The main problem with GDPR criticism and press reporting about GDPR is that virtually all of it is based on second-hand knowledge and hearsay. I would really suggest getting the official PDF and reading it. It is readable (for a legal text) and immediately clears up lots of common misconceptions, e.g. the collection/use confusion.
I had to study up on GDPR for a past job, and after reading the full thing several times over combined with reading various people's interpretations of it, I came away feeling like it was a generally sane piece of legislation that was overall reasonable about the trade-offs and requirements it imposed.
Since then I've heard many people complaining about the effort required to deal with or work around GDPR constraints, including in one case a data scientist complaining about needing to get consent to use certain data sources for something that wasn't the product being sold to the user. Frankly, I was happy about it, because that's privacy working as expected.
This has been exactly my experience. As a data scientist (not a lawyer!) I had to ensure that some of our existing data processing pipelines complied with GDPR (and make sure we could comply with its reporting requirements.)
I found the Articles well-structured, easily understandable, and overall plainly reasonable. In my experience, those who complained about the 'bureaucratic overhead' of making their pipeline compliant were those who were in charge of processes that clearly violated the spirit of the law, trying to press them into the letter of the law somehow.
I feel like there's a kinda silly trend towards the idea that regulation should never be burdensome, that something's wrong if compliance efforts are more onerous than annual training and automated enforcement. It comes from a good place - we do need to be cautious of regulatory capture through creating so many burdens that small companies can't afford to comply. But the loudest complaints always seem to be along the lines of "it's unfair that it's harder to do these things GDPR is trying to discourage".
As an American expat who has had to implement GDPR policies while working in Europe, I know how it works; I've read the damn thing. I'm back in the US and the number of Americans who try to tell me about it, never having read the damn thing, drives me up the wall.
This is because people in the US are used to dealing with legislation that means almost nothing until it gets interpreted by the courts, and no one wants to be that first test case, so their lawyers take the worst-case approach. Just like many years of effort have been expended on just one paragraph from Sarbanes-Oxley.
Second is that there is an opinion some have (based on some recent cases) that European courts hate American companies and will throw the most extreme penalty at them that they can get away with.
Third, from an end-user's standpoint, who here isn't sick and tired of having to click on the "Accept cookies" link all the time? Personally, if I have issues with specific cookies, I'd rather handle that automatically via client-side techniques.
This article is written very strangely. For example
> One last bit: Richard Stallman argues that “improving efficiency” of a system must not be a justification for collecting personal data.
> Article 5(1) already provides that personal data must be “collected for specified, explicit and legitimate purposes.” Therefore, it seems that Richard Stallman’s interpretation of this principle means that “improving efficiency” may never be considered legitimate. Do you agree
What is the author trying to say here? It's honestly confusing. Is he trying to say that Stallman's point about the law allowing broad collection of data is wrong? Or is he trying to say Stallman is being unreasonable in his demands of the law?
Sorry that it's not clear. Happy to take suggestions for clearer language. Maybe this part should just be removed as it is maybe a bit off topic.
I am trying to lay out what principle Richard Stallman is advocating for exactly, when he says that it is never okay to collect data for the purpose of improving efficiency of a system.
The principle that RMS is pushing for here, seems to be that only “legitimate” purposes should be allowed. And RMS seems to think that “improving efficiency” is not a legitimate purpose.
So, I added this part in the post because in all fairness, if RMS thinks that we should consider that improving a system is an illegitimate purpose, then I think we finally found an actual critique of GDPR that is actually advocating for something not already in the GDPR.
But honestly, I think this is just too radical. I think that, provided the right protections are in place, the goal of improving a system has nothing illegitimate per se. I actually prefer to interact with improved systems, and if some personal data may be necessary for that, let's allow it and put the right safeguards.
Update: just "Improving a system." without more explanation is not very "explicit" - it should be put in context and more detailed, and information about the explicit purpose must be disclosed to users (see Art 5(1) and 13 of the GDPR).
Improving efficiency could mean anything, efficiency of what? It's the thing being made efficient that needs to be evaluated for appropriateness, so I'm with Stallman on this (an infrequent but not unknown occurrence).
