
Europe’s new data protection rules export privacy standards worldwide - nudpiedo
https://www.politico.eu/article/europe-data-protection-privacy-standards-gdpr-general-protection-data-regulation/
======
schmm
Shameless plug, but if you're in the SF Bay Area and want to learn more about
GDPR, we're throwing an educational event on Wednesday 2/7: "GDPR: 4 letters,
big trouble? Get up to speed on EU data privacy regulation"
[https://www.eventbrite.com/e/gdpr-4-letters-big-trouble-get-...](https://www.eventbrite.com/e/gdpr-4-letters-big-trouble-get-up-to-speed-on-eu-data-privacy-regulation-tickets-42104744424)

------
franciscop
What an utter nonsense tone for the article!

> Europe wants to conquer the world all over again.

So Europe makes new regulations that improve the life of European people and
they try to spin it up as a global domination move. As a European I am really
happy that I am more protected. If a company wants to make business with me I
expect them to follow the local regulations! That is not a new world order
plot, c'mon.

Stronger regulation sometimes is better when made with the citizens in mind,
see the TTIP. Why would we (Europeans) want to reduce our food quality
regulations? Why wouldn't we want a better data protection?

Especially after the Equifax scandal, I am so happy that things are changing over
Europe.

Edit: specified better what I think is nonsense

~~~
willow9886
This is just one line in the article--it's meant to grab the reader's
attention.

The rest of the article provides real substance. Silly to claim the whole
article is nonsense based on one line.

~~~
franciscop
I would have thought the same if the rest of the article didn't try to prove
how it is a world domination move (just a few examples):

> Data protection is a good example of Europe trying to extend its influence
> over other countries

> In response, legislators worldwide are scrambling to update their domestic
> legislation

> the upcoming data protection changes risks being viewed as yet another
> diktat handed down by former colonial powers in

> We’re already seeing a number of countries falling in line with Europe

------
anonymousDan
I thought this was an interesting angle:

"U.S. policymakers argue that American data protection standards, enshrined in
the constitution and enforced aggressively by the Federal Trade Commission, do
more to guard against misuse than European standards, which often can be more
bark than bite."

Can someone more familiar with the US constitution elaborate on what exactly
it says about data protection?

~~~
nickonline
They didn't do much about Equifax so I'd be very suspicious of such statements
about American data protection standards.

~~~
x0x0
Nothing in the GDPR would ban Equifax. Creditors will continue to have the
right (legitimate interests) to create, submit data to, and use credit reports
in decision making.

GDPR would have attached more liability to Equifax (though 4% of global
revenues really isn't that much), including a much shorter timeline on
reporting the breach.

~~~
athrowaway3z
[https://www.eugdpr.org/key-changes.html](https://www.eugdpr.org/key-changes.html)

Apart from the fine and the notification of the breach, Equifax would have
been different because of:

- Consent: "companies will no longer be able to use long illegible terms and conditions full of legalese"
- Right to Access: "Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format."
- Right to be Forgotten
- Data Portability
- Data Protection Officers

But Europe (the countries that I know about) have different requirements
rules for credit bureaus altogether. So AFAIK there is little incentive for
Equifax to hold European data at all.

~~~
x0x0
The majority of those rights don't apply for reasons that should be obvious if
you had even a modest understanding of the GDPR (see legitimate interest
basis) and other related legislation. It is distinctly not helpful to spew
misinformation on HN.

So that people don't rely on your lack of understanding of the GDPR:

* consent isn't required; it's merely one basis to permit processing

* since consent isn't required, it will be an extraordinary stretch to exercise a right to be forgotten. In fact, credit reports are probably one of the canonical cases where LI override most rights of the data subject.

* data access is not new; see DPA

* Equifax does, in fact, have an EU business; it is in the UK. And has offered £2 access to credit reports since 2010-ish. I recognize 2 > 0, but it is not significantly different.

------
bjelkeman-again
Power and influence flow through the end of a pen rather than a gun. Very EU.
Considering the generally poor state of data privacy and use of data about
people, I must admit I think GDPR is for the good.

------
Slansitartop
I do like the idea of a world where nations compete with themselves to offer
the best data privacy protections.

------
willow9886
I had just posted this GDPR guide with steps to implement the mandatory data
protection:

[https://news.ycombinator.com/item?id=16310501](https://news.ycombinator.com/item?id=16310501)

~~~
nudpiedo
It actually looks like a good guide... enough to get started in the topic...
at least until I saw the question on how to implement GDPR:

"If you’re not sure about their compliance, time to act. You’ll need to
contact them and make sure they confirm they’re GDPR complaint. That image
needs to be 100% completed."

------
olivermarks
[https://www.eugdpr.org](https://www.eugdpr.org) as they didn't provide link
in article

~~~
pwtweet
That website is run by a private company. A lot of the information on that
website is wrong.

