Putting aside the data collection for a moment, I really appreciate that the data watchdog (data protection supervisor) for the EU actually has the ability to find this data, has the authority to force the deletion and the policy makers and agencies actually appear to be willing to even entertain discussing where the boundary between privacy and security should lie.
It’s refreshing, especially in comparison with how things are done in my country.
The cases that make the news with 100 million dollar fines to trillion dollar companies are just the ones in which the prosecution can't even reach someone at the company cause 100 million dollars is a drop in the bucket not worth looking at.
Most of the time, when somebody contacts you because of these issues, you have 30 days to comply, and if you discover that the problem is bigger than anticipated, these deadlines can be negotiated.
The point of the laws in the EU isn't to collect fines, but rather to make sure that everyone complies. You don't win much by going to trial and letting the other party explain why complying in 30 days is physically impossible.
So as long as the other party is willing to comply, the first attorney letter gets things moving, and then the issue is resolved.
> The cases that make the news with 100 million dollar fines to trillion dollar companies are just the ones in which the prosecution can't even reach someone at the company cause 100 million dollars is a drop in the bucket not worth looking at.
Is this true? I thought they were based on a % of global revenue and that definitely hurts.
That's the upper limit, not a minimum requirement. Levying the full 4% of global income is something that's reserved for those who blatantly refuse to comply with orders of their respective DPO or repeat offenders.
The maximum fine allowed by GDPR is "10 million or 2% of global revenue, whichever is higher". The goal is to ensure the GDPR "has teeth" even against companies for whom 10 million is a drop in the bucket.
Keep in mind that large parts of the GDPR were already law in many EU countries, meaning there's years' worth of enforcement activity that you can look up to see how similar laws were enforced.
And mostly that has not been "handing out the biggest fines possible" and more "fines scaled to how grossly you violate the regulation". Companies who try their best to follow the law, have good processes and respond promptly get a slap on the wrist or even just a warning if they remedy the issue fast. Companies that blatantly violate the law and stonewall regulators get the harsh fines.
The purpose of these laws isn't to penalise, it's to ensure compliance. Giving them some time to figure out what they can and can't keep is a fair compromise. Anything else is really just bullying.
If they were fined, people would be here saying "just the cost of doing business".
As far as I understand that is what everyone caught violating these laws gets at first, a warning pointing out the issues and a time frame to fix those. The real trouble only starts if you fail to meet the deadline or get caught again afterwards.
> Is it really so refreshing that they get away with breaking regulations, seemingly without any sort of penalty?
It doesn’t appear that they’re getting away with anything? It’s the first offence, so they get a reasonable period to address the issue and fix things. Give them not enough time and they complain about the regulators being unreasonable.
And it’s certainly refreshing compared to what happens in America or Australia, which is “basically nothing”.
I strongly disagree. Due to institutional closeness I don't think the watchdog is independent enough. It won't be more than a fig leaf and will not be able to resist surveillance ambitions. Could as well be controlled opposition even if this led to a change.
Sure, better than doing nothing, but if you accept this as is you have been served a bad deal.
Almost by definition a regulatory watchdog must also be government. Do you have an alternative? Giving private organizations this power ISDS-style seems worse on every level.
How exactly do you prove something was deleted unless you know exactly how many copies there were, where they are stored, watched the destruction yourself and then verified after that the data was not recoverable through practical means? Reading something on the internet about someone supposedly deleting their data is not impressive.
I'm not sure fines really tell the story here. Have big companies had a significant change in behavior as a result? Have major actors in any space (say) deleted data they'd gathered without legal basis?
At least they must now put effort into their reasons for collecting data, and share this data with the subject, which was previously impossible or unfeasible. In that regard there have been significant changes.
Anecdotally, I have seen a significant uptick in cookie banners that are significantly more compliant. Sadly most companies still ask for things they do not need, but at least they aren't on by default anymore and the dark patterns are declining.
My reply is essentially the same as to your sibling comment—yes, the situation does improve moving forward, and yes that's great; I'm not arguing it's bad. I'm just saying I have yet to see much evidence of retroactive corrections like deletion of existing data.
This link always gets posted, but if there's anything it proves, it's that the GDPR has a major enforcement problem. Your link shows that to date, ~1.4B euro worth of fines has been dished out - this is across all companies and countries in a span of 4 years.
How much do Google and Facebook individually earn from illicit data collection & processing in just a single year? Significantly more than that. So far the only fine for Facebook is 51k (for a technicality, not actually related to their continuous GDPR breaches) and Google 50.6M which is more sizeable but still a drop in the bucket compared to their revenue.
