
This all is a reflection of the old talks about the costs of doing technical things right. One way of looking at them is that if something works for business, we should not pursue better software architecture or improve security or usability. Another way is to analyze and estimate the technical debt and eventually start paying it. This is exactly what happens with privacy now: business may cry about "removed incentives", "prohibiting costs", "eliminated opportunities" and other BS, but in the end it's just a compliance debt that they are not willing to pay. GDPR identified that debt and the mechanisms for claiming it, that's it. After the dust settles, there will be plenty of best practices and educated people which will make compliance easy, certain business models unpractical and the business will go as usual. Yes, compliance isn't a piece of cake, but there's nothing written in that law which a sane engineer or manager would not implement. Even the right to be forgotten makes sense: information about past crimes distributed via search is a kind of extrajudicial punishment which makes it much harder for people who already served their sentence to find a job and return to normal life. It's a job of a government to prevent them from committing another crime, it's not a job of a search engine or a news website.


I don't think it's the goal of privacy or the tech that caused the costs to be so high. Probably more related to the ambiguity of the law.


I don't think the law is ambiguous. It's usually the situation when GDPR is already violated or going to be violated and the data processor wants to find the least expensive solution to reduce the risks. In other words, it's not "How should we do it?", but rather "How difficult will it be to challenge our solution X in court? What are our chances to win?" THIS is ambiguous, but it's the same with any regulation.


The regulation is very ambiguous.

Try to understand what is even personal data from this:

https://ico.org.uk/for-organisations/guide-to-data-protectio...

It is all about risk, ambiguity and individual circumstances. I don't think that is bad, but there is no clear record of what it even is we are meant to protect.


It is and it isn't.

If you're in the business of "doing free services so you can skim GB's of data from users" or you "sell wholesale data collected without notice", the EU doesn't want you.

If you're doing a good job of keeping user data private except at the direct request of a user in a plain-language direct permission, then you're doing a good job to the GDPR. Slipups happen, and as long as you do your best to stop the bad thing, limit the breach, notify users, and be a good steward for their data, then it's all good.

As a US citizen, I try to make a point to only work with companies that adhere to the GDPR. I know they don't have to do so with me. But it tells me their internal processes are set up to respect the user's rights. And well, running dual systems for different compliance regimes is a tough sell - it's easier to do 1 big system.


> as long as you do your best to stop the bad thing, limit the breach, notify users, and be a good steward for their data, then it's all good

If that regulator happens to like you. There is no schedule of offenses and penalties and due process, only an absurdly high maximum for selective enforcement.


And there are a lot of regulators. Some of them a lot more combative than others. That is my main reason for dislike for the regulations.

Overall I support the regulations, but I really wish the penalties had more documented structure than “We will fine you anywhere from 0 to an 8 digit number (in our case) depending on what we think is right”.


The negative outcome of more specific fines is that they get progressively easier to circumvent.


There is due process. If you think a regulator's decision was illegal, you can escalate to the courts. Some member states may not have the best justice system, but that's what the ECJ is for.

There is no explicit schedule – that could be gamed – but that doesn't mean regulators can act arbitrarily. Punishments have to be proportional to the infraction, similar cases have to be treated similarly... The GDPR just does not spell out how public authorities work.

It actually does say that punishments have to be proportional IIRC. I'm not sure if that actually makes a legal difference or if it was included to make the GDPR easier to understand.


And you pay for the lawsuit out of your own pocket. Now you need to run a business and fight a very expensive legal battle against the government. That same government that regulates your business.


>And you pay for the lawsuit out of your own pocket.

Only if you lose.

> very expensive legal battle

EU ≠ USA

>That same government that regulates your business.

So what? If you have a grievance with an entity, that's the entity you have to fight a lawsuit against.


Are you sure you only pay if you lose?

>EU ≠ USA

I don't see why this changes anything. Lawyers still cost a lot of money. They might not seem like they cost a lot of money to Americans, but that's because Americans earn a lot more money.

>So what? If you have a grievance with an entity, that's the entity you have to fight a lawsuit against.

One of the grievances people have against GDPR is that they don't like how GDPR's enforcement depends so much on the individual person at DPAs. You'll still have to deal with the person afterwards that you sued.


> Are you sure you only pay if you lose?

Yes. Each party paying their own fees is a uniquely American thing.

> I don't see why this changes anything. Lawyers still cost a lot of money.

Prohibitively high lawyer fees are a uniquely American thing. The ECHR guarantees practical and effective access to the courts.

> One of the grievances people have against GDPR is that they don't like how GDPR's enforcement depends so much on the individual person at DPAs. You'll still have to deal with the person afterwards that you sued.

That Americans have against the GDPR. Given that the people who actually have experience with European authorities and law don't see these issues, it's very likely they don't exist.

You don't necessarily have to deal with the same person. Even if a DPA always assigns the same person to you, there is no oversight, that person is petty and cares more about harming you than about their job: We have rule of law and a functioning court system. And I can't help but find these continuing insinuations that we don't pretty insulting.


Precisely this. The cost and complexity of complying with GDPR is directly proportional to the scale and complexity of your data processing operations. If you comply with the principles of the legislation - collect the minimum possible amount of data, store it for the minimum possible time and process it only in ways that are essential - then compliance is very straightforward. Things only become ambiguous when you're trying to do something that the GDPR doesn't want you to do.


