Come on. Intentions are never noble. All politicians have their respective owners. Be it officially through lobby groups or unofficially by local oligarchs without middle men.
Too many, yes, but far from all. At least our politicians are less aligned to lobby groups than the companies behind those groups, be they small or Google-sized.
Am I a career politician? But actually you might be right - just noticed Massie[0]. If he was to act like a typical politician he would let the food shortage strike and only then go solving it to gather extra points. Rand Paul also seems to have something like a conscience. Guess when such people would have any say on real matters though. Never. And with nation states still being the main actor, there is no such person in Brussels, unless we count the hell-raising clowns like Korwin-Mikke and Farage who raise hell for the sake of raising hell.
This is an absurd argument repeated so many times I don't know at which point you stop to keep falling for bs your politicians and legal systems come up with.
We will improve next time. We will improve next time. We will improve next time.
Why do you let someone exist after so many times the same? Change the institutions first rather than keep trying with failed engine. The structure. The elections. Power distribution.
Changing chasey won't do when the engine and transmission is broken.
That might have been the initial intent of the GDPR, but it's not the outcome. The problem isn't the human rights, but the bureaucratic, legal and compliance nightmare it creates for small business.
IP blocking is easier than mangling every business and technical process to follow it.
- for the customer all the hoops he has to jump through now to get serviced because corporations implemented those in order to be "compliant" (e.g. I just tried to get detailed information for an expected UPS delivery - instead of a simple click it requires registration with "UPS My Choice", meaning one page for logging in with FB/Google/Amazon/Twitter or a new account, one page for detailed disclaimer and terms, one page for country/postcode input, one page with my detailed name, address, e-mail, phone number, more T&C acceptance, ...)
- for the company to design, evaluate with a lawyer all these procedures and related customer services.
Perhaps you will never be in the position to see it from a small company's side, but don't deny that you're as annoyed as everyone else with all the explicit consent forms.
It's about the work needed to comply vs. the risk vs. the possible benefits.
1. Work to read an interpret legislation means lawyers. If you think you understand a law because it "seems" to be simple to understand you are fucking wrong. Words in law tend to mean different things and refer to other laws, precedents, principles and treaties.
2. The benefits are often small for international businesses. EU customers? Do you care? Probably not.
3. The risks are MASSIVE for breaking the GDPR.
So, in cost/benefit, it's a massive "I'm not touching that".
GDPR did a lot to shift the window back and put the behaviour of the big adtech companies in the sunlight for a while.
The enforcement side is definitely lacking, and black mirror might still have done more to shift opinion, but it's not all bad.
Consumers all over the world now have the ability to request data takeouts and deletions, etc. And anecdotally I've noticed more and more sites honouring the opt in requirement for 3rd party tracking scripts.
It's a solid improvement over the status quo of 2017.
Not later than this morning I wanted to access a forum post. So I go to the privacy page (as a popup proposed me) and then arrived to a page with the list of all the « partners » with access authorized by default.
Around 50 of them. No button to refuse all and had to do it one by one. And I visit sites like that every day.
I agree that there have been a lot of progress but we are still far from completion.
I don’t know, this article maybe makes sense through an american lens, i’m open to that idea.
From my view, GDPR has had a few impacting benefits to me personally already.
I’ve been notified of security breaches 3 times now that i’m confident either wouldn’t have been reported or would but 18 months later. I’ve been able to move my ISP as a result. Getting closer to that idea that customers will punish you if you mess up - in this case i was able to learn about their mistake thanks to GDPR.
I agree. Additionally the added ability to get my data back via take-out features from most services has been a general boon for me, and a major upside to the law. A far more important feature of the GDPR in my eyes than vindictive punishments.
It doesn't take too much searching to discover where GDPR benefits the consumer. Facebook basically wrote a big announcement about it two months before GDPR came into effect: https://about.fb.com/news/2018/03/privacy-shortcuts/
Of course they don't reference GDPR specifically, but it's all basically new tools that allowed them to handle GPDR requirements automatically rather than having to handle a deluge of access requests and otherwise manually which would have been much more expensive.
Yes and no. I can't lie, I was really hoping for a significant company to be put up against a wall and shot, maybe a major retailer that won't let you check out online without giving a phone number or whatever. The notion of data being a toxic asset[1] still hasn't really sunk into the higher ranks of most large orgs.
However, I've found GDPR deletion requests to be a pretty strong cudgel. For the last 10 years or so I've been sending deletion requests for accounts when I no longer need them. Prior to GDPR, about 50% of responses would be along the lines of "in the nicest possible way, we don't care about you enough to do that so please fuck off". Reading between the lines, I assumed that about 50% of websites were implemented poorly and didn't properly support deletion.
Post GDPR, all but one request have been given a polite "we have done as you have requested, we hope to see you as a customer again". GDPR has both legitimized the process of requesting that your data has been deleted after you're finished using a service, and has legitimized the concerns of all those developers who were never able to get engineering time to properly support account deletion.
So it's been a success, it could be succeeding more but I'm not unhappy. I would still like to see at least one company get ICBM'd in order to remind larger entities that they've got responsibilities to society too, not just their shareholders.
I think the analogy falls apart when you consider the movement/creation of singular objects (like your phone or your money) versus new/copied objects (a copy of his birthday on your singular piece of paper).
If you create a replica of a taxi you rode in, you own that copy.
If you take a photo of someone, you own that photo.
If you write that person's birthday down on a piece of paper, you don't own their birthday now. You own the piece of paper with their birthday written on it, and they have no claim to that paper or what's written on it.
If you go through someones wallet and write down all the details required to open a bank account in their name, you do not suddenly own all those details, and you may not do with them whatever you wish as if you did.
Opening a bank account using those details is identity theft, because they are not /your/ details. No one cares if you owned the paper you wrote them down on.
That's just colloquial terminology. GDPR terminology is "personal data" concerning or referring to the "data subject". That stalls the ownership question. And yes, when "personal data" regarding an EU "data subject" is stored on someone else's hard drive, that "data subject" has certain rights in the EU.
These are colloquially interpreted as "you have rights to your data". Naturally, your address is not generally copyrightable (another notion of ownership of data) but it can be "personal data" that relates to you.
The GDPR being meant to spite Google (rather than, you know, protecting privacy) is an unfounded conspiracy theory. Claiming the EU tried to support a US company by harming its (European) competition doesn't even deserve that level.
GDPR is heavily based on the old German "Bundesdatenschutzgesetz" (Federal Data Protection Act). There is little new in it that wasn't the law in Germany already, only now it carries way higher penalties.
The law was passed in 1977 in its first form on the federal level, was already in effect on state-level in 1971, and thus is older than Google by a few decades.
Main Problem with the Big Companies is that these are located in Ireland.
The Commissioner there has no resources [0] to pursue these cases but he can't be bypassed when it comes to fees (at least convention of the other Commissioners if not by the GDPR itself).
The other Commissioners are becoming more and more upset with this and planing to institute a board to overrule Ireland's Commissioner. But all of this is very slow...
You can't imagen the frustration over this on part of the other Comissioners
Want to second this. There's been a lot of criticism of the Irish commissioner's approach, both from Data Privacy advocates here in Ireland (e.g.: Digital Rights Ireland), and at the EU level.
> The other Commissioners are becoming more and more upset with this and planing to institute a board to overrule Ireland's Commissioner. But all of this is very slow...
Interesting, do you know of a news article or something similar about this?
A lot of this gets into whether you think punishment is the desired outcome or behavioral changes.
There has been a real and definite shift in the industry post GDPR away from "we might need this data someday" to "please delete it at the first opportunity".
