General Data Protection Regulation


Re: General Data Protection Regulation

Postby cmsellers » Sat Jun 02, 2018 9:36 pm

blehblah wrote: Yes, the regulations apply to US companies who act in the EU.

Yes, and if it stopped there I wouldn't have had nearly as much of an issue with it.
Unless you're saying that accepting data from EU IP addresses is "acting in the EU," in which case A. this is no more acting in the EU than receiving a letter or phone call from someone in the EU and B. it doesn't matter, the law applies to data from Europeans living in the US as well.

blehblah wrote: The idea of applying laws to citizens of countries who are essentially third-parties is a specialty of the United States. Multiple wrongs don't equal something that is right, but the US isn't in a solid position to lecture on this. The US will happily throw people in jail for violating sanctions in actions which are undertaken by non-US citizens outside of the US.

First of all, this isn't the US lecturing anybody, it's me as an American citizen complaining about the EU. I personally dislike when the US applies its laws to actions taken outside the US, even when these laws pursue admirable goals. However all the laws that I know of which apply outside the US only apply to actions taken by US citizens and permanent residents. I know of no US laws which apply to people who have no personal connection to the US.

blehblah wrote: That concept isn't new; US companies have used it, for a long time, to shut down file sharing sites which break US copyright laws.

Most countries have adopted the Berne Convention, and under pressure from the US and EU (don't pretend this is all on the US; the EU is even worse here) they've usually adopted most of the worst aspects of US and EU copyright law beyond it. When foreign file-sharing sites are shut down, it's under the laws of the host country. Now, those laws are typically the result of pressure from the US and EU as conditions for trade deals, and their enforcement is the result of further pressure from the US and Europe, and I don't like that, but this isn't the US enforcing its laws on foreign citizens living in foreign countries.

blehblah wrote: Free speech? Eh, I don't see how that enters into it. Sorry.

You don't see how regulating what information American companies and even private citizens are allowed to keep, collect, and publish about EU citizens is an infringement of free speech? Even when said law applies to the political views of said EU citizens?

Re: General Data Protection Regulation

Postby RatElemental » Sun Jun 03, 2018 7:18 am

One site just banned all EU citizens and now refuses EU citizens making new accounts until/if they can update everything to comply with this.

So I guess that's also an option.

Re: General Data Protection Regulation

Postby cmsellers » Sun Jun 03, 2018 10:34 am

random_nerd wrote: One site just banned all EU citizens and now refuses EU citizens making new accounts until/if they can update everything to comply with this.

So I guess that's also an option.

Multiple sites have done this; however, it still isn't in compliance with the regulation, since if an EU citizen creates an account while living abroad or using a VPN and lies about being an EU citizen, the GDPR still applies to their data. It also shouldn't be necessary in the first place.

Re: General Data Protection Regulation

Postby blehblah » Sun Jun 03, 2018 6:01 pm

I didn't realize it applies to EU citizens who aren't in the EU. I got the part about a company operating from the EU and the citizen is somewhere else. I get what they're trying to do by making it apply to EU citizens, regardless of where they are, and that's pretty ambitious. Then again, the whole thing is pretty ambitious.

The example of receiving a phone call or letter from geography Y when one is in geography X is an interesting one.

Let's say in X, things like wire fraud, or meddling in federal elections of X, are illegal. The fact that the person on the other end of the letter/phone call/illicit connection to a political party email server/Twitter bot is in Y, and that none of those things are illegal in Y, usually doesn't matter. Country X will still charge thirteen, give or take, people with breaking laws in country X.

Of course, if you're a well-heeled, and well-connected, Russian, it's A-OK (which is the flipside of having to worry about being accused of fabricated crimes if you piss-off your powerful connections).

What GDPR is doing is a parallel. It is saying that the data of EU citizens is protected regardless of where it is collected. The idea is that by accepting - a deliberate act - the data of an EU citizen, you are accepting certain responsibilities about safeguarding that data, and limitations on how you use that data. That is a shift in the concept of data ownership.

Free speech enjoys different protection in the US than other places. However, the classic example of yelling fire in a crowded theatre is pretty universal; indeed, free speech doesn't protect fraudsters, etc.

I think I laid out this interesting example in another thread. Anyhow, a guy had an auto-defibrillator which produced data which was regularly collected by the company which built the defib. He was trying to correlate the defib activity with other factors which he was recording, like sleep, diet, exercise, and so on. He asked the defib company for the data from his device. They refused.

Legally they had every right to, because it was their data, not his. That strikes me as odd, but there it is.

What the US could do is improve their own data protection laws. Disclosure laws have been a good step. However, there has to be some sort of recognition that data about/of end-users, from which companies often derive revenue or other things of value (rewards programs, for example, are a fantastic way to know your customers very, very well, so you can better target them, thereby making more revenue) has value, and the end-users are owed a modicum of assurance that the data will not be abused, or lost.

The trick is we live in a world where data is the big prize. There are many reasons why Facebook wants to be the center of everyone's digital life, and Google is slap-happy to provide endless back-up of high resolution photos, and all for free. We are the product. Unfortunately, opting-out isn't realistic. Sure, one can simply not have a Facebook account, but one can't not transact via a bank (Equifax), or not have an Internet connection (net neutrality) without great effort.

