Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
senko 2 days ago

> The company says it will rely on “legitimate interests” as its legal basis and will offer an opt-out so members can refuse use of their data for training

"Legitimate interest" is a very specific term in context of GDPR. Not a lawyer, but have been looking into it previously, and I doubt "we want to feed data to our AI so we can make more money" passes the Legitimate Interest Assesment (LIA) test.

Here's an example of a test that must pass (sorry, docx, but way better than a random explainer): https://ico.org.uk/media2/for-organisations/forms/2258435/gd...

tgsovlerkhgsel 2 days ago | parent | next [-]

That looks like it would be easy to argue that it passes (claiming "makes the platform better for everyone", "not achievable without using the data", "the data is data that the people share voluntarily on the platform and isn't sensitive", "they're customers, we e-mailed them and they could opt out if they cared", "we expect this to have no impact on the individuals" (until the AI starts regurgitating sensitive details, but that's an "oops" for later), and "we are offering an opt-out even though we wouldn't have to" (claimed despite the lawyer strongly urging an opt-out, otherwise they wouldn't have even offered that).

senko 2 days ago | parent | next [-]

They could argue whatever they like -- whether that'd be defensible if a probe is launched (and LinkedIn / Microsoft is big enough target for this) is another matter.

lionkor 2 days ago | parent | prev | next [-]

GDPR doesn't allow "they knew and they could have opted out if they cared". You need explicit written consent.

tgsovlerkhgsel 2 days ago | parent [-]

GDPR allows processing based either on consent (which doesn't need to be "written" but does need to be explicit and informed) or legitimate interest (or some other reasons that tend to be irrelevant for this kind of thing).

Legitimate interest does NOT require consent, is murky, and thus often gets used to justify things that should not exist under GDPR but the most likely consequence is that the company gets to do it for 3+ years before being told "no, you can't do that anymore"...

PunchyHamster 2 days ago | parent | prev [-]

but they will absolutely want to sell it to 3rd parties, else what's the point ?

mhitza 2 days ago | parent | prev [-]

The GDPR is about personal data though. And content your produce is not by nature personal data "in abstract".

That content could contain personal data (such as when including it in your post), but that's an exception rather than a norm. And if we'd be following exceptions, even crawling websites could be illegal under the GDPR.