> If this is true, they are in major violation of Article 20 of the GDPR.

Is this reasonable, or trying to whip up resentment based on speculation? It partly feels questionable because the author is a US resident, and the company is a US company - of course that’s no reason not to discuss/comply with GDPR - but paired with the lack of specifics and the explicit speculation with words like “appears” and “likely knowingly” that have no accompanying proof, it feels like more hit piece than valid legal concerns.

There may be real, valid, and large reasons to have resentments here; I have no opinion on that. But LastPass doesn’t necessarily “have” everyone’s passwords, because many are encrypted and LastPass can’t decrypt them.

Does article 20 really apply to data encrypted such that the company has no access? That seems unlikely. Article 20 might require that LastPass export someone’s user profile and credit card information, but it was not designed as a way for people to demand UI features they want or force companies to offer service for free, right?



If they're storing the encrypted data on your behalf then they should be able to provide that, plus instructions on how to decrypt it.


Sure, but are they truly compelled by EU law to do this for people in the EU, to export encrypted data? GDPR applies to PII, and encrypted data the company can’t access is not personally identifiable information, and the company doesn’t necessarily “have” the unencrypted data. It seems like Article 20 does not automatically apply here. (This all aside from the question of whether GDPR applies to Americans using American services.)