The problem with requirements to be explicit is that they just turn into dense legalese. You say "efficiency of what" thinking they're going to list a specific thing, but then they list every specific thing. Is it software or hardware? No, software and hardware. Is it efficiency in runtime performance or in user interface behavior? Both.
Asking animal, vegetable or mineral doesn't actually make it more specific if they can still get to "all of the above" by just listing every option individually.
I always chuckle when I see comments made. You can feel that they don't understand the concepts behind laws like the GDPR. Also they don't understand principles based regulation.
The UK data protection authority (ICO) has also announced huge fines against British Airways and Marriott - but these fines are not in effect yet - unsure how high they will be exactly if any.
Funny/sadly enough this can be said for a lot of critique on EU regulation, regardless of country of origin (but let's be honest: the UK tabloids are the worst of the bunch).
> people... criticize X for its pitfalls, while calling for what’s actually in X
My experience says this is true for a lot of things where I'm a subject-matter expert. I suspect it's also true about several of my own criticisms of things where I'm not an expert, but it's difficult to find out.
I'd argue a better title would be "The EU GDPR as understood by Americans".
The current title seems to imply an authoritative, true explanation of the GDPR by Americans, while the article is all about how the GDPR is frequently misunderstood on the other side of the pond.
The points in the post are really about GDPR basics. I'm not actually trying to explain or interpret anything. Instead, I am mostly paraphrasing, if not merely quoting the GDPR directly (and linking to the authoritative source - check for yourself).
The more blatant example is probably the first one, about "data use" v. "data collection".
There's just no way that the statements about GDPR "missing the point of data collection" can be characterized as a misunderstanding of the text itself. The text has explicit references to data collection all over, including in the definition of the most important word, i.e. "processing".
So I think that, as these examples show, it's not really about misunderstanding on the other side of the Atlantic. I think it's more about baseless misconceptions and myths being thrown out here and there. Ask yourself: Why?
> as these examples show, it's not really about misunderstanding on the other side of the Atlantic. I think it's more about baseless misconceptions and myths being thrown out here and there. Ask yourself: Why?
That's just how discourse works these days. The bigger and scarier the strawman, the more people click on it.
So I have asked myself: why? But after 10 minutes I didn't come to a conclusion :) so could you share what you're after or give me a hint? Are you suggesting there's an anti-EU/anti-GDPR/anti-whatever campaign of sorts going on that makes people biased, or, more realistically, an intent to discredit GDPR by US advertisers who fight against similar legislation in the US? That may very well be the case, but I haven't noticed on HN specifically where the pro-GDPR camp seems to be (slightly) in the majority if I'm not mistaken. Or maybe you're criticizing snake oil businesses selling GDPR compliance solutions which aren't (as discussed elsewhere in the thread), betting on people being too lazy to read the GDPR when the GDPR law text is quite understandable as you rightly point out? Genuinely don't understand the general direction of your suggestion.
> Are you suggesting there's an anti-EU/anti-GDPR/anti-whatever campaign of sorts going on that makes people biased, or, more realistically, an intent to discredit GDPR by US advertisers who fight against similar legislation in the US?
I mean, in one sense, _obviously_. Most of the fearmongering around the GDPR comes from the ad industry (and to some extent from other impacted industries like the shadier parts of the debt collection industry, but they're much smaller and less noisy). I doubt there's an organised conspiracy to discredit it as such, but most of the anti-GDPR talking points do ultimately come from the ad industry.
And this isn't that surprising, arguably. For most companies, the GDPR essentially means, at most, "your business model is fine, but your process is flawed; fix it". For large parts of the ad industry, it means "your business model is flawed; change it". Note that a lot of the ad industry complaints are around consent; either that it has to be asked for in the first place or that it's too hard to give accidentally. Well, yes, that's the point.
> I'm not actually trying to explain or interpret anything. Instead, I am mostly paraphrasing
Yes, this is what I meant - apologies if this was worded poorly (edited it now). I was indeed referring to Americans' (wrong) understanding/interpretation of the GDPR you are referring to, rather than your own article's interpretation of it.
> I think it's more about baseless misconceptions and myths being thrown out here and there. Ask yourself: Why?
