by jib 2584 days ago
The regulation is very ambiguous.

Try to understand what is even personal data from this:

https://ico.org.uk/for-organisations/guide-to-data-protectio...

It is all about risk, ambiguity and individual circumstances. I don't think that is bad, but there is no clear record of what it even is we are meant to protect.


It is and it isn't.

If you're in the business of "doing free services so you can skim GBs of data from users" or you "sell wholesale data collected without notice", the EU doesn't want you.

If you're doing a good job of keeping user data private except at the direct request of a user in a plain-language direct permission, then you're doing a good job to the GDPR. Slipups happen, and as long as you do your best to stop the bad thing, limit the breach, notify users, and be a good steward for their data, then it's all good.

As a US citizen, I try to make a point to only work with companies that adhere to the GDPR. I know they don't have to do so with me. But it tells me their internal processes are set up to respect the user's rights. And well, running dual systems for different compliance regimes is a tough sell - it's easier to do 1 big system.

> as long as you do your best to stop the bad thing, limit the breach, notify users, and be a good steward for their data, then it's all good

If that regulator happens to like you. There is no schedule of offenses and penalties and due process, only an absurdly high maximum for selective enforcement.

And there are a lot of regulators. Some of them a lot more combative than others. That is my main reason for disliking the regulations.

Overall I support the regulations, but I really wish the penalties had more documented structure than “We will fine you anywhere from 0 to an 8 digit number (in our case) depending on what we think is right”.

The negative outcome of more specific fines is that they get progressively easier to circumvent.

There is due process. If you think a regulator's decision was illegal, you can escalate to the courts. Some member states may not have the best justice system, but that's what the ECJ is for.

There is no explicit schedule – that could be gamed – but that doesn't mean regulators can act arbitrarily. Punishments have to be proportional to the infraction, similar cases have to be treated similarly... The GDPR just does not spell out how public authorities work.

It actually does say that punishments have to be proportional IIRC. I'm not sure if that actually makes a legal difference or if it was included to make the GDPR easier to understand.

And you pay for the lawsuit out of your own pocket. Now you need to run a business and fight a very expensive legal battle against the government. That same government that regulates your business.

>And you pay for the lawsuit out of your own pocket.

Only if you lose.

> very expensive legal battle

EU ≠ USA

>That same government that regulates your business.

So what? If you have a grievance with an entity, that's the entity you have to fight a lawsuit against.

Are you sure you only pay if you lose?

>EU ≠ USA

I don't see why this changes anything. Lawyers still cost a lot of money. They might not seem like they cost a lot of money to Americans, but that's because Americans earn a lot more money.

>So what? If you have a grievance with an entity, that's the entity you have to fight a lawsuit against.

One of the grievances people have against GDPR is that they don't like how GDPR's enforcement depends so much on the individual person at DPAs. You'll still have to deal with the person afterwards that you sued.

Precisely this. The cost and complexity of complying with GDPR is directly proportional to the scale and complexity of your data processing operations. If you comply with the principles of the legislation - collect the minimum possible amount of data, store it for the minimum possible time and process it only in ways that are essential - then compliance is very straightforward. Things only become ambiguous when you're trying to do something that the GDPR doesn't want you to do.

What's written on that web page is clear enough for me and it's the same as my own understanding of personal data. It is rather abstract and I can admit that it may not be easy to understand for others without some good examples. But it's a complicated topic in general, that has to be studied beyond reading a single article or the text of EU law.