Hi all,
We have been contacted a while back from an American individual who is convinced that Google is leading an elaborate conspiracy to spy on him. As part of his investigation, he noticed that someone from our institution had looked up his profile in LinkedIn (which anyone on LinkedIn can do).
Based on this, as he puts it, "corporate surveillance", he made a Data Subject Access Request to our institution asking us to comb through every email, document, and browser history for all our employees to find who had been working alongside Google to spy on him.
My view on it was that an individual who lives and works in the US (as far as I know this individual has never stepped foot in the EU) is protected by US law, and out of scope of the GDPR (which protects individuals "who are in the Union"). Additionally, as we are not the data controller of that LinkedIn search (I would assume the individual who made the search is? Either that or LinkedIn) and invading the privacy of 1000 staff to find a single LinkedIn name search is a massive breach of our employees' rights.
That individual contacted the ICO, who advised that this individual had the full rights of the GDPR, and that the explanation given for why we could not find and provide the information requested was insufficient.
This means that anyone, anywhere could just request any EU entity and ask them to comb through all their files for any reason, any suspicion of holding data even if no data is actually held on the individual. That seems a really dangerous precedent to me? But it's the ICO.
Has anyone dealt with similar requests from individuals with no EU ties? If so how did you respond?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|