by peoplewindow 3051 days ago
How is the law reasonable? It's not even clear what is allowed under it and what isn't. The EU refuses to clarify anything, the only time any decision will be made is by courts, if there's an actual dispute in progress.

The rules are so vague that any firm could be argued to be in violation. And the EU acts as judge, jury and executioner. It looks like a way to tax the SV tech firms without needing a treaty change. After all there's no practical difference between a tax and a law that everyone is guaranteed to always be in violation of that has huge fines attached. The money all goes straight into EU central coffers.

6 comments

> How is the law reasonable? It's not even clear what is allowed under it and what isn't. The EU refuses to clarify anything, the only time any decision will be made is by courts, if there's an actual dispute in progress.

How is that different from a US law like HIPAA? The structures of the law seem largely the same, in that they give you guidelines to follow, but provide no clarity about what specifically is required by it and what isn't.

Understanding HIPAA has largely come from companies doing their best to comply with their understanding, and clarifications tend to come from courts when there's an actual dispute in progress.

Then, the US (through its various district courts, circuit courts, the supreme court, and regulatory bodies) acts as the "judge, jury, and executioner".

HIPAA and other mega-regulations like them have the same problems. And they do cause people to just give up rather than deal with the risk. I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.

But this specific thread is about EU social network privacy fines, not US healthcare privacy fines.

The US courts aren't quite the same. They're a lot more independent. The ECJ has a history of surprising things, like hearing cases where one of the appellants wasn't aware he was involved in a court case at all and both sides turned out to be the same law firm, or simply voiding parts of the treaties they found to be inconvenient to the EU, or inventing new 'rights' on the fly (legislating from the bench). Like the right to be forgotten, which was invented by the judges in response to a lawsuit and required massive responses similar to the creation of entirely new regulations.

The Supreme Court is generally much better about following the Constitution, not inventing new laws on the fly and ensuring the cases before them are actually legitimate.

> I've listened in on various conversations around health products over the years. HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.

As someone who worked extensively on HIPAA covered data and systems, there are only three options here.

Option 1) Mandate no data protection. This is how you end up with hidden security dumpster fires like Equifax, when public companies are involved (cost of security vs profit).

Option 2) Strictly mandate how companies must behave to be compliant. Example: DoD (I believe?). Legal requirements always lag technical best practices.

Option 3) Generally mandate what compliance results in. Example: HIPAA. Results in lack of clarity and legal challenges.

Of these options, I'll take (3) every time.

If a startup isn't willing to make a best effort to comply (which is specifically worded into HIPAA and substantially reduces penalties), then I'd rather they not be able to touch my health data anyway...

HIPAA (and PCI compliance) has done little to prevent 1) in practice, especially when balanced against the huge costs it has on industry and the 'hidden' cost of crippled innovation.

You can't measure the true cost of hundreds of thousands of projects and startups that were never realized because HIPAA scared them away...and this is stuff that would have saved billions in healthcare costs, improved the public's health, and supported research/processes that could save lives.

Saying it's only a dynamic between "profit vs security" completely downplays the utility of technical progress in health care. This isn't just about quarterly profits of large mega-corporations.

As someone who started off working in the health space I can assure you I personally gave up on multiple potential projects because of HIPAA. And I know of countless others who have too, in spaces where it seems "crazy" that no one has yet built software.

And I say this as a complete paranoid hawk on information security and privacy rights...

I hear you that it makes things more difficult, but I think it's hard to overstate how terrible & uninterested conservative revenue stream businesses (e.g. insurance, utilities) are at keeping up with IT trends.

Based on what I saw in a couple of the top 5 largest insurance companies, these are IT departments that would be storing personal data in databases open to every employee of the organization, were there not a law discouraging them doing so.

Why?

Because IT isn't their business. That perspective is changing (gradually), but the resistance to anything aside from business as usual is staggering.

Sure, but the other side of the equation is an unknowable number of thousands of lost lives and billions of dollars, because of medical advances that were never made.

There are other important values than privacy in the world!