Indeed it is, however misconceptions/myths can be referred to as misunderstandings. I'm sure there are business interests at play and why there's a lot of bad advice being thrown around in an attempt to demonize the GDPR and make it seem more annoying than it actually is, but if we were to only assume good faith then I think it's fair to call it a misunderstanding.
Locally (Poland) I had a feeling that a lot of the misconception was fueled by people trying to sell consulting on GDPR, when the majority of the situation could be summed up as "remember the GIODO (Polish PII protection agency) rules that you ignored so far? Now they have teeth".
But if you sold it as something more complex than "PII is like nuclear waste, you want to avoid it", then you couldn't sell high-priced "GDPR transformation services" or get lots of ad views on your spiffy web page :/
There is a lot of money to be made in GDPR-related consulting peddling non-compliant snake oil. GDPR compliance is actually quite simple, however it is often detrimental to the business, so it's near-impossible to do "honest" GDPR consulting because you'd be telling your client things they don't want to hear and they would rather go to someone else that tells them what they want to hear, even if they don't actually solve the underlying problem of compliance.
That's the only reason I can think of why non-compliant consent management solutions (such as TrustArc) are thriving, even though a casual read of the regulations would immediately point out that they are not compliant and thus do not help to achieve the desired goal of GDPR compliance.
Unfortunately there is no enforcement at present so there's nobody out there to set the record straight and scare companies into compliance (potentially getting them to sue the consultancies for their non-compliant solutions).
At the same time, looking at all "parties" trying to track me on random website, my core question ends up being "why the everloving fuck why?".
A lot of actionable data for many a business can be safely separated from PII. Simultaneously, I have a hard time understanding why a simple website might need 20-50 different tracking services, all 3rd party. In my experience, that's the typical kind of business that was targeted by dishonest "GDPR consulting".
For the majority of businesses that I talked with, GDPR compliance could be handled by implementing a set of rules that fit, in normal font, on an A4 page. There are a few that truly required more, but those also had that data as crucial data, and that's where good honest consulting could do a lot of good.
This is kind of silly. The title implies “... by dumb Americans.” Sure, GDPR applies to more than just EU citizens, but why would you expect Americans to know about it in the first place? It might be more interesting to hear how EU citizens explain it, or how EU citizens explain driving on the opposite side of the road.
> It might be more interesting to hear how EU citizens explain it, or how EU citizens explain driving on the opposite side of the road.
There are only three countries remaining in the EU that drive on the left side of the road: Ireland, Cyprus, and Malta. A very small minority of EU residents could "explain" driving on the left side of the road, whatever that means.
> why would you expect Americans to know about it in the first place
These are quotes from influential people directly commenting on the GDPR, criticizing it for things they mistakenly believe it does/doesn't do. This article isn't the first to claim that these specific Americans should know about the GDPR, they themselves are claiming they know about it.
Weird article. After reading it I agree more with the points it's trying to refute.
You can't use the existence of a 1995 law to prove the GDPR doesn't have problems. The whole reason the GDPR got written was because the 1995 law was ineffective.
The GDPR adds new requirements on top of the 1995 law. Privacy advocates don't think these requirements help privacy much. Businesses claim that it makes it harder to do business (but they say that about any legislation). You can argue about who is right but neither side particularly likes the regulation.
The biggest group of people who do like the regulation seem to be EU citizens who want a reason to feel superior to Americans. It's unfortunate nationalism. We're all on the same side against the large corporations.
> Businesses claim that it makes it harder to do business (but they say that about any legislation).
To be fair, it tends to be true of any legislation. Even if all you're doing is passing a law ordering them to do what they were already doing, now they've got to pay lawyers to tell them that and auditors on a recurring basis to make sure it continues to be true even if it would have regardless.
And then the cost of that gets passed on to customers and employees, because laws apply to everybody which means raising prices due to compliance costs isn't a competitive disadvantage when everybody does it. (Or they don't apply to everybody and give advantage to foreign competitors.)
The costs also disproportionately impact small businesses, because the compliance cost is a fixed amount whether you have a million dollars in revenue or a billion, so regulation is effectively the most regressive form of taxation. (Compare this to taxing Facebook and using the money to fund privacy-protecting open source technologies.)