Punishment is always the desired outcome in the journalist world. If something dramatic does not happen, then from the perspective of NY Times nothing has happened at all. There is no story, no people to smear that were the villains, no heroes to glorify that fought for GDPR. The reality is, that the mundane often impacts our lives much more than the exciting. Small incremental changes that we do not notice shape our reality. The same way that NY Times slowly became a parody of itself, the GDPR slowly changes the web. I still think that we need more time to put this into perspecive and we need more initiatives that build on top of GDPR really stands for.
The point is that we often overlook the things that really shape our reality. What every ideological and/or political movement knows is that no one will fight the ideology if it's fed in very small increments. We will simply overlook it as insignificant. If you try to nitpick on small things then you're sure to become the laughing stock. It's the same mechanism, but for once it works in our favor.
I was a bit sad when I saw the initial downvotes, since this account was already 4 times below zero points in total and I don't think there was anything that broke the rules in that comment. I guess I was looking down on NYT, but at this point the collapse of journalism is not an opinion, but a measurable truth. You can just measure it by average salary in the domain. I don't think there are any sources lately that you can trust 100%.
>I don't think there are any sources lately that you can trust 100%.
That is exactly backwards. The journalism never was truthful; instead it was full of lies by omission, manipulation to push a narrative, and plain mistakes made in the rush to be the first to publish.
What changed[1] is the seasoned staff is now largely gone and replaced with low-paid youth fresh off of the school. It's through the lacking experience and missing professionalism that the mask slips, and we now get to see how the sausage is made.
Paradoxically now that we get to see how bad it gets at times, the spotty trustworthiness becomes a known quantity, and so we can handle it better.
I mostly agree, but I think there was a bit of a difference in quality up until about 15 years ago.
This was due to the nature of the competition between news outlets. It you have only few suppliers in any domain, then a possibility of a "price war" is relatively small. It's much easier to predict how our counterparts will behave and dumping prices hurts all the participants. It forces the competition to move to different areas - like marketing and quality of service.
Once there were more competitors, due to the internet being a thing, all bets were off. No one could hold to their position just because he was considered more reliable by a marginal degree.
>I think there was a bit of a difference in quality up until about 15 years ago.
Going by those excellent charts[1], there were two distinct "kinks" in intensity of change; around 2000 and around 2015.
>the internet
The best explainer I've seen thus far is that loading articles with keywords improves searchability and readership metrics. My far fetched hypothesis is that it is a side effect of the present form of search - dominated by one vertical that has strayed far, far away from the original Page Rank idea.
You've been paying a man to warn you if there are tigers on the main street. Every day for the last 10 years he's been telling you there are no tigers on the main street and you've taken the main street or he's told you there are tigers there and you've taken the side street. Today he said that there was a tiger on the main street but you took it anyway and didn't see the tiger. Has his trustworthiness collapsed or was he always scamming you?
Does it really matter? It sounds like a philosophical question without any real meaning to me. I can overtake the turtle even though he moves. I can tell that I should not trust this particular man from this point on. It's very easy to lose reputation and very hard to build it.
Of course; a tiger keeps hidden and attacks humans from behind.
Jokes aside, your fable is excellent and I hope to use it in the future.
Other than that, I have no useful answer beyond re-iterating my earlier assertion: the media was always bad. Now we can see it better than before.
Perhaps the tiger was a red herring all along. There just might be a fat cat getting fatter in the city hall that we were too distracted to pay attention to.
IMHO GDPR has been (as of yet at least) a net loss to society. It hasn't, and probably never will, change the status quo of the biggest data hoggers (Facebook, Google et.al). It have increased my annoyance on the web with even more crap interruptions about cookies etc. It has increased administration in so many places in our society where data is collected in totally non-harmful ways with no real functioning opt-out, like phone numbers in kids football associations or contact info for parents in schools etc. Remember that even data stored on papers are covered by GDPR.
I think my gripe is that organisations becoming "GDPR compliant" mainly has created systems for collecting consent or focusing on which cloud platform to not use, rather than creating any real change by e.g not using systems with piss poor security to begin with.
Almost like if we created regulation around banning bad roads, and all that happened was that people had to start signing papers saying they accepted the risk of bad roads.
But I guess it will take some time to see real change, hopefully it will come someday.
>Almost like if we created regulation around banning bad roads, and all that happened was that people had to start signing papers saying they accepted the risk of bad roads.
Really?, did you not see the popups with the giant list of "partners" that have access to your data, you need to click on the show details button but now you can see the shit, where in your road example people would not see the wholes in the road.
I mean it's nice that it's transparent and even opt-out. But would be interesting to see the stats of how many people click the details-link on pages like https://www.elle.com or even http://techcrunch.com.
My hunch is that its way less than 0.01%.
Imho it would been as effective, and much nicer, if they could just assume consent and have a setting accessible via the footer. The small small percentage of people caring about it enough to be bothered would find it as easily, and the rest could just go about their day as before.
You only click Accept once and you never see that popup again on that website. Do you also dislike that all emails have now one paragraph on how to unsubscribe and should be a small link hidden somewhere in the footer?
Yes, but I think I have clicked on at least 10 accept/close/ignore/okay buttons today. As I have almost every day, it's a never ending battle. Multiple machines, mobile devices, cookies do sometimes expire (ironically), I might clear my cookies etc.
Further, the cost of one paragraph in flowing text is quite different to blocking modals or boxes going along with your scrolling blocking large portions of the screen.
Why not toss in a 100 page EULA on every page while we're at it?
I strongly believe that the effective outcome (i.e how "much" people are tracked on the web) would be identical if GDPR had a provision that allowed sites to a) track as before by default and b) provide opt-out and transparency via a footer link, similar to German laws about Impressum.
Most people won't opt-out, nor read details, but all people have to click accept all the damn time.
I would argue that those buttons train consumers for worse in the future. Next time it will be a button that says we retain access to your mind while you are using this service and all the consumers will just agree like they did before.
It's as flawed as false sense of security or all tos are legally enforceable click check mark buttons. They aren't. Stop trying to pretend they are and cause a chilling effect in people. It's
social_manipulation!
So yeah I absolutely hate that banner. it's terrible.
>Next time it will be a button that says we retain access to your mind while you are using this service and all the consumers will just agree like they did before.
This is not true for all users, some users will always click on the big blue button and the problem is not GRPR but shit designers, like PayPal is pushing me into some new thing with a page with a giant blue button and a super small "No now" link, shit companies will always be shit , they will always screw you but this time GRPR forces them to be transparent on how bad are they screwing you.
The popups are annying but you know what, some users are deciding to click NO, and go to a different web page. So if news website A has annoying popups and shit design with tons of ads users will find eventually the website with less ads and popups or will install an extension that block all the tracking and ads. So if the GDPR popup will convince some people to install ad blocking to block the popup and the tracking then is great.
Power users like myself are running with JS off and white-listing good websites to allow JS. If some link shared here is not opening then I just read something else.
GDPR has caused significant behavioral change for many companies. There hasn't been much high-profile enforcement yet, granted, but I'm not sure that that's actually that unusual for an (in EU terms) shiny new regulation.
People keep saying this, and to some extent it's very true, I've witnessed it myself in companies. But I mean, the aim of GDPR was never to make resonable data collection that is done in a safe way by "the good guys" hard.
The question is rather how many companies that pre-GDPR stored my data in ways I (as a technical person) would consider unsafe, or used it in ways I would consider "bad", that have changed their ways.
My local bowling alley still stores my password in plaintext and use an outdated Wordpress-plugin for bookings, and Google stills knows as much about my behaviour online and IRL.
