America should borrow from Europe’s data-privacy law

281 points by kushti about 7 years ago

18 comments

bognition about 7 years ago
Generally I agree but I think the law should take a different slant. Rather than providing consumers recourse after their data has been collected we need to provide individuals the right to control what data will be collected. All devices should have a label describing what kind of data collection they do. This label should be on the packaging in easy to understand human terms (not buried in the EULA). Additionally devices would be classified into one of 4 different classes:

Class A - no data collection

Class B - anonymized statistics for diagnostics that cannot be used for marketing

Class C - anonymized usage statistics that can be used in aggregate

Class D - Targeted collection that can be used for targeted marketing

Consumers should have the explicit right to opt out of any and all data collection without risk of impairing the primary function of a device. For example there is no reason a TV should need to be anything beyond class A (maybe B). A smart speaker on the other hand needs to be a B maybe C. Nothing should need to be a class D.
djsumdog about 7 years ago
I know the EFF opposes the right to be forgotten. I'm curious if there are any similar concerns with the GDPR.

The trouble with the right to be forgotten is censorship. The concept is nice, but in the end, the right to be forgotten can mean corrupt powerful people can censor their misdeeds.

I think something similar in the US would be problematic without our freedom of speech. Even if you get a criminal record expunged, anyone who scooped up that data, that was once public, does have the right to hold onto and sell it.

Not to say that's a good thing. It does encourage Labeling Theory, preventing people with criminal records from being able to find legit work (a counter example, the sex offenders registry in Australia is confidential. It can only be accessed for very specific things, like employment at a school).
loudmax about 7 years ago
Given the expense and difficulties of complying with these rules and enforcing them, we should seriously consider the opposite approach of radical transparency.

As the ability to collect and process data becomes cheaper and easier to deploy, it seems to me that trying to preserve an assumption of universal privacy and anonymity is trying to swim up a waterfall. Cameras are becoming so cheap they're practically disposable. Facial recognition software and the big data tools to manage all this data are also becoming more widely available. Are we going to legislate against all that? It's one thing to monitor high profile corporations like Google and Facebook, but if surveillance is cheap enough, how do you make sure that *no one* is amassing reams of private information?

The worst case scenario is that while corporations and criminal organizations continue to discreetly gather private data, the rich and powerful will be able to afford the cost of privacy but the rest of us won't have a grasp on who knows what about us.

The alternative to working against the tools that technology affords us is to work with them. In some cases this means embracing radical transparency. We define a narrow range of places that really are private, and assume that anything that happens outside of those spaces is public. For example, what happens inside of one's bedroom is private, but what happens outside of one's front door is public. This information wouldn't be available only to the powerful or well-connected, it should be available to everyone. In particular, society should keep a close eye on the richest and most powerful people. Not necessarily on their private lives, but certainly on their finances.

I'm not arguing that we should give up all privacy. Encryption works and is difficult to defeat, so we should default to encrypting all interpersonal communication. We don't need to give up privacy, but we do need to prioritize what aspects of our lives should remain the most private. I do think that if we're going to expect twentieth century notions of privacy and anonymity with twenty-first century technology, we're going to have a very hard time of it.
wpietri about 7 years ago
For those interested in considering alternatives, I recommend giving the sci-fi book "Queen of Angels" by Greg Bear a read. [1]

That novel follows a police detective trying to solve a crime. A major source of tension is that all of the quasi-public data (public cameras, citizen movements, credit card use) is in the hands of a separate institution called Citizen Oversight. If I remember rightly, it was a separate, quasi-governmental (or non-governmental) body, broken down by region and with separately elected commissioners.

In the novel, the main focus is the relationship with the police, which was very tense; Citizen Oversight was very stingy with data. But you could easily imagine it having jurisdiction over corporate behavior around individual data. And having an active regulator whose job it is to enforce broad *principles* would have advantages over detailed rule-making fixed in laws. Especially so if they were part of a legally independent body.

It was definitely interesting to think about. And given that it came out in 1990, surprisingly prescient on the topic of data and privacy.

[1] https://en.wikipedia.org/wiki/Queen_of_Angels_(novel)
bowlofpetunias about 7 years ago
It's not the law that's the difference here. The clue is under the headline:

> The GDPR’s premise, that consumers should be in charge of their own personal data, is the right one

That's not just the GDPR's premise, that's the very foundation of privacy as a civil right in Europe, and has been for a very long time.

The GDPR is just yet another attempt to force companies who have wilfully ignored the rights of millions of Europeans to start complying with laws we already had in place. It's not something new, just an iteration in enforcement.

America should make laws that suit America's values and principles, but as it stands, America has no deep concept of privacy. The GDPR is alien to American values.

(BTW, that quote is subtly wrong but illustrates the huge gap in perception: it should be "citizens", not "consumers"...)
chimeracoder about 7 years ago
To push back on the premise a little:

The intention behind the GDPR is good, but it still hasn't gone into effect yet, and it remains to be seen what the long-term effects of it are. It's really premature to draw any conclusions about its effectiveness, and history provides us with countless examples of far-reaching regulation that either failed to have the desired outcome, or in fact ended up exacerbating the very problems that it aimed to solve.