As someone who's been running small tech businesses in the UK for a while, I think it's also fair to say that the GDPR was unusually onerous even for government regulations. Over the past decade or more, only the VAT mess was comparable for anything coming out of the EU that I've been involved with. The similarities in those two cases are striking.
Each was meant to address a legitimate and well-established problem with how big businesses operate. Each also caused disproportionate expense and hassle for small businesses, even if those businesses weren't the intended targets and what they were doing was basically OK before.
Each had significant ambiguities that were either open to interpretation or missing key details, and so probably needed expert advice on compliance in many cases.
Each required businesses to change their record-keeping, documentation and processes for compliance, even if the substance afterwards was still much the same as before in each case.
Also, in each case enforcement seems unlikely for smaller businesses, so those who either didn't know about the new rules or wilfully ignored them gained an advantage over their competitors who were making a good faith effort to comply. I don't like good people being penalised just for trying to run their businesses legally and responsibly.
> The biggest group of people who do like the regulation seem to be EU citizens who want a reason to feel superior to Americans. It's unfortunate nationalism.
I'm not sure nationalism has anything to do with it. To most of the world, life is not primarily a competition with the US, and the kind of "superiority" that some Americans value is not an aspiration but a warning.
I think it is more likely that many Europeans simply place a higher value on privacy than some of our friends from across the pond. This is a matter of culture and our culture is influenced by some painful lessons about what can happen if too much privacy is lost. For historical and geographical reasons, I suspect most people in the US and their near ancestors have never experienced the dangers that all of us over here have been taught about, sometimes from first-hand accounts.
>The biggest group of people who do like the regulation seem to be EU citizens who want a reason to feel superior to Americans. It's unfortunate nationalism. We're all on the same side against the large corporations.
But you have an even more extreme law in the US for health data: you protect your health data that is generated in the health care system, but if you google some symptoms, buy some health products online, or read/watch some health-related pages, you are fine to be analyzed and sold to advertising? There is the example of the supermarket that detected some girl was pregnant and "leaked" the data to her parents, and that is fine for you, but if a doctor had done the "leak" it would have been a serious issue.
GDPR is not as extreme as HIPAA it just makes all personal data "problematic" and you can't do whatever you want with the data in secret.
GDPR surfaced all the hidden shit to the surface, many wanted the shit to stay hidden, now people can see that not only websites sell my data to a third party, they are greedy you want to sell it to 100+ different third parties - it makes you stop and think if maybe you want to close this tab or use a private window.
HIPAA is a facet of the general disease in the US healthcare system. The compliance cost is enormous but the industry doesn't object, it even benefits them, because it's all getting billed to insurance and the more everything costs the higher the base cost they get to multiply by their profit margin. Meanwhile the insurance is heavily subsidized by employers due to tax incentives, and the employees/citizens don't even realize how much it's costing them because there are so many layers of indirection.
From my perspective as an outsider I see regular US citizens loving HIPAA; it seems to me to be placed in the same category as guns and free speech (even more so, as I have never seen someone arguing that health data should be sold to the highest bidder and in secret), whereas for guns and free speech there are people who want more limitations.
Of course, because they're seeing the benefit and not the cost. It's like asking people if they want free video hosting without mentioning that you're tracking everybody who uses it. People say yes.
So your point is that HIPAA is bad, your doctor should be able to sell your data? My point was that your browsing data is similar to health data, it could even contain health data so it should be a trail of who is collecting what and is sharing with whom and why. I won't believe the argument that implementing transparency for what you collect and sell is too expensive.
My point is that HIPAA has absurdly high compliance costs. It's like buying an apple for a million dollars. The problem isn't that apples are bad, but we sure shouldn't buy any more for that price.
Isn't the cost an implementation detail? The laws do not require things to be expensive, and there might be a need for more regulations to fix the costs with better defined standards, software, procedures etc.
> Time will tell how effective the GDPR is going to be [...] Nevertheless, we should acknowledge the fact that EU law has got many of the foundational principles around data protection right.