> and Google stills knows as much about my behaviour online and IRL.
It probably doesn't, as fewer websites will be so blasé about pumping every piece of metadata they can think of into Adwords and Analytics APIs these days.
Google has lots of first party traffic. That's their big strength. Same with Facebook. That's why between the two of them they eat 2/3rds of every new ad dollar.
> The question is rather how many companies that pre-GDPR stored my data in ways I (as a technical person) would consider unsafe, or used it in ways I would consider "bad", that have changed their ways.
My local bank has, post-GDPR, started adding Google Analytics to their logged in client section. I've complained to them ("but we use anonymizeIp()") and to the data protection officials here in Germany ("how did you even see that? Can you explain again what is the issue?" and then they dropped silent).
You mean your government's enforcers are incapable of understanding the internet and the law, never mind the interplay between those two (because the wages the government pays guarantees that such people won't be working there).
Like everywhere else.
And this will never change.
The only thing the GPDR allows for is for governments to bury and destroy companies they don't like, which at this point is mostly the big internet companies, but that won't last.
> Like everywhere else.
>
> And this will never change.
I am quite used to hearing this from people who oppose GDPR, however I am yet to hear at least a single strong point made about what they would do instead.
Apathy due to not being able to do best is incredibly self-defeating. In my own personal take on this I think this is exactly what Google et al want you to do: being afraid to do anything because you haven’t yet found a way to perfectly resolve the situation.
It’s a policy issue, and thus if you knew how to resolve it in an ideal way there would be nothing to resolve in the first place. We’re not dealing with number theory where some brilliant mind can suddenly imagine a mental framework that will resolve our all sufferings.
Why would I be scared of Google/Fb/Amazon or other companies ? They don’t have power and can be sued effectively. Government departments cannot and have privileged acces to my data and keep getting caught letting their agents abuse it for the most trivial of reasons.
If Amazon violates my privacy I basically get better suggestions for a birthday present for my daughter a week before her birthday.
What I fear is the government passing my medical file to health care, police and insurerance companies. What I fear is an incompetently recorded and therefore wrong home moving record getting passed to the IRS and that resulting in an investigation, blocking my accounts. What I hate is a wrong camera match to my face resulting in the police wrongfully arresting or convicting me. What I fear is the police agggressively investigating me because they have some random tiny bit of “evidence” such as my cell phone being close to a crime, or because I dialed a wrong number that was involved in a drug case.
I therefore want the ability to permanently edit and erase my own medical record, as well as any other government record on me, from school data to ex spouses when a divorce is final. The ex spouse is allowed to have proof. City hall is not. I want the government itself to be liable for passing any info even to the police. I want contact tracing to be impossible even if it makes police 5% cheaper at the cost of allowing for great abuses. I do not want laws that cannot be enforced against government departments, I want it to be erased.
Compared to those threats, I don’t really care about private companies knowing I watched porn yesterday evening. Without effective protection for the Crown Jewels of my privacy I don’t care about tiny details.
It’s amazing how you took it as if I was arguing against corporations, when the gist of my argument is that somebody has to be developing the necessary legal framework of how to handle my data (by both corporations and governments). EU did, did anyone else?
> a present for my daughter’s birthday a week before
Can anyone on NH suggest whether this ever happened to them? This never happened to me practically so I think this is quite far away from reality.
1) laws or "frameworks" don't help against entities that cannot be sued effectively, and can even change the laws, and it's exactly those entities, and not small or even large companies that I feel worried about. And of course, it's these governments, not companies, that keep getting caught abusing, for example, medical records:
"What’s more harmful to patients being treated for drug or alcohol abuse: Risking their health by keeping other medical providers in the dark about their substance abuse treatment? Or risking their jobs, homes and child-custody arrangements by allowing potentially damaging treatment details to be electronically shared with an array of medical providers?"
(Never mind that if this goes for drug/alcohol abuse, the same goes for single mother families: do you let your kids broken arm get treated and risk youth services taking away the child, or do you let it go untreated, risking ... ? And of course there's the never ending list of government departments demanding access to this data, from the IRS to some department registering pets.
(I even object to DOCTOR's use of medical records. I was diagnosed with kidney stones. Now I can tell you, that HURTS. ESPECIALLY if for 2 weeks doctors refuse to test, instead giving some pain medication and sending me home asap. Why? You feel the pain in your abdomen, and I look like I'm maybe 25 years old. I eventually found out that these doctors refused to check for problems ... because pain in the abdomen is most often caused by heroine addiction causing constipation. If my medical record had even a little support for that conclusion, I could have died, slowly, in incredible pain. So no, I don't even want doctors to have access to my medical records AND I DON'T WANT THEM TO KNOW THEY DON'T HAVE ACCESS. Why? Because I don't want to die. No other reason)
2) The EU legal framework is even less effective than laws. GPDR enforcement on your behalf is impossible unless ... you convince a government employee to start the case on their behalf. These employees, of course, have since turned out to barely know what cookies are and have not really started cases, not even against companies. I can request for someone to sue their own employer on my behalf. This is a blatant conflict of interest, working against me and every individual or family.
Against government departments, of course, enforcement is nonexistent entirely.
So for me, as a PERSON, there is NO legal protection in the EU framework. None whatsoever.
So the only acceptable solution is to not let the government record or keep this information in the first place.
Everyone who has dealt with them knows Germany's enforcers are pretty strict. They're probably targeting the guys who are dangerous to people, with the really dangerous stuff: personally identifiable information. Unlike HN, the real world regulators don't just flip a shit because you included 3 octets of an IP address somewhere. They're spending all their time going after the guys who have names and phone numbers and emails.
I've dealt with them on multiple occasions, and either the strict enforcement is very different based on state, or it is as you say: if a small company sends an email to two people and doesn't use BCC, they'll be hunted down, but if a huge media company uses tracking beacons of non-EU-3rd-party adtech companies without disclosure or opt-in, they'll ignore it (source: reported literally this as well. They've chosen not to enforce the law, but instead asked the media companies how they'd like to go about this in the future. This affects millions of people per day.)
It's a mess, and it works like an hallucinated moat. If you obey the law, you have a strong disadvantage. If you don't obey the law, you have a strong advantage, and nothing will happen to you. Non-enforcement trains people to not honor the law, because they can't compete if they do.
Isn’t the whole point that you can stop them from collecting your data and also get them to delete your data if you want? Presumably you could get Google to delete all of your data. Is this not the case?
I don't actually know, honestly, what the point was/is exactly. Partly to affect long-term change in how personal data is viewed (less "gold mine, let's collect it all" and more "potentially toxic asset, let's collect as little as possible").
But also partly deletion and opt-out also of course, and that probably works well, for those who use it. But with the huge implementation cost (cited by PwC as upwards of 150 billion USD in the U.S alone [0]), I wonder what the price per delete request or opt-out is.
But Google now offers you the possibility to turn some things off, as well as to receive a copy of your data and delete it. Same for Facebook. This is an achievement of the GDPR.
I checked it out of curiosity, and it seems to me that your employer is dealing with medically-sensitive patient data; so how did undoing all your GDPR-related changes work? Are your employer and their customers GDPR-compliant? Do the patients know?
It's damn near impossible for very small organizations to follow the GDPR in good faith, especially without a lawyer. The intent is good, but not the execution.
What bs.
There's plenty arguments against it but people act like it's some arcane thick book with legalese written in runes.
That's very far from the truth and a quick read-trough the law to identify where it applies to you won't leave many with much if any questions
A quick read through doesn't necessarily make it easy to follow. For example, Sarbanes Oxley compliance is a huge business, that is fairly expensive for a company to implement correctly. And the compliance requirements of it stems from essentially one paragraph of law.
