> EU data protection authorities find that the consent popups that plagued Europeans for years are illegal. All data collected through them must be deleted. This decision impacts Google’s, Amazon’s and Microsoft’s online advertising businesses.
Laughable really. How the hell do you reconcile all this data and make the bean counters happy that yes: this is the data we collected through the popups over the years.
This comment is being downvoted but I’m also wondering: how will this be enforced? Will authorities go and audit the data? How will they know where to look? Etc.
“Hey did you delete the data?”
“Yes, we deleted it”
would, indeed, be laughable. This is not to mention the problem of identifying “the data” which has certainly now been processed ad nauseam. I think the reason companies don’t take these things seriously is because they know they’ll get away with it, one way or another. You can’t expect to enforce any of this if you don’t also legislate the technical specifics of how data must be collected, stored and processed so that its provenance is maintained.
> how will this be enforced? Will authorities go and audit the data? How will they know where to look? Etc. “Hey did you delete the data?” “Yes, we deleted it” would, indeed, be laughable.
If you're not familiar with Northern European culture, I'm quite sure the companies can expect literal inspectors in their offices expecting clear answers to where the data is and what was done with it. They will be pleasant but firm, focused and unswerving. Infractions and evasions will be carefully noted. These notes will then form the basis of further lawsuits. These people are not fucking around.
> If you're not familiar with Northern European culture, I'm quite sure the companies can expect literal inspectors in their offices expecting clear answers to where the data is and what was done with it.
I'm fine with the state as my representative physically shutting down and fining companies that without consent collect data on me and my loved ones. So, no overreach.
How well-versed are they in file systems, database schemas? Will they look at source code? Will they understand it? How will they determine what data came from where?
All EU countries have a Data Protection Authority org, so yes the inspectors will have the capabilities to carry out these things.
Also this is not criminal law where someone is innocent until proven otherwise. Companies have to prove themselves that they comply with the law. Like food companies have to log cleaning to show they follow the food regulations, as one example.
How is anything enforced? I don't see this as much different from anything else that companies have to comply with. You can never reach 100% certainty that anyone complies with the law. Be it GDPR, work environment law, product health req, etc.
You do inspections. You demand proofs of compliance, and when said proofs are deemed inadequate you sanction them until something adequate is provided.
Like everything else with law, it's fuzzy and ongoing.
If you run a company that violates the GDPR, you might get sued and have to pay some fines. This is a calculated risk taken by many executives.
If you then get a letter from the regulator stating that you were in violation, and have to delete some data, and you answer that you did, and signed it -- then you're likely up to criminal charges if that was a lie.
This is not a line most executives are comfortable with crossing.
If any subsequent GDPR shenanigans come up, and they found you intentionally lied to the regulators, you're in some deep shit.
There might or might not be auditors visiting you after the first letter. If you lie and are found out, your career is over, and you might wind up in prison.
It's not perfect for enforcing privacy, but it's much better than not having such a ruling.
> There might or might not be auditors visiting you after the first letter.
The ICO in the UK doesn't work like that, AFAIAA. You first get a polite letter; then a firmer letter containing helpful advice on how to come into compliance.
After that, you join a huge queue of companies awaiting legal enforcement action. The ICO is deliberately underfunded; it always has been. The government passed data protection laws, but they reserved the power of enforcement to an agency that was crippled from the start.
I welcome this court decision, obviously.
[Edit] Most of the penalties levied by the UK ICO used to be against local governments and government agencies. They were rarely against commercial operations. I see that there are some companies (that I've never heard of) now appearing in the list.
You can enforce it by feeding a system with data, then checking if the data is in the system (e.g. by trying to buy the data, or pretending to be an advertiser).
Businesses cooking the books and lying to auditors is a tradition as old as time.
Enforcement isn't the real crux of the issue, it's that for some reason it's uncouth to come out and say: this regulation is targeting known liars that we should expect to ratfuck the system as hard as possible.
If that was the commonly accepted understanding of those conmen, enforcement methodology would get solved quickly. Which is why they work so hard to not be seen as ratfuckers.
Nobody's going to check that all the collected data has been deleted. But if it turns out that someone has retained data about me (or any other individual) that they claimed to have deleted, then they're in violation of a clear court order, and are eligible to be clobbered with a fine.
Well, that's their problem. They must delete the data or face legal consequences. That should act as a deterrent to future "too smart for their own good" ad people.