As a consumer, my view is: if a potential idea is abandoned out of fear of HIPAA then HIPAA is working and I am thankful that that idea went nowhere. Soon, s/HIPAA/GDPR

This. I am not a HIPAA expert or anything, but if a company is not making an effort to protect the data, they don't deserve to make money off of products touching that data.

> HIPAA is a common reason given for not getting into the healthcare space and focusing elsewhere. A lot of smart people and smart products that could have been focused on health just never turn up at all, because of the vagueness, poor drafting and expansive reach of such things.

Good? This sounds like the law is doing what it's supposed to be doing - it's not enough to simply be smart, you have to also be sufficiently willing to pay attention to detail such that you don't accidentally design your systems in a way that leaks personal data. If you find this burdensome, maybe the world is better off if someone else develops it instead. (There are enough newly launched healthcare startups - Clover Health, Oscar, and One Medical all come to mind without even thinking - that I don't think that it's completely stifling innovation, which would be a different story.)

As a person who is much better at being smart than at being reliable and careful, I am totally okay being regulated out of this space - I don't trust myself not to just forget about something. I worry consciously about edge cases in my code because I know I won't worry about them subconsciously. If I want to go into this space, I imagine that I can just hire someone who's good at the regulatory part and willing to focus on getting that stuff right.

I don't understand this idea that smart people should be entitled to develop and market products in whatever way they want, simply because they're smart. I'm sure the Therac-25 programmers were very smart.

I've worked in the healthcare space. HIPAA doesn't scare enough people/companies away. Not by a long shot.

Sensitive personal medical info was routinely sent, by major companies, over insecure FTP or even plaintext email, on a regular basis.

Anyone who has ever had medical benefits at any point in their lives most likely has their benefit information, along with socials and more, sitting unencrypted in databases of a plethora of small companies/medical/insurance providers whose only concern for security is a mandatory HIPAA CYA compliance lecture every couple of years. The rest of the time they go about sending socials and pmi through plain text email or just leave shit on their desks for anyone to pick up.

The firms that HIPAA scares away aren't necessarily going to be the ones that have the most dubious security practices. They're going to be the ones that have a choice between business models that involve healthcare and ones that don't, and the ones that don't think they'd make enough money to justify the exposure.

Legislating from the bench is not a bad thing, to the extent it doesn't contradict a fully valid statute. Indeed, most law in the US is judicially created, and always has been, dating back to the English common law system from which we inherited ours.

American courts continue to create common law today. This happens less at the federal level only because the scope of federal common law is narrower.

I too have concerns over the breadth of the EU right to be forgotten, but not over the concept that a court could combine premises with a process of reasoning to arrive at such a conclusion.

The Supreme Court's focus on ensuring that the cases before it are actually legitimate is primarily for three reasons: keeping their workload manageable, deferring controversial decisions they don't actually need to make, and complying with the Case or Controversy Clause in the federal Constitution.

Notably, the Case or Controversy Clause does not bind the state courts. Whether they are willing to issue advisory opinions or perform other duties is a matter of state law.

If GDPR analogously has a chilling effect, reducing the proliferation of "social" products, I'd consider that a positive outcome. I don't really buy that any of these are "making the world a better place" as Zuck loves to say, though you might have a better case with the health products.

> ECJ

1) Despite the GDPR being a regulation, the national courts will decide first, and only if appealed enough times will the ECJ decide as the highest court.

2) The EU judiciary is based on the civil law system. In the US or UK or other common law countries, you have much more "legislating from the bench". In fact, most US laws are created by the judiciary.

>The rules are so vague that any firm could be argued to be in violation.

I think that's a good thing. So the law has to be interpreted by precedence set by the courts.

If the text is too specific you could have the opposite effect of companies weaseling through.

It is not a tax. It's pretty clear that the EU expects companies to treat private user data with respect. If your company cannot operate without exploiting this info, then maybe the world is better off without it anyway.

> I think that's a good thing. So the law has to be interpreted by precedence set by the courts.