Honestly, GDPR is fine. I love the power of interoperability it's given me. That part is wonderful.
But if what you're saying is so obvious, then GDPR experts should be very cheap. But they aren't. If you're so good at it that it's easy, why don't you just go make your million dollars as a consultant in the next couple of years?
I don’t know whether you’re naive or flippant, but the reality of transacting on the Internet requires companies to handle their customers’ personal information. “Explicit consent” (and the intricacies of how it can later be revoked) is only part of the voluminous surface area of the regulations.
GDPR certainly will have a chilling effect on tech startups. The jury is out on whether it’s a net benefit to society.
I do hope the GDPR has an extremely chilling effect on tech startups that are built around the idea of sucking up as much personal information as possible in order to monetize that data. E.g. "chilling" as in: either go bust or don't get funding in the first place.
That's the entire point of GDPR.
If you just have a user login, that's quite trivial to implement in a GDPR conforming way.
There's a HUGE middle ground between "just having a login" and "sucking up as much personal information as possible in order to monetize that data". Unfortunately, that's where most of the chilling effect will be.
As far as I can tell, everyone who supports GDPR knows nothing about it.
GDPR is vastly more complex than "if you just have a user login it's easy".
To pick just one non-login related problem that has cropped up for me in the past month, a job candidate got upset after a rejection and asked us to "erase him from our database" - probably meaning our recruitment mailing lists. But the recruiters decided this was a GDPR "right to be forgotten" request and proceeded to erase all mention of him from our applicant tracking database. I was then quite confused when he approached me and said he'd been interviewed, because as far as I could tell we'd never talked to him about it. Of course, the whole idea that job candidates can simply make a company "forget" that they interviewed them is absurd to start with but it's the sort of thing that happens due to GDPR.
And then there's the perenially enjoyable question of whether backups are now illegal, or to what extent they're illegal.
Oh, and please don't give me any lectures about how GDPR doesn't require this. GDPR is such a badly written piece of law that it's impossible to say what it does or doesn't require. Anyone who thinks they know just doesn't understand how the regulation works.
Already has, in fact. I was considering taking a personal project I’d been working on public and offering it to others. Whether paid or free, I fall under the requirements of GDPR. I spent quite literally hours reading through everything I could find about what exactly a company of my size (1) needed to do.
Even after I wrote the code to handle DSARs for me, I decided it just wasn’t worth it. In order to be comfortable I would need to hire a lawyer to review things (and continue to pay him to keep on top of changes as things make it through court cases), put together things like an official TOS, worry about whether I could include any analytics services in my product to see if customers were getting frustrated with a particular page... all to launch a free service with no clear path to recurring revenue. And that was on top of the existing worries of having customer data that I want to make sure is secure.
Europe (and increasingly the US) sees corporations as all being huge tax avoiding monoliths of evil. Well, legislation like this will eventually prove them right because only the Googles of the world will still be able to afford compliance.
Actually a lot of large companies are not compliant with GDPR on many levels and while in some cases that's not true, in many it's not necessarily due to malintent. A ton of data is collected by thousands of developers in their products all across the globe and the data is never really cleaned or checked in any way. And in some cases the data that is being collected is so enormous that no one can really answer for certain what goes in there. I know dozens of companies which have thousands of products and each one of them has at least one database behind it. I doubt anyone in the company will be able to tell what a product with 2000 users called Xx developed by two people in Sri Lanka for instance complies to all GDPR guidelines. Frankly most of the people in the company would go "Xx? What's that?". But that product could very well be storing users' location, IP address and so on without their explicit consent in /var/log/debug_connect.log on a server somewhere.
Frankly, I think advocates are just wrong about what GDPR means. A lot of people expected every tech company to face huge fines, because they got it in their heads that the regulation grants you a right to opt out of targeted ads, and as far as I can tell that's just not true.
The obvious explanation for why "no major fines or penalties have been announced against Facebook, Amazon or Twitter" is that those companies don't have any major violations.
What I don't like about the GDPR is how it handled cookies. We could have much tighter control and explicit consent at the browser level, which makes sense because it's a browser feature.
Instead of something useful like that, we have annoying popups on millions of websites.
As someone who has had to both communicate to clients what the rulings mean, and also implement these popups, I totally agree... (and I'm sorry for the the popups)
Consent at the browser level could be implemented in a consumer-friendly way by browser makers. It isn't and enforcing it with laws is stupid (and will lead to similar negative results as with GDPR). Ask your browser maker to fix this, but don't bother asking Google.
I wish we could at least get a browser-level setting to accept/decline all the cookie popups, but AFAIK there's no normalization across them that would make interacting with them in a general sense easy/possible.
Why didn't we just use the cookie settings we already had in browsers, again?
The cookie thing is a myth most likely perpetuated by the cancerous advertising/marketing industry in an attempt to make the regulation look more annoying than it is.
Cookies for strictly necessary technical reasons (like a session cookie set when you log in) or those that contain non-identifying information like language or font size do not require disclosure or consent.
Oh the other hand, any tracking technology that collects personal information (whether cookies, local storage, server logs or browser fingerprinting) for non strictly necessary purposes (like analytics, A/B testing or conversion tracking) needs explicit, opt-in consent, and as far as I know personal information includes IP addresses or anything that can be used to identify someone uniquely with reasonable accuracy (so browser fingerprints fall in this category too).
When consent is requested, it should freely given, so if saying yes is easier than saying no (which often requires unticking hundreds of checkboxes one by one or waiting 30 seconds for a fake "we are applying your ad preferences") then that consent is considered invalid and you may as well just not ask for it in the first place because you're in breach of the regulation anyway, but at least you wouldn't be annoying your users.
You know.... I'm still waiting for Adtech companies to request realtime log shipping on the backend. You'd set up each server type (Apache, HAProxy, Nginx, IIS, etc) as a log ingester type. And from there, you ask the server admin to install a telegraf like tool that securely sends data to endpoint.
Doing this would allow websites to remove all appearances of tracking code. It just wouldn't be there. Sure makes for some strong plausible deniability.
I'm sure the people working in Adtech (primarily google) have already thought of this long ago. It's only stopped by the fact that many websites are just frontends and have no backend access.
The real obstacle is that solution involves trusting the publisher. The biggest reason ads are so bloated these days is all the companies that advertisers, publishers and ad networks tack in to try catch anyone cheating anyone else (in terms of JS at least, obviously higher res video content also contributes, but at least nominally most ad companies try pick something appropriate for the connection as starting playback quickly is in their interest too)
It's too easy to perform click fraud when advertisers only rely on server logs and nobody would pay for advertising on such sites.
Advertisers pay because companies like Google are willing to fingerprint your hardware, run machine learning models on your mouse movement, analyze your browsing history and make you jump through captchas to ensure you're actually human.
Getting the strong impression many commenters here are reading the headline and not the article (and tbh it kind of buries the lede), so TL;DR:
> At the center of the dispute is Ireland, which has outsize influence over the law’s enforcement because Apple, Facebook, Google, LinkedIn and Twitter are all based there. The country is responsible for leading more investigations, 127, than any other country in Europe, according to Brave.
> [...]
> Last year, Ireland’s data protection regulator sought a budget increase of €5.9 million. It got a third of that amount.
> Helen Dixon, the chair of Ireland’s data protection agency, said she was frustrated by the budget restrictions but defended the work of her office.
> She graded Ireland’s performance an “A for effort” but a “C-plus/B-minus in terms of output.”
