
USA needs law 'a lot like GDPR' says Salesforce CEO Marc Benioff - LinuxBender
https://www.theregister.co.uk/2018/05/30/salesforce_q1_2019/?
======
wyldfire
A consumer protection law like GDPR would probably be a good thing for US, but
it's hard not to see this as SFDC saying, "As a multibillion-dollar SaaS
vendor, we welcome regulation that might slow down or prevent a competitor
from unseating us."

~~~
epicmellon
That's exactly what this is. GDPR is untenable and creates magical rights
where none exist. You don't own information about you. Data is data. The only
reasonable thing I can see out of it is getting companies to clarify
(simplify) their EULAs.

~~~
lawlessone
>You don't own information about you.

What are your credit card numbers? :)

~~~
sandworm101
CC numbers are something that you definitely do not own. You do not own your
credit cards. They are the property of the corporations who issued them to
you. That's why they can cancel/alter/confiscate them without going through
the courts.

Same too for credit ratings. The right to view and alter them comes from
various other common law rules (i.e. slander), but the credit rating itself
belongs to the corporation that generates it.

------
neya
I think this has been discussed before - the whole foundation of SalesForce is
absolutely tracking every inch of a user: who you were, what whitepaper you
downloaded, where you're from, which stage of the funnel you're in, which
industry you belong to, what's your company size, what's its revenue, and the
list goes on...

So, this is pretty ridiculous coming from a CEO of such a company, but hey,
any publicity is good publicity, right?

~~~
tarr11
I don't think he's lying. But the reasons he wants GDPR are probably just as
calculating as you would expect:

1. They already had to do most of this work for GDPR, so the cost will be
lower.

2. By saying this, he can be invited to meet with legislators who will shape
the law.

3. Smaller competitors or startups will be discouraged from entering the
market due to an increased regulatory environment (similar to PCI).

It's still probably a good idea, but skepticism (and even cynicism) is
certainly warranted.

~~~
3pt14159
There are three reasons in addition:

1. Insulating himself from future lawsuits. Judges look very favourably
towards corporations that try to work with regulators before a crisis.

2. Legislating a fix reduces market demand for a technical fix. Imagine a
world where a competitive platform to the internet / the web arises. In such a
case, if the public feels safe because of legislation, then they're less likely
to abandon the previous web.

3. Realistically speaking, any action that would be devastating for Salesforce
would be devastating for the US economy / intelligence apparatus; so either
way there is going to be _some_ measure of tracking for _some_ amount of time.
The real issue that Salesforce needs to handle is to ensure that it's ahead of
its competitors, and to do that it needs to see where the regulatory
environment is going and plan its strategy around that.

~~~
curun1r
> ...would be devastating for Salesforce would be devastating for the US ...
> intelligence apparatus

GDPR exempts law enforcement and the court system so I'm not sure why we'd
expect US legislation to be any different.

~~~
3pt14159
Much of the data that our intelligence agencies collect is through
collaboration with private industry. If Salesforce employs hundreds of people
to clean up data then that (and other companies like them) going away would
make a measurable difference to what the intelligence agencies are capable of
doing.

------
fhrow4484
There has already been a lot of discussion about GDPR in recent weeks, but
one thing that shocked me is that the regulation is seriously described like
this:

From [https://ico.org.uk/for-organisations/guide-to-the-general-da...](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/) :

> The GDPR does not specify how to make a valid request. Therefore, an
> individual can make a subject access request to you verbally or in writing.
> It can also be made to any part of your organisation (including by social
> media) and does not have to be to a specific person or contact point.

> A request does not have to include the phrase 'subject access request' or
> Article 15 of the GDPR, as long as it is clear that the individual is asking
> for their own personal data.

> This presents a challenge as any of your employees could receive a valid
> request. However, you have a legal responsibility to identify that an
> individual has made a request to you and handle it accordingly.

In a normal world, I think legal requests can only be addressed to officers or
registered agents, yet here a government thought it was a good idea that "any
of your employees could receive a valid request" and that it's a legal
responsibility to handle it correctly. This is just mind-blowing to me.

~~~
marten-de-vries
Your customer service should know how to deal with product warranty. Or should
be able to handle a request to cancel an online purchase for 14 days after the
order ([1]). How is making a request to access your personal data different?

[1]: [https://europa.eu/youreurope/citizens/consumers/shopping/gua...](https://europa.eu/youreurope/citizens/consumers/shopping/guarantees-returns/index_en.htm)

------
kodablah
Let's try something different. How about a smaller law requiring transparency
first (not even the ability to delete or how to handle the data or that you
have to have a certain appointed position or any other nonsense). Just
transparency at first. The transparency requirements can be detailed, as food
labeling is, but it doesn't need to require companies to provide users their
data (just yet). Then, begin PSAs and public education awareness campaigns
that show some of the harms of over-collection of data, overuse of social
media, lax approaches to information protection, acceptability of ad-blocking
solutions, etc. (EDIT: rethinking this, I would no longer recommend this, at
least at first). Then work on a law defining culpability for data breaches
(i.e. data escaping its now-more-transparently defined intention). Also,
consider grants to companies providing healthy privacy practices in the social
media space (these should be small, measured, and for non-profits only of
course). But I would just consider it, I wouldn't actually give them out just
yet.

