An anonymous person invited strange men to sex dates at Hilde’s home. She believes it is too easy to misuse other people’s identities online.
Hilde Bygdevoll experienced someone creating a fake dating profile in her name. The police did not find out who was behind it. Photo: Rodrigo Freitas
Sea view
Published: 12/02/2024 22:10
On Saturday, Aftenposten told about Hilde Bygdevoll. Someone created a fake dating profile in her name and invited strange men for sex dates at her home. One message stated that she fantasized about being gang-raped.
– If it is impossible for the police to obtain information about someone who creates a free profile, orders a murder or a gang rape and then deletes the profile, we have a huge problem. Then not only my privacy, but legal certainty in Norway, is at risk, says Bygdevoll.
The Norwegian Data Protection Authority: The privacy rules are not the problem
Tobias Judin is head of the international section in the Norwegian Data Protection Authority and Norway’s highest representative in the European Privacy Council.
– We know of someone who has been made aware that there are dating profiles they did not create. But this seems like a particularly vicious case, he says.
When the website C-Date received an email that Bygdevoll’s profile was fake, they could not find the profile. They think the user had deleted it. The company believes that EU privacy rules mean that they must delete all data about free users if they request it, unless the company is aware of a special reason for keeping it. Without personal data around the profile, the police did not proceed further and dropped the case.
Does this mean that the GDPR rules (General Data Protection Regulation, the EU’s privacy regulation) can protect criminal actors?
– No. GDPR is not the problem, says Tobias Judin.
– The EU rules are similar to the privacy rules we had before, which were already introduced in 2000. An important purpose of the GDPR is to balance privacy against other rights and values. The regulations do not say that privacy must always weigh more heavily.
Tobias Judin is head of the international section at the Norwegian Data Protection Authority.
Disagree about what the law says
C-Date refers to Article 17 of the GDPR legislation, which is called the right to be forgotten. They believe that it stands strong, and that it is in line with the privacy rules to collect as limited data as possible.
According to the Norwegian Data Protection Authority, the right to be forgotten has many exceptions and limitations. It is a right that you only have in some cases.
– If an online service has chosen to store certain data to prevent fraud, within what is proportionate and they have informed the users about it, people cannot usually demand deletion, says Tobias Judin.
– The GDPR rules explicitly state that you can take care of the information as long as necessary.
It is not the Data Protection Authority in Norway that supervises C-Date. He therefore speaks on a general basis.
Judin says they see some businesses using GDPR as an excuse for not having data. Other platforms take care of data even after a user has requested deletion, precisely to prevent fraud and crime.
– The legislation allows for that. The user can protest against the business retaining the data, but the protest must only be accepted if there are no more weighty and justified reasons for continuing to process the personal data. Preventing serious crime can be both justified and a weighty reason, he says.
C-Date has been presented with his statements. They stand by what they have said.
Fact
The right to be forgotten
This is what Article 17 of the GDPR/Personal Data Act says about the right to erasure:
The data subject shall have the right to have personal data about him/her deleted by the data controller without undue delay, and the data controller shall have the duty to delete personal data without undue delay if one of the following conditions applies:
a. the personal data is no longer necessary for the purpose for which it was collected or processed
b. the data subject withdraws the consent that is the basis for the processing, in accordance with Article 6 no. 1 letter a) or Article 9 no. 2 letter a), and there is no other legal basis for the processing
c. the data subject objects to the processing in accordance with Article 21 No. 1, and there are no more weighty justified reasons for the processing, or the data subject objects to the processing in accordance with Article 21 No. 2
d. the personal data has been processed illegally
e. the personal data must be deleted in order to fulfill a legal obligation in Union law or the national law of the Member States to which the controller is subject
f. the personal data has been collected in connection with the offer of information society services as mentioned in Article 8 no. 1
Sea view
A risk we have to live with?
The head of the Norwegian Data Protection Authority agrees that it is against Hilde Bygdevoll’s privacy that someone can pretend to be her. But what is the alternative? he asks.
– Dating is a bit sensitive. Do we want everyone to have to log in with BankID and leave many traces to search for a partner? It can also be perceived as a form of privacy breach, and in many cases we want to limit the possibility of tracking someone online. So this is not entirely simple, he points out.
Hilde Bygdevoll has become unsafe in her own home. The fact that her case becomes known, the Norwegian Data Protection Authority believes, can make companies become stricter in verifying that users are who they say they are. Photo: Rodrigo Freitas
Sea view
According to Tobias Judin, society often falls short when someone is exposed to online fraud. He believes that it is a risk that everyone has to live with to some extent, and that there is often a limit to what the police can do with crypto fraud, phishing or ID theft.
– You are powerless when all data is gone. This is what is so frustrating about cybercrime. The perpetrators are often good at erasing all traces. And the police cannot, or do not have enough resources, to uncover who they are. Even if C-Date had stored the IP address of all the users, it is still not certain that the police would have been able to identify them. The perpetrators can hide behind a rogue VPN provider who sits in a tropical island paradise and blows inquiries from the Norwegian police.
Judin nevertheless encourages reporting such cases as soon as possible.
– Then it is easier for the police to secure evidence. It is also important to include cybercrime in your statistics.
2024-02-12 21:10:36
#invited #sex #dates #Hilde #Bygdevolls #home #limit #police #theft #Norwegian #Data #Protection #Authority
