by Silhouette 2511 days ago
It would help if privacy policies were brief and clear.

And the way to do that is standardisation.

In many situations, at least here in Europe, you can go about your normal life without worrying too much about tricky contracts catching you out. There are consumer protection rules that restrict what can be done, prohibiting it entirely in some of the most serious cases, but also setting out reasonable expectations in some sense so that any business wanting to violate those expectations has to be clear about their alternative or might find it doesn't stand up if challenged.

One difficulty with the online world at the moment is that because it's very international in nature, even rules that apply across say the whole EU or at federal level in the US don't necessarily provide any guarantees to visitors of websites or recipients of emails because the business or other organisation they're dealing with might not be in the same jurisdiction as them.

On top of that, these big data-hoarding organisations pose an unprecedented threat to our privacy and ultimately to our freedom and way of life because there is an unprecedented amount of data collection and processing going on. Some things didn't really matter much at a small local scale, like the person passing you in the street seeing your face and knowing you were there at that moment in time, yet forgetting you a moment later. The exact same data points can matter a great deal more when we're talking about huge numbers of them being collected and collated by a single entity that can then process a more informative data set in ways that would never have been possible in the simpler case. Now the marketer or the government or the criminal who hacks the marketer or bribes the government official has a detailed record of your normal daily movements and any anomalies, or your spending patterns across everywhere you shop and everything that says about you, and so on.

We need a clear basic framework for what we as a society are and are not willing to permit in these areas, for how we trade off the potential advantages of organisations that might genuinely be trying to help us having access to more data against the potential risks of organisations that are not necessarily acting in our best interests having access to more data, even if in some cases they might be the same organisation using the same data in different contexts.

I personally regard the GDPR as a swing and a miss in this context. The intent might have been good, but it's so complicated and ambiguous that in many ways it creates problems rather than solving them. Crucially, that is particularly true for organisations that were trying to be responsible about how they work with personal data and privacy issues, which might have been looking to the GDPR and the national regulators for clarity about the ethics and legality of different practices with pros and cons.

So there have been some moves in positive directions recently, but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records. Does it really help anyone to declare obvious and indeed legally required behaviour like that, or is it just noise?

To pick a less obvious example, maybe we should have clear defaults about analytics. For example, perhaps a business is allowed to monitor how its customers are using its own hosted systems by default, but activities like accessing users' personal data uploaded to those systems for other purposes, exporting users' personal data from their local devices, or sharing any of this data with third parties requires explicit disclosure and maybe some level of consent.

Privacy policies could indeed be much clearer if only the exceptions to common sense had to be declared in some standardised way, and if an acceptable definition of "common sense" were itself provided somewhere through legislative or regulatory means.


The GDPR isn't a bunch of rules, it's a process. It's no different to your health and safety process. You define your process, what data you have and where it is and any risks.

Personally, with massive PII dumps getting leaked every week I'm not surprised governments are starting to act.

> but right now, if I'm selling you something online then I still have to state in my privacy policy that I'm going to keep records of money you pay me and I'm going to store those records for long enough to comply with my obligations around tax records.

No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.

Quite: far too many people equate the "consent" basis for holding data as the _only_ basis for holding data. It is not, and compliance with other laws is also a valid reason which _cannot be overridden by withdrawal of consent_.

Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

If you have a legitimate basis to collect and store personal data for some purpose X, then that doesn't allow you to use the data you collected and stored for anything else - if you want to use the same data for some other purpose (like targeting ads or giving them to your "partners" to target ads), then you need consent; and if you give them to your "partners" to allegedly execute that legal need X but it turns out that they're using it to target ads or reselling data, then you're liable for that.

> Sure, but if we're talking about data usage for marketing and targeted ads, then generally consent would be the only basis that can apply.

That's debatable. The GDPR itself explicitly notes [Recital 47] that even direct marketing can constitute a legitimate interest.

However, there are specific provisions for that case, particularly the explicit provision [Article 21, para 3] that if the data subject objects to processing for direct marketing purposes then that is black and white and that processing must be stopped.

Yes you do [have to state that in your privacy policy].

Compliance with a legal obligation is valid grounds to store and process data, but the information requirement still applies - you need to inform the customer what you're collecting and why, you just don't need their consent in this case.

E.g. the GDPR article 13.1.d / 14.2.b - you need to inform the data subject about what exactly is your legitimate need that justifies the processing of data; and customers then can judge whether that need (and the collected data for it) seems reasonable or warrants a complaint to the regulator.

> The GDPR isn't a bunch of rules, it's a process.

The GDPR is an EU regulation. An EU regulation is a bunch of rules that have direct legal effect across the Union.

> No, you don't. That's covered by the rule "Compliance with a legal obligation" because you have to do it, but only store as much as you need.

That's a legal basis for processing, which you also have to disclose. It doesn't exempt you from disclosing other required information such as the types of personal data you're collecting or your policy on retention.