Basically, the current Irish government administration, responsible for funding the DPC, is not a fan of GDPR.
For anyone interested in reading more about the Irish DPC's frustrations, Cianan Brennan[0][1] of the Irish Examiner is pretty dogged in his coverage of all things Helen Dixon & DPC (he's basically the main journalist covering GDPR in the main country tasked with enforcing GDPR), including her various[2][3][4] battles with the Irish government on their own GDPR-compliance.
sorry, but the Irish DPA is bought. Even with a low budget she could have at least start investigations, instead nothing.
The GDPR will be revised this year (I believe), the corrupted Irish DPA and the OneStopShop approach is the main issue. Other DPA‘s are furious btw.
What I really learned from GDPR and its rollout and its subsequent lack of enforcement is that laws written with regulators being the only ones able to enforce it are just political light shows, they achieve little of value. It is easy for a government to effectively sidestep not implementing the law by defunding the organisation that would do the enforcement or putting a person in charge who doesn't pursue the big breakers.
Since individuals can't bring GDPR lawsuits themselves for breaches and fines charged and governments have largely stopped effective enforcement it has become a pointless law. Any company complying now has missed just how little regulators care and are hampering their business for no good reason, it is still open season on customer data. It has the potential to charge in the future, a government change and some adjustments in the commissioner's office in a country could suddenly make the law come into effect but right now it's looking like companies have another half-decade of ignoring this law at least.
It could have been useful, in practice it just made websites more annoying to use and those complying fully are exceptionally rare.
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
We are moving into a world where every thing we do will leave a data history behind. To take a single example of a single act of buying a milk at the store: The store want a record in order to manage inventory, sale history and sale predictions. They also want location path data in order to determine effectiveness of product placements. Your bank want a record in order to facilitating money exchange and manage money laundering laws. The recipient bank want a record too to do the same for the store owner, but also to keep track of the market which the store is under. The government want a record in order to know how much money has changed hand and for what product in order to determine taxes for the seller and buyer. The mall want a record for the location of the store you bought the milk and how you traversed the mall to reach it in order to evaluate property values and advertise placements. Other milk producers and milk alternatives want a record in order to make a better case arguing for their competing product. The secret police want a secret record in order to verify that you did not buy something that could be made into a threat. The regular police want a copy of the record and a video record in case a crime happened while buying the milk. The local government want a location record in order to manage traffic of people who travel around in order to buy milk. The health department want a record to help researcher determine the potential benefit of milk drinkers.
GDPR is really just a small stop gap to manage a fraction of all the records we leave behind. It is unlikely to be the last one trying to create the laws needed to handle the fact that everyone a record of everything everyone does, but that we also likely going to end up where everyone has a record of everything everyone does because it saves money, makes strategies more efficient and reduces the need for manual labor. Unrestricted data records has a history full of recorded abuse, and a lot of current use today is explicitly designed to harm people by manipulation and predatory strategies. GDPR is a small step forward, but it is mostly just testing the water for the real legal work needed to make the behavior of all those data collectors safe enough that a person can do something as simple as buying milk at the store without exposing themselves to harm.
You completely missed the point: GDPR is not a "small step" in the right direction, but counter-productive and detrimental for future efforts. Big companies will manage to comply with the legal requirements but ignore the spirit and intention of the GDPR, small companies will have more stumbling stones in competing with big corporations.
Some people wish it to be, but it isn't just because they do.
In order to be a small step forward rather than backwards, it would have to show actual positive results. It doesn't, all major data leeches claim to comply with it while retaining more data than ever before, all small companies struggle with it without bad intentions. Don't be deluded by idealism, look at the facts. It's about as effective at keeping your data safe as cookie banners are in preventing cookies, while having similar adverse effects on everyone.
Maybe because the advocates aren't particularly bright to begin with?
GDPR has shown its teeth annoying the crap out of me with it's stupid privacy notices on the few EU-based sites I occasionally visit.
I recall many companies simply stopped doing business in the overregulated hellhole. So there are less choices, customers are worse off and so on - isn't that plenty of teeth?
IMO the only way GDPR would have worked the way its advocates hoped is if the enacting statutes created a private right of action. (I don't even know if private rights of action is a thing in the EU.)
In the US some (though not enough) consumer protection or civil right laws expressly grant plaintiffs the right to bring their own lawsuit in court. There are edge conditions depending on the laws or jurisdictions involved. For example, some laws provide a private right of action only if the state agents decline to pursue the case. While other laws may require the plaintiff to give notice to some agencies first.
Otherwise, laws that may look bold on paper become toothless based on inaction by the state agents that must enforce them. In contrast, if a law includes a private right of action and reasonable fee shifting provisions, private attorneys will pick up the slack and then some.
For example, in the US, the medical privacy regime, HIPAA, is considerably weakened by its absence (as far as I know) of a private right of action. For example, if your medical privacy is violated by your HR department or your doctor, you cannot sue under US Federal HIPAA laws, you need to sue under some other law and prove real damages. Note, there may be other laws that cover the same facts, such as, state privacy laws, or the like. And, in some circumstance, proven HIPAA violations may be used as evidence of negligence, or the like, to meet the requirements of the other laws.
I'm uncertain why the assumption is that GDPR was actually meant to appease advocates. It's pretty obvious that the law as it exists impacts foreign companies far more than EU companies. If the point of these laws was strictly for the benefit of European consumers then there'd be more dialogue around the value to consumers of having cheaper digital goods and services vs. the often abstract and vague benefits of GDPR's regulations. From this perspective, the ethical concerns seem mostly like a smokescreen to justify protectionist measures that will defend less efficient EU businesses in a manner similar to their current agricultural laws which exist mainly to protect the EU's wildly inefficient meat and dairy industries.
>IMO the only way GDPR would have worked the way its advocates hoped is if the enacting statutes created a private right of action.
Article 79
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
151 comments
[ 3.6 ms ] story [ 256 ms ] threadWho owns you, or do you consider yourself immune?
0. https://noqreport.com/2020/04/26/rep-thomas-massie-has-a-pla...
We will improve next time. We will improve next time. We will improve next time.
Why do you let someone exist after so many times the same? Change the institutions first rather than keep trying with failed engine. The structure. The elections. Power distribution.
Changing chasey won't do when the engine and transmission is broken.
IP blocking is easier than mangling every business and technical process to follow it.
- for the customer all the hoops he has to jump through now to get serviced because corporations implemented those in order to be "compliant" (e.g. I just tried to get detailed information for an expected UPS delivery - instead of a simple click it requires registration with "UPS My Choice", meaning one page for logging in with FB/Google/Amazon/Twitter or a new account, one page for detailed disclaimer and terms, one page for country/postcode input, one page with my detailed name, address, e-mail, phone number, more T&C acceptance, ...)
- for the company to design, evaluate with a lawyer all these procedures and related customer services.
Perhaps you will never be in the position to see it from a small company's side, but don't deny that you're as annoyed as everyone else with all the explicit consent forms.
The verbiage is so general and far reaching the other way that it’s impossible to know if you’re doing things right.
Unless you want to higher a legal team, for small businesses, it’s just not worth it.
The GDPR is very clearly written, as far as legislation goes.
It's really not hard to understand, unless you're wilfully trying to misunderstand it.
It's about the work needed to comply vs. the risk vs. the possible benefits.
1. Work to read an interpret legislation means lawyers. If you think you understand a law because it "seems" to be simple to understand you are fucking wrong. Words in law tend to mean different things and refer to other laws, precedents, principles and treaties.
