Photo of Terence Eden. He has a beard and is smiling.

EBCDIC is incompatible with GDPR

Ā· 30 comments Ā· 800 words Ā· ViewedĀ ~39,779Ā times.

Welcome to acronym city!

The Court of Appeal of Brussels has made an interesting ruling. A customer complained that their bank was spelling the customer's name incorrectly. The bank didn't have support for diacritical marks. Things like Ć”, ĆØ, Ć“, Ć¼, Ƨ etc. Those accents are common in many languages. So it was a little surprising that the bank didn't support them.

The bank refused to spell their customer's name correctly, so the customer raised a GDPR complaint under Article 16.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Cue much legal back and forth. The bank argued that they simply couldn't support diacritics due to their technology stack. Here's their argument (in Dutch - my translation follows)

Dutch text and a diagram.

Bank X also explained that the current customer data management application was launched in 1995 and is still running on a US manufactured mainframe system. This system only supported EBCDIC ("extended binary-coded decimal interchange code"). This is an 8-bit standard for storing letters and punctuation marks, developed in 1963-1964 by IBM for their mainframes and AS/400 computers. The code comes from of the use of punch cards and only contains the following charactersā€¦

(Emphasis added.)

EBCDIC is an ancient (and much hated) "standard" which should have been fired into the sun a long time ago. It baffles me that it was still being used in 1995 - let alone today.

Look, I'm not a lawyer (sorry mum!) so I've no idea whether this sort of ruling has any impact outside of this specific case. But, a decade after the seminal Falsehoods Programmers Believe About Names essay - we shouldn't tolerate these sorts of flaws.

Unicode - encoded as UTF-8 - just works. Yes, I'm sure there are some edge-cases. But if you can't properly store human names in their native language, you're opening yourself up to a lawsuit.

Source

GDPRhub - 2019/AR/1006

Dance

Reactions

Share this post onā€¦

30 thoughts on ā€œEBCDIC is incompatible with GDPRā€

    1. Lee Willy Minifees says:

      As far as I know, most countries have laws that regulate what you can put into your legal name.

      Reply

  3. says:

    EBCDIC has many code pages, just like DOS, and by selecting the correct one you can encode characters from any European language you want. So the bank's argument is not completely correct.

    Reply

    1. Dror Harari says:

      Correct but given that there are EBCDIC code page for every country which are not consistent (even the encoding of simple characters like $ may change from one country to another), this prevents a central application from supporting multiple code pages (sets of characters). You would need to store, along with the name, the code page that is used and then add program code to deal with that, something that is not practical.

      Suing for this under GDPR makes zero sense. If your bank is an ancient dinosaur, switch bank.

      Reply

      1. @edent says:

        "If you're being discriminated against, just take some time, money, and effort go where you won't be."

        How about "Not supporting a diverse range of customers doesn't make sense. If you can't do that, shut down your organisation."?

        Reply

  5. Jan says:

    Iā€˜m happy. It feels like revenge served very cold. I tried to open a Barclays account in 2006 and have a German last name with an ƶ. The Lady at the bank said she had to spell the name exactly as on my id. I said, use an ƶ. She said I donā€™t have one on my keyboard. I said then use oe instead. She said she couldnā€™t, because she had to spell it exactly like it was on my id. And on and on.

    Reply

    1. JuggleT says:

      if it is a german id just show the machine readable part there the name is written with ae, oe, ue or ss

      Reply

      1. Jan says:

        Didnā€™t know, thanks! Itā€™s 15 years ago, so I doubt Incan still find herā€¦

        Reply

      2. Erkin Alp GĆ¼ney says:

        Same in Turkish IDs. Machine readable portion spells my last name as Gueney.

        Reply

  6. says:

    Wow. This is mad bonkers, and I shall be raising this with several places that canā€™t get my name right forthwith!

    Reply

  7. Jan (2) says:

    "Unicode - encoded as UTF-8 - just works. Yes, I'm sure there are some edge-cases. But if you can't properly store human names in their native language, you're opening yourself up to a lawsuit."

    Those edge cases are for a large part in human names. There are rare Chinese characters that are not in unicode, those are rare because they are only used in a few names. And one can question if a language like Chinese with a long tail of very rare characters is not effectively an open-ended set. Someone invented those characters in the past, so why won't that process continue?

    All of that is not really relevant to the legal question as judges tend to take into account what is reasonable in the current day and age, which according to this court is to support at least accents.

    Reply

    1. Erkin Alp GĆ¼ney says:

      In Chinese, you could at least use a combining backspace to split characters into two existing ones and thus overtype two characters together.

