Comment by DisjointedHunt
3 years ago
Bad law for the reasons above.
I.e., onerous toward regular businesses
I.e., used to greatly expand bureaucracy and overhead
I.e., used by unelected bureaucrats to wage battles of personal vendetta against specific companies instead of doing what laws do, which is set unambiguous standards for all
In fact it's not at all onerous, unless you are determined to violate its provisions. If your business doesn't depend on privacy violations, then the "bureaucracy" that GDPR calls for is trivially easy to implement. There are no licences, and no registration requirements. Provided you aren't playing fast and loose with the personal data of Europeans, you're fine.
There's no "personal vendettas" going on; can you substantiate that allegation at all? The GDPR applies to everyone equally. And unlike some laws, it's fairly easy to read; it's meant to be understood. Don't bother reading some biased summary of the Regulation; read the GDPR itself. That's the best guidance on the intent, and the best guidance on how to comply.
/me: former data protection officer at a web development outfit.
"iTs nOt aT aLl oNeRoUs" said the DPO. lol, what a clown. So all these companies scrambling to hire lawyers to document every single aspect of the "legal basis" or whatever nonsense is in the language are just crazy in your books?
And that's just ONE sub clause of a hundred or so.
The overhead is both in the arbitrary nature of the requirements (Good Laws are objective, not subjective) and the sheer lack of consistency in the enforcement is ridiculous for any European business. Consider the adequacy clause that's taken decades to litigate and is still fucking criminal as of this writing.
Answer this simple question: "Can I, as a small business, use AWS services that may or may not have a compute instance located in the EU?". You know pretty well what the answer is there, so, basically every small business in the EU is in violation right now. And it's bureaucratic assholery that keeps this deliberately inconsistent so they can choose to enforce it at any point of their choosing (read, a negative PR cycle) - Monarchy, inconsistency, arbitrary and ambiguous rulemaking that has tossed out the interests of businesses.
The vendetta against Google is well documented and it's insulting for you to even say otherwise. Look at the most recent example of the CNIL (France's privacy enforcement body, a part of the executive) choosing arbitrary standards and refusing to even elaborate on concrete standards for recommended analytics solutions that businesses may use. They have gone full psycho with not even wanting to give Google the opportunity to come into compliance with standards that they choose not to reveal and instead openly ask industry to turn Google Analytics off. It's ridiculous and bad for their own economies.
> Good Laws are objective, not subjective
There's a difference between the way French and Germans write laws and the way we write them in the UK; I prefer the UK style, which leaves less room for interpretation.
> basically every small business in the EU is in violation right now
Only if they're handling personal data. Most small businesses don't.
Sure, if your business is collecting personal data, then GDPR is a problem for you; in the same way as the Road Traffic Act is a problem if you're determined to drive uninsured. If you want to sail close to the wind, then it's probably wise to lawyer-up.
And, of course, you don't have to use AWS.
> And it's bureaucratic assholery that keeps this deliberately inconsistent
That's not how I read it. The way I read it, GDPR is astonishingly lenient. Before they prosecute, they'll warn you; provide advice on how to come into compliance; and give you time to do it.
> choosing arbitrary standards
If GA involves depositing personal data in US jurisdiction, then you can't use GA in a GDPR jurisdiction. That's not vague or arbitrary. It may be - um - bold; but this law was flagged up years before it came into force. It's not as if the law came out of nowhere, and suddenly everyone's in violation.
> It's ridiculous and bad for their own economies.
Others have argued that GDPR is an attempt by the EU to steal Silicon Valley's breakfast, implying that it's good for European economies.
GDPR compliance is actually trivial to implement if you manage your users’ data in ways that wouldn’t surprise them negatively. There's not much more.
> unelected bureaucrats
Does the American elect the IRS or the FTC bureaucrat?
Well, read the thread above you. GDPR is so complex that even the people who passed it can’t tell you the scope given the intentional ambiguity.
I have officials in the EU on the record that IP addresses are deemed personal information and if your business uses AWS and unintentionally passed IP addresses over to any resource in the US, you are technically in violation.
Will you be hanged for this today? Probably not. But all it takes is one negative press cycle for the idiots there to interpret and enforce this as they have shown the willingness to do in the past.
The point about unelected bureaucrats isn’t the unelected part. It’s the lack of oversight or consequence or clear demarcation of legislative power from the executive.
The bureaucrats have taken it upon themselves to issue multiple specific rules that go over and beyond the text of any law. See the case of the CNIL in France. They had a court ruling around their rules for cookies on Google go against them and they continued to insist that they would enforce said law. They issued an “FAQ” on their website that indicated threatening language against businesses that flouted their previous comments that were now deemed incorrect by a court of law and had the audacity to press on.
Like I said, the EU is an abusive monarchy
> I have officials in the EU on the record that IP addresses are deemed personal information and if your business uses AWS and unintentionally passed IP addresses over to any resource in the US, you are technically in violation.
Of course, everybody knows that. You have to have good reasons to store people’s IP addresses (i.e. security logs, which must be disconnected from the tracking/telemetry system).
> Will you be hanged for this today? Probably not. But all it takes is one negative press cycle for the idiots there to interpret and enforce this as they have shown the willingness to do in the past.
If the regulator finds out that your analytics or recommendation system (which again is not the system where you store logs) is collecting and processing IP addresses without users’ consent, they will ask you to stop. If you don’t, they will eventually fine you.
> The point about unelected bureaucrats isn’t the unelected part. It’s the lack of oversight or consequence or clear demarcation of legislative power from the executive.
GDPR has been made/negotiated by the European Parliament (which is elected directly), by the Council of the EU, which is composed of ministers of member states, and by the Commission (whose members are elected by the Parliament and the Council). These are the legislative and executive branches of the EU, not a bunch of unelected bureaucrats.
If you were referring to the regulator, well, all regulatory bodies are made of “unelected bureaucrats” by design (that’s why they are referred to as “independent agencies”).
> The bureaucrats have taken it upon themselves to issue multiple specific rules that go over and beyond the text of any law. See the case of the CNIL in France. They had a court ruling around their rules for cookies on Google go against them and they continued to insist that they would enforce said law.
It seems that you are very agitated because the CNIL (some unelected bureaucrats) imposed a blanket ban on cookie walls and then the Council of State (some other unelected bureaucrats) held that such a blanket ban could not be imposed. An honest observer would acknowledge that these things happen every day (the Council of State wouldn’t otherwise exist), the matter is quite complex and that the gist of the matter hasn’t changed: “in order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information”. So one may still be fined for a cookie wall.
If what is upsetting you is instead a court case, the only one I could find is the recent 150mln€ fine that Google appealed on jurisdictional grounds and that was upheld, again, by the Council of State.
Either way, I wouldn’t get too agitated about complex court cases in foreign countries thousands of kilometres from my home and whose language I don’t speak.
> Like I said, the EU is an abusive monarchy
I will point to Proposition 7 of Wittgenstein’s Tractatus and I won’t indulge you further on this.