This post accidentally explains many Americans' issues with the GDPR. By focusing on intent and idealism to buttress justifications for the law's presence, proponents use righteousness as an excuse for heavy government interference. Almost everyone agrees with the ideals of data privacy. But recognizing reality, some advocate for not asking clearly ineffective institutions to police such things since often said technology laws and policing tend to hurt more than help. They also give a mandate for more government intrusion in technology (e.g. welcoming GDPR tacitly encourages the copyright directive) as policy makers can't help themselves. Rather, more measured approaches like education, consumer awareness, encouragement of alternatives, transparency requirements, and enforcement of existing statutes (fraud, personal info, etc) are leaped over.
Tech that people willingly trade info for (and arguably would do so regardless of awareness) is not analogous to food ingredients or medicine. You can't legislate every harm out of existence, and this is the fundamental difference in the two sides. One side is concerned with government oversight in these matters and where it leads, the other is not. Usually we'd say to each their own, yet we communicate on a global medium, so ideally we'd lean towards fewer restrictions (especially if you consider the legislative implementers on the American side).
The way the EU usually works is that they say "we are concerned about X, Y and Z's effect on our citizens" to industry, and industry responds "we'll self-regulate to ensure X, Y and Z do not have the effect you're concerned about". If self-regulation doesn't work out, a directive is passed.
Industry, in this case, didn't even try to self-regulate, so a series of directives with gradually more teeth were passed over the last 20-odd years.
> The way the EU usually works is that they say "we are concerned about X, Y and Z's effect on our citizens" to industry, and industry responds "we'll self-regulate to ensure X, Y and Z do not have the effect you're concerned about".
The problem in this context is identifying adtech as the industry rather than the adversary. It's like identifying a problem with spam and then asking the spammers to self-regulate. It's misapprehending the nature of the problem.
So then you say the spammers wouldn't self-regulate by not spamming so we're going to regulate email. Everybody hire a lawyer if you want to use email. And then the spammers still give you the finger because the internet spans the globe and they just set up in countries that won't enforce your rules, and the rules increase costs on everybody else.
What we need here are technical solutions. Browsers that resist tracking and fingerprinting. Technology to resist correlation attacks. The dissolution of unitary identity systems. More software that runs on your machine and not the adversary's machine. Make tracking too hard and there is no more tracking industry.
The thing most needed there is funding. There is profit in tracking and not so much profit in anti-tracking, so if you want anti-tracking then provide money for it. And for goodness sake stop passing laws against anti-tracking measures.
I'll point out that the EU Government has poured an incredible amount of money into the problem of "privacy and enhancing trust" and related topics - if you're in the EU, even as an individual developer you can likely get some of that money through NLNet. Unfortunately it's a hard problem and the other side has a lot of money too.
> If self-regulation doesn't work out, a directive is passed.
We can do better! Public education campaigns and support for alternatives for starters. The "they didn't fix the issues, so new laws will fix their issues" is myopic at the least, and potentially harmful if it doesn't fix the issues either.
Nobody expects that. It has become unfortunate that if you are not in favor of the GDPR as implemented, you must be against its principles and in favor of privacy-violating companies.
Public education campaigns don't work when the people they are educating have no power in a problematic relationship.
You can educate me about green energy all you want, but if all the power providers I can switch to are burning coal, you're just wasting your time and money.
Passing laws is the opposite of myopic behaviour. To put it bluntly - theft is outlawed, not something we discourage solely through, uh, education campaigns.
Actually more than that, but I'm just using one of the shorter timelines involved.
So if the rather hands-off approach didn't work, campaigns didn't work, capitalism didn't work because it was always on the side of violating privacy? Well there comes the hammer.
A significant part of the GDPR - and in fact the bit most software people complain about - is forcing the companies in question to educate the public on what their data is being used for.
That's not a reasonable approach to public awareness IMO. "Forcing" these private companies to do this and that is only going to result in it being done in the least meaningful way possible. It doesn't matter whether it's the DPD, the EU cookie law, or the GDPR. So much deja vu...
That's ok - if the company can't convince the user that it'd be good for them to opt in to all 200 "partners" they'd like to share data with, the user can click the big shiny "fuck off" button that's required to be there. It's not there, or not obvious? That's a GDPR violation.
