BBO Discussion Forums: BBO, GDPR, and all that rot - BBO Discussion Forums

BBO, GDPR, and all that rot

#1 User is offline   hrothgar 

  • Group: Advanced Members
  • Posts: 15,372
  • Joined: 2003-February-13
  • Gender:Male
  • Location:Natick, MA
  • Interests:Travel
    Cooking
    Brewing
    Hiking

Posted 2020-September-25, 17:11

In the before, back when BBO didn't have any kind of presence in the EU, the company could pretty safely ignore the GDPR. However, things changed dramatically once BBO got bought by Funbridge which is based in France.

My understanding is that a number of people who are caught up in the recent online cheating scandals are trying to assert a right to be forgotten and claiming that BBO needs to purge their hand records.

One of the things that the compliance group within Akamai InfoSec does is handle issues related to the GDPR. I have a few quick thoughts / observations.


First and foremost, it is vital that BBO update their current privacy policy and specifically define that one of the purposes for which they are collecting data is specifically to identify individuals who are compromising the platform by cheating. The GDPR provides exceptions to the right to be forgotten which include situations in which

"The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing."

and

"The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority."

Furthermore, BBO needs to assert that achieving these purposes necessitates sharing this information with third parties including individuals and organizations that administer bridge tournaments as well as analysts who might be doing research with the data.

Equally significant: The data sets that BBO currently has that include hands in which people are cheating are an incredibly valuable resource. These provide a very important training set for future research. If individuals start asserting a right to be forgotten, it's crucial that BBO respond with obfuscation rather than casewise deletion.
Alderaan delenda est
5

#2 User is offline   smerriman 

  • Group: Advanced Members
  • Posts: 3,720
  • Joined: 2014-March-15
  • Gender:Male

Posted 2020-September-25, 17:43

hrothgar, on 2020-September-25, 17:11, said:

In the before, back when BBO didn't have any kind of presence in the EU, the company could pretty safely ignore the GDPR. However, things changed dramatically once BBO got bought by Funbridge which is based in France.

This isn't really true. Regardless of where the company is based, the GDPR legally applies to all EU citizens accessing BBO.
1

#3 User is offline   hrothgar 

Posted 2020-September-25, 17:48

smerriman, on 2020-September-25, 17:43, said:

This isn't really true. Regardless of where the company is based, the GDPR legally applies to all EU citizens accessing BBO.


Perhaps, but if a company doesn't have a presence in the EU, it doesn't really matter...

Simple analogy: The UK has much stricter laws with respect to libel than does the US; however, US courts don't bother to enforce the results of those cases.
Alderaan delenda est
0

#4 User is offline   Zelandakh 

  • Group: Advanced Members
  • Posts: 10,666
  • Joined: 2006-May-18
  • Gender:Not Telling

Posted 2020-September-25, 18:29

I am fairly sure that investigation and/or prosecution by a recognised governing body counts as a legitimate interest of a third party, so I do not think this is a major issue. The processing is necessary for that purpose and the 'interests rights and freedoms' of the individuals can hardly be said to override that legitimate interest. This is the "3 part test" that governs this part of the law.
(-: Zel :-)

Happy New Year everyone!
2

#5 User is offline   hrothgar 

Posted 2020-September-25, 19:18

Zelandakh, on 2020-September-25, 18:29, said:

I am fairly sure that investigation and/or prosecution by a recognised governing body counts as a legitimate interest of a third party, so I do not think this is a major issue. The processing is necessary for that purpose and the 'interests rights and freedoms' of the individuals can hardly be said to override that legitimate interest. This is the "3 part test" that governs this part of the law.


But the data isn't being used by a recognized governing body, rather you have Nicolas Hammond doing his own thing and the CAT doing theirs...
Alderaan delenda est
0

#6 User is offline   johnu 

  • Group: Advanced Members
  • Posts: 4,833
  • Joined: 2008-September-10
  • Gender:Male

Posted 2020-September-25, 22:19

hrothgar, on 2020-September-25, 19:18, said:

But the data isn't being used by a recognized governing body, rather you have Nicolas Hammond doing his own thing and the CAT doing theirs...