All in all, this can be done w/ steps that don't rock companies. Also, what
we're going to find out is that people are happy with the tradeoff that
currently exists and you can't legislate that away from them without pissing
them off.

------
jiggliemon
Can’t all this GDPR stuff be abstracted away into a framework? Or at least
some kind of pattern/generator tooling?

It seems like there's room for an enterprise framework that does all the
compliance work for you (for US gov contacts, i18n, user info download, etc.).
Maybe calling it enterprise is a misnomer. Maybe it's a spec that frameworks
can target or comply with?

~~~
Kalium
> Can’t all this GDPR stuff be abstracted away into a framework? Or at least
> some kind of pattern/generator tooling?

I understand why you think this way! It's an obvious approach, where there's a
bunch of stuff that needs to be done and it's the same everywhere. Why not
just have a framework that handles it all for you? It's so clear!

It's perhaps possible that many of the requirements of GDPR are beyond the
scope of what any kind of framework or code pattern or generator might be
reasonably expected to handle. Code cannot readily become a Data Protection
Officer or respond to inbound requests. Code cannot address the need to
identify and inform users affected by any breach. Code will likely struggle to
do the vendor assurance required of all your Data Processors.

You're absolutely right! There's _excellent_ reason to have the technical
requirements handled for you by a framework so you can focus on the important
parts of your business. It's just perhaps possible that this could be less
than the whole of GDPR.

~~~
jiggliemon
I get the process parts, which make more sense with a human interface and can't
be abstracted out.

However, maybe they can? Compliance as a service? Sounds like just the kind of
Bay Area-centric idea that VCs love to fund.

But it seems like there are some common-sense patterns that our tooling should
take up. A framework can take up the transparency and user control aspects.
Framework might be too narrow; platform might be more like it. Things like
Wordpress, Magento or Shopify can be "GDPR compliant".

~~~
Kalium
You're once again completely right! Some of this could be farmed out with
compliance-as-a-service!

However, it's perhaps possible that certain parts of GDPR impact core
business processes involving the handling of customer data. None of this can
be farmed out in a hands-off manner. It requires deep integration into your
daily business. I cannot think of any framework that could handle such a
thing, or a compliance service that could handle it for you.

You could definitely offer GDPR-compliance Wordpress or Magento as a service!
It's just possible, however, that some things your customers could do with
your offering might hold the potential to violate GDPR. As a result, you could
not guarantee that you assume all the compliance requirements on their behalf
in all cases.

In short, you're right! There is definitely room for some compliance services
to be offered as a service! It's just, barely, possible that some small
fraction of the items concerned might not be well-suited to this approach is
all.

Have you considered reading the text of GDPR? You might find it to be an
educational and informative experience. I did.

------
ThomPete
For big companies, this is a small problem to implement. For small companies,
it's a big problem.

I am all for protecting the consumer, but GDPR is going too far with what I
would call optics rather than actual consumer protection. I.e. things that
look and sound like they are protecting the user when they are really just
adding more bureaucracy for the companies.

~~~
realusername
> I am all for protecting the consumer but GDPR is going too far with what I
> would call optics rather than actual consumer protection

Too far from what? Thanks to the GDPR, I received hundreds of emails from
services I never signed up for, who scraped my details from LinkedIn with bots.
The industry went way too far with what would have been acceptable, and that's
why we need laws like this.

~~~
ThomPete
The law could simply punish those who do harm. All you are getting now is
further bolstering for those you end up being gamed into signing up for. I
understand the purpose and intent of the law, but it could have been done much
more elegantly. Those who want to misuse your data will still do that; they
will just find another way to do it.

~~~
realusername
> The law could simply punish those who do harm

That's exactly what the GDPR is doing, I feel: you get punished for data
misuse. It looks like a good idea to reduce this kind of abuse.

> All you are getting now is further bolstering for those you end up being
> gamed into signing up for.

I did not get gamed into signing up; they just scraped my data and added me to
their database. I did not take any action and they did not make me sign up with
a trick (I also had a few of those, yes, but the majority are just data
scraping).

> Those who want to misuse your data will still do that; they will just find
> another way to do it.

That's the argument you could make with every law, basically. I also hear the
same argument for car speeding: "they could just drive faster at another place
and not get caught". It's indeed true, but it's not because there are still ways
of misuse that we should abandon everything.

~~~
ThomPete
No, it also requires companies to go through a lot of bureaucratic exercises. If
it only punished for misuse and didn't put the bureaucratic burden on companies,
I would have no problem with that. It's that it makes it burdensome for a lot of
companies who aren't actually misusing your data. This is my main argument,
and GDPR is only the beginning; now EPR is going to be implemented, making it
even harder to make it work in a digital economy.

------
mychael
The US needs a law that exempts American businesses from GDPR if they have no
presence in Europe.