2. The benefits are often small for international businesses. EU customers? Do you care? Probably not.
3. The risks are MASSIVE for breaking the GDPR.
So, in cost/benefit, it's a massive "I'm not touching that".
GDPR did a lot to shift the window back and put the behaviour of the big adtech companies in the sunlight for a while.
The enforcement side is definitely lacking, and black mirror might still have done more to shift opinion, but it's not all bad.
Consumers all over the world now have the ability to request data takeouts and deletions, etc. And anecdotally I've noticed more and more sites honouring the opt in requirement for 3rd party tracking scripts.
It's a solid improvement over the status quo of 2017.
Not later than this morning I wanted to access a forum post. So I go to the privacy page (as a popup proposed me) and then arrived to a page with the list of all the « partners » with access authorized by default.
Around 50 of them. No button to refuse all and had to do it one by one. And I visit sites like that every day.
I agree that there have been a lot of progress but we are still far from completion.
From my view, GDPR has had a few impacting benefits to me personally already.
I’ve been notified of security breaches 3 times now that i’m confident either wouldn’t have been reported or would but 18 months later. I’ve been able to move my ISP as a result. Getting closer to that idea that customers will punish you if you mess up - in this case i was able to learn about their mistake thanks to GDPR.
Of course they don't reference GDPR specifically, but it's all basically new tools that allowed them to handle GPDR requirements automatically rather than having to handle a deluge of access requests and otherwise manually which would have been much more expensive.
However, I've found GDPR deletion requests to be a pretty strong cudgel. For the last 10 years or so I've been sending deletion requests for accounts when I no longer need them. Prior to GDPR, about 50% of responses would be along the lines of "in the nicest possible way, we don't care about you enough to do that so please fuck off". Reading between the lines, I assumed that about 50% of websites were implemented poorly and didn't properly support deletion.
Post GDPR, all but one request have been given a polite "we have done as you have requested, we hope to see you as a customer again". GDPR has both legitimized the process of requesting that your data has been deleted after you're finished using a service, and has legitimized the concerns of all those developers who were never able to get engineering time to properly support account deletion.
So it's been a success, it could be succeeding more but I'm not unhappy. I would still like to see at least one company get ICBM'd in order to remind larger entities that they've got responsibilities to society too, not just their shareholders.
[1] https://www.schneier.com/blog/archives/2016/03/data_is_a_tox...
Much like how if I leave my phone in a taxi, either deliberately or accidentally, I don't own the taxi, but I do still own the phone.
If you create a replica of a taxi you rode in, you own that copy.
If you take a photo of someone, you own that photo.
If you write that person's birthday down on a piece of paper, you don't own their birthday now. You own the piece of paper with their birthday written on it, and they have no claim to that paper or what's written on it.
Opening a bank account using those details is identity theft, because they are not /your/ details. No one cares if you owned the paper you wrote them down on.
Comparison: The bank's hard drives hold my money, but it's still mine and not theirs.
These are colloquially interpreted as "you have rights to your data". Naturally, your address is not generally copyrightable (another notion of ownership of data) but it can be "personal data" that relates to you.
Even more, the IT privacy agency (CNIL) gave time to adv. parties to comply, as in « you can continue to do as usual for now » Big shame.
are you sure about this ?
- http://www.ab-consulting.fr/blog/gdpr/rgpd/rgpd-la-loi-franc...
- http://www.assemblee-nationale.fr/dyn/15/textes/l15t0113_tex...
This is a common misconception.
Directives need to be transcribed into national law but Regulations - like the GDPR - have direct effect and do not.
Regulations become the law of the member states as soon as they are passed, by virtue of the treaties.
The law was passed in 1977 in its first form on the federal level, was already in effect on state-level in 1971, and thus is older than Google by a few decades.
The previous European legislation on this was the Data Protection Directive from 1995, predating Google by three years.
The Commissioner there has no resources [0] to pursue these cases but he can't be bypassed when it comes to fees (at least convention of the other Commissioners if not by the GDPR itself).
The other Commissioners are becoming more and more upset with this and planing to institute a board to overrule Ireland's Commissioner. But all of this is very slow...
You can't imagen the frustration over this on part of the other Comissioners
[0] https://technology.ie/data-protection-commissioner-double-wo...
/r/nottheonion
> The other Commissioners are becoming more and more upset with this and planing to institute a board to overrule Ireland's Commissioner. But all of this is very slow...
Interesting, do you know of a news article or something similar about this?
[0]https://www.heise.de/ct/artikel/Auslegungssache-Der-Datensch...
There has been a real and definite shift in the industry post GDPR away from "we might need this data someday" to "please delete it at the first opportunity".
It's both, surely.
Behavioural change won't last unless there are punishments for non-compliance.
Perhaps because it's laying out a mundane case, rather than making bombastic claims...
I was a bit sad when I saw the initial downvotes, since this account was already 4 times below zero points in total and I don't think there was anything that broke the rules in that comment. I guess I was looking down on NYT, but at this point the collapse of journalism is not an opinion, but a measurable truth. You can just measure it by average salary in the domain. I don't think there are any sources lately that you can trust 100%.
>I don't think there are any sources lately that you can trust 100%.
That is exactly backwards. The journalism never was truthful; instead it was full of lies by omission, manipulation to push a narrative, and plain mistakes made in the rush to be the first to publish.
What changed[1] is the seasoned staff is now largely gone and replaced with low-paid youth fresh off of the school. It's through the lacking experience and missing professionalism that the mask slips, and we now get to see how the sausage is made.
Paradoxically now that we get to see how bad it gets at times, the spotty trustworthiness becomes a known quantity, and so we can handle it better.
--
[1] aside of the amusing tools like "NewsDiffs" (https://twitter.com/newsdiffs), or https://archive.is/
This was due to the nature of the competition between news outlets. It you have only few suppliers in any domain, then a possibility of a "price war" is relatively small. It's much easier to predict how our counterparts will behave and dumping prices hurts all the participants. It forces the competition to move to different areas - like marketing and quality of service.
Once there were more competitors, due to the internet being a thing, all bets were off. No one could hold to their position just because he was considered more reliable by a marginal degree.
Going by those excellent charts[1], there were two distinct "kinks" in intensity of change; around 2000 and around 2015.
>the internet
The best explainer I've seen thus far is that loading articles with keywords improves searchability and readership metrics. My far fetched hypothesis is that it is a side effect of the present form of search - dominated by one vertical that has strayed far, far away from the original Page Rank idea.
--
[1] use of progressive keywords in newspapers, a thread https://twitter.com/ZachG932/status/1133441085118853120
[1.1] more terms, NYT https://i.imgur.com/CZfsLsk.jpg
Of course; a tiger keeps hidden and attacks humans from behind.
Jokes aside, your fable is excellent and I hope to use it in the future.
Other than that, I have no useful answer beyond re-iterating my earlier assertion: the media was always bad. Now we can see it better than before.
Perhaps the tiger was a red herring all along. There just might be a fat cat getting fatter in the city hall that we were too distracted to pay attention to.
I think my gripe is that organisations becoming "GDPR compliant" mainly has created systems for collecting consent or focusing on which cloud platform to not use, rather than creating any real change by e.g not using systems with piss poor security to begin with.
Almost like if we created regulation around banning bad roads, and all that happened was that people had to start signing papers saying they accepted the risk of bad roads.
But I guess it will take some time to see real change, hopefully it will come someday.
Really?, did you not see the popups with the giant list of "partners" that have access to your data, you need to click on the show details button but now you can see the shit, where in your road example people would not see the wholes in the road.
I am fine with even more transparency.
My hunch is that its way less than 0.01%.
