> The very people who comply with and execute the GDPR consider it to be positive for their company, positive for privacy and not a pointless, bureaucratic regulation.
It's their job to do GDPR, of course they consider it a positive.
> It's their job to do GDPR, of course they consider it a positive.
No, actually it is annoying to do. But it is extremely positive. The two things do not conflict.
It's annoying for restaurants to maintain the high level of hygiene that the laws enforce. But I expect most people in the restaurant business see it as a positive (and I'm not going to the restaurants that don't...)
> Not just regulators, I'm a developer in the EU and I find GDPR a great thing. I have yet to find a fellow developer here that disagrees.
I know lots of developers who are still today incredibly furious about the legal effort that complying with GDPR requires (even if they - typically - don't intend to track users).
> I find GDPR a great thing. I have yet to find a fellow developer here that disagrees.
Besides compliance costs, operational complexity, impact on small businesses, inconsistent implementation across EU Member States, and extraterritorial reach and global compliance challenges...
IMO a lot of the text in the law is extremely vague and subjective, while simultaneously sounding very long-winded and authoritative.
> Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data
Notice it says “should”, not shall. Does this mean consent is technically optional? What is their definition of informed, affirmative, or agreement?
Requiring companies to remove individual records from backups also quickly proves to be a practical impossibility.
And it’s ironic to me that the law requires you to have even more centralized control over personal data from start to finish than they have now. To me this is a bit alarming from a security AND privacy perspective.
> The requirement to notify regulators of data breaches
Here’s a scary thought… what if they just stopped acknowledging breaches in the first place and claim they weren’t aware of it? What if they actually were unaware because the system was designed that way? There’s no law against being oblivious to breaches.
Other undefined terms such as “undue delay,” “likelihood of (high) risk to rights and freedoms” and “disproportionate effort” will require further clarity by the courts or regulators, or time for specific market practices to develop.
They don’t even define what a website is. Does that require HTTP be used to qualify? Or HTML? What about FTP or other protocols?
Also, it forces even non-EU platforms with zero domestic presence to risk being blocked due to not complying with rules that don’t even apply to them. Seems like net neutrality is fundamentally incompatible with GDPR in some ways. What if the US blocked EU sites for not being free enough?
> Notice it says “should”, not shall. Does this mean consent is technically optional? What is their definition of informed, affirmative, or agreement?
It looks like you are reading from the preamble, not the provisions. The purpose of the preamble is to describe the general intent behind the regulation or directive, not the technical requirements themselves. When national regulators of member states create the laws that are legally binding within their jurisdictions, they might refer to the preamble to check that the spirit of the law is compatible with the original European text. The preamble can also inform judges in the situation that a case is taken to one of the European Union's courts. When one finally gets to the provisions, there's even more introductory text, but it's a lot more terse than the preamble.
> Notice it says “should”, not shall. Does this mean consent is technically optional?
Does it mean you never actually read the law? Does it mean you assume that the words of an HN user are a direct quote for the law? Does it mean that any statements you make about the law are false and misleading because you never read the law and rely on misinterpretation of the words of strangers to paint a picture of what the law is about?
The law does not deal in "should"s.
Scroll down to "suitable articles" to see what the law actually says, and not what you think it says: https://gdpr-info.eu/issues/consent/ Start with the definitions and work your way through the referenced articles.
To clarify, if I'm not mistaken, out of 422 shoulds in the document 420 are in Chapter I, "General Provisions", which:
- spells out more-or-less in layman's terms why the law exists, its scope and applications
- gives the definitions that will be used throughout the document
There are two shoulds used in the rest of the regulation, in Article 47.1(j). IMO that has to be shall, too, but it's in a large list of other binding corporate rules, so it's not too bad.
> Besides compliance costs, operational complexity, impact on small businesses, inconsistent implementation across EU Member States, and extraterritorial reach and global compliance challenges...
In my experience the compliance cost really isn't that big for the vast majority of businesses. Where it does get trickier is if you're collecting a lot of data relative to the size of your customer base, e.g. Facebook, Google etc., and in those cases I think some extra eyeballs on how data is handled is sensible.
Pretty much everything GDPR gets you to do is good practice, so if as a business you can't comply then imo your business is on shaky ground. For example:
- Right to be informed -> have a privacy policy which explains what data you collect, what it's used for, how long you keep it, when you delete it and so on.
- Right of access -> have a mechanism for providing users with a copy of their data.
- Right of rectification -> have a process where you can update customer data.
[1]
> There’s no law against being oblivious to breaches.
I'm not sure where you got this idea from. One of the seven key principles of GDPR is "Integrity and confidentiality (security)" or more explicitly "You must ensure that you have appropriate security measures in place to protect the personal data you hold." [2] Being oblivious to breaches clearly goes against this.
> Also, it forces even non-EU platforms with zero domestic presence to risk being blocked due to not complying with rules that don’t even apply to them.
GDPR applies to the resident whose data you are processing, so if as a business you want to deal with those customers you need to deal with those laws. Seems reasonable enough to me.
> Being oblivious to breaches clearly goes against this
I don't see how it does. Even "ensuring appropriate security measures" is subjective in the first place, plus as we all know, no amount of security is perfect and breaches will always happen either way.
Even if you took enough subjectively appropriate security measures, and it still happened anyway, there's nothing that guarantees you'll even know about it in the first place.