This might be a bit of a weird question, but how do you remember which information needs to be deleted when you're at the point where you need to use backups?
You would keep a list of unique identifiers (opaque) that were deleted and filter data out prior to rewriting/restoring it. It’s cumbersome but not impossible.
The gist seems, if you are sticking your fingers into your ears hard enough and shouting loud enough, it should count, maybe, in at least most European nations.
>Why not throw your trash on a neighbor's lawn? Why not enslave your workers so you don't have to deal with turnover and hiring replacements? Why dont you stop paying taxes so you don't have to do work to get the same amount of income as you would without taxes?
None of those examples make sense from a classical economics perspective, nor would they be considered sustainable from a game theoretic perspective either.
Meanwhile, not complying with the GDPR doesn't seem to have any obviously severe economic/game-theoretic consequences if you're not based in the EU, or don't already have a large profitable presence there. So it's a bit disingenuous to just lump it in with all those other behaviors.
>None of those examples make sense from a classical economics perspective, nor would they be considered sustainable from a game theoretic perspective either.
Please explain how. Not complying with the GDPR doesn't have any obvious consequences because every company that sells user data is pushing their negative externalities onto others. The GDPR is trying to make it so that the people creating the negative externalities are the ones paying for them
Assuming you legitimately want to know, and aren't just trying to ask a pointed rhetorical question, ok:
>>Why not throw your trash on a neighbor's lawn?
Because unless you like having other people's trash on your lawn, a simple tit-for-tat strategy in game theory would suggest that it's in your best interest to not do that yourself either. In other words, the most sustainable course of action in this case is to follow The Golden Rule ("do unto others as you would like them to do unto you").
The thing with the GDPR, is that the parties involved in the game are you and the EU government, and you not complying with the GDPR by just refusing to serve EU customers doesn't put you in line for any kind of equivalent retaliation if you delete all your EU user data first.
>>Why not enslave your workers so you don't have to deal with turnover and hiring replacements?
Because in a developed free market economy, that business strategy is doomed to fail, since your workers can choose to go work somewhere else that has more favorable conditions, and will likely warn any potential future workers against working for you. If you maintain these sorts of business practices long enough, eventually your pool of workers to choose from will shrink to the point where you'll no longer have enough viable candidates to replenish your workforce.
Similarly, if your business is in fact collecting sensitive data and abusing its use of it for shady purposes, your customers will eventually start looking for a way out of dealing with you (as is possibly the case with facebook right now).
However, the key distinction that seems to be missed by a lot of people here, is that not complying with the GDPR does not inherently guarantee that a business is either collecting dubious data, nor that it's doing shady things with it. And this is a result of the fact that companies around the world are not obligated to conduct business in the EU. If they magically were obligated somehow, it'd be a different story, but that's never going to be the case.
For example, if a new business starts up in the US right now, it will not actively have any EU user data yet, but could still opt to not comply with the GDPR purely because of the overhead costs, and just block EU users altogether in order to avoid any hassles in the future. Does this mean that the business is doing questionable things with user data? Obviously not, since it hasn't even had a chance to collect any data yet, but clearly it positioned itself in a way that it found to be the most advantageous for its given resources, at the detriment of any potential future EU users, without risking any obvious repercussions other than having a slightly smaller potential market. If all of its competitors decide to comply with the GDPR and serve EU customers however, then the strategy could turn out to be a losing one, but it's far from a given that this will happen.
>>Why dont you stop paying taxes so you don't have to do work to get the same amount of income as you would without taxes?
Because not paying taxes will get you jail time and/or non-trivial fines in pretty much every country you could possibly be based out of. I know there are quacks in the US that claim you can "legally" not pay any income taxes, but none of those crazy arguments have ever stood up in court, and have historically landed tax avoiders that tried to argue for them in jail. Regardless of how you feel about taxes, needlessly incurring large fees and/or landing yourself in jail, just isn't gonna be good for business, so it's in your best interest to pay them even if you're a raging psychopath/narcissist.
>Not complying with the GDPR doesn't have any obvious consequences because every company that sells user data is pushing their negative externalities onto others.
Not complying with the GDPR != selling user data.
This argument is moot because it doesn't logically follow that not complying with the GDPR necessarily produces these "negative externalities" that you're referring to. Therefore, it doesn't explain anything about why not following the GDPR doesn't have obvious consequences. Refer to my hypothetical startup example above for elaboration, because this is an example of conflating "data collection/dubious practices" with "GDPR compliance", which are two very different things.
>The GDPR is trying to make it so that the people creating the negative externalities are the ones paying for them
I agree that that's what it's trying to do. Unfortunately, it seems like it might be having some unintended consequences along the way regardless.
>Because unless you like having other people's trash on your lawn, a simple tit-for-tat strategy in game theory would suggest that it's in your best interest to not do that yourself either.