Imho it would been as effective, and much nicer, if they could just assume consent and have a setting accessible via the footer. The small small percentage of people caring about it enough to be bothered would find it as easily, and the rest could just go about their day as before.
Further, the cost of one paragraph in flowing text is quite different to blocking modals or boxes going along with your scrolling blocking large portions of the screen.
Why not toss in a 100 page EULA on every page while we're at it?
I strongly believe that the effective outcome (i.e how "much" people are tracked on the web) would be identical if GDPR had a provision that allowed sites to a) track as before by default and b) provide opt-out and transparency via a footer link, similar to German laws about Impressum.
Most people won't opt-out, nor read details, but all people have to click accept all the damn time.
It's as flawed as false sense of security or all tos are legally enforceable click check mark buttons. They aren't. Stop trying to pretend they are and cause a chilling effect in people. It's social_manipulation!
So yeah I absolutely hate that banner. it's terrible.
This is not true for all users, some users will always click on the big blue button and the problem is not GRPR but shit designers, like PayPal is pushing me into some new thing with a page with a giant blue button and a super small "No now" link, shit companies will always be shit , they will always screw you but this time GRPR forces them to be transparent on how bad are they screwing you.
The popups are annying but you know what, some users are deciding to click NO, and go to a different web page. So if news website A has annoying popups and shit design with tons of ads users will find eventually the website with less ads and popups or will install an extension that block all the tracking and ads. So if the GDPR popup will convince some people to install ad blocking to block the popup and the tracking then is great.
Power users like myself are running with JS off and white-listing good websites to allow JS. If some link shared here is not opening then I just read something else.
The question is rather how many companies that pre-GDPR stored my data in ways I (as a technical person) would consider unsafe, or used it in ways I would consider "bad", that have changed their ways.
My local bowling alley still stores my password in plaintext and use an outdated Wordpress-plugin for bookings, and Google stills knows as much about my behaviour online and IRL.
It probably doesn't, as fewer websites will be so blasé about pumping every piece of metadata they can think of into Adwords and Analytics APIs these days.
So even if some sites are pulling out their GA, some won't and that's good enough for Google
My local bank has, post-GDPR, started adding Google Analytics to their logged in client section. I've complained to them ("but we use anonymizeIp()") and to the data protection officials here in Germany ("how did you even see that? Can you explain again what is the issue?" and then they dropped silent).
Nobody cares. Really.
Like everywhere else.
And this will never change.
The only thing the GPDR allows for is for governments to bury and destroy companies they don't like, which at this point is mostly the big internet companies, but that won't last.
I am quite used to hearing this from people who oppose GDPR, however I am yet to hear at least a single strong point made about what they would do instead.
Apathy due to not being able to do best is incredibly self-defeating. In my own personal take on this I think this is exactly what Google et al want you to do: being afraid to do anything because you haven’t yet found a way to perfectly resolve the situation.
It’s a policy issue, and thus if you knew how to resolve it in an ideal way there would be nothing to resolve in the first place. We’re not dealing with number theory where some brilliant mind can suddenly imagine a mental framework that will resolve our all sufferings.
If Amazon violates my privacy I basically get better suggestions for a birthday present for my daughter a week before her birthday.
What I fear is the government passing my medical file to health care, police and insurerance companies. What I fear is an incompetently recorded and therefore wrong home moving record getting passed to the IRS and that resulting in an investigation, blocking my accounts. What I hate is a wrong camera match to my face resulting in the police wrongfully arresting or convicting me. What I fear is the police agggressively investigating me because they have some random tiny bit of “evidence” such as my cell phone being close to a crime, or because I dialed a wrong number that was involved in a drug case.
I therefore want the ability to permanently edit and erase my own medical record, as well as any other government record on me, from school data to ex spouses when a divorce is final. The ex spouse is allowed to have proof. City hall is not. I want the government itself to be liable for passing any info even to the police. I want contact tracing to be impossible even if it makes police 5% cheaper at the cost of allowing for great abuses. I do not want laws that cannot be enforced against government departments, I want it to be erased.
Compared to those threats, I don’t really care about private companies knowing I watched porn yesterday evening. Without effective protection for the Crown Jewels of my privacy I don’t care about tiny details.
> a present for my daughter’s birthday a week before
Can anyone on NH suggest whether this ever happened to them? This never happened to me practically so I think this is quite far away from reality.
https://www.washingtonpost.com/national/health-science/peopl...
"What’s more harmful to patients being treated for drug or alcohol abuse: Risking their health by keeping other medical providers in the dark about their substance abuse treatment? Or risking their jobs, homes and child-custody arrangements by allowing potentially damaging treatment details to be electronically shared with an array of medical providers?"
(Never mind that if this goes for drug/alcohol abuse, the same goes for single mother families: do you let your kids broken arm get treated and risk youth services taking away the child, or do you let it go untreated, risking ... ? And of course there's the never ending list of government departments demanding access to this data, from the IRS to some department registering pets.
(I even object to DOCTOR's use of medical records. I was diagnosed with kidney stones. Now I can tell you, that HURTS. ESPECIALLY if for 2 weeks doctors refuse to test, instead giving some pain medication and sending me home asap. Why? You feel the pain in your abdomen, and I look like I'm maybe 25 years old. I eventually found out that these doctors refused to check for problems ... because pain in the abdomen is most often caused by heroine addiction causing constipation. If my medical record had even a little support for that conclusion, I could have died, slowly, in incredible pain. So no, I don't even want doctors to have access to my medical records AND I DON'T WANT THEM TO KNOW THEY DON'T HAVE ACCESS. Why? Because I don't want to die. No other reason)
2) The EU legal framework is even less effective than laws. GPDR enforcement on your behalf is impossible unless ... you convince a government employee to start the case on their behalf. These employees, of course, have since turned out to barely know what cookies are and have not really started cases, not even against companies. I can request for someone to sue their own employer on my behalf. This is a blatant conflict of interest, working against me and every individual or family.
Against government departments, of course, enforcement is nonexistent entirely.
So for me, as a PERSON, there is NO legal protection in the EU framework. None whatsoever.
So the only acceptable solution is to not let the government record or keep this information in the first place.
It's a mess, and it works like an hallucinated moat. If you obey the law, you have a strong disadvantage. If you don't obey the law, you have a strong advantage, and nothing will happen to you. Non-enforcement trains people to not honor the law, because they can't compete if they do.
But also partly deletion and opt-out also of course, and that probably works well, for those who use it. But with the huge implementation cost (cited by PwC as upwards of 150 billion USD in the U.S alone [0]), I wonder what the price per delete request or opt-out is.
[0]: https://truthonthemarket.com/2019/05/24/gdpr-after-one-year-...
Customers immediately complained.
For business reasons, we undid all of our changes.
Go figure...
Shocked. /s
it's 72 pages of extremely dense legal text, where meaning of every singe word is important
https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
But if what you're saying is so obvious, then GDPR experts should be very cheap. But they aren't. If you're so good at it that it's easy, why don't you just go make your million dollars as a consultant in the next couple of years?
GDPR certainly will have a chilling effect on tech startups. The jury is out on whether it’s a net benefit to society.
That's the entire point of GDPR.
If you just have a user login, that's quite trivial to implement in a GDPR conforming way.
GDPR is vastly more complex than "if you just have a user login it's easy".
To pick just one non-login related problem that has cropped up for me in the past month, a job candidate got upset after a rejection and asked us to "erase him from our database" - probably meaning our recruitment mailing lists. But the recruiters decided this was a GDPR "right to be forgotten" request and proceeded to erase all mention of him from our applicant tracking database. I was then quite confused when he approached me and said he'd been interviewed, because as far as I could tell we'd never talked to him about it. Of course, the whole idea that job candidates can simply make a company "forget" that they interviewed them is absurd to start with but it's the sort of thing that happens due to GDPR.
