Comment by jwr

3 years ago

I find the EU approach so much better. Your personal data (which means anything that can be used to uniquely identify you as a person) is your property, and the default is "no permission to use".

Yeah. Information should be a massive liability. The more they know, the more it should cost them. These companies should be scrambling to forget everything about us before we're even out the door, not amassing information into huge dossiers to sell to the highest bidder. The unapologetic audacity of these people never fails to impress me.

GDPR has a major problem though. It allows use of data for "legitimate" purposes. Of course, all of these businesses think of themselves and everything they're doing as perfectly legitimate. I wouldn't be surprised if some lobbyist worked that loophole in.

  • > Of course, all of these businesses think of themselves and everything they're doing as perfectly legitimate.

    That wouldn't be a major issue if privacy authorities actually a) acted on complaints in a timely manner, b) issued the "effective, proportionate and dissuasive" fines that the law requires.

    Most importantly, I believe some DPAs have already stated that "legitimate interest" cannot justify online advertisement. Now they "just" need to take a snapshot of the most popular 10000 websites in their country, then start issuing fines.

That's presumably the default in the US too, but the workaround is for companies to have you agree to some fine print, which nobody reads. When you request a mortgage quote, submit a job application, submit a credit card application, etc., they just bury in there "you're agreeing to give us permission to use your SSN to verify the information you've given" and they're golden.

The only way around would be some regulation like GDPR, but then we end up with something like cookie banners that are only annoying and don't give you a reasonable option to opt out. Just like if you want to get a mortgage, you can't opt out if every single lender does it.

In Germany we have our own data kraken though. See Schufa. Even with GDPR you're basically forced to hand data over to them.

That's a view through rose-colored glasses, GDPR isn't that powerful (and it only applies to user-supplied data, not all personal data). As a relevant example, in Sweden your taxable income is public information.

  • > As a relevant example, in Sweden your taxable income is public information.

    Same in Norway. However, taxable income does not equal salary. And at least in Norway, you can log in and see who requested the tax data about you, and companies can't mine this data.

  • The main problem with GDPR is that it is hard to enforce because the enforcing authorities are overworked, focusing on the wrong things, and bogging themselves down in their own bureaucracy.

    > only applies to user-supplied data, not all personal data

    I don't believe this is correct: https://gdpr-info.eu/art-4-gdpr/

    Maybe you're confusing this with the different lawful grounds for processing, and the fact that consent has quite strict requirements but there are other lawful grounds that don't require consent? https://gdpr-info.eu/art-6-gdpr/

  • > in Sweden your taxable income is public information.

    GDPR protects against automated personal data processing, not against publishing of public - by the law - data.