BBO, which runs the whole thing, also investigates cheating.
0

#7 User is offline   paulg 

  • Group: Advanced Members
  • Posts: 5,052
  • Joined: 2003-April-26
  • Gender:Male
  • Location:Scottish Borders

Posted 2020-September-26, 01:30

hrothgar, on 2020-September-25, 17:11, said:

In the before, back when BBO didn't have any kind of presence in the EU, the company could pretty safely ignore the GDPR. However, things changed dramatically once BBO got bought by Funbridge which is based in France.

This shows a fundamental misunderstanding of GDPR and why lay people should leave this area to the lawyers. However one advantage of being owned by a French company is that BBO may start taking its GDPR responsibilities more seriously which would include the lawyers helping with the privacy policy and ensuring assent to the change is properly obtained.

I suspect what you find frustrating is that people may be showing the futility of 'safely ignoring GDPR' in the past, despite its relevance to an online business where EU citizens are involved.
The Beer Card

I don't work for BBO and any advice is based on my BBO experience over the decades
0

#8 User is online   mycroft 

  • Secretary Bird
  • Group: Advanced Members
  • Posts: 7,055
  • Joined: 2003-July-12
  • Gender:Male
  • Location:Calgary, D18; Chapala, D16

Posted 2020-September-26, 12:31

"safely" is not "legally", and until the EU can do something to US companies with no European presence to restrict, attack, or fine, Hrothgar's statement applies. After all, it's not the most illegal thing these companies have done or are doing that they will answer the regulators with "yeah, so what?" to. Frankly, that seems to be the attitude of most of the US authorities, corporate or political (or both) - "whaddaya ya gonna do about it, big boy?" - to anything. I have a pithier description of this attitude, but it would trigger the autocensor.

And as he says, having ownership in France gives the EU regulators a handle, and provided his reading of the GDPR is correct (which, if it's his job as he says, I have no worry about trusting), it certainly is something worth considering.

And I say this as a Canadian, who benefits from the GDPR en passant, and would really prefer Paul's world to the real one.
When I go to sea, don't fear for me, Fear For The Storm -- Birdie and the Swansong (tSCoSI)
0

#9 User is offline   thepossum 

  • Group: Advanced Members
  • Posts: 2,362
  • Joined: 2018-July-04
  • Gender:Male
  • Location:Australia

Posted 2020-September-26, 22:13

As someone with no skin in the Bridge game so to speak, but along with everyone huge skin in the general data game, there is the broader issue of data security and privacy so I am watching with interest.

One thing that concerns me greatly (in the broad) with the massive changes over recent years/decades in how operating systems and software are delivered and hosted, and our data, is how far some agencies would take such powers in feeling they had the right to snoop around in places that are well beyond legitimate access to datasets.
0

#10 User is offline   gordontd 

  • Group: Advanced Members
  • Posts: 4,485
  • Joined: 2009-July-14
  • Gender:Male
  • Location:London

Posted 2020-September-27, 01:00

hrothgar, on 2020-September-25, 17:48, said:

Perhaps, but if a company doesn't have a presence in the EU, it doesn't really matter...

This is not quite true. EU companies having data processed by companies outside the EU need them to also have equivalent safeguards. I suppose the question is whether or not BBO are acting as data processors on behalf of EU organisations.
Gordon Rainsford
London UK
0

#11 User is online   mycroft 

Posted 2020-September-27, 09:27

And I think they are, now, if they are running clubs for FFB, et al, which of course they are.

But my point (and Hrothgar's) still applies: the only real leverage the EU has over a US company is through those EU organizations. They can threaten to fine the FFB, and the FFB can lean on BBO to follow the GDPR; and if BBO says "no", the FFB can find another place to spend its money. Whether BBO thinks this is worth the money they lose is another question.

