GDPR is 100% necessary and fundamentally a good idea. It has a lot of problems that just show how incompetent politicians can get on a bad day, but that doesn't invalidate the core idea.
You are living in a complex, mostly functioning nation state where the majority of conflicts is resolved in a civil manner. Not in a small tribal society where you might be murdered by someone physically stronger than you simply because he lusts after your partner. That simple fact proves how hyperbolic and naive your statement is.
Your statement is equally naive and hyperbolic. It's preposterous to think that humans haven't always had rules (well defined or not) to prevent petty BS from escalating. Of course the rules are different for a bunch of cavemen living in a group of <50 but rules and norms still existed.
I don't think that holds up to evidence. In tribes largely untouched by civilisation blood revenge is still fairly common. These are social norms, but without a neutral judge one party might execute revenge, the other party doesn't see their fault and instead retaliates, and you get an endless circle of bloodshed (which has killed entire tribes).
One of the major achievements making civilisation possible is a judge or court that can decide who is right and who is wrong, preventing BS from spiraling in endless retaliation and counter-retaliation. In a small system that can work with just one universally respected person or person of authority, but once you scale it up to an entire country codified laws are incredibly useful for this. Codified laws means we need people making laws, which is exactly what the entire job of modern politicians is. Sure, we could have civilisation without politicians, but our countries would have to be a lot smaller than they are; a justice system without laws just doesn't scale.
> One of the major achievements making civilisation possible is a judge or court that can decide who is right and who is wrong, preventing BS from spiraling in endless retaliation and counter-retaliation.
Well, no? Isn't that what is called "war"? You might argue that frequency of conflicts is lower, though I would be sceptical of that without further proof.
War happens, but places without a judicial system to solve conflicts between persons, families and regions don't seem to flourish, while many of the more prosperous regions and regions with the most wealth growth feature a judicial system that spans areas normally inhabited by multiple countries (USA, China, EU, India).
Having a transnational judicial system in the EU (as the most recently formed example) allows cooperation and trade to a much greater extent. Sure, the EU might go to war at some point, but the circle of people and corporations you can trust to respect law and written contracts is very big, no matter if a war is going on or not.
While that's obviously a very good point, one could also argue that this is mostly due to law enforcement and culture. We live in a society where murdering someone gets you outcast pretty easily, and on top of that thrown in jail. Politicians ultimately only wrote down what is a large cultural consensus.
The problems start when politicians decide over smaller things that not everyone can agree on. I mean, damn, they'd be more than incompetent if they didn't get laws regarding murder right.
The latest screw-up of European politicians (the same who are responsible for GDPR) is the European copyright reform, which just shows a complete lack of both technical understanding and willingness to listen to experts who do understand the situation.
I'm not pretending the issues with politics and politicians do not exist, or that they are not enormous. However, a statement like "they have no good days" says more about one's own unwillingness to be politically active than anything else in my opinion.
wut? are we really comparing 21st century society with a tribal one?
by that measure we've solved pretty much everything.
when in reality the contrary is true: politicians are mostly career based opportunists and the inertial nature of our society pushes us to peace and prosperity.
..and how have politicians of the last, let's say 20 years, positively contributed to this? If the last good day was over two decades ago, I'm not sure how you're going to sell me this as a good thing.
Depending on where you live, politicians may have enacted any number of positive life improvements, like improved public transportation infrastructure, better regulations on working conditions, better pollution regulations, small business development programs, and on and on.
If you live in an area where absolutely nothing good has happened due to government in the last 20 years, your complaint about your local/regional government is entirely warranted.
Chalking it up to "politicians" as a whole is unhelpful; they aren't "all the same" (another thing I hear often), and if one thinks so, one is profoundly not paying attention.
> It has a lot of problems that just show how incompetent politicians can get on a bad day
Mind elaborating on them?
The only potential issue, which I see, is some ambiguity. However, I don't see how you could craft a legal framework without some ambiguity, which needs to be resolved by the courts at one point.
Unless your business model is dreck, I really don't see any issues with the GDPR as such.
Maybe I'm just naively applying my programmer's sense of beauty to legal stuff, but the main problem I have is complexity. I'm OK with Google having to spend some money on lawyers to work out what they can and cannot get away with, but smaller businesses seem to be pretty lost right now. This is partly because it's a new thing and we need to wait and see how judges ultimately interpret things, which will give people some more security.
A simpler, more elegant solution would have been better in my opinion.
> Maybe I'm just naively applying my programmer's sense of beauty to legal stuff
I see that happening a lot. Actually, it's more trying to apply tech skills to societal issues, often without really thinking through the consequences or the bigger societal impact. Sidewalk Labs' Toronto experiments provide a nice illustration of such issues.[1], [2] & [3]
One of the buzzwords that really gets my blood boiling is "Government V2.0".
Life and society is usually quite messy and attempting to optimize it very often yields rather undesirable consequences, or just outsources the externalities to other parts of society.
> A simpler, more elegant solution would have been better in my opinion.
Sure, that would be nice. But I think that's extremely hard to do with crafting legal frameworks.
If tech has taught me anything in the last 20 years, it is that you will have people, entities and corporations just abusing the sweet bejeezus out of any loophole, which they can identify and get away with.
A simpler and more elegant solution wouldn't screw over small businesses and individuals as much. An individual running a forum from their basement has to follow the same rules that Google spends tens of thousands on lawyers' fees to figure out. Maybe exemptions or less strict rules for smaller companies should've been added. The EU isn't exactly a bastion of internet technology enterprises, so we probably shouldn't throw the few that try under the bus.
> An individual running a forum from their basement has to follow the same rules that Google spends tens of thousands on lawyers' fees to figure out.
It's very, very unlikely, though, that the individual running the forum in his basement has to navigate the same legal minefields as Google or Facebook.
Implying that he has the same legal expenses as companies, whose whole business model relies on getting around the GDPR seems to me a bit of a strawman.
It has the same issue as many laws that assert extraterritorial jurisdiction on internet entities: it isn't too difficult to deal with as long as only the EU has it, but if a bunch of other countries also adopted very similar laws it could be prohibitively expensive for small entities to deal with.
The main reason for that is Article 27.
For an organization that does not have a presence in the EU but for which GDPR applies, it seems to cost a minimum of around $500/year to comply. That seems to be the low end for the services that provide Article 27 representation.
That might not be too bad...as long as only the EU implements such privacy legislation. But several countries have talked about similar privacy legislation. If they all have something like GDPR's Article 27, it could quickly get out of hand.
You don't need an Article 27 representative if all of the following apply to your processing of personal data:
• the processing is occasional,
• it does not include, on a large scale, processing of certain special categories of data or personal data related to criminal convictions and offenses, and
• it is unlikely to result in a risk to the rights and freedoms of natural persons.
There's a lot of fuzziness in that. Even if other countries have similar exceptions, each country might resolve the fuzziness a different way, which could make it a major pain to figure out for which countries you need a representative.
My own biggest problem with the GDPR — other than the regulatory burden, which disproportionately imposes costs on small challengers and effectively protects large pre-existing firms — is the so-called 'right to be forgotten,' which is really a privilege to force others to rewrite history. Among other things, it effectively mandates mutable logs, which is horribly insecure (logs should be in principle even if not in fact immutable), and at a higher level it grants malefactors the ability to legally compel others to refrain from true speech about them.
I can agree with the motivation, but the law is not particularly well written.
If the EU passes a law and it takes armies of lawyers over two years of negotiating with the EU to find a compromise of what is and isn't included in the law (with the EU changing its stance regularly), then it probably isn't a good law.
It took a year and a half of wrangling for the EU to decide that internet advertising was not a "legitimate business interest" or "necessary to perform tasks at the request of the data subject" (despite the advertising being a primary source of funding to pay for the requested task). Then the entire internet advertising industry had just 6 months to design/implement/deploy a system that can meet the requirements and migrate all their users to the new platform (keeping in mind that their users have a financial incentive not to switch, since the old system is more profitable).
There's also the weird catch-22 of how it only applies to users with EU citizenship, but you can't collect, use, or store the information on whether or not they are an EU citizen without their permission.
> Among other things, it effectively mandates mutable logs
It does not. The Right to Erasure is much more restricted than many people seem to realize. If you can articulate an Overriding Legitimate Interest, and find a way to balance that against privacy, then GDPR gives you a pass.
While I don't believe it's been tested in court, the general belief is that the Right to Erasure does not mandate deletion from back-ups. It's generally believed that an acceptable practice is to keep a ledger of "forgotten" accounts off to the side (or their hashes or something), and make sure that your restore-from-backup process deletes those from prod after restore. I know that logs aren't back-ups, but the same idea should apply.
The issue with compelled censorship may have merit, but I haven't seen a concrete example where I agree that happens. Like I said, the Right to Erasure is more restricted than many realize. But, Europe also ranks the importance of speech rights slightly lower than we do in the States, so it's possible that certain Overriding Legitimate Interest arguments wouldn't fly.
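The ledger-and-restore practice described in the comment above, sketched as an added example (not code from the thread): the ledger holds HMAC-SHA256 tombstones of account ids, and the restore step drops matching rows before they reach prod. The key, the class and function names and the sample rows are assumptions made up for illustration.

```python
import hashlib
import hmac

# Constructed key (assumption): in practice it is stored outside every backup set.
LEDGER_KEY = b"constructed-demo-key"


def tombstone(account_id: str, key: bytes = LEDGER_KEY) -> str:
    """Keyed hash of a normalized account id, so the ledger never stores the id in the clear."""
    normalized = account_id.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


class ErasureLedger:
    """Set of tombstones kept 'off to the side', separate from the backups it applies to."""

    def __init__(self):
        self._tombstones = set()

    def forget(self, account_id: str) -> None:
        self._tombstones.add(tombstone(account_id))

    def is_forgotten(self, account_id: str) -> bool:
        return tombstone(account_id) in self._tombstones


def restore_from_backup(backup_rows, ledger):
    """Return (rows to load into prod, number purged); the backup itself is not modified."""
    kept, purged = [], 0
    for row in backup_rows:
        if ledger.is_forgotten(row["account_id"]):
            purged += 1  # erased after the backup was taken: never reloaded
        else:
            kept.append(row)
    return kept, purged


# Constructed sample: a backup taken before the erasure requests below were honoured.
BACKUP = [
    {"account_id": "alice@example.com", "posts": 12},
    {"account_id": "Bob@Example.com ", "posts": 3},
    {"account_id": "carol@example.com", "posts": 40},
]

if __name__ == "__main__":
    ledger = ErasureLedger()
    ledger.forget("bob@example.com")
    ledger.forget("dave@example.com")  # erased account that is absent from this backup
    rows, purged = restore_from_backup(BACKUP, ledger)
    print([r["account_id"] for r in rows], "purged:", purged)
```

Because the backup is only filtered at load time, the backup archive stays immutable while the restored system still honours erasures made after it was taken.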
Yes, but the GDPR was definitely done on a "good day", relatively speaking. You don't want to know about the bad days. Stuff like the Copyright Directive seems to be the norm, not an unhappy accident.