In creating applications and services which collect data, GDPR asserts that organizations are entering into an agreement with end-users. Nobody accidentally collects end-user data (exceptions are myriad, because often, organizations don't completely understand what their logs contain). This pushes the onus back to organizations, which is, to me, a lofty and reasonable goal. It is saying, "Okay, if breaking the shrink-wrap, installing the program, or clicking on something is used by organizations as an implied or tacit acceptance of an organization's end-user license agreement, you are also accepting a burden - an end-organization license agreement, because y'all are doing a really, really, like, incredibly, shitty job of protecting end-user data, and that ends, now."

I can see the free speech angle, even if I don't really want to, and holy-cow, are there ever massive problems. If I post the BlehBlah manuscript of life, the universe, and everything, using a social media service, but do it such that I, as an end-user, expect it to be shared with only a few other users of the same platform, to whom does that manuscript belong? If I post photos, 280-character micro-blogs, or a credit company is plugged into my bank, to whom does that data belong?

In the US, you also have this thing where an organization is technically a person, and thereby protected by the first major edit addendum update fix to the US constitution. Citizens United, or something. If the free expression of an organization is equal, across the board, to that of an individual, then my data - 42-manuscript, photos, credit details... all of it - is absolutely sellable, and loseable, by whichever company is clever enough to harvest it. Free expression, then, is the freedom to harvest and, via shit security practices or plain-old stupidity, lose data about me? I am not entirely comfortable with that.

Re: General Data Protection Regulation

Postby cmsellers » Sun Jun 03, 2018 6:56 pm

blehblah wrote: Let's say in X, things like wire fraud, or meddling in federal elections of X, are illegal. The fact that the person on the other end of the letter/phone call/illicit connection to a political party email server/Twitter bot is in Y, and that none of those things are illegal in Y, usually doesn't matter. Country X will still charge thirteen, give or take, people with breaking laws in country X.

I don't know whether US wire fraud laws actually apply to people based in foreign countries, but either way, both of your examples involve foreigners committing fraudulent actions targeted against US citizens living in the US. It's the difference between writing an anthrax-filled letter to someone in Europe and receiving a letter from someone in Europe.

blehblah wrote: Free speech enjoys different protection in the US than other places. However, the classic example of yelling fire in a crowded theatre is pretty universal; indeed, free speech doesn't protect fraudsters, etc.

"Fire in a crowded movie theatre" is a bad analogy used for bad law which has since been discredited in the US.

blehblah wrote: What the US could do is improve their own data protection laws.

I agree fully, however the First Amendment would prevent passing anything like the GDPR, which I think is a damn good thing.

The way companies handle data breaches is a huge problem, however I'm not really happy with how the GDPR handles it either. If I were writing a law, I would require companies to fix data breaches within a relatively short time and notify end-users within a few hours after they're fixed. The GDPR allows companies to never inform end users as long as the breaches are fixed and the government is informed.

Your example of the medical device manufacturer not turning over data is an interesting one, since doctors are required to turn over all of your medical data on request. It sounds like there's a loophole where this doesn't apply to healthcare providers who aren't doctors, which should be closed. I can also see a compelling argument for compelling credit report agencies to give you all the data they have on you.

However, these are fairly limited cases where the stakes are incredibly high. I don't see a compelling reason to require Amazon or Facebook to turn over all the data they have on you on request, and still less to require some random internet forum to delete all your posts on request. One of the fun side effects of this rule is that any random website which doesn't allow you to edit your posts after a set window is in violation of the GDPR, and any website which doesn't remove quotes of your posts from other users' posts on request is almost certainly in violation of the GDPR as well.

blehblah wrote: I can see the free speech angle, even if I don't really want to, and holy-cow, are there ever massive problems. If I post the BlehBlah manuscript of life, the universe, and everything, using a social media service, but do it such that I, as an end-user, expect it to be shared with only a few other users of the same platform, to whom does that manuscript belong?

With most sites it belongs to you, since it's not just your data but also your "intellectual property"; however, you typically grant them a perpetual, non-exclusive, royalty-free license to use it. However, the GDPR also applies to fair-use quotations by third parties, and likely even to paraphrases. If I say "blehblah supports the GDPR," that's data about the political views of an identifiable person. As the law is currently phrased, it seems likely that if you were a European you could demand that Tess edit my post to delete that comment, and if she refused she'd be in violation of the GDPR.

Re: General Data Protection Regulation

Postby Learned Nand » Mon Jun 04, 2018 7:40 am

cmsellers wrote: You don't see how regulating what information American companies and even private citizens are allowed to keep, collect, and publish about EU citizens is an infringement of free speech?

Can you explain the bit I've emphasized here? I don't think that regulating what information American companies can keep and publish is, in general, a free speech issue; commercial behavior is currently subject to less protection under the First Amendment than private protected speech (and probably should be subject to even less protection than it currently is).

Regulating the behavior of private citizens could be a different matter, but I'm unclear as to how GDPR does that. Wikipedia says that the GDPR only covers "'enterprise[s]' ... engaged in 'economic activity'". If we're distinguishing between commercial activity which can be regulated by the government, and speech which can't, it seems like the GDPR is about the former thing, not the latter.

Re: General Data Protection Regulation

Postby cmsellers » Mon Jun 04, 2018 9:55 am

If that is true, then it seems likely the GDPR wouldn't apply to TCS after all, and the question of whether it applies to TCS was what got me investigating the scope of the GDPR in the first place.

However, it still seems like it could apply to blogs which are supported by ads or donations, especially if the owner makes a profit. And it definitely seems like it applies, for example, to the comments on NYTimes articles, or even to news articles which quote European citizens on political matters. I don't think any of these things are intended, but it's so broadly worded and overreaching that it's not at all clear it doesn't have these effects, and that is a serious problem.
