On 2022-07-22 at 16:20 -0400, Luis E. Muñoz wrote:
> Going back to the example of an ESP, does the hash of the email
> address equate the email address as per GDPR?

IANAL, but...

GDPR is all about being able to identify someone, even if that would require help from someone else.

So, the email Ursula.vonderLeyen@ec.europa.eu would probably be considered as identifying a person whereas press@ec.europa.eu would not. And collecting ec-president@ec.europa.eu in 2022, despite being a role account, would still be identifiable. Looking up the single person being president of the European Commission in 2022 is available to anyone, but employee1...@example.com, requiring a subpoena to Example.com HR to find who the employee 1234 is, would still be 'personal data'.

Now, if we instead have the hash

bbbaa1af939a01d0e22286c63827d936

If you can hash multiple emails until finding who that refers to, then it's equivalent to the email.

But if it is also the hash of other email addresses

jsmith@hotmail.example
and
janedoe@gmail.example

then it would be considered to be anonymized.

Thus the point would be if the hash you used has enough collisions that the result does not allow identifying a natural person.

Do note that even if it turns out to be considered personal data, you may still be allowed to process it. For example, maintaining a do-not-sign-up list of spammers could be construed on the legitimate interest of ensuring network and information security. Or user consent to be included into a suppression list.

In my opinion the case of MSBL's EBL is much simpler than all the above considerations, since IMHO the dropboxes used in fraud spam do not identify a natural person, and so they should not be a concern.

Best regards

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
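
The collision argument in the message above, as an added example that is not part of the original post: it measures how many addresses in a known population share one token, for a full-length hash and for a deliberately short one. SHA-256, the 3-bit truncation, the helper names and the `mail.example` population are assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict

def token(email: str, bits: int = 256) -> int:
    """SHA-256 of the normalised address, truncated to its top `bits` bits."""
    digest = hashlib.sha256(email.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)

def matches(tok: int, candidates, bits: int = 256):
    """Every candidate address that produces the token `tok`."""
    return [c for c in candidates if token(c, bits) == tok]

def buckets(candidates, bits: int):
    """Group candidates by token; a bucket's size is its anonymity set."""
    groups = defaultdict(list)
    for c in candidates:
        groups[token(c, bits)].append(c)
    return groups

# Constructed sample population (reserved .example domain, not real mailboxes).
CANDIDATES = [f"user{i}@mail.example" for i in range(40)]

def demo():
    # Full-length hash: every token maps back to exactly one address,
    # so the stored value is as identifying as the address itself.
    full = buckets(CANDIDATES, 256)
    worst_full = max(len(v) for v in full.values())

    # 3-bit token: 40 addresses fall into at most 8 values, so the
    # fullest bucket holds at least 5 addresses (pigeonhole).
    short = buckets(CANDIDATES, 3)
    largest = max(short.values(), key=len)
    shared = matches(token(largest[0], 3), CANDIDATES, 3)

    # The smallest bucket is the figure that matters for a privacy claim:
    # one address alone in its bucket is still singled out.
    smallest = min(len(v) for v in short.values())
    return worst_full, len(largest), shared, smallest

if __name__ == "__main__":
    worst_full, largest, shared, smallest = demo()
    print("full hash, largest anonymity set:", worst_full)
    print("3-bit token, largest anonymity set:", largest)
    print("3-bit token, smallest anonymity set:", smallest)
    print("addresses sharing one 3-bit token:", shared)
```

The anonymity set is only meaningful relative to the real population of plausible addresses, so a token that looks ambiguous against a small list may still single out one person against the actual user base.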