Countries are run by people who follow the law, not by those policing it. I mean, it takes a long time for a new framework of law to settle in; it will gradually have an effect on industry practice and citizens' expectations.
We are "establishing new truths" here. I think it will have a good effect in the long run, even if it's not perfect.
I have not! And yeah, I can't recall the last time I heard about an organization actually purging large amounts of data in response to a government order.
I hate the perpetual law enforcement “needs this to protect you”. Seriously, if you have sufficient evidence to believe someone is a threat you should have sufficient information to get a warrant for the information you want.
Any other system is by definition warrantless surveillance, and therefore any data collection is a-ok because anyone “might” be a threat.
That’s why we made warrants required. It’s why needing warrants is literally part of the constitution.
Grumble grumble. Old man shouts at law enforcement.
Don't self-deprecate your very rational perspective with that last paragraph. You are spot on, and you don't have to be an old man grumbling at cops to think the way you do.
This thread is a shitshow of cynicism, everyone outdoing the others to come up with even more convoluted conspiracy stories how this isn't going to help or why it must be motivated by the data protection agency apparently being criminals themselves trying to erase evidence against them. It's quite a sad state of affairs, really.
Another conclusion one could draw from the story as reported is that, contrary to an untold number of assertions I've seen made on HN, GDPR does apply to governments and their institutions. It's a point made in just about every single other thread on the law, and one would expect someone noticing they were wrong, which would seem to be perfect basis for a useful comment. Alas, they all missed this story. I'm sure they'll be back.
A close cousin is, of course, the sense that such institutions will choose to ignore the law, as in any law, anyway, and without any risk of blowback or even chance of becoming a matter of public interest. The story itself would seem to contradict that notion to a certain degree, but that doesn't seem to diminish the opportunity of updating one's belief system with even more evidence supporting everything one has always known to be true.
It does formally apply to government institutions, but they have exemptions such that their security neurosis will be as satisfied as if it did not apply.
The need for data collection is not even questioned and blindly accepted. That warrants a lot of criticism. What is surveillance if not an expression of cynicism?
> This thread is a shitshow of cynicism, everyone outdoing the others to come up with even more convoluted conspiracy stories how this isn't going to help or why it must be motivated by the data protection agency apparently being criminals themselves trying to erase evidence against them. It's quite a sad state of affairs, really.
It's sad that the EDPS would get dragged for this, we should be encouraging them. Other than that, if you have a thirst for privacy from government and lack dementia, there really is no such thing as too much cynicism.
> Another conclusion one could draw from the story as reported is that, contrary to an untold number of assertions I've seen made on HN, GDPR does apply to governments and their institutions. It's a point made in just about every single other thread on the law, and one would expect someone noticing they were wrong, which would seem to be perfect basis for a useful comment. Alas, they all missed this story. I'm sure they'll be back.
Law enforcement are all but exempt from the GDPR, which has nothing to do with this. I'm not 100% sure but I think they're referring to the Europol regulation[0].
> A close cousin is, of course, the sense that such institutions will choose to ignore the law, as in any law, anyway, and without any risk of blowback or even chance of becoming a matter of public interest. The story itself would seem to contradict that notion to a certain degree, but that doesn't seem to diminish the opportunity of updating one's belief system with even more evidence supporting everything one has always known to be true.
We've just learned that an EU-wide law enforcement agency is ignoring the law governing them, is backchanneling with the Commission to get a new law on the books to whitewash the whole thing, and that the Commission is game. And there is nothing about this in any major newspaper in the member state I'm residing in.
Do I have the facts wrong? Because it seems nuts to suggest this would be a good time for people suspicious of law enforcement and the EU to take a moment to reflect.
Up to a handful of years ago police data was still mostly stored on CDs in a first world country like Italy (it was a fun lecture during a Computer Security class where we had a few sessions with court experts about procedure).
It wouldn't surprise me that there are archive rooms lost to memory somewhere in Europol/Interpol full of CDs of data.
Also: that article's overloaded first sentence is NOT going to win any Pulitzers. And what kind of news article has an average sentence length of 29 words?
A sentence can be any length; there is no rule defining the maximum number of words that can be used to convey the point. However, some experts use a sentence's word count to quantify elements of an author's intelligence. Put simply, it's one way you can spot AI bots operating on social media.
Maybe time to revisit your assumptions. I'd grant the Guardian was still fairly decent under Rusbridger, but under Viner its quality has dropped precipitously. Full 180 on Assange, dereliction of their previous general support for international and UK leftwing issues. Nowadays they are a joke, washy liberalism and snapping at the coat-tails of US democrat readers (if any). A taint which also loses readers and undermines the authority of their (better) climate writers, which is a shame.