And then there's the perenially enjoyable question of whether backups are now illegal, or to what extent they're illegal.
Oh, and please don't give me any lectures about how GDPR doesn't require this. GDPR is such a badly written piece of law that it's impossible to say what it does or doesn't require. Anyone who thinks they know just doesn't understand how the regulation works.
Even after I wrote the code to handle DSARs for me, I decided it just wasn’t worth it. In order to be comfortable I would need to hire a lawyer to review things (and continue to pay him to keep on top of changes as things make it through court cases), put together things like an official TOS, worry about whether I could include any analytics services in my product to see if customers were getting frustrated with a particular page... all to launch a free service with no clear path to recurring revenue. And that was on top of the existing worries of having customer data that I want to make sure is secure.
Europe (and increasingly the US) sees corporations as all being huge tax avoiding monoliths of evil. Well, legislation like this will eventually prove them right because only the Googles of the world will still be able to afford compliance.
The obvious explanation for why "no major fines or penalties have been announced against Facebook, Amazon or Twitter" is that those companies don't have any major violations.
Instead of something useful like that, we have annoying popups on millions of websites.
Cookies (or, more specifically, data stored on end-user's devices) falls under the ePrivacy Directive from 2002(!)
The only real change that the GDPR has made to this framework is the definition of "consent".
Why didn't we just use the cookie settings we already had in browsers, again?
Cookies for strictly necessary technical reasons (like a session cookie set when you log in) or those that contain non-identifying information like language or font size do not require disclosure or consent.
Oh the other hand, any tracking technology that collects personal information (whether cookies, local storage, server logs or browser fingerprinting) for non strictly necessary purposes (like analytics, A/B testing or conversion tracking) needs explicit, opt-in consent, and as far as I know personal information includes IP addresses or anything that can be used to identify someone uniquely with reasonable accuracy (so browser fingerprints fall in this category too).
When consent is requested, it should freely given, so if saying yes is easier than saying no (which often requires unticking hundreds of checkboxes one by one or waiting 30 seconds for a fake "we are applying your ad preferences") then that consent is considered invalid and you may as well just not ask for it in the first place because you're in breach of the regulation anyway, but at least you wouldn't be annoying your users.
Doing this would allow websites to remove all appearances of tracking code. It just wouldn't be there. Sure makes for some strong plausible deniability.
Advertisers pay because companies like Google are willing to fingerprint your hardware, run machine learning models on your mouse movement, analyze your browsing history and make you jump through captchas to ensure you're actually human.
> At the center of the dispute is Ireland, which has outsize influence over the law’s enforcement because Apple, Facebook, Google, LinkedIn and Twitter are all based there. The country is responsible for leading more investigations, 127, than any other country in Europe, according to Brave.
> [...]
> Last year, Ireland’s data protection regulator sought a budget increase of €5.9 million. It got a third of that amount.
> Helen Dixon, the chair of Ireland’s data protection agency, said she was frustrated by the budget restrictions but defended the work of her office.
> She graded Ireland’s performance an “A for effort” but a “C-plus/B-minus in terms of output.”
Basically, the current Irish government administration, responsible for funding the DPC, is not a fan of GDPR.
For anyone interested in reading more about the Irish DPC's frustrations, Cianan Brennan[0][1] of the Irish Examiner is pretty dogged in his coverage of all things Helen Dixon & DPC (he's basically the main journalist covering GDPR in the main country tasked with enforcing GDPR), including her various[2][3][4] battles with the Irish government on their own GDPR-compliance.
[0] https://twitter.com/ciananbrennan
[1] https://www.irishexaminer.com/breakingnews/authors/cianan-br...
[2] https://www.irishexaminer.com/breakingnews/ireland/over-6700...
[3] https://www.irishexaminer.com/breakingnews/views/analysis/ci...
[4] https://www.irishexaminer.com/breakingnews/ireland/psc-data-...
AFAIAC they can go screw themselves. Taxes should be cut and not increased.
She's started plenty* of investigations but:
(a) for large cases, the legal resources of the defendant have to be considered and a case has to be viable. Building these cases takes time
(b) even for smaller cases, actual court procedures take (too much) time, so the cases she has taken are largely still in train
* A good portion of those cases appear to be directly against the Irish state, rather than any private corporation
https://www.enforcementtracker.com
Since individuals can't bring GDPR lawsuits themselves for breaches and fines charged and governments have largely stopped effective enforcement it has become a pointless law. Any company complying now has missed just how little regulators care and are hampering their business for no good reason, it is still open season on customer data. It has the potential to charge in the future, a government change and some adjustments in the commissioner's office in a country could suddenly make the law come into effect but right now it's looking like companies have another half-decade of ignoring this law at least.
It could have been useful, in practice it just made websites more annoying to use and those complying fully are exceptionally rare.
They absolutely can:
Article 79
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.
GDPR is really just a small stop gap to manage a fraction of all the records we leave behind. It is unlikely to be the last one trying to create the laws needed to handle the fact that everyone a record of everything everyone does, but that we also likely going to end up where everyone has a record of everything everyone does because it saves money, makes strategies more efficient and reduces the need for manual labor. Unrestricted data records has a history full of recorded abuse, and a lot of current use today is explicitly designed to harm people by manipulation and predatory strategies. GDPR is a small step forward, but it is mostly just testing the water for the real legal work needed to make the behavior of all those data collectors safe enough that a person can do something as simple as buying milk at the store without exposing themselves to harm.
It's an evolution of data protection rather than a revolution.
All of the fundamentals included in the GDPR were in the Data Protection Directive from 1995!
Of course, the extraterritoriality is new, the level of administrative fines is much higher, but it's not like this popped out of nowhere.
Some people wish it to be, but it isn't just because they do.
In order to be a small step forward rather than backwards, it would have to show actual positive results. It doesn't, all major data leeches claim to comply with it while retaining more data than ever before, all small companies struggle with it without bad intentions. Don't be deluded by idealism, look at the facts. It's about as effective at keeping your data safe as cookie banners are in preventing cookies, while having similar adverse effects on everyone.
GDPR has shown its teeth annoying the crap out of me with it's stupid privacy notices on the few EU-based sites I occasionally visit.
I recall many companies simply stopped doing business in the overregulated hellhole. So there are less choices, customers are worse off and so on - isn't that plenty of teeth?
In the US some (though not enough) consumer protection or civil right laws expressly grant plaintiffs the right to bring their own lawsuit in court. There are edge conditions depending on the laws or jurisdictions involved. For example, some laws provide a private right of action only if the state agents decline to pursue the case. While other laws may require the plaintiff to give notice to some agencies first.
Otherwise, laws that may look bold on paper become toothless based on inaction by the state agents that must enforce them. In contrast, if a law includes a private right of action and reasonable fee shifting provisions, private attorneys will pick up the slack and then some.
For example, in the US, the medical privacy regime, HIPAA, is considerably weakened by its absence (as far as I know) of a private right of action. For example, if your medical privacy is violated by your HR department or your doctor, you cannot sue under US Federal HIPAA laws, you need to sue under some other law and prove real damages. Note, there may be other laws that cover the same facts, such as, state privacy laws, or the like. And, in some circumstance, proven HIPAA violations may be used as evidence of negligence, or the like, to meet the requirements of the other laws.
Article 79
Right to an effective judicial remedy against a controller or processor
1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation.
2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.