by jyrkesh 1117 days ago
Because I don't see anyone downstream agreeing with you, I just wanted to hop in and +1 that I think you're REALLY making good points throughout this thread. I think a lot of folks are having trouble imagining a world beyond "EU laws" and "US laws". If every national or even state/provincial government has its own data laws (we already have 5 states in the US with GDPR-like legislation, and more likely on the way), then we're just accelerating towards a fragmented internet __with no opt-out mechanism for the individual__. When (especially smaller) companies get weighed down by legal interpretations and the fear of violations, they're just gonna start blocking more and more clients from everywhere outside their jurisdiction. (Apologies to the world, but I literally work on software that makes it easier to resolve geolocation for web devs and, among some other reasons, one of the top ones is to block certain georegions.)

Separately, while I'm all for internet privacy and am generally aligned with the _intent_ of GDPR, having had to meet its requirements at the highest level of scale, I have no qualms saying that it's truly a _terrible_ piece of legislation. Clearly whole sections were written without any regard for technical accuracy, and it leaves a number of ambiguities and contradictions within its language that continue to go without clarification. I don't feel like getting in the weeds here, but if you ever want to see people getting in the mud about how to actually comply with it, just go take a peek at the higher-comment threads in /r/GDPR.

Personally, I'd much prefer a cascading set of standards coming from a technically oriented consortium of (ideally OSS) folks that could be enforced from the client side as much as possible, and then independently audited on the server side (like a UL certification, but for your server architecture). Most of us here are probably already using a ton of client extensions to enforce as much privacy as we can without breaking things, and if an OSS auditing standard came along for servers, it'd be sweet if I could e.g. set my browser to "EU data servers only" and have my browser give me an option to explicitly override it if I really need to (like we do today with bad SSL certs).

As for the data export and deletion controls... I get the argument that that's only enforceable via regulation and government enforcement. But given the ease of data replication and laundering (made even easier in a post-ML world), I'm not optimistic that you can actually "catch" people violating it except against the absolute largest corps ("yeah, we totallyyyyyy deleted all your data, for sureeee"). Feels like it's enforceable at about the order-of-magnitude of insider trading in the US.