
The GDPR as accidentally explained by people in the US - M2Ys4U
https://hroy.eu/posts/gdprExplainedByUS/
======
corty
Main problem with GDPR criticism and press reporting about GDPR is that
virtually all of it is based on second-hand knowledge and hearsay. I would
really suggest getting the official PDF and reading it. It is readable (for a
legal text) and immediately clears up lots of common misconceptions like e.g.
the collection/use confusion.

Pick your favourite language:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679

~~~
munchbunny
I had to study up on GDPR for a past job, and after reading the full thing
several times over combined with reading various people's interpretations of
it, I came away feeling like it was a generally sane piece of legislation that
was overall reasonable about the trade-offs and requirements it imposed.

Since then I've heard many people complaining about the effort required to
deal with or work around GDPR constraints, including in one case a data
scientist complaining about needing to get consent to use certain data sources
for something that wasn't the product being sold to the user. Frankly, I was
happy about it, because that's _privacy working as expected._

~~~
hdkrgr
This has been exactly my experience. As a data scientist (not a lawyer!) I had
to ensure that some of our existing data processing pipelines complied with
GDPR (and make sure we could comply with its reporting requirements.)

I found the Articles well-structured, easily understandable, and overall
plainly reasonable. In my experience, those who complained about the
'bureaucratic overhead' of making their pipeline compliant were those who were
in charge of processes that clearly violated the spirit of the law, trying to
press them into the letter of the law somehow.

------
voxic11
This article is written very strangely. For example

> One last bit: Richard Stallman argues that “improving efficiency” of a
> system must not be a justification for collecting personal data.

> Article 5(1) already provides that personal data must be “collected for
> specified, explicit and legitimate purposes.” Therefore, it seems that
> Richard Stallman’s interpretation of this principle means that “improving
> efficiency” may never be considered legitimate. Do you agree

What is the author trying to say here? It's honestly confusing. Is he trying to
say that Stallman's point about the law allowing broad collection of data is
wrong? Or is he trying to say Stallman is being unreasonable in his demands of
the law?

~~~
simonh
Improving efficiency could mean anything, efficiency of what? It's the thing
being made efficient that needs to be evaluated for appropriateness, so I'm
with Stallman on this (an infrequent but not unknown occurrence).

~~~
AnthonyMouse
The problem with requirements to be explicit is that they just turn into dense
legalese. You say "efficiency of what" thinking they're going to list a
specific thing, but then they list every specific thing. Is it software or
hardware? No, software and hardware. Is it efficiency in runtime performance
or in user interface behavior? Both.

Asking animal, vegetable or mineral doesn't actually make it more specific if
they can still get to "all of the above" by just listing every option
individually.

~~~
simonh
That's easy. If the justification isn't clear, then the answer is No. It's
their responsibility to provide a clear and valid justification.

------
thierryzoller
I always chuckle when I see comments made. You can feel that they don't
understand the concepts behind laws like the GDPR. Also they don't understand
principles based regulation.

------
covidien
Has gdpr been enforced at all since inception? Is there a public listing of
cases and punishments?

~~~
robin_reala
Yes to both questions:
[https://www.enforcementtracker.com/](https://www.enforcementtracker.com/)

------
M2Ys4U
The full title is

"The GDPR as accidentally explained by people in the US who criticize the GDPR
for its pitfalls, while calling for what’s actually in the GDPR"

but HN doesn't allow titles to be that long.

~~~
Nextgrid
I'd argue a better title would be "The EU GDPR _as understood_ by Americans".

The current title seems to imply an authoritative, true explanation of the
GDPR by Americans, while the article is all about how the GDPR is frequently
misunderstood on the other side of the pond.

~~~
hugoroy
Hi - author of the post here.

The points in the post are really about GDPR _basics_. I'm not actually trying
to explain or interpret anything. Instead, I am mostly paraphrasing, if not
merely quoting the GDPR directly (and linking to the authoritative source -
check for yourself).