With a law as massive as the GDPR, it's going to take several years to really get a sense of what steady state will look like, and there are all kinds of ways it can backfire. I hope it won't, but there definitely is a strong, unfounded bias in discourse towards assuming that the GDPR will succeed in the goals that have been projected onto it.
throwaway2016a about 7 years ago
I think the US implementing something similar is inevitable. If not by the government then by a privacy company (like PCI is for the card industry).

Already I've started to see contracts with credit card gateways include PrivacyShield clauses.

Personally, all products I build going forward will be GDPR and Privacy Shield compliant even though I am in the US. I recommend other entrepreneurs do the same because it is probably easier to consider it now than it is to do it later.

For example (to give context we have PCI requirements too) when someone makes a change to the code we have an impact assessment that needs to be filled out. Among those are the questions:

1. How will this change impact security?

2. How will this change impact customer privacy?

We fill it out for every single change request (even if the answer to both is "It doesn't") just to document that we are thinking about it and engrain thinking about it into the company culture.
no1youknowz about 7 years ago
> The legislation is far from perfect. At nearly 100 articles long, it is too complex and tries to achieve too many things. The compliance costs for smaller firms, in particular, look burdensome.

Not here, but I have seen many comments on other sites that imply this will be a burden on small companies implementing this and worrying about whether they are compliant with some rules that can be interpreted in different ways. Also answering requests for information which range from the benign and can be automated to the letter which caused a stir on linkedin [1] and can be viewed as complex and costly for a small business to answer.

The reason why I talk about small companies, in a lot of cases another already overworked person will need to wear another hat and may or may not do a good enough job. Versus the larger ones, they can implement a small task force and get this out of the way.

I know some commenters on HN would disagree with this and mention that these smaller businesses who don't adopt GDPR should go out of business. But I largely disagree. Businesses which close due to regulations, results in larger market shares to those left standing. Meaning that competition and what largely benefits the consumer dwindles down. Another knock on to this would mean that prices go up, due to those same regulations.

However, what I haven't seen talked about which I wonder if it will make the GDPR moot. Is that Trump is currently engaging in a trade war and I wonder if any lobbying attempts are being made for him to exempt US companies from it[2]?

[1]: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/

[2]: https://martechtoday.com/president-trump-save-us-from-the-gdpr-horror-show-213403
jimmaswell about 7 years ago
GDPR seemed unnecessarily overburdensome and limiting last time I looked into it. I don't think we should have anything like it.

I don't really buy this concept that you have a reasonable expectation of privacy on other people's websites and the site owners don't own data collected on their services unless the EULA specifically says something to the contrary.

As a practical matter, if we make it even harder to target advertisements then we'll end up with even more of these "you've run out of articles" type sites. I don't want to have to pay the ISP and then also pay every individual website. Collect all the data on me you want to make it so.
spdustin about 7 years ago
Here’s what I’d like: any advertisement I see on the Internet should have a small pictograph/icon/link I can select that tells me—specifically—why I’m seeing that ad. Precisely what data points were used, was it remarketing, was it an uploaded list of email addresses, etc.
em3rgent0rdr about 7 years ago
I worry about a GDPR-like law preventing innovation, for example because wouldn't it make IPFS-like storage, which relies on duplication and can't remove files, illegal:

[1] https://en.wikipedia.org/wiki/InterPlanetary_File_System
sakuronto about 7 years ago
Maybe America should wait a bit to see how it goes before jumping on the bandwagon. There isn't much to gain by adopting these (potentially beneficial) standards sooner rather than later.
paulie_a about 7 years ago
America should have data privacy laws to begin with and a way to completely opt out of Equifax etc
zerotolerance about 7 years ago
As far as I'm concerned the Internet is public infrastructure and you should never expect privacy of your behavior in public places. Besides, "identifying" information should be useless, but it isn't today.

What if we stopped using "identifying" information as authenticating information? PII is only useful because the authentication systems we have in place are such sh*t. Changing this is a much more achievable scope, and would actually address the core value of stolen PII.
golemotron about 7 years ago
In the US is there a possibility of a 1st Amendment challenge? The act of recording information could be seen as speech or publication.

If we take computers out of the argument it would look like this: the government telling people that they can not take notes or make records of information that they hear. Case law has found, for instance, that photography in public (which is making records) can not be banned.
yalogin about 7 years ago
Why do they define small companies using the number of employees or money they make? In today’s world laws should be made based on the amount of data a company has. If they have data on upwards of 10 million they need to comply with all data protection and privacy laws. Companies should and will plan their funding and operations accordingly.
handsome-mike about 7 years ago
Could Americans take advantage of EU protections by using European services?
jrgaston about 7 years ago
While I agree with the Economist, the idea that the US look outside its borders for advice is laughable. American exceptionalism and all that.