[digging]

> It's hard to make collection, aggregation, and sharing of facts illegal.

Sure, but the US has a precedent in HIPAA. Not saying it's copy-paste, but... maybe it should be.

I would prefer the law be more restrictive than less, because I don't believe this is true:

> law is justifiably looking for a scalpel treatment here to address the specific problem without putting the quest to understand reality on the wrong side of the line.

I believe the law may use that noble goal as cover for the actual goal: restrict the ability of capital holders to accumulate capital as little as possible. Data sharing isn't a public good in any way. It's mostly not even useful for the targeting purposes it claims. It's extremely reckless rent-seeking that knowingly allows innocent people to have their lives wrecked by identity theft.

[shadowgovt]

As someone who helps care for elderly relatives with widely-dispersed out-of-state families, I can point to HIPAA as an excellent example of why crafting this kind of law is difficult.

I think we are going to discover, once people do the research, that HIPAA has done net harm by delaying flow of information for critical-care patients resulting in lack of patient compliance, confusion, and treatment error.

Yes, there is harm potential in insurance companies denying coverage or claims because they are privy to too much information about clients (a scenario that, I'd note, we could address directly by law via a national healthcare system or banning denial of coverage for various reasons) or by employers or hostile actors (including family) discovering medical facts about a patient. I have to weigh that harm potential against my day-to-day of having to fight uphill to get quality care because every specialist, every facility, and every department needs a properly-updated HIPAA directive for a patient (and the divisions between these categories aren't clear to the average non-medical observer).

[digging]

Huh, I wasn't aware of such a viewpoint. I've never had or heard of problems with HIPAA preventing timely or accurate care, even with my father going in and out of hospice toward the end of his fight with cancer. I'm really sorry to hear it. At the same time, I do have to wonder if that kind of problem genuinely outweighs the protection HIPAA has given millions of people against harms small and large. (I guess with the state of data privacy today, HIPAA may be basically useless, but that isn't exactly HIPAA's fault.)

[makmanalp]

> HIPAA has done net harm by delaying flow of information for critical-care patients resulting in lack of patient compliance, confusion, and treatment error.

You won't find any disagreement from me that HIPAA is very complicated. However there's a certain level of whining and foot dragging that happens in the industry that we should take with a massive grain of salt. There's so many HIPAA compliant and still convenient ways these days to have patient communications, but the industry doesn't want to invest and doesn't care about patience experience enough, and then go "sorry, HIPAA :-(((" every time.

With GDPR, after Schrems II happened and it became clearer that the EU-US Privacy Shield was no longer a valid workaround, I personally observed companies (including the one I was in) suddenly moving mountains to complete migration projects and privacy upgrades in just a few months that the industry previously deemed was technically unfeasible or impossible, cost prohibitive, business destroying, etc. And they still remained massively profitable and growing. If they had just done the right thing early on it wouldn't have been on such a tight deadline either.

That was the final straw for me in terms of being very firmly convinced that we should be telling companies to shut up and comply a lot more because they will never do the right thing on their own even if it wasn't /that/ hard. Another approach here is to start holding them liable for the personal costs of data breaches etc and let the incentives take care of themselves. In fact, why not a bit of both?