~~~
lightbyte
That already exists, it's called GDPR. It doesn't apply to you if you have no
presence in Europe.

~~~
bulatb
Unless you track or profile natural persons within the EU, or you "envisage"
offering them services. Then you're in scope.

------
rhapsodic
I would like to see the US enact a law that says US companies must grant their
users in the US all of the benefits that they grant their non-US users under
non-US laws. So small US companies would still be able to avoid onerous non-US
laws by not doing business in those countries, but the big ones, who can't
afford to forgo the market in the rest of the world but who can afford to
comply with the laws there, will. And their US users will reap the benefits.

------
epicmellon
Can we just take a step back and admit that treating an IP address as personal
information is patently ridiculous?

~~~
Karunamon
Doubly so when legal precedent exists that IP isn’t sufficient enough to
identify a person.

~~~
bhaak
There's also legal precedent that IPs can be sufficient enough to identify a
person.

~~~
wooter
And it's absurd, rejected, and overturned. If I use your laptop, am I you?

------
pojkofd00m
Ajit Pai disagrees.

------
olivermarks
Comments on The Register article are good, IMO.

------
wooter
As an American, no thank you. Compelled speech is not okay.

~~~
aoeusnth1
Is HIPAA's[1] privacy rule compelled speech? Do you believe corporations
have a right to unlimited surveillance derived from their right to free
speech?

[1] See
[https://en.wikipedia.org/wiki/Health_Insurance_Portability_a...](https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Privacy_Rule)

"The Privacy Rule gives individuals the right to request a covered entity to
correct any inaccurate PHI."

"The Privacy Rule requires covered entities to notify individuals of uses of
their PHI. Covered entities must also keep track of disclosures of PHI and
document privacy policies and procedures."

~~~
wooter
HIPAA does a lot of damage to innovation in healthcare research and industry.
Still, I don't know why you assume every law that exists is perfect
justification for a more expansive law. This is exactly why slippery slope
is not a fallacy. The state always wants more power under the guise of
providing safety.

------
greatamerican
Such a law will not survive a Constitutional challenge. Just rent seeking by
an incumbent.

~~~
CamTin
These recently-discovered European "rights" are probably non-starters, but the
ability to get a Google Takeout-style package of your own data, and some
reasonable protections regarding consent and the way your data is used, would
clearly be Constitutional. We already force some industries to follow most of
these precepts in other laws that haven't been challenged: credit agencies
have to explain your credit score to you, HIPAA manages how medical data is
used. The core of GDPR is really just expanding those laws to all companies.

The only sticky one is really the "right to be forgotten," which just isn't a
right, and possibly has constitutional (1st amendment) problems.

IMO though, a "conservative GDPR" could get Republican backing by basically
framing it as a question about property rights, which their base is all about:
your data is valuable, and it's YOUR property, not Google's. Some of the other
provisions could be sold as a "sunshine law" for big business.

Also, presumably, given US politics, there would be plenty of exemptions for
small businesses (and industries that have strong lobbying firms).

(note that I'm not a lawyer, so this may be bullshit)

~~~
hannasanarion
If you actually read up on the "right to be forgotten" you will see that "free
speech" is always an exception to it. You cannot demand to be forgotten in
order to censor others.

~~~
methodover
The American interpretation of “free speech” is much more broad than in the
EU. Here, laws banning hate speech or flag burning or corporate campaign
donations are unconstitutional for example. Libel lawsuits are much harder to
pull off here as well.

A law requiring businesses and individuals to delete any personal data at the
request of the data subject, as the GDPR requires, would have to be extremely
narrowly written to survive constitutional muster here, I think.

If I do business with you and write down your name, the GDPR requires that I
delete your name if you ask me to (and even if you don’t if our relationship
ends). That wouldn’t survive a First Amendment challenge here.

~~~
hannasanarion
GDPR doesn't require that you do that. GDPR has other exceptions that you
could plead very easily: undue hardship, archival, public interest, compliance
with other laws, scientific research, and establishing legal claims. What
would you need my name for if not one of those?

~~~
methodover
Maybe I want to remember your name because, let's say, I want to pray for all
my customers every Sunday. Or perhaps I want to try and memorize all my
customers' names so I can use your name when I see you come into my shop. Or
perhaps to track patterns of purchases by my customers. Or perhaps because I
think it's important to have a track record of everyone I've sold to, and
when, for purposes to be discovered later down the line that I can't think of
right now.

In America, I don't need a reason for writing your name down. In the EU on the
other hand, all personal data needs to be deleted, unless a specific
government-approved exemption applies, as you said.

Quoting the US Supreme Court, in Chicago v. Mosley, 1972:

> Above all else, the First Amendment means that government has no power to
> restrict expression because of its message, its ideas, its subject matter,
> or its content. To permit the continued building of our politics and
> culture, and to assure self-fulfillment for each individual, our people are
> guaranteed the right to express any thought, free from government censorship
> [1]

I'm pretty sure that if the GDPR was copied and pasted into a US law, the
Right to be Forgotten would be struck down as unconstitutional very quickly.

1. [https://supreme.justia.com/cases/federal/us/408/92/case.html](https://supreme.justia.com/cases/federal/us/408/92/case.html)