Here is a correct explanation in English of GDPR from the Irish regulator:
[http://gdprandyou.ie/](http://gdprandyou.ie/)

Also the UK regulator: [https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/)

~~~
kasey_junk
One of the most “interesting” parts of GDPR is that it delegates enforcement
to ~25 member countries.

This leads to the situation where the interpretations can vary greatly from
country to country. We might see a very pro business Irish agency saying one
thing and the Danish saying another.

Remains to be seen if that will lead to compliance shopping like in some
finance regimes or if every enforcement group will get to come after every
firm.

~~~
x0x0
If and when a business has a lead regulator is discussed in the A29 WG.

------
vfulco
My hat is off to EU, doing what is right to protect individuals from the
evildoers.

------
TheMagicHorsey
I know the knee-jerk reaction on Hacker News will be that this is really a
positive outcome ... but I think people are not actually digesting the
consequences of the wholesale export of EU regulations across the world.

The EU has many regressive regulations based on outdated notions with regards
to the rights of individuals.

Just one example: in the US if someone is involved in egregious fraud (such as
ripping off thousands of individuals in a scam) then the US says that such
information constitutes news and that even if it's old information from a
decade ago it's relevant, and a platform like Kickstarter or Google can keep
the information online for users to assess before transacting with the
individual.

In Europe this could be deemed illegal. There's a right to be forgotten in
Europe. And sometimes even relevant and newsworthy information can be ordered
to be purged from databases.

The Europeans don't want companies or users deciding on the rules for
platforms. They want to make one rule and apply it across all platforms. Not
only that, they don't really think through the implications of some standards.
Like if there is a right to be forgotten, can companies like Kickstarter
really afford to scrutinize every request for deletion of data and use a
lawyer to determine if the request is justified? Of course not. They will just
make an algorithm and automatically delete the information. The value of the
platform in the long term will decline as fraud from years ago is purged.

There is a cost and benefit to all types of censorship. Censorship of
information about individuals isn't always just positive. There are lots of
serial fraudsters who get away with decades of shenanigans because information
about them is not readily available.

Also, and this is more controversial, I happen to think many types of privacy
(but not all) are really just cultural artifacts of right now and don't have
much utility from a political and economic perspective. Of course there is a
value to protecting the privacy of private communication to prevent the rise
of totalitarian states, etc., but some other kinds of privacy are really just
around to avoid personal embarrassment. But the standards for embarrassment
are always changing. At one time we were all running around half-naked and
fornicating in small tribes where there was literally no privacy. So there's
nothing innate in our nature that says that certain activities must be kept
private. It's merely custom that such and such activities can be used to
embarrass an individual.

In the future, it may be that even presidential candidates will have some
embarrassing selfies distributed online, and maybe even some dic pics or boob
shots from their youth ... and probably nobody will care much ... except to
say ... damn, my future president has a fire crotch ... or something like
that. But it will be said in passing, and nobody will care much. Just like
nobody gave two shits about Obama smoking choom.

~~~
harryf
Think your point that the value of different kinds of privacy varies with
cultural norms and as such, may be over-valued, is an interesting one but have
to object to this part - don't think it's a good example.

> Just one example: in the US if someone is involved in egregious fraud (such
> as ripping off thousands of individuals in a scam) then the US says that
> such information constitutes news and that even if it's old information from
> a decade ago it's relevant, and a platform like Kickstarter or Google can
> keep the information online for users to assess before transacting with the
> individual.

So long as it's profitable, scammers are going to find ways to scam no matter
what, such as creating fake identities in this case. I'd rather trade that
against a teenager committing suicide because of revenge porn.

~~~
TheMagicHorsey
It's not as easy as you think to shed an identity and make a new one for fraud
when the identity is linked to real-world ID in many jurisdictions.

The teen suicide issue is unrelated. Facts, such as news stories about fraud,
are not the same thing as media, such as a porn video. Regulations can easily
bifurcate between the two so it's a false tradeoff. What is telling is that the
regulators in Europe have chosen NOT to make this distinction. And in fact
they have EXPLICITLY protected people's right to purge news stories about
their fraud ... showing a disdain for making such a judgment in favor of
information freedom.

------
baxtr
This is interesting. Maybe one of the few things Europe contributes/exports
(in tech)

~~~
tomcooks
You can thank EU also for microusb being (having been?) a standard for all
smartphones and devices.

And don't forget those GREAT cookie privacy popups on every site you visit! /s

~~~
Slansitartop
> You can thank EU also for microusb being (having been?) a standard for all
> smartphones and devices.

I do. Say what you will about that connector, but it was definitely an
improvement over the situation that preceded its standardization.

