Arthur T Knackerbracket has processed the following story:
In an earlier article, I discussed a few of the flaws in Europe’s flagship data privacy law, the General Data Protection Regulation (GDPR). Building on that critique, I would now like to go further, proposing specifications for developing a robust privacy protection regime in the US.
Writers must overcome several hurdles to have a chance at persuading readers about possible flaws in the GDPR. First, some readers are skeptical of any piece criticizing the GDPR because they believe the law is still too young to evaluate. Second, some are suspicious of any piece criticizing the GDPR because they suspect that the authors might be covert supporters of Big Tech’s anti-GDPR agenda. (I can assure readers that I am not, nor have I ever, worked to support any agenda of Big Tech companies.)
In this piece, I will highlight the price of ignoring the GDPR. Then, I will present several conceptual flaws of the GDPR that have been acknowledged by one of the lead architects of the law. Next, I will propose certain characteristics and design requirements that countries like the United States should consider when developing a privacy protection law. Lastly, I provide a few reasons why everyone should care about this project.
People sometimes assume that the GDPR is mostly a “bureaucratic headache”—but this perspective is no longer valid. Consider the following actions by administrators of the GDPR in different countries.
In other words, the GDPR is not merely a bureaucratic matter; it can trigger hefty, unexpected fines. The notion that the GDPR can be ignored is a fatal error.
Axel Voss is one of the lead architects of the GDPR. He is a member of the European Parliament and authored the 2011 initiative report titled “Comprehensive Approach to Personal Data Protection in the EU” when he was the European Parliament's rapporteur. His call for action resulted in the development of the GDPR legislation. After observing the unfulfilled promises of the GDPR, Voss wrote a position paper highlighting the law's weaknesses. I want to mention nine of the flaws that Voss described.
First, while the GDPR was excellent in theory and pointed a path toward the improvement of standards for data protection, it is an overly bureaucratic law created largely using a top-down approach by EU bureaucrats.
Second, the law is based on the premise that data protection should be a fundamental right of EU persons. Hence, the stipulations are absolute and one-sided or laser-focused only on protecting the "fundamental rights and freedoms" of natural persons. In making this change, the GDPR architects have transferred the relationship between the state and the citizen and applied it to the relationship between citizens and companies and the relationship between companies and their peers. This construction is one reason why the obligations imposed on data controllers and processors are rigid.
Third, the GDPR law aims to empower the data subjects by giving them rights and enshrining these rights into law. Specifically, the law enshrines nine data subject rights into law. They are: the right to be informed, the right to access, the right to rectification, the right to be forgotten (or to erasure), the right to data portability, the right to restrict processing, the right to object to the processing of personal data, the right to object to automated processing and the right to withdraw consent. As with any list, there is always a concern that some rights may be missing. If critical rights are omitted from the GDPR, it would hinder the effectiveness of the law in protecting privacy and data protection. Specifically, in the case of the GDPR, the protected data subject rights are not exhaustive.
Fourth, the GDPR is grounded on a prohibition and limitation approach to data protection. For example, the principle of purpose limitation excludes chance discoveries in science. This ignores the reality that current technologies, e.g., machine learning and artificial intelligence applications, function differently. Hence, these old data protection mindsets, such as data minimization and storage limitation, are not workable anymore.
Fifth, the GDPR, on principle, posits that every processing of personal data restricts the data subject’s right to data protection. It requires, therefore, that each of these processes needs a justification based on the law. The GDPR deems any processing of personal data as a potential risk and forbids its processing in principle. It only allows processing if a legal ground is met. Such an anti-processing and anti-sharing approach may not make sense in a data-driven economy.
Sixth, the law does not distinguish between low-risk and high-risk applications by imposing the same obligations for each type of data processing application, with a few exceptions requiring consultation of the Data Processing Administrator for high-risk applications.