All of this, of course, is "back in the good old days", when BBO wasn't owned by an EU organization. Which definitely ties their hands. And therefore, the suggestion of the OP, which is the whole point (not this digression on "you can't just not follow our rules!", which is interesting, but we do already know the RL answer), on how to get around some of the more damaging (from the POV of the bridge community) parts of the GDPR and still be legal, becomes not just important, but critical.
When I go to sea, don't fear for me, Fear For The Storm -- Birdie and the Swansong (tSCoSI)
0

#12 User is offline   gordontd 

Posted 2020-September-27, 10:22

mycroft, on 2020-September-27, 09:27, said:

And therefore, the suggestion of the OP, which is the whole point (not this digression on "you can't just not follow our rules!", which is interesting, but we do already know the RL answer), on how to get around some of the more damaging (from the POV of the bridge community) parts of the GDPR and still be legal, becomes not just important, but critical.

I know this is how it is being presented by a lawyer arguing the case of those suspected of cheating, but it seems to me that it falls within the "legitimate interests" of an organisation that runs competitive bridge games for it to store and process data relating to the scores and results of those bridge games. Bridge organisations do not generally need to rely on "consent" as the lawful basis for processing most of their data.
Gordon Rainsford
London UK
0

#13 User is offline   hrothgar 

Posted 2020-September-27, 11:36

gordontd, on 2020-September-27, 10:22, said:

I know this is how it is being presented by a lawyer arguing the case of those suspected of cheating, but it seems to me that it falls within the "legitimate interests" of an organisation that runs competitive bridge games for it to store and process data relating to the scores and results of those bridge games. Bridge organisations do not generally need to rely on "consent" as the lawful basis for processing most of their data.


Perhaps. However, I don't think that it's ever safe to assume anything once the lawyers are involved.

The current BBO privacy statements are grossly insufficient.
The only discussions that they have wrt PII involve credit card processing.
They're already being hit by right to be forgotten lawsuits.
They need to address this in a more comprehensive manner.
Alderaan delenda est
0

#14 User is offline   gordontd 

Posted 2020-September-27, 11:46

hrothgar, on 2020-September-27, 11:36, said:

Perhaps. However, I don't think that it's ever safe to assume anything once the lawyers are involved.

The current BBO privacy statements are grossly insufficient.
The only discussions that they have wrt PII involve credit card processing.
They're already being hit by right to be forgotten lawsuits.
They need to address this in a more comprehensive manner.


I agree with all of this. My point was that just because one lawyer, acting on behalf of those who are under suspicion, tries to frame the discussion around the question of "consent", does not mean this is how it must be. And the "right to be forgotten" is not absolute.
Gordon Rainsford
London UK
0

#15 User is offline   hrothgar 

Posted 2020-September-27, 12:35

gordontd, on 2020-September-27, 11:46, said:

And the "right to be forgotten" is not absolute.


Absolutely correct. However, in order to enjoy protections against the right to be forgotten, a data processor must explicitly describe the purposes for which it needs to retain access to this data.

Akamai deals with precisely these same sorts of issues for a number of our products.
And we are very careful to describe the specific and limited purposes for which we are retaining data.
Alderaan delenda est
0

#16 User is offline   pescetom 

  • Group: Advanced Members
  • Posts: 7,203
  • Joined: 2014-February-18
  • Gender:Male
  • Location:Italy

Posted 2020-September-27, 12:56

gordontd, on 2020-September-27, 11:46, said:

I agree with all of this. My point was that just because one lawyer, acting on behalf of those who are under suspicion, tries to frame the discussion around the question of "consent", does not mean this is how it must be. And the "right to be forgotten" is not absolute.


I have experience at high level in sports where successes and reputations are under public scrutiny and I can testify that several proven cheats have been successful in obtaining internet oblivion of their wrongdoings. Hard to imagine that things will be different or better for bridge. From the legal point of view I suggest we should assume the worst and build from there.
0
