Arthur T Knackerbracket has processed the following story:
In an earlier article, I discussed a few of the flaws in Europe’s flagship data privacy law, the General Data Protection Regulation (GDPR). Building on that critique, I would now like to go further, proposing specifications for developing a robust privacy protection regime in the US.
Writers must overcome several hurdles to have a chance at persuading readers about possible flaws in the GDPR. First, some readers are skeptical of any piece criticizing the GDPR because they believe the law is still too young to evaluate. Second, some are suspicious of any piece criticizing the GDPR because they suspect that the authors might be covert supporters of Big Tech’s anti-GDPR agenda. (I can assure readers that I am not, nor have I ever, worked to support any agenda of Big Tech companies.)
In this piece, I will highlight the price of ignoring the GDPR. Then, I will present several conceptual flaws of the GDPR that have been acknowledged by one of the lead architects of the law. Next, I will propose certain characteristics and design requirements that countries like the United States should consider when developing a privacy protection law. Lastly, I provide a few reasons why everyone should care about this project.
People sometimes assume that the GDPR is mostly a “bureaucratic headache”—but this perspective is no longer valid. Consider the following actions by administrators of the GDPR in different countries.
In other words, the GDPR is not merely a bureaucratic matter; it can trigger hefty, unexpected fines. The notion that the GDPR can be ignored is a fatal error.
Axel Voss is one of the lead architects of the GDPR. He is a member of the European Parliament and authored the 2011 initiative report titled “Comprehensive Approach to Personal Data Protection in the EU” when he was the European Parliament's rapporteur. His call for action resulted in the development of the GDPR legislation. After observing the unfulfilled promises of the GDPR, Voss wrote a position paper highlighting the law's weaknesses. I want to mention nine of the flaws that Voss described.
First, while the GDPR was excellent in theory and pointed a path toward the improvement of standards for data protection, it is an overly bureaucratic law created largely using a top-down approach by EU bureaucrats.
Second, the law is based on the premise that data protection should be a fundamental right of EU persons. Hence, the stipulations are absolute and one-sided or laser-focused only on protecting the "fundamental rights and freedoms" of natural persons. In making this change, the GDPR architects have transferred the relationship between the state and the citizen and applied it to the relationship between citizens and companies and the relationship between companies and their peers. This construction is one reason why the obligations imposed on data controllers and processors are rigid.
Third, the GDPR law aims to empower the data subjects by giving them rights and enshrining these rights into law. Specifically, the law enshrines nine data subject rights into law. They are: the right to be informed, the right to access, the right to rectification, the right to be forgotten/or to erasure, the right to data portability, the right to restrict processing, the right to object to the processing of personal data, the right to object to automated processing and the right to withdraw consent. As with any list, there is always a concern that some rights may be missing. If critical rights are omitted from the GDPR, it would hinder the effectiveness of the law in protecting privacy and data protection. Specifically, in the case of the GDPR, the protected data subject rights are not exhaustive.
Fourth, the GDPR is grounded on a prohibition and limitation approach to data protection. For example, the principle of purpose limitation excludes chance discoveries in science. This ignores the reality that current technologies, e.g., machine learning and artificial Intelligence applications, function differently. Hence, these old data protection mindsets, such as data minimization and storage limitation, are not workable anymore.
Fifth, the GDPR, on principle, posits that every processing of personal data restricts the data subject’s right to data protection. It requires, therefore, that each of these processes needs a justification based on the law. The GDPR deems any processing of personal data as a potential risk and forbids its processing in principle. It only allows processing if a legal ground is met. Such an anti-processing and anti-sharing approach may not make sense in a data-driven economy.
Sixth, the law does not distinguish between low-risk and high-risk applications by imposing the same obligations for each type of data processing application, with a few exceptions requiring consultation of the Data Processing Administrator for high-risk applications.
Seventh, the GDPR also excludes exemptions for low-risk processing scenarios or when SMEs, startups, non-commercial entities, or private citizens are the data controllers. Further, there are no exemptions or provisions that protect the rights of the controller and of third parties for such scenarios in which the data controller has a legitimate interest in protecting business and trade secrets, fulfilling confidentiality obligations, or the economic interest in avoiding huge and disproportionate efforts to meet GDPR obligations.
Eighth, the GDPR lacks a mechanism that allows SMEs and startups to shift the compliance burden onto third parties, which then store and process data.
Ninth, the GPR relies heavily on government-based bureaucratic monitoring and administration of GDPR privacy compliance. This means an extensive bureaucratic system is needed to manage the compliance regime.
There are other issues with GDPR enforcement (see pieces by Matt Burgess and Anda Bologa) and its negative impacts on the EU’s digital economy and on Irish technology companies. This piece will focus only on the nine flaws described above. These nine flaws are some of the reasons why the US authorities should not simply copy the GDPR.
The good news is that many of these flaws can be resolved.
(Score: 5, Insightful) by bloodnok on Monday September 30, @07:35PM (1 child)
I have read the article and am baffled. I think the author may be on to something with the fiduciary idea but the rest seems like an attempt to create something that claims to be data protection while allowing the perpetrators of shady data practices to continue what they are doing.
What the article recommends:
Really? Do you want the likes of Google to be involved in drafting data protection legislation? How could a company that wants to own all the world's data be expected to create legislation that would limit their collection and use of that data? If you gave them the legislation they wanted, you'd have no data protection, and if you didn't they wouldn't buy in to it.
And anyway, why would you even want their buy-in?
I like the fact that the GDPR equates data privacy to a human right. It makes things very black and white and makes the responsibilities of those holding data about you pretty clear. If they are not clear to your organisation, then it shouldn't be holding data on other people.
Yes, there may be problems with it but these can be addressed by amendments. If it is not possible to outsource data management to a responsible data management provider (according to the article), then maybe that should be looked at and appropriate changes made.
The GDPR gives individual netizens the right to limit what data about themselves is used for. If an organisation needs data about you to do something on your behalf, that is allowed. But they have a duty to protect that data, not share it with anyone that does not need it, and not use it for other purposes.
And of course, those individual netizens are fully able to deliberately share their data with Meta^H^H^H^H^H bad actors.
__
The Major
(Score: 5, Informative) by janrinok on Monday September 30, @07:46PM
I agree with you. This seems to be written in part to address the 'problems' that businesses have experienced with the GDPR. It wasn't wasn't written for their benefit but for individuals' protection.
It is is quite clear that personal data may be kept for those who can justify holding it but they have to be responsible for its protection. However, it cannot be passed to a third party without a clear justification on why that is necessary for the original purpose for which it was collected. Selling it or even moving it to another system that does not provide the same level of protection or fails to accept their responsibilities to the individual is NOT acceptable.
Personal data is not a money making scheme no matter how much businesses wish it to be the case.
I am not interested in knowing who people are or where they live. My interest starts and stops at our servers.