General Data Protection Regulation


General Data Protection Regulation

Postby cmsellers » Sun May 27, 2018 5:02 am

So the General Data Protection Regulation has come into effect. I first learned about this from Strant on Discord about a month ago, and after a discussion with him I was tentatively in favor, because it replaced the "right to be forgotten" with a more limited "right of erasure", because it required companies to disclose data breaches within 72 hours, and because I assumed that it only applied to companies that do business in Europe.

However after learning more about it, I'm absolutely appalled by this regulation. For one thing, 72 hours already seemed generous to me, but I realized that companies aren't necessarily required to disclose data breaches to users at all, negating what I thought was one of the strongest parts of the law.

Meanwhile, instead of regulating the activities of European companies with regards to their client base, which would be the normal thing, it regulates the activities of anyone worldwide, with regards to European citizens. There's so many worrying implications for how this could apply to US citizens, though obviously we'll have to see how this pans out, but it's still clear that the European Union is trying to apply its laws to the actions of United States citizens acting in the United States, and requiring things which are clear violations of the First Amendment.

Now, I'm hopeful that Congress will pass something like the SPEECH Act to cover any foreign law which would violate the First Amendment rights of American citizens and/or that the Supreme Court would hold that foreign judgments from the GDPR are unenforceable, but in the meantime, many US companies, and even private individuals, are attempting to comply with the GDPR due to chilling effects.

Meanwhile, it appears that law does not apply to the data of non-EU citizens (or at least non-EU citizens not resident in an EU member state), even if collected by EU companies.

As an American, I resent the idea that I'm obligated to follow EU laws for a personal website hosted in the US, but that I do not have the same rights as EU citizens when it comes to EU companies. I know that I'm going to catch flak for saying this because the intention is different, but this law reminds me of the unequal treaties that Europe (and the US) imposed on Asian countries in the nineteenth century: our citizens are untouchable in your countries, but your citizens don't get the same rights in our countries.

All-in-all, I've gone within a week from "I guess that on the balance this seems like a decent law" to "I am super pissed, fuck you European Union!"
  • 5

cmsellers
Back-End Admin
Posts: 9316
Joined: Sun Apr 14, 2013 7:20 pm
Location: Not *that* Bay Area
Title: Broken Record Player

Re: General Data Protection Regulation

Postby iMURDAu » Sun May 27, 2018 12:50 pm

In other words you're saying:

WE'VE UPDATED OUR PRIVACY POLICY

You say "Data Protection Officer", I start to think of Tron, Mega Man Battle Network, things like that.

I like that if stolen data is encrypted the 72 hour breach notification doesn't apply. Because if you steal something encrypted it will always be encrypted forever and ever, amen. But even if a company doesn't follow the 72 hour protocol there don't seem to be any repercussions. At least not according to the Wikipedia page cmsellers linked to.

Where's Mr. MAGA at with the EU trying to force their laws on U.S. citizens? He's awful quiet about that.
  • 7

“This is going to become a bad meme,” Todd observed.
iMURDAu
TCS Chomper
Posts: 6752
Joined: Fri Apr 19, 2013 10:08 am
Location: twitch.tv/beakstore
Title: King of Fuh

Re: General Data Protection Regulation

Postby Windy » Sun May 27, 2018 3:18 pm

wtf I hate globalism now
  • 0

Windy
TCS Junkie
Posts: 3127
Joined: Fri May 29, 2015 11:41 am

Re: General Data Protection Regulation

Postby Absentia » Sun May 27, 2018 4:22 pm

Globalism? Americans being ruled by European laws they didn't get to vote on sounds more like colonialism.
  • 8

Absentia
TCS Moderator
Posts: 1786
Joined: Mon Feb 09, 2015 4:46 am
Location: Earth

Re: General Data Protection Regulation

Postby NathanLoiselle » Sun May 27, 2018 5:07 pm

The breadth of this law sounds a lot like some laws (I don't remember which) that were passed when Obama was around. So all I gotta say is, nah nah nah nah nah.
  • 0

NathanLoiselle
TCS Junkie
Posts: 4484
Joined: Wed Jul 09, 2014 3:49 am
Location: You'll Never Know!

