by eldavido 3013 days ago
This might sound a little mean, and I don't mean it to be this way, but this is a really naive viewpoint.

Look at any profession -- accounting for instance -- and they have all sorts of stuff like this. As an example, there's a concept in accounting of "materiality" - basically, something that's big enough to matter. Materiality is what lets Fortune 500 companies present their financial statements rounded to the nearest thousand dollars. When you're talking about tens/hundreds of millions, individual dollars just don't matter.

Whether or not something is "material" is a matter of professional judgment, to be made in the context of a large body of professional knowledge, history, prevailing industry standards, economic/cost considerations, etc, basically that thing called "experience" that we so often toss under the bus in SV.

Perhaps the biggest difference between law and code, which are in many ways quite similar, is that law is highly reliant on context. For a court to determine whether "appropriate security" and "appropriate technical measures" are followed, they would solicit testimony from experts in the field (people like us) to determine whether they felt someone took "appropriate security". So ultimately it's a matter of opinion, but one made with context and expertise.

It works surprisingly well.

EDIT: For really complicated stuff, implementation is often delegated to an agency, such as the FCC, to create specific guidelines like you want. But this is the job of executive action, which is easy to change, not statute (on-the-books laws), which is much harder to modify once passed.

3 comments

One thing I think a lot of people don't realize is that the more specific a law is, the more it becomes like a zero-tolerance policy. Allowing for ambiguity, as you said, allows for the law to be enforced with context.

A contrived example: I could try to look up some tax information on the IRS website. An error occurs, and the server spits out a bunch of log data not meant for the public. This data happens to contain sensitive URLs. I navigate to one, and it gives me unfettered access to the server. So long as I stop here and report it, I should be in the clear.

I don't. I look around a bit to see if I can help include additional details when I contact the proper person. I haven't actually done anything bad per se, but now I'm knowingly accessing a government computer system without proper authorization. A law with proper specificity would say that I should be jailed for looking around. Common sense says that, though I should have closed the tab, I was only doing my best to help. And since I never did anything detrimental, I should be in the clear.

I do understand this.

I am just wondering what happens when there is a vested interest in attacking or suppressing the company involved.

For example, if a company becomes unpopular on social media and by "public opinion" (such as Facebook right now), a court can feel pressured into a slanted decision. Given that so much is now based on opinion, what defense does the company have?

It seems that if someone had the intention to nail a company on GDPR as a PR attack, regardless of the amount of effort the company put in, they almost certainly could.

(I don't work for Facebook)

Perhaps you could describe how you would pressure a judge successfully?

I often see comments like this, abstract what ifs without any details on what.

So, try to illustrate what might happen. Also, describe what protections the judges might have against this. It’s a useful mental exercise and you might realize that it’s a fair bit harder than posting on 4chan or Twitter.

See reply to Tomte on that.

That's why we have independent judges.

"Pressuring a judge" would be an impressive feat. They are generally obnoxiously aware of their untouchable status.

And if society's stance really changes, we want the courts to take that into account. Again, feature, not bug.

Well I'm talking about exactly that - social pressure.

Just because popular opinion (aka the vocal social media / news / social media echo chamber) approves of something, it doesn't mean it is correct.

Governments and courts have definite pressure to legalize marijuana, for example. That pressure is based on popular public opinion. Therefore approving it gives that legal body or state acceptance / goodwill. This is an incentive that goes quite far.

It can also be popular to smash a company.

I don’t think this deserves to be downvoted. It’s a valid perspective I think shared among those that are, perhaps, removed from legal specificities and their make-up.

I also think this point resonates fairly well in smaller courts (read as maybe more rural areas) where the legal system is closely tied with the social system of the area and there are indeed LOTS of incentives to introduce, we’ll call them, ‘alternative judgements’.

All that said, I think law has to be appropriately ambiguous in order to remain relevant and applicable through change and societal adaptation in norms. Hence, case by case context.

This is why it looks to contain so much flex in the language. Right and wrong is implicitly an ambiguous and ever changing notion, described and defined only by the same body of individuals that mutually agree to uphold it. It’s fluid.

However, I also see the perspective that the fluidity of societal definitions and the increasing ease through technology to greatly influence a vast chunk of that population's opinion can make these things misalign with ethical appropriateness. See the Nissan.com website case or any other number of court cases that clearly concluded under the coercive pressure of the more powerful/wealthy party.

>For really complicated stuff, implementation is often delegated to an agency, such as the FCC, to create specific guidelines like you want.

If you start at around article 43 and work your way onwards, over the next 20 or so articles the GDPR document goes on to specify that all nations should set up organizations to perform this task and that these organizations have a responsibility to create and make available such specific guidelines.