      Reply

  8. says:

    This is not a technical limitation ā€” come up with an encoding just like UTF-8. Encode where possible in EBCDIC, but choose a bit to indicate higher chunks are available. Migrate legacy data to the new encoding, keeping an eye out for corner cases. Tricky bit is that these old bank systems tend to have fixed-width fields, which can mess with multi-byte encodings. I did something like this back when I worked on compilers for IBM as a work-around for our test suites sometimes having utf-8 filenames. Fairly easy to make a idempotent transformation. I should have gone full into consulting! sheesh.

    Reply

  9. Karl Williamson says:

    UTF-EBCDIC allows encoding all Unicode code points, similarly to UTF-8.
    https://www.unicode.org/reports/tr16/tr16-8.html
    There are modern Perl 5 releases available that support this which I run on z/OS; Python also is claimed to support EBCDIC, but I don't have experience with it regarding Unicode.

    Both EBCDIC 1047 and 037 code pages are isomorphic to Latin1. Almost all European languages should be directly encodable via these.

    Reply

  15. Dave Cridland says:

    The bank could just use punycode in EBDIC of course. Just try saying that out loud author throwing up a bit.

    Reply

  17. Blair Wyman says:

    A point worth mentioning, IMHO, is that this banking application
    was apparently designed and written in the 1990's, and has been
    serving its intended purpose for almost 30 years.

    If the Y2K or Euro character events did not break it --
    and I have no reason to suspect that -- this application
    may theoretically be unchanged since the day it was written.

    Is that a Good Thing? ...or a Bad Thing? I dunno.
    I just know it is a Thing.
    it is a Thing.

    Reply

  18. Timothy says:

    Jim Rees and others are correct, and the headline is incorrect. EBCDIC isn't the culprit. EBCDIC has had codepages for eons, and that'd be one classic way the bank could solve this problem -- or should have solved this problem decades ago. It's a well solved problem. Another way, probably better nowadays, is to use Unicode (UTF-8 probably). Whether it's IBM Z or IBM i, these systems definitely support Unicode and have since the 1990s. The implementation could be in hybrid-quick-hacky fashion. For example, put some "trigger/escape code" in the existing name field (with the current not great EBCDIC codepage choice) that then points to a UTF-8 encoded name stored alongside. It'd require an application code change, sure, but it's not rocket science actually.

    Here's the real headline: "Bank that won't change anything is incompatible with the GDPR."

    Reply

  19. JosƩ Ramƭrez says:


    JCS wrote:
    No oneā€”no oneā€”is going to be confused when they see ā€œJose Ramirezā€ instead of ā€œJosĆ© RamĆ­rezā€
    but the lawyers among us still think itā€™s a critical issue. This is the very apotheosis of a first world
    problem.


    Maybe you dont care, but I do!

    Reply

  20. says:

    @blog Update: it turns out that EBCDIC supports code pages INCLUDING one with all the diacritical marks the bank claimed it was impossible to support! It's been available since an update to the standard in the mid-1980s! (EBCDIC code page 435.)

    There's also UTF-EBCDIC, which allows EBCDIC to encode all valid Unicode character code pointsā€”over a million of them.

    Verdict: the bank in question has an incompetent IT department.

    | Reply to original comment on wandering.shop

Trackbacks and Pingbacks

  1. :