What's written on that web page is clear enough for me and it's the same as my own understanding of personal data. It is rather abstract and I can admit that it may not be easy to understand for others without some good examples. But it's a complicated topic in general, that has to be studied beyond reading a single article or text of EU law.


What is your opinion based on? Have you both read the law and attempted to bring an organization into compliance with it?

I have, and it is definitely ambiguous. To take a simple example, consider all of the cookie warnings that you now see. Intelligent and informed people disagree on whether they are required, enforceable, or sufficient.


I have to deal with compliance on a daily basis. Cookie warning is a usually misunderstood idea of having user consent for storing and retrieving information from his device. The law applies to the local storage and other similar solutions too, and it is the intention to use this data that has to be explained if it’s not one of legitimate purposes for which consent is not required (e.g. session id cookies and auth. tokens). Since it is mandatory, it becomes a UX topic, not a legal one - how exactly to integrate the collection of consent to all possible landing pages of your website so that the user will be informed about it prior to any data processing.


This law has been in effect in the form of various national laws for over a decade. GDPR is only slightly different from Swedish national Data Protection Law, for example. So yes, this is entirely the tech’s fault and debt. We as an industry have ignored these laws for too long, and are now crying because the debt is being collected. Boo hoo. Cry me a river.


You have to admire the EU's gumption: forcing the payment of technical debt with GDPR, and forcing us to face the hard reality of copyright law with Article 13 (hopefully leading us to abolish it after realizing how ridiculous it is when seriously upheld).

There's something so naive or earnestly human about them. If the U.S. kept being the only relevant legal force on the Western Internet, we'd mull around in gray areas forever.


On the side of where all the internet platforms are from, it is the US that's relevant. Maybe it's not a coincidence that the EU doesn't produce many internet platforms that are good?


And you attribute this to regulations rather than the ground truth that the EU is a hodge-podge of very different cultures, countries, languages and laws that only recently implemented a shared currency, and is totally unlike the huge, wealthy and comparably homogenous market that is the USA?


The scope of what is "personal data" under GDPR is much broader than you are assuming, you are only considering the obvious, simple cases.

It also covers an astonishing amount of industrial sensor data used solely for industrial purposes. Unfortunately, for many high-scale industrial sensor data models the technical infrastructure required for compliance literally does not exist. In some cases we don't even have the computer science required to build the compliance infrastructure. But the vast majority of people would be very upset if the business model of some of these companies became "unpractical" and had to go away because GDPR compliance is effectively impossible. No amount of trying to do the "right thing" will make these industrial companies compliant.

There is a gross misconception that GDPR only affects ad tech companies or retail or companies with business models involving people. This is far from the case.


Can you point to something which supports this claim?

In all of my reading it's been personal data, and definitely wouldn't apply to the things people would usually associate with "industrial sensors" eg. Carbon monoxide levels in a space, or even occupancy data (eg. for lighting/HVAC control) so long as it simply reflects whether an area within a building is occupied.

What's the specific requirement, and what makes it unattainable?


The position taken by every legal team I've worked with is fairly simple: if a sensor platform allows you to incidentally detect the existence of an unidentified individual at a point in space and time, then that sensor generates "personal data". The reason for this is that it is well-known that it is possible to analytically reconstruct the identity of individuals detectable this way with sufficient data. This is consistent with e.g. how ad tech data is treated under GDPR, so it is typically used as the standard for determining if industrial sensing platform data is "personal".

What people don't immediately grok is (1) just how many industrial sensor systems there are these days operated by diverse organizations -- almost every sensor type on an autonomous car, for example, is also widely used in many other industrial contexts, (2) the scale of sensor coverage in most places people occupy indoors and outdoors, which is far beyond what they typically imagine, and (3) how many of these sensors can be used to incidentally identify the presence of a person at a place and time, sometimes in very non-obvious ways. A single sample from a single sensor may not be identifiable but multiple samples from multiple sensor modalities often is. And the sensor modalities used for industrial sensor systems are increasing in diversity and resolution very quickly, which makes it even easier.

Humans perturb the environment they move through, and we have enough environmental sensors now that we can often track those perturbations across the sensor modalities to create a fingerprint. People have a difficult time imagining how easy this can be in practice until they've seen it done.


Thank you for this very interesting example! However applying this regulation to industrial sensors then is still the only right thing to do. Technical progress must be constrained by the speed with which society can adapt to it and by all the related concerns: if there’s lack of understanding on how to make the technology compliant or there are complications, it’s just that the cost of the technology appeared to be higher than anticipated. Business has to deal with it, just like in all similar situations - see hardware vulnerabilities in Intel chips for instance.


What you're saying makes sense, and I still agree with the GDPR. For example:

Power is used by a house. The meter runs. You pay the bill. The house has an address and a point of contact.

Power is used by the house. Machine learning is applied to map each individual and how they live in said house. The data is then sold to target things the ML algo picked up. You pay the bill. The house has an address and a point of contact, along with a detailed profile of each human in said domicile.

Same sensors exist, yet one violates the GDPR and the other one does not. Can you guess which one?



