This was sent to me off-group. Take it as a post from Kim:
Good morning Ian
I saw your comment on the GENBRIT message board. I couldn't reply via
the board because I'm not a subscriber to the mailing list as I find it
easier just to check the archive every week, but as a business
consultant with a GDPR accreditation (a bit like a Brownie badge, but
there you are...) this is my two penn'orth. Please feel free to ignore,
but if you want to quote from it in a post that's fine.
The short answer to the actual question is yes, a living person will
have the right to have their posts on a message service deleted. Sadly
we will not only be able to have the silly ones deleted - the right
conferred is to have 'all' data deleted (drat!). There is an exemption
if the removal would be impossible, and I suppose Ancestry could argue
that because of the 'threaded' nature of messages, and the fact that
people don't always reply to the thread but start a new one, it is
impossible. It will be interesting to see how that pans out. Under the
right of erasure the data controller (Ancestry) also has to notify any
other person or organisation who 'processes' the data. However, GDPR
doesn't apply to individuals using data for domestic purposes (eg
hobbies) so there's no need for Ancestry to ask other private users to
delete anything.
GDPR only confers rights on living people. Somebody asked whether that
meant data could be reinstated by the controller after the person has
died. Yes, it could, but I doubt if anyone would bother unless it was
something really juicy. The controller would have to assure themselves
that whatever was reinstated did not contain data on any other living
person.
Ancestry are, of course, headquartered in the US. They have not (yet?)
signed up to the EU-US Privacy Shield, which is the leading mechanism
for transferring data between the EU and the US. It's up to individual
corporations in the US to register if they want to, and many large
corporations have. However, I do understand why Ancestry haven't done
this yet because they will not be absolutely sure what they are signing
up to - the GDPR allows member countries to add to/modify some of the
details of the rules in a limited way, and the handling of sensitive
data is one of those areas. The UK government has issued a 'Statement of
intent' but the text of the UK bill will not be out for another couple
of weeks.
'For our customers in Europe, we are adhering to the requirements set
forth in the EU’s Data Protection Directive 95/46/EC on the onward
transfer of personal information from Europe. One of the mechanisms for
onward transfer, the Safe Harbor framework between the EU and the United
States was invalidated by the European Court of Justice on October 6, 2015.
Recently, the EU Commission has adopted The EU-US Privacy Shield
framework for transatlantic data flows. We are presently reviewing the
new framework. In the interim, we continue to rely on another EU
authorized mechanism to transfer data outside of the EEA, the Standard
Contract Clauses, which include contractual commitments by Ancestry
European entities and our US affiliates, along with other processors
outside the EEA, when processing European personal information on our
behalf, to uphold European data protection standards with respect to
personal information of European residents in our care.
Ensuring data protection and security for our members’ personal
information is important to us.'
Hope this is of interest.
All the best
Kim Groothuis