Is there a more recent storage medium with a single size (ish, 650 vs 700 is close enough)? USB drives come in all sizes, and DVD and Blu-Ray come in single and multi-layer. It's also the last time most people interacted with the media for storage, rather than buying pre-pressed copies.
I struggle to think of a better measurement unit for a lay person.
There really isn't is there? Interesting observation.
The closest thing I can think of is 1T laptop drives.
Now I know that sounds dumb because 1T is really just a number and you might as well just say the real number instead of some other number, also, why add the pointless word "laptop"?, but the point is to make the number meaningful by comparing it to something a person actually has some concept of. I have no idea what 4 petabytes means really, but I have some idea what a gigabyte means, and from that at least a hint of what it means that my 1T laptop drive is only 20% used.
So "1T laptop drives" is actually a more meaningful unit than petabytes.
Don't bother pointing out that laptops come with different size drives, or that probably today most people don't even have a laptop but just a phone, and have no idea how much storage it has in any real understanding kind of way. I know, I know. Just proves your original point.
Most people don't even know the size of their laptop drive. The only measurement they know is if it is full or not, and it can even take them time to realize this.
It's certainly a bad technical measure, but then stacks of CDROMs could all be super sparsely populated, those human capillaries going around the world are stretchy, etc. I think it's a reasonable metric for huge quantities of data when communicating to the general public - you can specify the movie to narrow it too.
So "the LHC produces 90 Petabytes of data per year, that's the same amount of data as streaming Avengers Endgame in 4K high-definition 40 million times! Bet their ISP wishes they hadn't offered them the unlimited data package!!" yadda-yadda?
A self-appointed police organization pretends they need to harvest 4 petabytes of citizen data to "fight terrorism".
Not legitimized by any constitution, no defined responsibilities, these Brussels organizations (sorry, the Hague!) appoint each other and assign themselves budget, and the bureaucracy grows every day.
When they are "appointing each other" they are, by definition, not self-appointed. And Europol doesn't appoint anyone, nor does it assign any budgets outside its own purview. So I'm at a loss at what you're actually trying to say.
I was recently informed that I have a Europol entry. The British Embassy said they were forced to make an entry since I had been accused of a crime in the USA, although the charge never came to trial.
What’s unlawful for the NSA to collect is defined by US law, not EU law. I’m sure they could ask the US nicely, and the NSA may even pretend to listen to their complaints for a little bit :)
It’s unlawful worldwide to use EU citizen data without GDPR.
I don’t know how the EU pulled that off, but the work of the NSA is illegal just like Google storing EU citizens’ data in the USA without GDPR enforcement is illegal too. Not to say it’s applicable.
In fact, you could break the US law from abroad. Ask Assange.
Seems like scaremongering to me and it is surely not enforceable in NZ. It will put people off going to Israel when you have anti free speech laws and you might cop a fine because of some old reddit comment.
I wonder if this could be used to get US credit agencies to stop storing data. Many people with EU citizenship end up with data in US credit agency files.
Step 1: Declare yourself the lawful sovereign of your citizens in customary international law and be accepted as that both internally and globally.
Step 2: Define a fundamental (constitutional) human right to data privacy, see the Charter of Fundamental Rights of the European Union, Article 8.
Step 3: Create regulations that define how to lawfully handle the data of European citizens (-> GDPR, Police Directive, ...) and what happens if one disregards the fundamental right.
Honestly the whole thing becomes much easier to understand if one substitutes any other fundamental right, like the right to bodily integrity. A foreign corporation is not allowed to harvest our citizens' organs without lawful basis (like written consent), even if it claims the law of its home country allows it to harvest organs as it pleases.
Except the EU can’t enforce GDPR against NSA, so who cares?
And, realistically, the EU can’t enforce GDPR outside the EU. If somebody in the UAE, for example, were to hoover up all the EU citizen data they can get their hands on what is the EU going to do? Send a strongly worded letter?
<mockingly> And, realistically, the USA can’t enforce its constitution outside the USA. If somebody in South America, for example, were to harvest all the US tourists organs they can get their hands on, what is the USA going to do? Nuke it? </mockingly>
Yes, sending a strongly worded letter is exactly what the EU would do. And then it will send another letter. And it will try to work out a diplomatic solution with the UAE such that they enforce respect for EU citizen rights, or even better, join the growing number of nations that have data privacy as a fundamental right. They may even threaten some sanctions if the whole thing is big enough.