Most EU countries follow civil law, and precedence has a much more limited role than in common law countries. So it actually matters that the statutes be written clearly.

I think since the UK left, it's actually all of them?

Nope, Ireland also has common law.

I don't think that there are any others though.

Oh, you're right! I remembered common law is basically English-speaking countries only, and I forgot about Ireland, oops :)

Why have any law at all, by your logic? Just have a single law that says "Whatever we decide, is final" and make up all rulings and fines on the fly. No 'weaselling' is possible then. Only problem is, it's totalitarian. Nobody knows what is or is not allowed, there is no such thing as justice.

Law is meant to be precise. If it's not, then ignorance of the law does become an excuse and law loses its moral authority.

Unfortunately the EU does seem rather keen on laws so vague that they're impossible to understand - it's rule by law, not rule of law.

Somewhat ironically, as it's the--presumably soon without the UK--EU we're talking about, but you're basically objecting to a Common Law system. Admittedly, in modern times, there's a lot less practical distinction between civil and common law jurisdictions than there once was, but nonetheless common law is "the part of English law that is derived from custom and judicial precedent rather than statutes."

As mentioned in another reply, the actual laws will have to be implemented by the member states anyway. So the text for each country can vary and can be more specific.

As for your strawman that I somehow argued to abandon all law: I won't deal with that.

No, they actually won't. The Data Protection Directive needed to be implemented by national legislators into national law, but the GDPR is a regulation which means it is directly binding law.

Only a few technical, minor points need to be spelled out in national regulations or laws.

That's simply not true.

Each country (or state, in the case of Germany I believe) will have their own privacy commissioner with substantial leeway. Now technically these differences won't be implemented as laws, but there will be substantial differences between eg the French and the UK privacy regulators.

The GDPR also allows for individual states to strengthen its provisions, eg for genetic data.

“And the EU acts as judge, jury and executioner.”

That’s true only if you regard the EU as a single entity. Laws made via the EU will be turned into national law, and independent judges will judge all cases, up to the EU high court. By the same right you could call the US judge, jury and executioner on all laws and rules made and enforced by the US government (FACTA anyone?)

No. That's not how the EU works. That's how a national government would work but not the EU.

The GDPR is not a directive so it does not have to be translated into national law. It is directly binding and applies immediately everywhere.

Fines have to be paid up front, before appeals are exhausted. Appeals can of course take years.

The EU courts have judges appointed by the same people who control the rest of the EU, and are ideologically aligned as such. They have a long history of legislating from the bench and making shocking and nonsensical decisions: consider the case where they simply voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK. The court simply decided it didn't like that bit of the treaty and so it did not apply. I do not regard the ECJ as a robust court. It will rule in whatever way is most favourable to the European project.

No, the enforcement is through the national "supervisory authorities" such as the ICO. Most of the enforcement process is through national courts and the ECJ is only for the final layer of appeal. This very article says "German Court rules ..."

> voided the UK's opt out of new human rights related legislation, despite a very clear paragraph in the treaties saying they did not apply to the UK.

[citation needed]; did you read this in the UK press?

See here: https://fullfact.org/europe/eu-and-human-rights/

In the section "Wasn’t the UK supposed to get an opt-out from EU human rights laws?"

The summary is, when the Treaty of Lisbon awarded the EU new human rights powers the UK and Poland negotiated an opt out which was written in the treaty. It was a part of convincing the UK government to accept the new treaty without granting a referendum on it, as they had previously promised.

The opt out is very clear, really as clear as lawyers can make such things. It says:

The charter does not extend the ability of the CJEU, or any court or tribunal of… the United Kingdom, to find that the laws, regulations or administrative provisions, practices or action of… the United Kingdom are inconsistent with the fundamental rights, freedoms and principles that it reaffirms

and

In particular, and for the avoidance of doubt, nothing in Title IV of the Charter creates justiciable rights applicable to Poland or the United Kingdom except in so far as Poland or the United Kingdom has provided for such rights in its national law

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2...

In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.

