Remix.run Logo
guax 4 hours ago

That is not how gdpr works. If you have a legitimate reason to hold the data. You can. Ensuring people have access to purchases is a very legitimate reason.

computomatic 4 hours ago | parent | next [-]

Is there evidence that European courts have sided with that? “We’re holding onto all your data indefinitely just in case you log in again several years from now” seems to be the antithesis of GDPR and I can’t discern the difference between that and what you’re suggesting.

I believe EU has dug their own hole here. And the best move would be to pass more legislation to explicitly require the retention (and transfer, ideally) of purchased digital goods.

buran77 3 hours ago | parent | next [-]

> Is there evidence that European courts have sided with that?

Is there evidence of the contrary? Maybe any store can just delete your personal data right after charging your card and claim GDPR prevents them from shipping your product.

Silly arguments work both ways. You just picked the one that confirms your bias.

GDPR under no circumstances forces processors to delete everything, it defines legitimate interest. Retaining a person's purchases is as legitimate as it gets so the data can be retained for as long as the purchase is valid. And the license itself isn't even the user's personal data, it's just a license, so Sony could give the option to export that license to be used later - even in a cryptographically secure format that can only work if e.g. the account is created with the same email address. If they delete the personal data and throw out the baby with the water, it's not GDPR forcing them to do it.

cccbbbaaa 4 hours ago | parent | prev | next [-]

No need to wait for the courts’ opinions: controllers must keep the data for a limited amount of time (which can be something like “3 years after the last connection”) under GDPR article 5(1)e.

crote 3 hours ago | parent | next [-]

To save everyone a click:

> Personal data shall be: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. (..)

Note that this does not say "it must be stored for a limited amount of time" - it says "no longer than necessary".

Your basic account data (such as username and password, or an email for password recovery) is still necessary to log in to the platform and make use of your purchases. As long as there is no clear indication that the user will never log in again (such as due to death, or because they explicitly deleted their account), it would be reasonable to keep it around.

On the other hand, it may make sense to delete some data. For example, it may make sense to store your full name and address info to make checkout more convenient. If a user hasn't bought stuff in a while, it makes sense to delete it and have them re-enter it in the future.

There might be a bit of a gray space for things like game achievements (especially when there's a public profile) or savefile backups, but reading it as "you MUST delete all digital purchases because GDPR" is just not true.

fabian2k 3 hours ago | parent [-]

I'd consider keeping the other personal data to be still easily justifiable, as you might want to support various account recovery options. And the odds that a user forgot their password only increases for old accounts.

computomatic 3 hours ago | parent | prev | next [-]

5(1)c seems far more relevant than e. “Data minimization” is what’s relevant here. And the article is sufficiently vague that the onus is on companies to decide what is absolutely minimal - that includes, implicitly, removing inactive accounts. Unless the courts have made a judgement to the contrary.

wat10000 an hour ago | parent | prev [-]

"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed"

Keeping "account X purchased game Y" forever is necessary for the purpose of tracking ownership.

Based on how big companies typically behave, I assume that they are storing a metric buttload of other data on their users, which is not necessary for that purpose, and which they aren't inclined to separate out.

This is just like the cookie popup nonsense. You don't have to ask for permission to store necessary cookies. Cookie popups are ubiquitous because sites would rather bother every single visitor so that they can store unnecessary cookies.

BiteCode_dev 3 hours ago | parent | prev [-]

The GDPR does not say that controllers must always delete personal data on request. Article 17(1)(a) — erasure is required only when:

"the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed"

https://gdpr-info.eu/art-17-gdpr

It's like the cookie banner all over again. This law never, ever required a cookie banner.

The big companies are master in malicious compliance that benefit them, and let them blame the EU for it.

Rules of thumbs, international billion dollars company should be assumed to be the ones being the bad guys until proven otherwise. They have lost the benefit of the doubt decades ago.

monocularvision 2 hours ago | parent | next [-]

If it’s malicious compliance and not required why does the EU Commission website have it?

https://commission.europa.eu

crote 3 hours ago | parent | prev [-]

In practice most of the purposes you'd encounter in the wild are directly linked to user activity, so account deletion means most of the reasons to keep it disappear.

You still need to keep it if there's a law saying that you need to have that data, of course, but that's the exception.

cccbbbaaa 3 hours ago | parent | prev [-]

And that data must be held for a limited amount of time under GDPR article 5(1)e. Sony’s policy is very much a consequence of this.