Seventh, the GDPR also excludes exemptions for low-risk processing scenarios or when SMEs, startups, non-commercial entities, or private citizens are the data controllers. Further, there are no exemptions or provisions that protect the rights of the controller and of third parties for such scenarios in which the data controller has a legitimate interest in protecting business and trade secrets, fulfilling confidentiality obligations, or the economic interest in avoiding huge and disproportionate efforts to meet GDPR obligations.
Eighth, the GDPR lacks a mechanism that allows SMEs and startups to shift the compliance burden onto third parties, which then store and process data.
Ninth, the GDPR relies heavily on government-based bureaucratic monitoring and administration of GDPR privacy compliance. This means an extensive bureaucratic system is needed to manage the compliance regime.
There are other issues with GDPR enforcement (see pieces by Matt Burgess and Anda Bologa) and its negative impacts on the EU’s digital economy and on Irish technology companies. This piece will focus only on the nine flaws described above. These nine flaws are some of the reasons why the US authorities should not simply copy the GDPR.
The good news is that many of these flaws can be resolved.
(Score: 5, Insightful) by Tokolosh on Monday September 30, @07:27PM (1 child)
https://en.wikipedia.org/wiki/Third-party_doctrine [wikipedia.org]
Nullify, make it fruit of a poisonous tree, put some real teeth into any contraventions.
Then, nullify parallel construction in the same way.
https://en.wikipedia.org/wiki/Parallel_construction [wikipedia.org]
The US government loves all the data the STASI companies collect and share for them. It is not going to give this up. But if the State cannot use the data, it will support privacy. If you vote D or R, you are part of the problem.
(Score: 3, Insightful) by JoeMerchant on Monday September 30, @07:34PM
Without transparency there will be no enforcement of any privacy laws, anywhere.
(Score: 5, Insightful) by bloodnok on Monday September 30, @07:35PM (1 child)
I have read the article and am baffled. I think the author may be on to something with the fiduciary idea but the rest seems like an attempt to create something that claims to be data protection while allowing the perpetrators of shady data practices to continue what they are doing.
What the article recommends:
Really? Do you want the likes of Google to be involved in drafting data protection legislation? How could a company that wants to own all the world's data be expected to create legislation that would limit their collection and use of that data? If you gave them the legislation they wanted, you'd have no data protection, and if you didn't they wouldn't buy in to it.
And anyway, why would you even want their buy-in?
I like the fact that the GDPR equates data privacy to a human right. It makes things very black and white and makes the responsibilities of those holding data about you pretty clear. If they are not clear to your organisation, then it shouldn't be holding data on other people.
Yes, there may be problems with it but these can be addressed by amendments. If it is not possible to outsource data management to a responsible data management provider (according to the article), then maybe that should be looked at and appropriate changes made.
The GDPR gives individual netizens the right to limit what data about themselves is used for. If an organisation needs data about you to do something on your behalf, that is allowed. But they have a duty to protect that data, not share it with anyone that does not need it, and not use it for other purposes.
And of course, those individual netizens are fully able to deliberately share their data with Meta^H^H^H^H^H bad actors.
__
The Major
(Score: 5, Informative) by janrinok on Monday September 30, @07:46PM
I agree with you. This seems to be written in part to address the 'problems' that businesses have experienced with the GDPR. It wasn't written for their benefit but for individuals' protection.
It is quite clear that personal data may be kept for those who can justify holding it but they have to be responsible for its protection. However, it cannot be passed to a third party without a clear justification on why that is necessary for the original purpose for which it was collected. Selling it or even moving it to another system that does not provide the same level of protection or fails to accept their responsibilities to the individual is NOT acceptable.
Personal data is not a money making scheme no matter how much businesses wish it to be the case.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.
(Score: 5, Insightful) by pTamok on Monday September 30, @08:37PM
The fines are unexpected only if you have not been paying attention. Regulators are pretty forgiving, and give organisations the opportunity to correct things: but, the bigger the organisation, the greater the expectation that the organisation has the resources to do things properly. No fine should be unexpected unless wilful ignorance has been in play. As lawyers point out: ignorance of the law is no defence.
