
I'm pretty unclear from your post how GDPR is different from any other compliance standard

Overall, many of the 'problems' here seem natural, signs of it working, and even good?

Ex - variety: I would expect a bank vs a retailer vs a startup to have significantly different implementations of GDPR. Even within the same industry & weight class, I would expect different companies to have different risk appetites -- that's ultimately a commercial decision -- and thus different takes on what they consider appropriate risk-adjusted compliance

Ex - certainty: While I am a (strong!) advocate of making checkbox compliance provide an optional automatable conformance testing API, I also recognize that making such an interface a hard requirement would lead to excessive rigidity. The real world has ~400 million companies with all sorts of edge cases who benefit from ambiguity & interpretation in policies. The compromise here and elsewhere has been the same: As you get bigger, bring in security experts and auditors. If you've done anything like SOC2, HIPAA, etc, it seems normal, and in my experience, successfully reveals issues that get fixed / starts the paper trail for corporate malfeasance?

Ex - GCP: I would think a bank would better understand how its cloud data processor is working, enough to answer basics like where customer data is flowing, whether another country or company sees it, etc? And if not, that's a pretty core problem both with the bank and the cloud data processor?

I'm not sure what the problem with the cookie thing is. Companies can choose not to track, improve their EULAs, etc. Maybe it's that it's too easy for companies to just do a popup and trick/force users into being tracked... and you want something stronger than gpdr?




> I'm pretty unclear from your post how GDPR is different from any other compliance standard

I never said it was different, I said it is a dumpster fire. Most regulation being dumpster fires does not somehow absolve the GDPR from being a dumpster fire.

> I would expect a bank vs a retailer vs a startup to have significantly different implementations of GDPR.

Maybe we are using different definitions of the word interpretation, but if nobody knows how to comply with your regulation because they don't understand what it means, it is bad regulation. Regulation that is entirely open to interpretation is a massive "do not invest" red flag to businesses, which incidentally, is one of the reasons why innovation in the EU is so bad.

> I also recognize that making such an interface a hard requirement would lead to excessive rigidity.

If compliance is uncertain it makes business more expensive and wasteful. If nobody knows whether they are complying with regulation and the only way to find out is litigation, it is bad regulation.

> Ex - GCP: I would think a bank better understand how its cloud data processor is working enough to answer basics like where customer data is flowing

There is much more to GDPR than to what country data is flowing. Again, I don't know how to express this more clearly: National agencies neglected their responsibility in setting out certification processes. As useless as they were at their job, at the very least they could see this is needed, they just did not do their job because they had no incentive to do it.

> I'm not sure what the problem with the cookie thing is.

It could have been implemented by browsers as a header in HTTP requests. Having a popup on every site is not a clever strategy.


Neither the cookie law nor any of the other related privacy laws say anything about cookie banners. They only state that users must be given clear explanations and a chance to consent (or not).

Scummy companies took the path filled with the darkest of patterns because they want to suck up as much data as they can to sell to 3rd parties. You'll notice GitHub for example doesn't have any kind of banners or popups about cookies, and they're GDPR compliant.

I suspect the next course of action will be that the EU tightens what the law means - aka no, selling my data to 1100 "partners" isn't legitimate interest. But this isn't a failing of the GDPR, it's a failure on the part of the scummy companies that just can't help but poke the nest for every crumb of data.


> Scummy companies took the path filled with the darkest of patterns because they want to suck up as much data as they can to sell to 3rd parties.

I take exception to that. I have worked for many companies that are not in the least bit "scummy" and have popups. Even our government sites here in Norway have the popups [1]. All this points to is again that the regulation is bad.

And again, because of the lack of certification, it's not possible to claim that GitHub is compliant. All you can say is that a court has not found them non-compliant yet. That is not the same as being compliant.

[1]: https://i.imgur.com/0csPRqT.png


I'm not sure what you're looking for, given how the rest of compliance works? What is the compromise?

I suspect people would hate it even more if every company needed to go through an official gov GDPR certification. In the US, SOC2, and in the EU, ISO, are voluntary (not gov), and generally don't happen till most companies hit 8 figure revenue (and earlier in enterprise).

What I would expect to start happening is, similar to FedRAMP or UK's CHECK, govs will accredit third-party firms for auditing. Companies can - and typically do - already use these without gov's blessing for SOC2, ISO, yes, GDPR. Certification by a 3PAO is not indemnity, just a good faith positioning for when the enforcement agency gets a complaint and audits on related topics. (And in the case of inept management who doesn't cheap out, a wakeup.)

In areas like bank regulations, the gov is even more high-touch, and I really wouldn't wish that on the 400M businesses out there.


> I'm not sure what you're looking for

Regulation that is clear, in the sense that people can know whether they are complying with it or not and know how to become compliant with it. I explained the problems with GDPR at length now, I think it's pretty clear I don't want the problems.

I also want the national agencies to do what their job is — not their job according to me, their job according to the EU, which is defining certification that is acceptable to them. What about my expectations are unclear?

> In the US, SOC2, and EU, ISO, are voluntary

How are these relevant here? How do these being voluntary make GDPR less of a dumpster fire? GDPR is not voluntary, in case that was unclear to you at this point.

So okay, other things — not the GDPR — are not dumpster fires, and how GDPR would not be a dumpster fire if it was different. Agreed. I did not say anything about SOC2 and ISO, and I did not say GDPR would not be a dumpster fire if it was different. My concern with GDPR is not its acronym.

But the EU won't fix it, they never fix anything — they have no incentive to fix it, in fact, Eurocrats are incentivized to not fix it. They just keep smearing more crap on the crap sandwich.