Re: General Data Protection Regulation

Postby Marcuse » Sun May 27, 2018 8:02 pm

Everyone who scoffed and guffawed when I pointed out that the EU acts in ways which are undemocratic and dictatorial when they have no right to be in regard to Brexit, pay heed. If you're outraged that this EU law might infringe on your American rights, remember that this is how Europe operates all the time. The simple fact is that for them the ends justify the means and they don't care that yours or anyone else's rights are ignored as long as they get to regulate everything.
  • 7

Marcuse
TCS Sithlord
Posts: 6592
Joined: Tue Apr 16, 2013 8:00 pm

Re: General Data Protection Regulation

Postby Absentia » Mon May 28, 2018 1:00 am

cmsellers wrote:Meanwhile, instead of regulating the activities of European companies with regards to their client base, which would be the normal thing, it regulates the activities of anyone worldwide, with regards to European citizens. There's so many worrying implications for how this could apply to US citizens, though obviously we'll have to see how this pans out, but it's still clear that the European Union is trying to apply its laws to the actions of United States citizens acting in the United States, and requiring things which are clear violations of the First Amendment.
GDPR is potentially bad for American businesses, but American citizens don't have much to worry about.

I suspect that if an EU state called wanting to extradite a US national for "crimes" committed on US soil and protected by the US constitution, the State Department would have a good laugh and hang up the phone. The defendant could challenge the extradition order and probably win, to say nothing of how it would play in the media.
  • 9

Absentia
TCS Moderator
Posts: 1786
Joined: Mon Feb 09, 2015 4:46 am
Location: Earth

Re: General Data Protection Regulation

Postby Grimstone » Mon May 28, 2018 1:11 am

Image
  • 11

"The struggle itself towards the heights is enough to fill a man's heart."
Grimstone
TCS Guerilla
Posts: 2160
Joined: Wed Feb 17, 2016 11:52 am
Title: Creature of the Night

Re: General Data Protection Regulation

Postby iMURDAu » Mon May 28, 2018 6:52 pm

Marcuse wrote:Everyone who scoffed and guffawed when I pointed out that the EU acts in ways which are undemocratic and dictatorial when they have no right to be in regard to Brexit, pay heed. If you're outraged that this EU law might infringe on your American rights, remember that this is how Europe operates all the time. The simple fact is that for them the ends justify the means and they don't care that yours or anyone else's rights are ignored as long as they get to regulate everything.
"Of course you know, this means war!" - Groucho Marx
  • 2

“This is going to become a bad meme,” Todd observed.
iMURDAu
TCS Chomper
Posts: 6752
Joined: Fri Apr 19, 2013 10:08 am
Location: twitch.tv/beakstore
Title: King of Fuh

Re: General Data Protection Regulation

Postby cmsellers » Tue May 29, 2018 12:30 am

Absentia wrote:GDPR is potentially bad for American businesses, but American citizens don't have much to worry about.

I suspect that if an EU state called wanting to extradite a US national for "crimes" committed on US soil and protected by the US constitution, the State Department would have a good laugh and hang up the phone. The defendant could challenge the extradition order and probably win, to say nothing of how it would play in the media.

As I understand it, the GDPR isn't a criminal law. My larger concern would be whether, if a European court imposed civil penalties on a US citizen for actions committed in the US which violated the GDPR, US courts would find them enforceable. Since the Feds and state governments cannot pass laws that violate the First Amendment rights of US citizens, you would think that foreign governments cannot, but prior to the passage of the SPEECH Act that was a legit concern with libel laws.
  • 1

cmsellers
Back-End Admin
Posts: 9316
Joined: Sun Apr 14, 2013 7:20 pm
Location: Not *that* Bay Area
Title: Broken Record Player

Re: General Data Protection Regulation

Postby Absentia » Tue May 29, 2018 1:06 am

Okay, I'm not so familiar with civil law. I'm skeptical that American courts would be eager to let foreign courts undermine the First Amendment, but more importantly I'm confident that if there's a need for Congress to act there won't be any trouble motivating Republicans since regulations and Europe are two of their least favorite things.
  • 6

Absentia
TCS Moderator
Posts: 1786
Joined: Mon Feb 09, 2015 4:46 am
Location: Earth

Re: General Data Protection Regulation

Postby Krashlia » Tue May 29, 2018 2:11 am

Absentia wrote:Globalism? Americans being ruled by European laws they didn't get to vote on sounds more like colonialism.
Ye Olde Habits... A hard death they die.
  • 3

Krashlia
TCS Junkie
Posts: 2155
Joined: Mon Feb 09, 2015 6:44 am

Re: General Data Protection Regulation

Postby Marcuse » Tue May 29, 2018 5:16 pm

Though to an extent that civil law is already applied to companies like Google and Apple. Google is owned by a US company, headquartered in the US and run by (probably mostly) Americans. It still got fined by the EU for its actions to bury competing sales platforms in its searches. This isn't much different to that in spirit, except this time it's implemented too fast with not enough clarity on what should and shouldn't be affected and how that relates to non-EU users and providing a consistent service.
  • 1

Marcuse
TCS Sithlord
Posts: 6592
Joined: Tue Apr 16, 2013 8:00 pm

Re: General Data Protection Regulation

Postby cmsellers » Tue May 29, 2018 7:16 pm

Marcuse wrote:Though to an extent that civil law is already applied to companies like Google and Apple. Google is owned by a US company, headquartered in the US and run by (probably mostly) Americans. It still got fined by the EU for its actions to bury competing sales platforms in its searches. This isn't much different to that in spirit, except this time it's implemented too fast with not enough clarity on what should and shouldn't be affected and how that relates to non-EU users and providing a consistent service.