It is by no means overly bureaucratic. How certain organisations choose to structure their compliance can be, but that is their choice. Compliance can be remarkably simple.
Protecting the fundamental rights and freedoms of natural persons (no air quotes needed) is precisely correct. Corporations are not natural persons, and it is stupid to pretend they are, or give legal persons the same rights without the same responsibilities and potential for punishment as natural persons. Giving organisations the ability to shelter bad practices behind corporate personhood is not a good idea.
So what rights are missing? As a general note, if anyone talks about 'enshrining these rights into law', you can ignore them; they don't know what they are talking about. (David Allen Green - The Law and Policy blog (2020-11-25): Why the phrase ‘to enshrine in law’ is a fraudulent device [davidallengreen.com])
Just because it is inconvenient or expensive to generate the necessary data for training should not give people the liberty to ignore data protection rules. The "WAAAH! You've made it difficult/expensive for me!" argument is about wanting free privilege.
You just need permission to share. What's difficult about that?
This sentence is absurd - it starts off saying "the law does not distinguish between low-risk and high-risk applications" and ends by saying that you need "consultation of the Data Processing Administrator for high-risk applications". It does distinguish. Maybe not in a way you'd like, but it does. Writing the justification for high-risk processing is instructive, and meant to make people think.
Why should SMEs and startups get a free pass to ignore data processing rules? As for 'non-commercial entities', a data breach from a non-commercial collection of personal data is just as bad as from commercial entities. As for a private citizen exemption, do you really want billionaires amassing huge databases of personal data without oversight? Really?
Yes, this is a pain, because I have seen non-specialists ignoring their obligations because they think that by hiring a data processor they can shift the compliance responsibility. But there is a good reason for this: if you can't shift the compliance burden, you can't shift the blame either. You can employ third parties to help with your compliance: but the legal responsibility remains with you. This is by design.
Not really. Data regulators are cheap. It's not as if they need lots of special equipment or expensive consumables.
The GDPR is not as bad as painted. But there are a lot of corporates who really don't like compliance.
Personal data is not a free resource to be monetised. It is owned by the data subject, and you need a good reason to process it. Making money from it is not a good reason.
(Score: 3, Interesting) by tekk on Monday September 30, @08:52PM (1 child)
I'm not exactly a fan after going to that mentioned first article and all of the complaints essentially break down to "The GDPR is too hard, these shouldn't be considered basic human rights."
The only one I can kinda sympathize with is the complaint that GDPR is global. It does in fact suck that I have to consider the GDPR when I'm looking at my own projects based out of the US from a pragmatic standpoint of my having to do stuff. On the other hand it's not exactly bad to be forced to consider privacy and data usage from the start, so it's more of an annoyance that's worth the trouble.
(Score: 0) by Anonymous Coward on Tuesday October 01, @12:34AM
For those not in the US it's just one more world power you need to avoid pissing off. After all Assange was not a US citizen, was not in the US, and still the US gave him a lot of trouble. Kim Dotcom had his mansion in NZ raided.
Also if you never offer goods/services to EU people and never go to EU then the GDPR probably won't matter as much to you.
(Score: 4, Insightful) by Thexalon on Tuesday October 01, @02:36AM (1 child)
1. The companies being regulated will be invited to propose rules to their favorite (i.e. most bribed) Congresscritters.
2. Once a deal is made that satisfies all the companies being regulated (i.e. no real regulation on anything they actually want to do), the law will get passed. How loudly this happens depends on the degree to which Congresscritters believe the public actually cares about the issue.
3. If any regulatory agency gets too close to bringing an actual case against any of the companies involved in the original deal, the people at that agency involved in the case will be enticed to leave their jobs in favor of cushy no-show jobs at the company they were investigating.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 1) by pTamok on Tuesday October 01, @06:23AM
Where is the '+1 Cynical, but reality-based' mod when you need it?