-1

Since GDPR strictly requires consent to Personal Identifiable Information (PII), could a criminal exploit online services by remaining anonymous in all his criminal activities?

Providers are not allowed to keep PII without consent. Therefore, any online crimes cannot be traced to the offender.

I have also learnt that online services cannot deny service if a person refuses to consent to the provider's data collection policy as of Article 7 of GDPR. This is also discussed in this question.

Wouldn't this create a haven for online criminals/hackers?

user1034912

2 Answers

8

It is absolutely not the case that

"Providers are not allowed to keep PII without consent."

Article 6 of the GDPR identifies six possible lawful bases for processing personal information. These are:

(a) the data subject has given consent ...
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

If a person requests services from an online service provider, basis (b) will apply, at least to some information. If there is evidence of criminal activity, basis (c) may well apply, as it also will for much routine record keeping. And in many such cases, basis (e) or (f) will also apply.

In short, article 6 does not create a "haven for online criminals/hackers".

In a comment on another answer the OP writes:

"The offender has the right to not be identifiable and he can't be denied this right"

That is simply not correct. Nothing in the GDPR says anything of the sort. It is true that consent may not be forced, but if a user requests a service, that service may require the user to identify him- or herself. For example, one cannot order physical goods without giving a name and a shipping address. And the provider may retain PI and even PII when it has a "legitimate interest" in doing so, although if challenged it must justify that legitimate interest.

David Siegel
4

Consent is only one of the 6 GDPR grounds. Necessity is another. Since a provider provides an on-going service, it needs a contract, and the contract by necessity needs to name the parties of the contract.

MSalters