It's entirely different, since Google and Apple both have EU subsidiaries which they use to hide a lot of their US profits. I initially assumed that the law would only be enforceable against companies which have some sort of presence in the EU, because that would make sense. Then I read that it would also apply to companies with no EU presence which market to people in the EU, which seemed like a stretch.

Then I saw that it applies to literally anyone who has data on EU citizens which could be linked to a specific individual, and that's what set me off. Theoretically, if you have a blog and someone from the EU posts potentially personally identifying information in the comments, you're obligated to delete it on request.
  • 2

cmsellers
Back-End Admin
Posts: 9316
Joined: Sun Apr 14, 2013 7:20 pm
Location: Not *that* Bay Area
Title: Broken Record Player

Re: General Data Protection Regulation

Postby blehblah » Sat Jun 02, 2018 8:58 pm

There are two lines of thought: data sovereignty, and data ownership.

Yes, the regulations apply to US companies who act in the EU.

https://www.forbes.com/sites/forbestech ... f357516ff2

A very important change in the GDPR that hasn't received the attention it deserves has to do with the geographic scope of this new law.

To quickly summarize: Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.

The second point is that a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects "personal data" -- EU-speak for what we in the U.S. call personally identifiable information (PII) -- as part of a marketing survey, then the data would have to be protected GDPR-style.
Many EU countries, Germany being a leader, have had strong data sovereignty regulations for, in Internet terms, a long while. The premise is simple: if you collect a bunch of data in country X, you can't do things with that data (like sell it) in country Y, according to country X, just because it's legal in country Y.

Ownership of data is a whole other area. As citizens of the Internet, we all generate boatloads of data. You don't need to generate that data on the Internet, and you don't need to do it willingly. Equifax suffered a gigantic data breach. Having been on the Internet, ever, was not a requirement for being affected by that breach. By performing financial transactions, you generate data, which companies like Equifax collect. To whom does that data belong?

The idea of applying laws to citizens of countries who are essentially third-parties is a specialty of the United States. Multiple wrongs don't equal something that is right, but the US isn't in a solid position to lecture on this. The US will happily throw people in jail for violating sanctions in actions which are undertaken by non-US citizens outside of the US.

The stance of GDPR is that the person who is the source of the data in question, as an EU citizen who is in the EU, has a modicum of legal protection of what is done with their data. The data sovereignty angle is that it does matter where the person who provides/creates the data is when it is created, because the act occurs in a geographic location. The concept of geographic location makes sense, even if it's an artificial construct in the Internet world.

That concept isn't new; US companies have used it, for a long time, to shut down file sharing sites which break US copyright laws.

Free speech? Eh, I don't see how that enters into it. Sorry.

Another massive aspect of GDPR is that companies will be heavily fined for breaches. The message is clear: if you want to collect data generated by EU citizens, you had better take care of it. The current regulations in the US, as part of the wider impact on US-based organizations, have fines which are laughable, and the end result of massive breaches of data from companies like Equifax, Home Depot, Target, and on and on and on, has been somewhere around zero.

No company has really suffered a free-market-imposed penalty high enough that they actually do a better job of protecting the data of end users. Yahoo! is a prime example. The cost of actually protecting the data is less than the cost of upgrading from doing a shit job of protecting the data to a fair job. As Bruce Schneier points out, companies who specialize in data collection, aggregation, and sales aren't going to do a better job of protecting the data of individuals because individuals are, by and large, not the paying customer of those organizations.

The US would do every end user (in the case of active data sharing, like Facebook) and meat puppet (in the case of passive data sharing, like Equifax) a solid by passing regulations similar to GDPR. Don't hold your breath, because the US also has a uniquely wonderful political system in which large sums of organized money mean more than the needs and wants of mere plebs.
  • 1

A quantum state of signature may or may not be here... you just ruined it.
blehblah
TCS Junkie
Posts: 3895
Joined: Sun Apr 14, 2013 9:16 pm
Title: Error General, Panic Colonel
