A critical reflection on GDPR


  • Banned

    @ben_lubar said in A critical reflection on GDPR:

    @pjh by the way, what does this entire thing fix apart from "users are not trained well enough to dismiss dialogues without reading them"?

    Are you asking what it's SUPPOSED to fix, or about actual effects?



  • @gąska said in A critical reflection on GDPR:

    @ben_lubar said in A critical reflection on GDPR:

    @pjh by the way, what does this entire thing fix apart from "users are not trained well enough to dismiss dialogues without reading them"?

    Are you asking what it's SUPPOSED to fix, or about actual effects?

    I'll accept the answer to either interpretation of my question. Preferably both.


  • Discourse touched me in a no-no place

    @ben_lubar said in A critical reflection on GDPR:

    @gąska said in A critical reflection on GDPR:

    @ben_lubar said in A critical reflection on GDPR:

    @pjh by the way, what does this entire thing fix apart from "users are not trained well enough to dismiss dialogues without reading them"?

    Are you asking what it's SUPPOSED to fix, or about actual effects?

    I'll accept the answer to either interpretation of my question. Preferably both.

    1. Legal cosh to hit spammers ('legitimate businesses in the EU') with.
    2. Bugger all.


  • @ben_lubar said in A critical reflection on GDPR:

    @pjh by the way, what does this entire thing fix apart from "users are not trained well enough to dismiss dialogues without reading them"?

    It trains politicians to write even more laws that are impossible to apply correctly (i.e. not only technically correctly, but even to follow the intent of the law). It therefore trains people to ignore what politicians are doing, and gives more fodder for the "gubernment is Evaahl!11!" crowd. On the other side, it trains the snowflakes of the day to keep pestering politicians to get laws tailor-made for their tiny concern.

    But that's how our societies work now, so overall, it doesn't change anything.


  • Considered Harmful

    @remi said in A critical reflection on GDPR:

    But that's how our societies work

    Maybe for the euros. Over in the US we're enjoying our nice comfy bed of small government.



  • @pie_flavor said in A critical reflection on GDPR:

    @remi said in A critical reflection on GDPR:

    But that's how our societies work

    Maybe for the euros. Over in the US we're enjoying our nice comfy bed of small government.

    Sure, keep thinking that. Tell me that you don't have laws written by out-of-touch politicians. Laws that are technically impossible to apply. Laws whose intent is impossible to follow. Tons of people who treat politicians as leeches and nothing more. "Gubernment is Evaahl!11!" crowd. Tons of special interest groups screaming as loud as they can to get laws for their own interest and fuck the rest.

    If you think none of these are happening in the US, well, can I interest you in a nice bridge?


  • Considered Harmful

    @remi We have laws written by out of touch politicians occasionally, but not to the extent you're describing. We don't have laws that are impossible to apply AFAIK. We don't have laws whose intent is impossible to follow. People treating politicians as leeches is a problem with the people, not with the politicians. Our 'Gubbermint is Evaahl!11!' crowd is what makes sure the government stays small. The special interest groups can scream as loud as they want to but unless they can actually get significant petitions together it doesn't really accomplish anything. What the hell do I want a bridge for?



  • @ben_lubar said in A critical reflection on GDPR:

    @pjh by the way, what does this entire thing fix apart from "users are not trained well enough to dismiss dialogues without reading them"?

    The current flurry of emails about mailing-lists is a one-off. They're a consequence of a change in how personal details can be collected, so that people now have to opt-in rather than opt-out and have to be told what an organisation will do with their information. It means that in a week's time companies will have to delete millions of records of people who didn't opt in again - that's a one-off benefit. (i.e. the average user who hates clicking through legalese and ignores the emails will be opted-out by default)

    For an individual this is a positive change - it will cut down on the amount of spam-advertising they receive from companies they once did business with.

    The legislation is complex - but that's because it has to deal with lots of grotty little companies that want to do various evil things with customer data and will squirm around to find every loop-hole they possibly can. For the average EU citizen that's a good thing - it's not complex for me but it's marginally more complex for a company that wants to spam me.

    For companies operating across national borders, having a common set of personal-data regulations will simplify things (rather than dealing with a myriad of slightly different national laws) so could end up being cheaper once the new processes are established.



  • @pie_flavor We're not in the garage so I'll refrain from being snarky, and I'm not really motivated to give you detailed counter-examples, but if you think that Europe is significantly worse than the US when it comes to how laws are written and applied and how people see politicians in general, I think you are greatly mistaken.


  • Banned

    @remi USA is not perfect, but EU is absolutely much worse in this regard.


  • BINNED

    @pie_flavor There's nothing about the US government that I'd describe as "small" - its spending is 36% of your country's GDP, which is comparable with Australia and higher than Switzerland. Regarding laws, well...

    https://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229



  • @gąska Depends whether you're talking about the EU or individual countries in the EU. The first one, yeah, I would agree with you, there are some fundamental flaws in it. The second one... depends on the countries, but those I know are very similar to what I know of the US.


  • ♿ (Parody)

    @pie_flavor said in A critical reflection on GDPR:

    @remi said in A critical reflection on GDPR:

    But that's how our societies work

    Maybe for the euros. Over in the US we're enjoying our nice comfy bed of small government.

    Welcome to the 21st Century, time pod traveler!


  • ♿ (Parody)

    @remi said in A critical reflection on GDPR:

    "Gubernment is Evaahl!11!" crowd.

    That "l" gets hidden between the "h" and the "!" so that looked like "Evah!" to me, which made my brain want to switch the "is" for a "4" to make it "Guberment 4 Evah!!!". And it was really confusing because it just didn't fit with what you seemed to be saying.


  • ♿ (Parody)

    @japonicus said in A critical reflection on GDPR:

    They're a consequence of a change in how personal details can be collected, so that people now have to opt-in rather than opt-out and have to be ~~told~~ ignore and click through a dialog regarding what an organisation will do with their information.



  • Here's an interesting take:

    Someone enters a religious order as a postulant or novice. His noviciate is terminated for some wrongdoing (such as sexual harassment). After some years, he applies to a seminary to become a priest. The seminary asks the order what the reason for his termination was, because it might disqualify him from becoming a priest.

    Under the GDPR, can he request the deletion of his story from the records of the order?



  • @marczellm My guess is that former employers would be constrained in what information can be revealed without consent.

    The bigger issue with your scenario though is that it sounds far too close to the dubious stuff that religious groups (of all types) have done for too long - covering up serious wrong-doing and 'handling' it internally.

    The simple resolution of your scenario is to say that either the misdemeanour was trivial (and should therefore not have bearing on his future employment) or if it was serious enough to deserve barring him then it ought to have been reported to and investigated by public law enforcement from the outset - in which case a whole different set of data laws apply.

    Data protection law is supposed to guard against employee blacklisting e.g. secret accusations that hang over someone forever and which can't be resolved.


  • Discourse touched me in a no-no place

    @boomzilla said in A critical reflection on GDPR:

    Welcome to the 21st Century, ~~time~~ tide pod traveler!

    Time and Tide Wait For No Man.


  • ♿ (Parody)

    @dkf said in A critical reflection on GDPR:

    @boomzilla said in A critical reflection on GDPR:
    Welcome to the 21st Century, ~~time~~ tide pod ~~traveler~~ eater!

    Time and Tide Wait For No Man.

    Sheesh.


  • Impossible Mission - B

    @blek said in A critical reflection on GDPR:

    https://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp/1594035229

    :rolleyes: Have you actually read it? It's full of examples of "common, everyday activities" that are actually illegal... that nobody actually does as part of their common, everyday lives, or pretty much ever for that matter.



  • @masonwheeler I stabbed that lady 30 times, turns out that was a felony?! What a crazy world.



  • It just occurred to me that small Euro-countries with crappy economies could actually make a business supplementing their tax revenue by finding and fining GDPR violations. The fines don't go to the EU, but to the government that brought the regulatory case.

    I predict in the next year we're going to see, for example, Greece start fining tech giants simply to fill their own coffers.



  • @blakeyrat There are small towns in the US that do that with speeding tickets (usually setting up huge swings in speed limit to prompt those tickets). And lots that get most of their revenue from nit-picking fines.

    Different incentives, but still kinda :wtf:



  • @benjamin-hall Correct, and I find that awful too.



  • @blakeyrat said in A critical reflection on GDPR:

    @benjamin-hall Correct, and I find that awful too.

    Yeah. Another example of that same horrible thing is civil forfeiture, especially when that money goes to the police department.



  • https://news.ycombinator.com/item?id=17095217

    This conversation on HackerNews is basically the same thing over and over again:

    GDPR Fan: "The law is super crystal clear and easy to comply with."
    Someone else: "What about (edge case)?"
    GDPR Fan: "Well you obviously misinterpreted it!!!"

    Me (reading this): "If it's so crystal clear, why are there so many people who apparently 'misinterpreted it'?"



  • @blakeyrat the same could be said of discussion of any legislative change.



  • @japonicus Yah but this one seems to have a really strong Freelance Government Policy Defense Squad out on all the forums for some reason. Do Euro-people really like the EU government that much?



  • @blakeyrat ~ 50% of Brits will be quite stridently pro-EU because of all the Brexit shit (a belated case of only appreciating what you have when you're going to lose it :sadface: ).

    More generally, this is legislation that is either neutral to or benefits individuals, and issues of personal data protection transcend traditional right-left political divides.

    It's mainly companies that have to deal with some bureaucracy or rethink their business model that will see some negatives.

    In practice I doubt GDPR will make much difference to anyone. On past experience of data protection rules, the regulators are paper-tigers who never enforce fines; the worst spammers operate from outside the EU or use disposable shell-companies and the mega-abusers of data (facebook etc.) have clever enough legal teams to dodge the thing.



  • @japonicus said in A critical reflection on GDPR:

    More generally, this is legislation that is either neutral to or benefits individuals,

    In the US, small businesses (aka businesses run by individuals who will be negatively impacted by GDPR if they even think about having a website) employ more people than large businesses that have the resources to easily comply with GDPR.

    If the goal here is to not impact individuals but to impact large business, I think the target was missed.

    Unless more Europeople work for large businesses than small, I suppose, but that seems unlikely.

    @japonicus said in A critical reflection on GDPR:

    It's mainly companies that have to deal with some bureaucracy or rethink their business model that will see some negatives.

    Your local Chinese restaurant needs to comply with this shit. They ain't got time for that; they got to get that order of mooshu pork out the door.

    But guess what? Yang's Chinese down the street, Yang's kind of an asshole, he's gonna report your local restaurant to your country's privacy board just to get an edge up on his business.

    I mean I'm coming from a US perspective, but I see lots and lots and lots of negatives to the law.

    (And BTW, companies are run by individuals. So you can't say it doesn't impact individuals but does impact companies, that's silly.)

    @japonicus said in A critical reflection on GDPR:

    On past experience of data protection rules, the regulators are paper-tigers who never enforce fines; the worst spammers operate from outside the EU or use disposable shell-companies and the mega-abusers of data (facebook etc.) have clever enough legal teams to dodge the thing.

    Yeah again, US perspective, but nobody here trusts the government to do the right thing. Sure you can "assure" me of this all you want, but the issue to me is that they have the power to levy those huge fines, and there's nothing in the text of the law saying they'll be generous towards small business, or that everybody gets a warning shot first. Nothing.

    "Just trust us, wink wink" isn't exactly the kind of risk assessment I'm looking for when it comes to deciding to do business in the EU.



    @blakeyrat GDPR increases the levels of theoretical fines significantly, but EU data protection laws are already quite strict and despite being routinely flouted virtually no-one is ever prosecuted (or even investigated) - the current fines (which can theoretically be up to £500 000 in the UK) are largely irrelevant, because the penalties are almost never applied.

    e.g. https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/05/record-fine-for-firm-behind-nearly-100-million-nuisance-calls/

    (note the bit where the regulator boasts that they fined a whole 23 companies in 2016 - a record high for them).

    I tried to get my employer (a small not-for-profit) to take GDPR seriously - they have made some minor tweaks but are probably still not compliant, no-one senior is paying attention (even the individual who, as the nominal 'data protection officer', might face some personal liability).


  • BINNED

    @japonicus So, the government has means to massively fuck you over using a stupid regulation that does absolutely nothing close to its stated purpose, but that's fine because they probably won't use it on you? That seems like a short-sighted approach.



  • @japonicus said in A critical reflection on GDPR:

    GDPR increases the levels of theoretical fines significantly, but EU data protection laws are already quite strict and despite being routinely flouted virtually no-one is ever prosecuted (or even investigated)

    Right but again, that's not written into the law. Which is the important bit.

    This is just another "hey just trust me, nudge, nudge" argument. Which is not the kind of thing that convinces business people, at least not in the US.



  • @blek said in A critical reflection on GDPR:

    @japonicus So, the government has means to massively fuck you over using a stupid regulation that does absolutely nothing close to its stated purpose, but that's fine because they probably won't use it on you? That seems like a short-sighted approach.

    No, not me as a private individual - I'm not at risk directly (and my employer would be a very small blip on the radar)

    I, like many (? most) people who are fed up with mis-use of data would be really happy if the rules were more stringently enforced. That would quickly make the most egregious offenders shut-up-shop and it's not that difficult for normal businesses (whose main operation is not spamming or data-sale) to comply.

    e.g.
    @blakeyrat said in A critical reflection on GDPR:

    Your local Chinese restaurant needs to comply with this shit.

    It's quite unlikely that a local restaurant is affected at all, but for the sake of argument let's assume they have a mailing list for news and special offers. To comply with GDPR the deadly-onerous thing they have to do is ask a customer if they want to be on the list; keep the list safe; don't sell the list and take that person off the list again if they ask. How dreadful. Obviously a governmental conspiracy. edit: ...and, for the sake of pedantry... they probably also have a list of employees with some personal details, they have to keep that safe too.



  • @japonicus said in A critical reflection on GDPR:

    It's quite unlikely that a local restaurant is affected at all,

    I'm not saying it's likely, but the problem is it's possible. Again: there is nothing in the legislation that exempts little spats like this Chinese restaurant duel.

    @japonicus said in A critical reflection on GDPR:

    To comply with GDPR the deadly-onerous thing they have to do is ask a customer if they want to be on the list; keep the list safe; don't sell the list and take that person off the list again if they ask.

    Except their web server logs IPs, which are personal information, so they have to write tons of custom code to prevent their website from doing that. Somehow. Because no webserver does that out-of-the-box. And odds are, Chan doesn't even know it does that, because he just hired some high school kid to set it up. Oh and the high school kid set up Google Analytics too, there's another violation. Chan likes seeing the charts, and he has no idea that the way that data is collected is illegal now.

    Sure, the newsletter he writes and he controls, no problem. I mean it's a headache he didn't fucking need when he's trying to get the mooshu pork out the door, but it's not a huge deal for a business that already has to deal with 500 other annoying government regulations.

    But the other stuff? Yang's daughter knows all about computers, she's gonna find it and get the government to harass the shit out of Chan.

    I'm just reading what the law says. This is not a far-fetched scenario; Yang would be 100% in his rights to call his country's privacy enforcement agent and report Chan.

    Oh and BTW, if Chan's restaurant website has a comments section, even one that correctly asks opt-in, and someone posts in there about labor union membership, Chan's now in violation unless he hires a Data Protection Officer. (And he has to hire someone, since it's also illegal for the DPO to have conflicting interests elsewhere in the company.) What about that little gem. I'm not even making that up.

    (Now this is where you chime-in and tell me "IP addresses are only considered personal information in specific circumstances" but guess what? If you read the law, logging website traffic is definitely not exempted by those circumstances.)

    (And this is just considering companies that are actually located in Europe and deal with European customers. The fact that the GDPR applies world-wide is a whole 'nother level of WTF.)



  • And that's not to say the US doesn't have crappy laws. I opposed the Washington State public smoking ban not because I necessarily disagree with banning smoking, but because the law was so poorly-written that if you were standing on a street corner with a cigarette, and a bus pulled up and opened its doors, you were suddenly miraculously in a "public area" where smoking is banned and are suddenly in violation of the law-- even though you didn't even do anything. Badly-written laws suck, no matter how noble their intent.

    And GDPR is a very badly-written law.

    Sure we can (probably) trust the UK, Germany and France will probably do the right thing. What about Greece? What about Bulgaria? If I'm in the US I'm actually worse off than someone in Europe, because I have 28 different jurisdictions that can come after me, not just one.

    What about fucking Malta? My business could be sued by the country that gave Joe Don Baker money to pretend to be a Cherokee sheriff shooting gangster thugs. Because they somehow thought it would make tourists want to come to their shithole island.



  • @japonicus said in A critical reflection on GDPR:

    note the bit where the regulator boasts that they fined a whole 23 companies in 2016 - a record high for them

    So enforcement is lax but arbitrary and random. 👍🏼



  • @japonicus said in A critical reflection on GDPR:

    It's quite unlikely that a local restaurant is affected at all,

    That's not how it's been explained here previously. The way it's been described, if a local restaurant in Podunk, Idaho (i. e., not in any way under EU jurisdiction), who has never even heard of GDPR, has a website and a single EU person happens to stumble across their website, and Apache logs their IP address (because that's PII) without explicit opt-in, they're in violation of EU law, and the EU could (try to; good luck collecting) fine them more than the total value of their business. And if they didn't pay, they could potentially be arrested when they go to B*****m on vacation next summer.



  • @blakeyrat said in A critical reflection on GDPR:

    Except their web server logs IPs, which are personal information, so they have to write tons of custom code to prevent their website from doing that. Somehow. Because no webserver does that out-of-the-box. And odds are, Chan doesn't even know it does that, because he just hired some high school kid to set it up. Oh and the high school kid set up Google Analytics too, there's another violation. Chan likes seeing the charts, and he has no idea that the way that data is collected is illegal now.

    Ok, I didn't know that IP logs had been pulled into this. That's silly and a bit of a nuisance. Based on a cursory bit of googling tonight I think that the consensus is that website logs are allowed (e.g. for business activities such as detecting malicious activity) but can't be kept for long and users need to be told about the logging on the website. (jury still seems to be out on whether logs ought to be encrypted - which would be a total pain in the arse).

    If that's the extent of it then I'll need to tweak my server settings to cut down log retention time, but our hypothetical Chinese restaurateur is probably fine - he's using a typical cheap virtual web host provider who doesn't like storing log files, so already clears them after 30 days. He might need to tweak the privacy policy on his website and add some google-provided boilerplate text re. analytics (which google will already have harassed him about).

    @blakeyrat said in A critical reflection on GDPR:

    And that's not to say the US doesn't have crappy laws. I opposed the Washington State public smoking ban not because I necessarily disagree with banning smoking, but because the law was so poorly-written that if you were standing on a street corner with a cigarette, and a bus pulled up and opened its doors, you were suddenly miraculously in a "public area" where smoking is banned and are suddenly in violation of the law-- even though you didn't even do anything. Badly-written laws suck, no matter how noble their intent.
    And GDPR is a very badly-written law.

    But just as no-one's been prosecuted for smoking near a bus, similarly the more extreme and misanthropic interpretations of GDPR are unlikely to be a reality. Right now, data protection regulators don't even pursue the major crooks who are egregiously flouting current laws and pissing-off thousands of people - that might be down to under-funding, incompetence or laziness. Data-protection agencies are not suddenly going to go after every trivial infraction by a small business (they couldn't cope with the scale even if they wanted to).

    They don't really need to contemplate the small fry when there are more big fish than they can ever cope with. That even assumes they want to abusively prosecute really small technical infractions - I guess I'm just less of a pessimist than you are 🤷🏻
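
    The two posts above (the "web server logs IPs" objection and the reply that logs are allowed for detecting malicious activity but should not be kept for long) describe a concrete data-minimisation task. As an added example that is not part of any post in this thread, and is not a statement of what the regulation requires: a small filter that truncates client IPs in combined-format access-log lines so they identify a network rather than a device, drops entries older than a retention window, and shows that abuse detection (counting error responses per network) still works on the minimised output. The log lines are constructed samples; the /24 and /48 truncation widths and the 30-day window are assumptions chosen for the example, not figures from the thread or the law.

```python
"""Access-log minimisation: pseudonymise client IPs and enforce a retention window.

Added example. Sample log lines are constructed (RFC 5737 / RFC 3849 documentation
addresses), not real traffic. Truncation widths (/24, /48) and the 30-day retention
window are assumptions for illustration.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Apache/nginx "combined" format: IP ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<rest>.*)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample input. The third line is deliberately older than the window.
SAMPLE_LOG = [
    '203.0.113.77 - - [20/May/2018:13:55:36 +0000] "GET /menu HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [21/May/2018:08:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "curl/7.58"',
    '198.51.100.9 - - [01/Mar/2018:09:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)  # fixed "current time" so the example is reproducible


def truncate_ip(ip_text: str, v4_bits: int = 24, v6_bits: int = 48) -> str:
    """Zero the host bits so the address names a network, not a subscriber device.

    Anything that is not a valid address (a '-' placeholder, a hostname from a
    misconfigured resolver) is replaced wholesale rather than passed through.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return "0.0.0.0"
    bits = v4_bits if addr.version == 4 else v6_bits
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)


def minimise_line(line: str, now: datetime, keep_days: int = 30) -> Optional[str]:
    """Return the line with its client IP truncated, or None if it should be discarded.

    Lines are discarded when they fall outside the retention window, and also when
    they do not parse: an unparseable line may carry personal data in an unknown
    position, so keeping it would defeat the purpose of the filter.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    if now - ts > timedelta(days=keep_days):
        return None
    return (
        f'{truncate_ip(m.group("ip"))} {m.group("ident")} {m.group("user")} '
        f'[{m.group("time")}] "{m.group("request")}" {m.group("status")} {m.group("rest")}'
    )


def minimise_log(lines: Iterable[str], now: datetime = NOW, keep_days: int = 30) -> List[str]:
    """Apply minimise_line to every line, keeping only the lines that survive."""
    kept = (minimise_line(line, now, keep_days) for line in lines)
    return [line for line in kept if line is not None]


def error_counts_by_network(lines: Iterable[str]) -> Dict[str, int]:
    """Count 4xx/5xx responses per (already truncated) network.

    This is the 'detecting malicious activity' use the reply above cites: probing
    for /wp-login.php and similar still stands out at /24 or /48 granularity.
    """
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status")[0] in "45":
            counts[m.group("ip")] += 1
    return dict(counts)


if __name__ == "__main__":
    minimised = minimise_log(SAMPLE_LOG)
    for line in minimised:
        print(line)
    print(error_counts_by_network(minimised))
```

    Run as a filter in front of the log file (or over existing files before rotation) the same function keeps the `Referer`, user agent and request fields intact; whether those need further minimisation is a separate decision the filter does not make for you. Truncation is deliberately not reversible, unlike keyed pseudonymisation, so a compromised log store yields networks rather than subscribers.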



  • @japonicus said in A critical reflection on GDPR:

    But just as no-one's been prosecuted for smoking near a bus, similarly the more extreme and misanthropic interpretations of GDPR are unlikely to be a reality.

    Governments change.

    There's a lot of stuff people took for granted in the US before Trump came into office. For example, that eventually something would be done with the DACA program and it wouldn't just expire.

    The text of the law should assume abuses from the most hostile possible government.

    @japonicus said in A critical reflection on GDPR:

    I guess I'm just less of a pessimist than you are

    Maybe; but this shit's important, and it's important to get it right. You've created legislation that enables basically ANY EU country's data protection regulator to fucking ruin any company they want. "Just trust us" isn't good enough, sorry.



  • @hardwaregeek said in A critical reflection on GDPR:

    @japonicus said in A critical reflection on GDPR:

    note the bit where the regulator boasts that they fined a whole 23 companies in 2016 - a record high for them

    So enforcement is lax but arbitrary and random. 👍🏼

    yes, but probably all of those 23 deserved it. The highlighted company in the article, (if it's the one I think it was) deliberately used the do-not-call register as a source of active phone numbers to cold-call. It probably didn't ever pay the fine as it declared itself 'bankrupt' and the directors shifted to a new shell operation...



  • @japonicus What you say sounds reasonable, but on second thought is wrong on some points.

    • A religious order or priesthood that you are, or prepare to be a member of, is not an employer. Very far from it.
    • Something may not be a crime but still a serious disqualification from performing certain religious services. Such as secret personal belief in a contradicting other religion or teaching. Or, in the case of the Catholic Church, being married, or being gay.

  • BINNED

    @blakeyrat said in A critical reflection on GDPR:

    because I have 28 different jurisdictions that can come after me

    Ugh, that's already been the case. Each EU member already had data protection laws, so all these awfully horrible things companies have to do now, like asking you to opt-in to their spam instead of opting out, were already the law in several different EU member countries.
    If you cared about obeying the law, the situation just improved because previously you had 28 different legal regulations whereas now you get a unified one. And pretty much all it encompasses was already required somewhere before. It only makes it worse for you if you previously thought you'd get away with not complying.

    @blakeyrat said in A critical reflection on GDPR:

    The fact that the GDPR applies world-wide is a whole 'nother level of WTF.

    You keep repeating that like the US doesn't apply its laws world-wide.



  • @topspin said in A critical reflection on GDPR:

    Each EU member already had data protection laws,

    Right; but they didn't apply outside the EU.

    @topspin said in A critical reflection on GDPR:

    You keep repeating that like the US doesn't apply its laws world-wide.

    Ah, compelling. The whiny 5-year-old strategy. "Tim did it first!!! <cries>". Compelling debate tactic.


  • Discourse touched me in a no-no place

    @japonicus said in A critical reflection on GDPR:

    that might be down to under-funding, incompetence or laziness.

    "Or"?


  • BINNED

    @blakeyrat said in A critical reflection on GDPR:

    The whiny 5-year-old strategy. "Tim did it first!!! <cries>".

    But you're the one whining about the GDPR and how it does something you consider completely normal when the US does it.



  • @topspin Nothing I've posted in this thread constitutes "whining".


  • BINNED

    @blakeyrat
    And maybe pigs will fly ...
    Yeah ... very unlikely. There is always the EU court to slap that down if it should occur. And yes they really do fine member states regularly for not applying rules correctly.


  • BINNED

    @blakeyrat said in A critical reflection on GDPR:

    there is nothing in the legislation that exempts little spats like this Chinese restaurant duel.

    Obviously they shouldn't be exempted from the law by default, should they? That would be equally silly. Then I will just keep my Leuven Analytica firm small enough to dodge the rule.