    EU å†…ć®éŠ€č”Œć§ć€ę°åć®ć‚¢ćƒ«ćƒ•ć‚”ćƒ™ćƒƒćƒˆć«ć‚°ćƒ¬ćƒ¼ćƒ–(Ć”)ćØć‹ć‚¦ćƒ ćƒ©ć‚¦ćƒˆ(Ć¼)ćØć‹ć€ć‚¢ć‚Æć‚»ćƒ³ćƒˆčØ˜å·ćŒć¤ć„ć¦ć„ć‚‹äŗŗćŒęœ¬åć‚’ē™»éŒ²ć§ććŖ恄态ćØć„ć†å•é”Œć«åÆ¾ć™ć‚‹čØ“čØŸćŒć‚ć‚Šć€ ć‚¢ć‚Æć‚»ćƒ³ćƒˆčØ˜å·ćŒē™»éŒ²ć§ććŖ恄恮ćÆGDPR(äø€čˆ¬ćƒ‡ćƒ¼ć‚æäæč­·č¦å‰‡)é•åć§ć‚ć‚‹ć€ćØć„ć†åˆ¤ę±ŗ恌2019å¹“ć«å‡ŗć¦ć„ćŸćć†ć§ć™ć€‚ ćƒ†ćƒ¬ćƒ³ć‚¹ćƒ»ć‚Øćƒ‡ćƒ³ę°(Terence Eden)ć®ćƒ–ćƒ­ć‚°ć«ć‚ˆć‚Œć°ć€éŠ€č”ŒćŒć‚¢ć‚Æć‚»ćƒ³ćƒˆčØ˜å·ć¤ćć®ę°åē™»éŒ²ć‚’ę‹’ēµ¶ć—ćŸć®ć«åÆ¾ć—ć€ć“ć®é”§å®¢ćÆEUäø€čˆ¬ćƒ‡ćƒ¼ć‚æäæč­·č¦å‰‡(GDPR)恮16ę”ć€ŒčØ‚ę­£ć®ęØ©åˆ©ć€ć‚’ę ¹ę‹ ć«čØ“ćˆć‚‹ć«č‡³ć£ćŸćć†ć§ć™ć€‚ 恓恮16ę”ćÆ仄äø‹ć®ć‚ˆć†ćŖ悂恮怂
    The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. ćƒ‡ćƒ¼ć‚æäø»ä½“ćÆ态ē®”ē†č€…恋悉态äøå½“恫遅껞恙悋恓ćØćŖ恏态č‡Ŗå·±ćØ関äæ‚恙悋äøę­£ē¢ŗćŖ個äŗŗćƒ‡ćƒ¼ć‚æ恮čØ‚ę­£ć‚’å¾—ć‚‹ęØ©åˆ©ć‚’ęœ‰ć™ć‚‹ć€‚å–ę‰±ć„ć®ē›®ēš„ć‚’č€ƒę…®ć«å…„悌恟äøŠć§ć€ćƒ‡ćƒ¼ć‚æäø»ä½“ćÆć€č£œč¶³ć®é™³čæ°ć‚’ęä¾›ć™ć‚‹ę–¹ę³•ć«ć‚ˆć‚‹å “åˆć‚’å«ć‚ć€äøå®Œå…ØćŖ個äŗŗćƒ‡ćƒ¼ć‚æć‚’å®Œå…ØćŖ悂恮ćØ恕恛悋ęØ©åˆ©ć‚’ęœ‰ć™ć‚‹ć€‚ äø€čˆ¬ćƒ‡ćƒ¼ć‚æäæč­·č¦å‰‡(ä»®čس)
    ć“ć‚Œć«åÆ¾ć—éŠ€č”ŒćÆ态1995å¹“ć«é–‹ē™ŗ恕悌恟ē±³å›½č£½ćƒ”ć‚¤ćƒ³ćƒ•ćƒ¬ćƒ¼ćƒ äøŠć®ć‚¢ćƒ—ćƒŖ悒ä½æć£ć¦ćŠć‚Šć€ć“ć®ć‚·ć‚¹ćƒ†ćƒ ćŒ1964-65 ć«åˆ¶å®šć•ć‚ŒćŸEBCDICć‚³ćƒ¼ćƒ‰č”Ø悒ä½æć£ć¦ć„ć‚‹ć“ćØ恋悉ꊀ蔓ēš„恫åƾåæœäøåÆčƒ½ćŖ恮恠态ćØ å¼ę˜Žć—ć¦ć„ćŸćØ恄恆恓ćØ怂 å®Ÿéš›ć®ćØ恓悍态EBCDIC 恫悂 Code page 37ćŖć©ć‚¢ć‚Æć‚»ćƒ³ćƒˆčØ˜å·ć«åƾåæœć—ćŸć‚»ćƒƒćƒˆćŒć‚ć‚Šć€ć“ć‚Œć‚’ä½æć†ć‚ˆć†ć«čØ­čØˆć—ćŖć‹ć£ćŸć‚·ć‚¹ćƒ†ćƒ čØ­čØˆć®å•é”Œć®ć‚ˆć†ć§ć™ćŒć€EUå†…ć®äŗŗ恮ē§»å‹•ćŒä»Šć»ć©ę“»ē™ŗ恧ćŖć‹ć£ćŸę™‚ä»£ć€ć‚¢ć‚Æć‚»ćƒ³ćƒˆčØ˜å·ć‚’ä½æ悏ćŖć„å›½ć®éŠ€č”Œć§ćÆå°‘ę•°ć®å¤–å›½åé”§å®¢ć®ć“ćØć¾ć§č€ƒćˆć¦ć„ćŖć‹ć£ćŸć®ć§ć—ć‚‡ć†ć­ć€‚ ęœ¬ę„ć®ę­£ć—ć„ę–‡å­—ć§ę°åć‚’ē™»éŒ²ć§ććŖ恄态ćØć„ć†ę„å‘³ć§ćÆę¼¢å­—ć‹ćŖ悒ä½æć£ć¦ć‚‹ę—„ęœ¬äŗŗćŖ悓恋ćÆēµ¶åÆ¾ć«ćƒØćƒ¼ćƒ­ćƒƒćƒ‘ć®éŠ€č”Œć§ćÆē™»éŒ²ć§ććŖ恄恠悍恆ćØę€ć„ć¾ć™ć‘ć©ć€ćć‚ŒćÆć¾ć‚ę—„ęœ¬ćŒEU加ē›Ÿå›½ć§ćÆćŖć„ć®ć§ćć“ć¾ć§ćÆč¦ę±‚ć•ć‚Œć‚‹ć“ćØćÆćŖ恕恝恆恧恙怂恧悂EUåŸŸå†…ć®åŠ ē›Ÿå›½ć§ä½æć‚ć‚Œć‚‹ę–‡å­—ć«éžåƾåæœćŖ恮ćÆ恠悁恧恗悇恆恭怂 今ćŖ悉Unicodećƒ™ćƒ¼ć‚¹ć§ä½œć‚‹ć§ć—ć‚‡ć†ć‹ć‚‰ć€EUå‘ć‘ć«ęä¾›ć™ć‚‹ć‚µćƒ¼ćƒ“ć‚¹ć§ć‚¢ć‚Æć‚»ćƒ³ćƒˆčØ˜å·ć‚’ę°åć«å…„ć‚Œć‚‰ć‚ŒćŖ恄ćŖ悓恦恓ćØćÆćŖ恋ćŖ恋起恓悉ćŖ恄ćØćÆę€ć„ć¾ć™ć€‚ć—ć‹ć—ć€ć†ć£ć‹ć‚Šå…„åŠ›ę–‡å­—ć®ćƒ•ć‚£ćƒ«ć‚æ恧A-Za-zćŖ悓恦恓ćØ悒恗恦恄悋ćØć€ć“ć†ć„ć†č‹¦ęƒ…ćŒę„ć‚‹åÆčƒ½ę€§ćÆååˆ†ć«ć‚ć‚Šćć†ć§ć™ć€‚ 判ę±ŗćŒč©±é”Œć«ćŖć£ćŸć®ćÆä»Šć§ć™ćŒć€åˆ¤ę±ŗč‡Ŗ体ćÆ2019å¹“ć«å‡ŗć¦ć„ćŸć‚‚ć®ć§ć™ć€‚éŠ€č”ŒćÆ25å¹“å‰ć®ć‚·ć‚¹ćƒ†ćƒ ć‚’ē›“恛恟悓恧恗悇恆恋恭? via Twitterå…±ęœ‰: Twitter Facebook

