item 23352128

Two years in, GDPR defined by mixed signals, unbalanced enforcement

136 points | joering2 | 5 years ago | complianceweek.com

210 comments

[+] volak|5 years ago|reply
I would pay a subscription to a news site if they spent all their time evaluating 2-5 year old events and determining which side was right.

2 years ago comments of "this will only benefit the lawyers" would be -50 points. Turns out... actually yeah.

[+] exabrial|5 years ago|reply
Reminds me of when the EU "fixed" cookies and now we have these stupid click-through warnings everywhere that have pretty much ruined the user experience. Root cause: people passing laws they have no idea about.
[+] bonoboTP|5 years ago|reply
That's actually a good idea. It's really frustrating how (in other types of news) a lot of buzz can be generated and then just silence and we forget it all and move on. But it's not really something that would sell well. Not many people care about yesterday's news, people want to know what's coming next and not what came out of some magazine's prediction several years ago.
[+] kodablah|5 years ago|reply
There is a bit of déjà vu, since at that time we were pointing out similar flaws in the DPD (lack of enforcement, lack of clarity, govt inefficiencies, the inability of proponents to separate intent from reality, etc).

Sadly, there is an absolute "for or against" mentality out there. You can't make it clear that the implementation of such a law would be poor enough to not justify it being enacted in the first place, lest you be told "well, should we do nothing?". We can easily start with easy-to-understand/implement transparency requirements (maybe even just as guidelines or requirements for a form of certification at first, while encouraging technical solutions in the meantime). Never-realized scary fines might as well have never been brought forth.

[+] flemhans|5 years ago|reply
I thought that’s what everyone thought back then. At least all my friends were like, the lawyers will have a good time and be the only ones benefiting from this
[+] lcsmeeton|5 years ago|reply
Not quite the time scale you're looking for, but "Delayed Gratification" provides retrospective news and analysis from the previous quarter.

I'm in no way affiliated with the magazine other than I accidentally bought a copy once and enjoyed it.

https://www.slow-journalism.com

[+] _m7bj|5 years ago|reply
I have been habitually sending "I have finished using your service, could you please delete my account" emails since around 2008 or so.

Prior to GDPR, 9 replies in 10 would be polite but dismissive responses, basically telling me that I'm making an unreasonably burdensome request.

Post GDPR, everyone responds with a message stating they have followed my request in a timely fashion.

Am I disappointed that GDPR has not fined Facebook into oblivion? Yeah. I was hoping for global-scale schadenfreude as much as the next person.

However, GDPR has fundamentally normalized the notion that people's relationships with companies need not be permanent, and that submitting to eternal spam is not the accepted price of buying a flight online. GDPR has established in law that it's totally reasonable for people to not want to give their local gym an iris scan in order to enter the gym and work out, and it is indeed the gym owner who's the arsehole in that situation. This grants leverage against the arsehole.

In that respect, it's been a smashing success. There is much we could improve on, but on the statement "it only benefited the lawyers"...hard disagree.

[+] Jommi|5 years ago|reply
Where in the article did you read that that was the only outcome of GDPR? Did you miss how all European companies now need to take privacy seriously?
[+] abc-xyz|5 years ago|reply
> Turns out... actually yeah.

That might be how you feel. For me, GDPR and the “Cookie Law” have been amazing, as they make it incredibly easy to detect which websites and businesses you should avoid.

I do however wish they’d be a lot more aggressive with the fines.

[+] av501|5 years ago|reply
Nothing says GDPR is something that can't be improved upon. Better enforcement, refinement of laws, everything is possible. It has to begin somewhere and that beginning is rarely perfect. Every failure is also an opportunity to learn what to do better. As some other people have commented, the intent is right, the execution has to be improved. Edit: Fixed grammar and some words
[+] barking|5 years ago|reply
"We care about your privacy" notices have become the bane of my life.
[+] Nextgrid|5 years ago|reply
The majority of these aren't actually compliant.

Tracking should be opt-in and consent should be freely given. If your notice is annoying enough that most people click accept (or if clicking decline is harder) then you are already in breach.

A lot of websites also consider analytics cookies as essential and don't provide a way to decline those which isn't compliant either.

These websites can be detected very easily by running a web scraper and looking for one of these non-compliant "consent management" solutions (looking at you TrustArc) and fining every single company that uses it.
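
The detection pass described in the comment above, as an added example that is not part of the thread: a Python script (standard library only) that parses scraped pages and flags a banner offering an accept control with no decline control, flags Google Analytics cookies (_ga, _gid, _gat) already set before the user has made any choice, and lists consent-management vendor scripts for manual review. The commenter names TrustArc; the vendor hostname used here, the two sample pages and their cookie jars are assumptions constructed for the example, and the button-label word lists are a heuristic, not a legal test.

```python
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import Dict, List

# Whole-word matching so that "ok" does not fire on the word "cookie".
ACCEPT_RE = re.compile(r"\b(accept|agree|allow all|got it|ok)\b")
REJECT_RE = re.compile(r"\b(reject|decline|refuse|deny|only necessary|necessary only)\b")
# Consent-management vendors whose presence is flagged for manual review. The comment
# names TrustArc; the hostname listed here is an assumption made for this example.
CMP_HOSTS = ("trustarc.com",)
# Cookie-name prefixes used by Google Analytics.
ANALYTICS_PREFIXES = ("_ga", "_gid", "_gat")


@dataclass
class PageFacts:
    buttons: List[str] = field(default_factory=list)  # lower-cased button/anchor labels
    scripts: List[str] = field(default_factory=list)  # external script URLs


class BannerParser(HTMLParser):
    """Collects clickable control labels and script sources from one fetched page."""

    def __init__(self) -> None:
        super().__init__()
        self.facts = PageFacts()
        self._label: List[str] = []
        self._in_control = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.facts.scripts.append(a["src"])
        if tag == "button" or (tag == "a" and a.get("role") == "button"):
            self._in_control, self._label = True, []

    def handle_endtag(self, tag):
        if self._in_control and tag in ("button", "a"):
            self.facts.buttons.append(" ".join("".join(self._label).split()).lower())
            self._in_control = False

    def handle_data(self, data):
        if self._in_control:
            self._label.append(data)


def scan(html: str, cookies_on_load: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one page; an empty list means nothing flagged."""
    parser = BannerParser()
    parser.feed(html)
    facts = parser.facts
    findings: List[str] = []

    # Decline must be as easy as accept: an accept control with no decline control is flagged.
    accept = [b for b in facts.buttons if ACCEPT_RE.search(b)]
    reject = [b for b in facts.buttons if REJECT_RE.search(b)]
    if accept and not reject:
        findings.append(f"accept control {accept} with no decline control")

    # Analytics cookies present in the jar right after the first response, i.e. before consent.
    early = sorted(n for n in cookies_on_load if n.startswith(ANALYTICS_PREFIXES))
    if early:
        findings.append(f"analytics cookies set before any choice: {early}")

    # Known consent-management vendors are only listed for a human to review the configuration.
    vendors = sorted({h for h in CMP_HOSTS for s in facts.scripts if h in s})
    if vendors:
        findings.append(f"consent-management vendor loaded, review manually: {vendors}")
    return findings


# Constructed sample pages and cookie jars standing in for scraper output (not real sites).
PAGE_ASYMMETRIC = """
<html><head><script src="https://consent.trustarc.com/notice"></script></head>
<body><div id="banner">We value your privacy.
<button>Accept all</button><a role="button" href="/prefs">Manage preferences</a>
</div></body></html>"""
COOKIES_ASYMMETRIC = {"_ga": "GA1.2.1", "_gid": "GA1.2.2", "session": "abc"}

PAGE_SYMMETRIC = """
<html><body><div id="banner">We use cookies.
<button>Accept all</button><button>Reject all</button></div></body></html>"""
COOKIES_SYMMETRIC = {"session": "abc"}

if __name__ == "__main__":
    for name, page, jar in (("asymmetric", PAGE_ASYMMETRIC, COOKIES_ASYMMETRIC),
                            ("symmetric", PAGE_SYMMETRIC, COOKIES_SYMMETRIC)):
        print(name, scan(page, jar) or ["no findings"])
```

In a real crawl the HTML would come from the first uncredentialed response to each site and `cookies_on_load` from the client's cookie jar after that response, so that anything already set is by definition pre-consent. The label heuristics will miss localized or image-only buttons; the point is triage at scale, with a human deciding what is actually in breach.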

[+] ianlevesque|5 years ago|reply
Just pair them with cookie notices for extra effectiveness!
[+] briandear|5 years ago|reply
Right up there with emails from software companies with “our response to Covid-19.”

You are a software company. Unless the server has the virus, I really don’t care.

[+] Causality1|5 years ago|reply
Indeed. Frankly I miss the days when my popups had breasts in them.
[+] tjoff|5 years ago|reply
Disrespectful web developers have become the bane of my life.

Be thankful that GDPR exposes them, and look for alternatives.

[+] MattGaiser|5 years ago|reply
Has anyone beyond big tech actually figured out what the rules are yet?
[+] m12k|5 years ago|reply
Informally, EU citizens own their personal data, and only ever grant revocable licenses to it.

More precisely, to collect any personally identifiable information (PII) of an EU citizen, you need their consent. PII includes things like name and email, but also anything like an IP address that can be used to "unmask" a person. Consent must be freely given and can be withdrawn at any time. If requested by a citizen, you must turn over or delete any PII of the inquirer. You must do your best to keep the PII safe and follow security best practices, and in case of a data breach you must inform the data authorities and affected citizens. You may only ever hand over data to other companies (sub-processors) if you have a contract guaranteeing that they will also abide by the above constraints (nice little GPL-esque twist there).

I hate the barrage of popups from websites trying to weasel out of it in order to continue business as usual with ad-tracking. But at its core, the GDPR is actually a pretty good piece of legislation - we now have a right to be forgotten anywhere.

[+] legitster|5 years ago|reply
Big tech hasn't figured it out either.
[+] yummybear|5 years ago|reply
What makes you think big tech follows the rules?
[+] Nextgrid|5 years ago|reply
The rules are very clear once you look past the fear-mongering. Don't stalk people, and if you want to stalk them you need to ask them nicely and allow them to decline. Don't be careless with user data so you minimize the likelihood of a breach, and if you do get breached then report it to the regulator and cooperate with them.

In fact, "big tech" has figured out how to get around the rules by exploiting the lack of enforcement. The majority of big tech is knowingly not GDPR-compliant.

[+] moksly|5 years ago|reply
I work as a developer in the European public sector; we already took privacy and security rather seriously because the laws governing it had always been, and still are, tougher than the GDPR.

I actually like that the EU is doing something, and I guess this is the best you get from a bureaucracy, but what it’s changed is that we document everything. Whenever I build anything that moves privacy data, even if it’s just hooking up a new system to our ADFS which accesses employee names, I need to fill out 4 forms and write a risk assessment. It all goes somewhere I suppose, I’m not sure because once I file them I never hear anything about it unless my wording wasn’t good enough.

As far as security goes, it hasn't actually changed anything. I guess it does if you weren't taking security very seriously before, but the idea that we as developers will think about security first or design better systems if a bunch of lawyers force us to fill out forms and write essays on what can go wrong... I just can't wrap my head around why anyone would actually believe that stuff.

Like I said, it’s a great idea, on paper, but the bureaucracy that is enforcing it is just so clueless. Passing inspections is more about having the right answers and documentation than having actual security, so it’s no wonder that the outcome is full of mixed signals and weird enforcement.

Still better than nothing, in my opinion, and it’ll probably get better with time.

[+] ThePhysicist|5 years ago|reply
Not sure why this is getting downvoted, seems to be a perfectly reasonable point?
[+] lmkg|5 years ago|reply
There is a privacy benefit to adding friction to spreading personal data around everywhere. At the margin, some services will decide not to bother processing non-essential personal data just to avoid the paperwork. And really, that's one of the excesses that GDPR was a reaction to: the "default" was "track everything in case the data magically becomes valuable," and now it's become "perhaps not."
[+] hypersoar|5 years ago|reply
The fears about GDPR when it passed, if I remember correctly, were mainly around arbitrary draconian enforcement. This article seems to only be talking about under enforcement. The causes of this under enforcement seem fixable. Ireland, putatively afraid of the big tech companies choosing to put their Europe HQs elsewhere, has been dragging their feet on privacy investigations. But the investigations are happening. Then there are some countries not putting enough money into it. The rest seems to be the various countries not being in alignment. For a sweeping, two-year-old regulation that has spent about an eighth of its life in the time of a major global crisis, this doesn't strike me as all that shocking.

Does anyone have any actual examples of draconian fines being handed out for good-faith misunderstandings of the regulation? Big Tech has professed confusion over how they're supposed to comply, but it seems to me like they would simply prefer not to.

[+] duxup|5 years ago|reply
I think GDPR has its heart in the right place.

I don't think it really helps, and I suspect that is because users themselves really don't know what is actually happening behind the scenes, and no amount of banners or other things changes their level of knowledge.

And I fear even if they know, users don't care and are happy to click past a banner / trade their privacy for free things.

GDPR seems to play out as a strangely legally mechanical beast that people are largely disconnected from.

[+] buboard|5 years ago|reply
> users don't care and are happy to click past a banner / trade their privacy for free things.

Are we discounting the possibility that users make a rational choice that we happen not to like?

[+] Nextgrid|5 years ago|reply
> users don't care and are happy to click past a banner / trade their privacy for free things.

The GDPR explicitly mandates that consent should be freely given (it should not be more difficult to decline than to accept) and that consent should be informed, so you can't bury the information in 30 pages of ToS or privacy policies.

The problem is that there is currently zero enforcement around those things. I'd argue that this is very bad for the intent of the law because even when enforcement starts happening and declining consent becomes possible users would've already been trained to just click accept to everything.

[+] jsmith45|5 years ago|reply
GDPR is poorly designed. It deliberately uses super vague and imprecise wording. That is bad enough when operating in a common-law legal system where that is the norm. It is inexcusable in the civil-law system that much of Europe operates in.

Consider that you offer users the ability to voluntarily submit reviews of restaurants. One reviewer complained that a person seated at the table next to them was excessively noisy, and that upon asking the waitstaff to do something about it, they did nothing.

It is actually entirely plausible for a company like Facebook to have enough information to be able to determine exactly who that other person is, given that review. For example if say both posted images of their receipts to Instagram. Why would they do that? Beats me, but plenty of people do things like that. Under a wide but not at all implausible reading of the personal information definition in the GDPR, that review qualifies as personal data of the person at the other table. The definition of personal data is "any information relating to an identified or identifiable natural person". And that review does include information about a natural person, and we have shown that the person is theoretically identifiable by Facebook.

This means if that other person asks for all their personal info from the site, technically that review should be included. But most likely even Facebook does not yet have the ability to automatically identify this other individual. However, the regulation does not specify any applicable exception, so if you fail to turn over that data (despite having no way of knowing that review pertains to this specific individual), the supervisory authority could still legally fine you.

Would you ever be fined for that? No of course not. Strictly speaking nothing in the wording of the regulation would prevent them from doing so. But obviously they have so many bigger concerns, and are unlikely to bother interpreting things so widely.

After all, there is not a single large company that operates in Europe that is fully compliant with the GDPR if interpreted widely. There quite simply cannot be, since the costs of actually identifying everything that could count as personal data under a wide interpretation and ensuring the company can always look up 100% of it without ever missing any would bankrupt every such large company.

And that is only touching on one little aspect of the GDPR, and one that is unlikely to actually be a major deal. Much worse is how vague the "legitimate interests" reason for processing is. That is the reason that many companies are relying on for much of their processing, and nobody can say with any certainty what cases are included in that and what are not.

So obviously the best the companies can do is attempt to follow the spirit of the regulation rather than the letter. But of course, if you do that, you cannot be entirely sure the regulators will agree with you.

[+] AndrewUnmuted|5 years ago|reply
> GDPR has its heart in the right place

I'm not sure we can jump to that conclusion. If the outcome of the GDPR was bewilderingly out of left field, and totally unpredictable, perhaps we could pass this off as being a big-hearted failure.

The thing that I struggle to get past, though, is just how many of us warned of these outcomes _before_ the regulations were implemented.

I fear very few had their heart in the right place. After all, it's pretty evident now that those of us who saw this as a corporate effort to erect unnatural barriers to entry were correct. The people who designed the GDPR aren't idiots; they knew what they were doing too.

[+] stevenbruce569|5 years ago|reply
I'm happy to see this as the top post on Hacker News, though would wonder if anyone would be able to provide me with a summary of the article since $399 is a bit steep for me (as in, I can afford it, but it's obviously WAY too much for what's promised by the title).

I'd also be interested in case anyone has any thoughts on what the short or long-term outcome of the situation would be. Come to think of it, I'd like it if someone could give me a rough outline of GDPR at all.

I'm a software developer working in Britain, and I reckon the local consequences are "the lawyers make lots of money", but am always keen to hear other viewpoints.

[+] Nextgrid|5 years ago|reply
At the moment, lawyers and all the scummy industry around the GDPR (whether it's advice/consulting or "consent management") are indeed the only ones making the money.

There is very little enforcement and flawed solutions from the aforementioned industry are allowed to proliferate despite not actually being compliant (the majority of "consent management" solutions are in breach, so they are making money while not even helping their client become compliant).

[+] ashton314|5 years ago|reply
We value your privacy. Like, it's valuable. We sell it for money. We're going to nag you until you click this button so we can't get in trouble for profiting off the data you give us.

Good legislation is important to let us penalize bad actors—does any one know of any accounts of some bad actors getting stopped by the GDPR?

What do you guys think: are there laws that should be in place to incentivize privacy-preserving tools?

[+] Nextgrid|5 years ago|reply
> We're going to nag you until you click this button so we can't get in trouble for profiting off the data you give us.

That is explicitly against the regulation. Consent should be freely given otherwise it's invalid.

The problem is that there is no enforcement around this (despite it being very easy to detect this behavior at scale by running a web scraper) so they keep doing it and profiting off it.

[+] justignoregdpr|5 years ago|reply
Guys, we have a lot of European customers and we completely ignored GDPR rules. After it was introduced, only 2 potential customers asked us about it and we just moved their emails to trash. Not worth the hassle! There is nothing they can do anyway to force it if you are not living within the EU (unless there is a special agreement between your country and EU). I even know some startups who are located within the EU, but still don't care about GDPR :D
[+] HissingMachine|5 years ago|reply
This has been a constant headache: not the rules or how to apply them, but our customers still act like there isn't such a thing as GDPR, and actively demand, DEMAND, that we put in place functionality that is in clear violation of GDPR, and when you try to inform them and explain how things work they get mad at me and threaten that they will get a more professional shop to do things for them. *shrugs*
[+] luckylion|5 years ago|reply
Given that enforcement would have to be stepped up considerably to even be called selective, compliance means your competition has a large advantage.
[+] schrototo|5 years ago|reply
The worst effect the GDPR had was on offline bureaucracy. "Data protection" has become the go-to excuse for blocking every single goddamn thing.
[+] hindsightbias|5 years ago|reply
Beyond the impact of crushing knowledge transfer, it’s going to kill a lot of people.

In companies with world-wide products/solutions/support, older employees tend to have a broad base of knowledge and learning from being exposed to all customer experiences and issues. Now everything is in a protected silo, and new employees will only learn through a soda-straw looking glass. Older employees are learning to say "not my problem" when getting cleared to look at something overseas, because there are 3 layers of data protection officers and it can't be proven there's not 1 bit of PPD in that 10GB dump.

Some day soon, an industrial or other large-scale accident will kill people and someone in the back office will say “That team didn’t know about X? Doh!”

[+] paulie_a|5 years ago|reply
Personally I am just annoyed by the cookie warning on every site. GDPR does not apply to vast portions of the internet.
[+] justignoregdpr|5 years ago|reply
If you use an ad blocker, you can add the list called "EasyList Cookie" and it will remove some of the annoying cookie notifications, but even with that list a lot of cookie notifications will still be shown.
[+] emilfihlman|5 years ago|reply
GDPR was known to be, is known to be, and will be known to be a shit law that's not tied to reality. It did have some good (allowing you to know what they have on you in general, and asking them to delete some of that), but the rest is just bad, bad, bad.

I wish people would be rational when supporting privacy increasing things. GDPR could have been much better and it saddens me that it was ruined, and defended by, zealots.

[+] emilfihlman|5 years ago|reply
A person commented and asked me about suggestions, but deleted his comment before I could answer so here it is anyways:

Super quickly (I'm sure you have heard of, or can quickly use a search engine to find the commonly listed issues):

Damages: damages need to be scaled according to the company size, severity and amount. GDPR was created to punish Big Players, but the wording that would have fit them is equally (and should be, laws should be equal) applied to small companies resulting in an impedance mismatch. Frankly, the damages are too small for the Big Players, but insane to the small ones. GDPR also does not apply to the state, but holy shit it fucking should!

Enforcement: it needs to be equally enforced and you need to be able to sue by yourself over it instead of just limiting it to a state organisation.

Data: it should be data that is directly tied to you, ie leave the normal web logs etc out of it. PII is just a sham as it's defined today. A factor of usage also needs to play into it, ie normal web server ip logs that are separate and don't feed into a user specific connection into a database should not be a consideration.

Access: access _needs_ to be possible online if the data is collected or transferred online. I.e. none of this "you need to physically mail us a certified letter with your ID" shit. GDPR is a fucking failure in this aspect. Also no required strong authentication: access should be directly through the account you can normally access without strong authentication.

Usage: GDPR does not allow you to trade tracking for access (i.e. monetisation of content is almost impossible if you care about user privacy): this is insane. GDPR also supposedly does not allow those complicated "accept all or modify your preferences" windows, but it should have no say in that: if a site wants to make the experience painful, that's up to them. It is up to the user to decide whether they want to use that site or not.

[+] Romanulus|5 years ago|reply
Who could have predicted that an overarching government program to control and regulate content on the internet is failing?
[+] legitster|5 years ago|reply
It is worth pointing out GDPR is really two sets of laws - one around data security and breaches, and another set of laws around privacy. It's the second set of laws that get the most criticism for their opaqueness, but I don't know if they are better or worse than the first.

They probably should have held off completely on the second set - the upcoming ePrivacy regulations are promised to actually do something, rather than just provide a really frustrating and opaque set of consent guidelines.

As it is now, the law doesn't require anyone to actually stop what they are doing. The only difference now is you have to retain a lawyer to do it.