What would your country do to protect your rights?
You can imagine generating an encrypted file 10^3 or 10^6 times larger than the data to be encrypted, with a pointer at the beginning giving the location of the start of the payload. The rest of the file could be encrypted randomness.
Transfer would be super slow but presumably the extreme file length would hinder decryption of the payload.
Of course the whole scheme would break down if the adversary knew the length/position of the pointer data.
You can do some really cool cryptography if you assume your adversary has limited space. Examples include non-transferable signatures and streaming programs that stop functioning when the stream stops (repugnant as a DRM but neat as a concept)
Take a wild guess: how many backups these mere 4000 TB already have all across the EU? I'd say at least 8, maybe 20.
Even if Europol miraculously agrees to delete one ZFS data pool, the other N-1 remain. So yeah, it's a PR theater. Pretty sure that the moment they found out what EDPS knows, a few sysadmins were ordered not to sleep until a big redundancy ratio has been achieved.
But it's still VERY impressive that a discussion about the tradeoffs between privacy and security is possible. That's a huge plus (if the discussion comes to being in the first place but still).
Yeah right, let's not hold our breath thinking Europol will actually delete that data. Especially during covid [pun not intended on a first thought, but on a second one: covid is the main scapegoat and excuse for extending the surveillance state through legal entities (i.e. national ones), "semi-legal" ones like Europol, and legal (because we haven't fixed this yet) but indirect ones through governments buying data from companies. Much like 9/11 or even cracking down on terrorism in Europe post ~2015].
Also 4 petabytes is kind of nothing; granted you can do a lot with little to nothing when it comes to intelligence, we don't need corporation-sized exabyte oceans.
> The commission says the legal concerns raised by the EDPS raise “a serious challenge” for Europol’s ability to fulfil its duties. Last year, it proposed sweeping changes to the regulation underpinning Europol’s powers. If made law, the proposals could in effect retrospectively legalise the data cache and preserve its contents as a testing ground for new AI and machine learning tools.
> ...
> The tussle that followed is captured in a series of internal documents obtained under freedom of information laws. They show Europol stalling for time and the watchdog telling them that they have failed to resolve “the legal breach”. The police agency appears to be holding out for new EU legislation to provide retrospective cover for what it has been doing without a legal basis for six years.
> The European Commission’s nervousness over a public clash was enough to pull Monique Pariat, the EU’s director general for home affairs, into a meeting between the two agencies in December 2021. Sources said the watchdog had been encouraged to “tone down” its public criticism of Europol.
Typical. Any talk of privacy in EU circles is mere marketing speak, void of everything. Europol won't be deleting anything and the Commission has their back on it.
It's just amazing. Anytime I read something about the Commission and compare what I've just read with the priorities they themselves have announced, it becomes clear their stated priorities are complete fiction, something someone wrote just to fill a page. You can throw in a new set of stooges every now and then but I guess a rotten institution just stays rotten.
The EU has majority approval in every single member country and even the UK. In many cases, it gets 2/3 majorities.
Apart from survey data, there have been many referenda on EU membership or aspects of it over the years, with similar results.
Even for the most critical of countries, at the high point of anti-EU propaganda, opposition reached just a hair over 50%, which has turned out to be very unfortunate timing for the UK.
> The EU has majority approval in every single member country and even the UK
Yeah, just not the EU power centers (the Commission for one), which were never voted for, and increasingly moved state power over to bureaucracy and unelected shadow bodies.
> Apart from survey data, there have been many referenda on EU membership or aspects of it over the years, with similar results.
Yes. And when they failed, they were repeated to taste or merely ignored.
(And ahead of those, the EU bodies devoted lots of funds to "educational" campaigns on those matters to promote the desired results in the press, yielded bribes, sorry, developmental packages and exerted pressure, in a carrot and stick manner, to get nation states to vote favorably).
I wonder what their budget looked like for the data operations? It might actually be separable if it is only a few years old and doesn't appear to be that black yet.
Simple: "high-level corruption" isn't part of Europol's mandate (see https://www.europol.europa.eu/about-europol), so it's unlikely that they have data on that in the first place.
The EU needs an anti corruption directorate just like the countries they accuse of corruption and delay entry to Schengen. The EPPO and OLAF only deal with fraud with EU funds. Maybe the scope of these institutions should be extended.
Understand the privacy need. But could that also mean history will have a black hole as well? One of the major issues of history is that it is full of kings and queens but not us, the ordinary folks. How to balance that?