A few years later the ECJ decided that the opt out was meaningless and voided it, under a new interpretation that they claimed meant they'd actually always had these powers, and therefore the treaty did not "extend" them, and so the opt out didn't "work" despite its apparently clear wording. They then began overturning UK laws.

It's unclear why the treaty had anything new in it at all if the courts had always had these powers of course, but this is how things go in the EU - no matter how plainly something seems to be written, no matter how clear the assurances seem to be at the time, the moment it becomes politically inconvenient to the project the rules are tossed out under bizarre and kafkaesque re-interpretations.

Same thing happened to Ireland with corporation tax. They were promised the EU wouldn't interfere with their tax policies. Then the EU decided low taxes were "state aid" and awarded itself the power to control Irish tax policy. Nobody had previously interpreted the state aid clauses that way.

It's a decision that makes perfect sense if you read the preamble to the Charter (my emphasis):

> This Charter reaffirms [...] the rights as they result, in particular, from [various pre-existing sources].

The opt-out specifies that the Charter does not _extend_ the ability of the courts, but does not limit the powers that the ECJ already had prior to the implementation of the Charter. Even if the UK had a cast-iron opt-out (e.g. "The Charter, in its entirety, is not applicable to the UK, no rights are granted under it to UK citizens, and no court may refer to it in reaching a decision affecting the UK"), more or less the same results would likely be reached.

Also note Article 51(2): "The Charter does not extend the field of application of Union law beyond the powers of the Union or establish any new power or task for the Union, or modify powers and tasks as defined in the Treaties.". This is broadly similar to the UK/Polish opt-out, further suggesting that the Charter did not grant powers that the UK had not otherwise agreed to.

> In other words, this part of the treaty does not allow the courts to overturn UK laws. Stated twice, for clarity.

It does not grant them _new_ abilities to do so, and the second statement only refers to a subset of the rights considered under the Charter.

http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:120...

> They were promised the EU wouldn't interfere with their tax policies

EU promised not to meddle as long as preferential treatment wasn't given. As in if Ireland gave the exact same tax deal to every company in Ireland then it would have been fine.

(the no preferential treatment in taxation bit is part of getting access to the single market)

The raison d'être of the EU is to unite, so I expect eventually all opt-outs to end or to become meaningless. Countries joining the project should have that in mind, and I think they all have and had, even if they're not talking too much about it.

The text is indeed very clear and it clearly says the opposite of what you are suggesting here.

> consider the case where they simply voided the UK's opt out of new human rights related legislation

Erm...you are aware that this case has nothing to do with the ECJ, but with the ECHR, which isn't even an institution of the EU, but of the Council of Europe*, which is an entity completely separate from (and older than) the EU.

* not to be confused with the European Council or the Council of the European Union. Yeah, it's a bit silly.

The decision OP refers to is an ECJ decision on the Charter of Fundamental Rights (NS v Home Secretary), not an ECtHR decision.

My apologies, I was indeed wrong.

I think that this source suggests that this idea may have been a mis-representation by Michael Gove [0] during the course of a referendum (I was interested, as I wasn't aware of any such decision).

Then again, all's fair in love, war and referendums :)

[0] https://infacts.org/mythbusts/ecj-isnt-using-charter-fundame...

To be fair, the Google front page was split between two sides, which suggests that this may be an issue with some emotional salience.

> And the EU acts as judge, jury and executioner.

Now, now, you make it sound like a single human actually endorses those three roles. Any state (or group of states) is judge, jury, and executioner. It also writes and dictates laws…

And that's okay.

The real world is very complicated. As time goes on, there will be lots of court cases which set a precedent.

Even though I dislike em, I think the laws surrounding fair use and copyright are another example. Due to its nature, it's incredibly difficult to provide exhaustive guidelines.

As long as these large enterprises engage in a good faith attempt at complying with the law they shouldn't end up receiving huge fines.

Vague laws = arbitrary justice. They will aid the EU's squeezing money out of US corporations under the pretense that they're protecting the consumer.