  2. :

    Article 16 of the GDPR says, among other things, that
    The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
    A normal person would take that to mean you have the right to have substantive errors in your records corrected. Things like age, arrest record, employment record and so on. Errors that can cause actual harm if not corrected. A Brussels court has ruled that it also means that European Union citizens also have the right to have their name represented correctly. This is why everyone hates lawyers. The issue is that many names have diacritical marksā€”Erdős or Ceaușescu for exampleā€”and older computer systems are unable to represent them. This is a particular issue in the banking industry that, sadly, is often still running their businesses on last-century IBM mainframes that use the EBCDIC character encoding system. Itā€™s hard to imagine today but bytes werenā€™t always 8 bits, and ASCII, let alone UTF-8, wasnā€™t always the way characters were encoded. EBCDIC was IBMā€™s system and as the 800 pound gorilla they saw to it that EBCDICā€™s use was widespread. The problem is that its standard code page had no diacritical marks so JosĆ© RamĆ­rez is going to have his name encoded as ā€œJose Ramirezā€. Someone with way too much time on his hands decided that was intolerable and sued under Article 16. Now the Court of Appeals of Brussels has agreed and demanded that the bank fix things. Itā€™s hard to imagine a quick fix for this and itā€™s even harder to see how the fix is not going to cost hundreds of thousands of dollars. Of course lawyers donā€™t know or care about any of this. They just want it fixed. Now. Thatā€™s why we all hate them. If I were the bank, Iā€™d suggest that this particular customer find another bank but the lawyers probably wonā€™t like that solution either. Yes, yes. I know Iā€™m intolerant. I know Iā€™m not a European. I know my name doesnā€™t have a diacriticalā€”but itā€™s misspelled so often it might as well have. But, you know, a little common sense would be appropriate here. No oneā€”no oneā€”is going to be confused when they see ā€œJose Ramirezā€ instead of ā€œJosĆ© RamĆ­rezā€ but the lawyers among us still think itā€™s a critical issue. This is the very apotheosis of a first world problem.

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.

See allowed HTML elements: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">