UPDATED: GDPR (Briefly) Blocked Grocers From Accessing Lists Of 'At Risk' People In Need Of Food Packages
from the so-private-you-might-just-die-from-it dept
Kind of a major update here: it appears the GDPR was likely not to blame for the delay in grocers getting lists of vulnerable citizens in need of food deliveries. As is pointed out by DocGerbil in the comments, this more likely had some to do with a processing hiccup by the Department for Environment, Food, and Rural Affairs (DEFRA). DEFRA apparently had the data but had not turned it over as soon as expected, resulting in a slight delay in deliveries.
The Department for Environment, Food and Rural Affairs (Defra) confirmed it is "working with the retailers to get them the information they need".
Defra said by combining Government and supermarket data, it could "ensure essential items are delivered as soon as possible to the people with medical conditions that make them most vulnerable".
This is confirmed by sources other than the Telegraph, including a piece by The Guardian that explains data protection details were being finalized, which may have contributed to the delay.
Britain’s supermarkets have been warned against holding on to NHS data about vulnerable patients which they will receive as part of the government’s efforts to combat Covid-19 once the crisis has abated.
The retailers will this week begin contacting customers whose names are on a list of medically vulnerable individuals, handed over by the government.
But they must delete the data they have received when the coronavirus crisis has abated, the information commissioner warned. Until then, the information, which covers at least 1.5 million people, may be kept and used by the supermarkets to help prioritise deliveries to those most in need.
The delay may have been due to the UK's own Data Privacy Act, rather than the GDPR. What's said about the GDPR generally sucking still stands, but I will take the hit for what was written here, drawn from a report only quoting an anonymous source saying it was the GDPR standing between vulnerable citizens and grocery deliveries. My apologies to our readers, who certainly expect and deserve better.
Original post follows with references to the GDPR's culpability struck through to clarify, while still leaving my screwup on my permanent record, mainly as a warning to myself.
-------
The GDPR is a mess. Still. After nearly two years of existence, it hasn't done much to improve the privacy of the millions of Europeans it affects. But it has made big tech companies even more dominant and generated a hell of a lot of collateral damage.
The privacy law was created by regulators bursting with short-sightedness and good intentions. And, if we're honest, a lot of unmitigated hate towards powerful US tech companies. (Hate, let's continue being honest, many of these companies did little to mitigate.) Transferring the power of privacy back to the people sounds good on paper, but in practice, it results in things like EU regulators violating their own law and, um, trash cans being temporarily removed from post offices because of the personal data they "collected" without permission.
The unintended consequences of the broadly-written law have been discussed here at Techdirt with alarming regularity. Clerical mix-ups have resulted in people accessing other people's personal data. The law has reached across the pond to screw with US court dockets and vanish posts from American search engines. GDPR has even made Christmas more of a logistical nightmare than it usually is.
Now there's this: in the middle of a pandemic, GDPR is preventing food from being delivered to at-risk Europeans self-isolating to prevent exposure to the deadly coronavirus. [See update above] (Paywall-free link here.)
Supermarkets have been unable to get the names of 1.5 million vulnerable people being shielded from coronavirus to deliver food boxes because of EU data protection rules.
Grocers are waiting for a list of those self isolating for 12 weeks due to underlying health conditions so they can be prioritised for deliveries.
The details were expected to be handed over at the weekend, but insiders said they have been held up because of the European Union's general data protection regulation, which prevents mass sharing of information such as people’s names, addresses or emails.
Awesome. They can either eat or have their privacy protected. But not both. And they don't get to choose which option they get. The GDPR has already decided they don't get to eat until the government straightens this out. Multiple major grocers confirmed they had no access to lists of vulnerable residents in need of food assistance.
Fortunately for everyone involved -- especially those considered to be at-risk -- this has been sorted out. One day after the original reporting, supermarkets stated they had finally received the lists previously blocked by the GDPR.
While this is a surprisingly speedy turnaround, the fact is the blocking of at-risk residents' info never should have happened in the first place. While GDPR's goals are (mostly) good, the side effects of mandating broad restrictions on data-gathering and sharing screws with the interoperability of the private and public sectors. In the GDPR's case, it also screws with the interoperability of multiple public entities, making it a nightmare for everyone involved. Good intentions only get you so far. And those good intentions don't mean much when they're undermining the public's health and well-being.
Filed Under: at risk, eu, food, food boxes, gdpr, groceries, pandemic, privacy