The more blatant example is probably the first one, about "data use" v. "data
collection".

There's just no way that the statements about GDPR "missing the point of data
collection" can be characterized as a misunderstanding of the text itself. The
text has explicit references to data collection all over, including in the
definition of the most important word, i.e. "processing".

So I think that, as these examples show, it's not really about
misunderstanding on the other side of the Atlantic. I think it's more about
baseless misconceptions and myths being thrown out here and there. Ask
yourself: Why?

 _Edit: typos_

~~~
tannhaeuser
So I have asked myself: why? But after 10 minutes I didn't come to a
conclusion :) so could you share what you're after or give me a hint? Are you
suggesting there's an anti-EU/anti-GDPR/anti-whatever campaign of sorts going
on that makes people biased, or, more realistically, an intent to discredit
GDPR by US advertisers who fight against similar legislation in the US? That
may very well be the case, but I haven't noticed on HN specifically where the
pro-GDPR camp seems to be (slightly) in the majority if I'm not mistaken. Or
maybe you're criticizing snake oil businesses selling GDPR compliance
solutions which aren't (as discussed elsewhere in the thread), betting on
people being too lazy to read the GDPR when the GDPR law text is quite
understandable as you rightly point out? Genuinely don't understand the
general direction of your suggestion.

~~~
rsynnott
> Are you suggesting there's an anti-EU/anti-GDPR/anti-whatever campaign of
> sorts going on that makes people biased, or, more realistically, an intent
> to discredit GDPR by US advertisers who fight against similar legislation in
> the US?

I mean, in one sense, _obviously_. Most of the fearmongering around the GDPR
comes from the ad industry (and to some extent from other impacted industries
like the shadier parts of the debt collection industry, but they're much
smaller and less noisy). I doubt there's an organised conspiracy to discredit
it as such, but most of the anti-GDPR talking points do ultimately come from
the ad industry.

And this isn't that surprising, arguably. For most companies, the GDPR
essentially means, at most, "your business model is fine, but your process is
flawed; fix it". For large parts of the ad industry, it means "your business
model is flawed; change it". Note that a lot of the ad industry complaints are
around consent; either that it has to be asked for in the first place or that
it's too hard to give accidentally. Well, yes, that's the point.

------
rman666
This is kind of silly. The title implies “... by dumb Americans.” Sure, GDPR
applies to more than just EU citizens, but why would you expect Americans to
know about it in the first place? It might be more interesting to hear how EU
citizens explain it, or how EU citizens explain driving on the opposite side
of the road.

~~~
vinay427
> It might be more interesting to hear how EU citizens explain it, or how EU
> citizens explain driving on the opposite side of the road.

There are only three countries remaining in the EU that drive on the left side
of the road: Ireland, Cyprus, and Malta. A very small minority of EU residents
could "explain" driving on the left side of the road, whatever that means.

~~~
pjc50
... and those are entirely down to the British influence.

~~~
robin_reala
Although to be fair Sweden drove on the left without British influence until
other countries influenced them to change.

------
yoden
Weird article. After reading it I agree more with the points it's trying to
refute.

You can't use the existence of a 1995 law to prove the GDPR doesn't have
problems. The whole reason the GDPR got written was because the 1995 law was
ineffective.

The GDPR adds new requirements on top of the 1995 law. Privacy advocates don't
think these requirements help privacy much. Businesses claim that it makes it
harder to do business (but they say that about any legislation). You can argue
about who is right but neither side particularly likes the regulation.

The biggest group of people who do like the regulation seem to be EU citizens
who want a reason to feel superior to Americans. It's unfortunate nationalism.
We're all on the same side against the large corporations.

~~~
AnthonyMouse
> Businesses claim that it makes it harder to do business (but they say that
> about any legislation).