> Rather, more measured approaches like education, consumer awareness, encouragement of alternatives, transparency requirements, and enforcement of existing statutes (fraud, personal info, etc) are leaped over.
More measured approaches were tried and didn't work. Previous national laws and EU regulations were less intrusive, which didn't help anyone; the industry still complained back then and consumers were under far worse protection. The ship for the industry to propose soft non-measures like education and voluntary limitations has long sailed. Tech botched it so hard that the EU, usually unable to find any firm stance on anything, got its act together and created GDPR. Which, at the time, even surprised privacy advocates...
I'm not convinced public awareness campaigns and various support for alternatives were reasonably tried. Also, the firmness of one's stance isn't in its words.
> Rather, more measured approaches like education, consumer awareness, encouragement of alternatives, transparency requirements, and enforcement of existing statutes (fraud, personal info, etc) are leaped over.
The GDPR didn't come out of nowhere. There is a whole slew of prior legislation, of course (the Data Protection Directive is from the 90s, for instance), which was generally ignored by big players because it was fairly toothless (fines typically at most in the hundreds of thousands, etc). The industry had a _lot_ of warning, over three decades, that it would be regulated if it didn't improve things. It really has only itself to blame.
To tailor the argument for the audience, please stop bringing me tweaks on this same flawed implementation that is only adding complexity and bugs to the system while not even fixing the majority of original problems. I don't care what the Jira issue comment said this would do or what the PR issue said it would do, I am telling you how it is performing in production, how the last version of the same approach performed in production, and am asking for re-thinking the approach.
What you're saying is that somehow we should have continued doing things that didn't work at all, whereas GDPR actually got companies to care at least a little (seeing from both inside and outside). Yet you insist that instead of doing anything, we should think of the big pie in the sky and continue doing the same not-working alternatives.
Your argument would be more persuasive if it had any examples.
> You can't legislate every harm out of existence
Says country with highest murder rate among developed nations. (Ok, so not a fair comparison but the political argument is the same).
If there is anything US tech companies have shown us, it is that the industry and consumers cannot handle data protection and privacy by themselves. There needs to be a good set of legislation to ensure it. Sure, GDPR is a bit invasive and detailed in some areas - but the general idea and the way it works is good. To limit data collection, sharing and processing with rules is good. Unfortunately there are a few shortcomings to the law, such as the requirement to be explicit and notify about suppliers for data processors, documentation and deletion policies.
> Rather, more measured approaches like education, consumer awareness, encouragement of alternatives, transparency requirements, and enforcement of existing statutes (fraud, personal info, etc) are leaped over.
I can assure you that nothing has done more to educate consumers about data privacy than GDPR. Partly by media focus, but mainly by showing consumers what data they give away to companies by making this explicit. Regarding fraud it also has a positive impact as GDPR specifically requires encryption and other security measures. Companies might have not bothered to fix this before, but with GDPR fines of up to 4% of revenue they surely have.
> Ok, so not a fair comparison but the political argument is the same
It's not. We have to avoid these analogies, because for every legislative success one can point to, there is a failure one can point to. For every positive national statistic one can point to, there is a negative statistic one can point to.
> the industry or consumers cannot handle data protection and privacy by themselves
While true, that doesn't always imply extreme measures.
> but the general idea and the way it works is good
Most people agree with the ideals. I argue the way it works is not good, neither as codified nor as implemented. For example, transparency requirements can have value. But such a large unenforced (or worse, selectively enforced) collection of requirements is only adding complexity to the system while providing only negligible benefit.
> I can assure you that nothing has done more to educate consumers about data privacy than GDPR
Exactly. If the only tool you use is a hammer, it's going to also be the most effective regardless if it's the best tool.
> I argue the way it works is not good, neither as codified nor as implemented.
Do you have any proper arguments at all or are you just holding on to your ideology? I'm guessing you do not really know the details of GDPR since you haven't mentioned a single example or specific argument what is a problem in all the text you wrote in multiple comments.
+1. I was against GDPR explicitly because it was obvious something like the Copyright Directive would be next and now the EU is literally ending online freedom of speech.
Pick your favourite language https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...