? Forstår du mig? Und so weiter...

    1. CrazyOldCatMan Silver badge

      Re: Not much use for an 18 and older performance.

      People still know how to READ?

      Gu dearbh. Sans plus difficile!

  37. Roj Blake Silver badge

    Think of the Children!

    "...the UK's legislation will require that parents have to give consent for children to access online service for kids aged under 13. The GDPR's default age is 16."

    So the UK's interpretation of GDPR will allow 13-15 year olds to do what they like, which will not be the case elsewhere.

    This seems so completely at odds with the usual government mantra of "think of the children" that it sets alarm bells ringing.

    The cynic in me is wondering if it's so they can at some later point introduce some really draconian legislation affecting everyone with the usual justification that they're protecting the kids.

    1. Anonymous Coward
      Anonymous Coward

      Re: Think of the Children!

      It's so it doesn't interfere with their pron sign-in rules. Wasn't it May's husband who bought pron on parliament expenses?

      1. Roj Blake Silver badge

        Re: Think of the Children!

        I think it was Jacqui Smith's hubby?

  38. cortland

    Didn't I see you the other day in the newspaper?

    Up shows the law, with handcuffs.