To be fair, it tends to be true of any legislation. Even if all you're doing
is passing a law ordering them to do what they were already doing, now they've
got to pay lawyers to tell them that and auditors on a recurring basis to make
sure it continues to be true even if it would have regardless.

And then the cost of that gets passed on to customers and employees, because
laws apply to everybody which means raising prices due to compliance costs
isn't a competitive disadvantage when everybody does it. (Or they don't apply
to everybody and give advantage to foreign competitors.)

The costs also disproportionately impact small businesses, because the
compliance cost is a fixed amount whether you have a million dollars in
revenue or a billion, so regulation is effectively the most regressive form of
taxation. (Compare this to taxing Facebook and using the money to fund
privacy-protecting open source technologies.)

~~~
Silhouette
+1 to all of this.

As someone who's been running small tech businesses in the UK for a while, I
think it's also fair to say that the GDPR was unusually onerous even for
government regulations. Over the past decade or more, only the VAT mess was
comparable for anything coming out of the EU that I've been involved with. The
similarities in those two cases are striking.

Each was meant to address a legitimate and well-established problem with how
big businesses operate. Each also caused disproportionate expense and hassle
for small businesses, even if those businesses weren't the intended targets
and what they were doing was basically OK before.

Each had significant ambiguities that were either open to interpretation or
missing key details, and so probably needed expert advice on compliance in
many cases.

Each required businesses to change their record-keeping, documentation and
processes for compliance, even if the substance afterwards was still much the
same as before in each case.

Also, in each case enforcement seems unlikely for smaller businesses, so those
who either didn't know about the new rules or wilfully ignored them gained an
advantage over their competitors who were making a good faith effort to
comply. I don't like good people being penalised just for trying to run their
businesses legally and responsibly.

------
kodablah
> Time will tell how effective the GDPR is going to be [...] Nevertheless, we
> should acknowledge the fact that EU law has got many of the foundational
> principles around data protection right.

This post accidentally explains many Americans' issues with the GDPR. By
focusing on intent and idealism to buttress justifications for the law's
presence, proponents use righteousness as an excuse for heavy government
interference. Almost everyone agrees with the ideals of data privacy. But
recognizing reality, some advocate for not asking clearly ineffective
institutions to police such things since often said technology laws and
policing tend to hurt more than help. They also give a mandate for more
government intrusion in technology (e.g. welcoming GDPR tacitly encourages the
copyright directive) as policy makers can't help themselves. Rather, more
measured approaches like education, consumer awareness, encouragement of
alternatives, transparency requirements, and enforcement of existing statutes
(fraud, personal info, etc) are leaped over.

Tech that people willingly trade info for (and arguably would do so regardless
of awareness) is not analogous to food ingredients or medicine. You can't
legislate every harm out of existence, and this is the fundamental difference
in the two sides. One side is concerned with government oversight in these
matters and where it leads, the other is not. Usually we'd say to each their
own, yet we communicate on a global medium, so ideally we'd lean towards fewer
restrictions (especially if you consider the legislative implementers on the
American side).

~~~
vertex-four
The way the EU usually works is that they say "we are concerned about X, Y and
Z's effect on our citizens" to industry, and industry responds "we'll self-
regulate to ensure X, Y and Z do not have the effect you're concerned about".
If self-regulation doesn't work out, a directive is passed.

Industry, in this case, didn't even try to self-regulate, so a series of
directives with gradually more teeth were passed over the last 20-odd years.

~~~
kodablah
> If self-regulation doesn't work out, a directive is passed.

We can do better! Public education campaigns and support for alternatives for
starters. The "they didn't fix the issues, so new laws will fix their issues"
is myopic at the least, and potentially harmful if it doesn't fix the issues
either.

~~~
grasshopperpurp
What's myopic is expecting people to "do better" when they make more money (or
even think they'll make more money) by doing worse.

~~~
kodablah
Nobody expects that. It has become unfortunate that if you are not in favor
of the GDPR as implemented, you must be against its principles and in favor
of privacy-violating companies.