That's why company's trash the commons instead of someone's direct property, and then zealously guard their property rights. With actual trash it's dumping into a river instead of a front yard. With personal data they spend millions to suck up and infer personal data and then spend more millions guarding all of their information with lawyers crafting NDAs, obfuscateing their information with accounting tricks, and suing people or trying to bring criminal charges against people who gain access to their information.
When a company puts a secret tracking pixel on a website that users don't know about, it's good business. When an individual puts a secret program in an email the company doesn't know about, that's hacking and they need to go to jail.
>Because in a developed free market economy, that business strategy is doomed to fail, since your workers can choose to go work somewhere else that has more favorable conditions, and will likely warn any potential future workers against working for you
I'm not sure you know what enslave means. People wouldn't be allowed to leave.
To the rest of your point there, the argument that, "the market will respond to people's preferences" doesn't work with such one sided information. Sure people are leaving Facebook, but to go where? Instagram, another Facebook property that steals data? Snapchat, a different company this time but still stealing data. Cambridge Analytical has had to close up shop due to outrage, so they just reopened under another name so that most people will be unaware. Same with Blackwater -> Xi -> Academi. The entire Industry is engaging in these tactics and only dealing with the cost of renaming or a PR push because it is so lucrative. The GPDR is the EU's attempts to make it not lucrative anymore and allow for other business models to now be viable because they don't have to deal with shitty companies making a ton of money off of stealing data from people.
>Because not paying taxes will get you jail time and/or non-trivial fines in pretty much every country you could possibly be based out of.
And now not following the GPDR will get you serious fines followed by jail time if you continually flaunt the regulators. Literally everytime you said "pay taxes" in that paragraph could have been replaced with "comply with GPDR" and it would have been just as accurate
>This argument is moot because it doesn't logically follow that not complying with the GDPR necessarily produces these "negative externalities" that you're referring to.
It's not moot. Even if you don't sell the data, you are creating a pool of user data that is valuable to steal, and the constant stream of breaches from companies ranging to startups to enterprise is evidence that security is extremely difficult if not impossible. Look at the Equifax breach. They didn't have to sell any of that data for the breach to have caused actual damages to both users who had done business with them, and people who had never even entered into an agreement with Equifax. That is a negative externality generated entirely by the company.
The GPDR allows individuals to now say, "no I don't trust you to hold my data".
>I agree that that's what it's trying to do. Unfortunately, it seems like it might be having some unintended consequences along the way regardless.
Everything humans do has unintended consequences, that's a feature of not being omniscient, but using that as an argument for not trying something like the GPDR is disenguous.
If this was the governments first warning shot against data collection companies I'd probably be in the camp that thought it was going to far. It's not though, there was the cookie law, the DPD, and warnings from the government. The corporations have ignored the intent of all of them and gone on with business as usual. So now that trying a weaker form of regulation has already been done and failed the options are to let companies continue as usual and continue to harm society, or create a regulation that has actual teeth to it and starting doing a governments job of protecting it's people. Everyomes entitled to their opinion, but I am firmly in the camp of actually forcing companies into stopping this practice
>I'm not sure you know what enslave means. People wouldn't be allowed to leave.
Ok, apologies for thinking we were discussing a more mundane/realistic scenario then. However that kind of slavery that you're talking about is very niche and not something that could be universally applied by any entrepreneur like you seemed to be suggesting. Furthermore, it'd be illegal pretty much everywhere, and you'd end up in the same sort of scenario of tax avoidance where it's still in your best selfish interest to comply with the law anyway.
>"the market will respond to people's preferences" doesn't work with such one sided information. Sure people are leaving Facebook, but to go where?
Going nowhere is also a feasible option by the way. People lived just fine without having any kind of facebook/snapchat/instagram/etc not that long ago, so there's no reason why they couldn't just go back to that if the alternatives are distasteful enough. I know that's certainly the path I've taken. It may be a minority stance still, but give it time, the markets don't just respond to abstract things like this over night. I'd wager that we won't be able to adequately gauge the real effects of these sorts of privacy breaches until at least a couple decades from now, because the whole questionable online advertising industry isn't just going to run out of money and disappear that quickly.
>And now not following the GPDR will get you serious fines followed by jail time if you continually flaunt the regulators.
Did you skip over the example in my comment of that not being the case? If you don't do business in the EU (e.g. by range-banning them), and aren't holding on to EU user data, then you're not facing any consequences, plain and simple. Doing that doesn't mean you're complying with all that the GDPR is requesting either, so you can't just hand-wave it away as if that were the case.
>Even if you don't sell the data, you are creating a pool of user data that is valuable to steal
Once again, not following all the little rules that the GDPR entails, and/or not doing business in the EU, does not logically imply that a company is even collecting sensitive data in the first place. A small static site could potentially still be non-compliant if all it does is collect ip addresses in its server logs, or uses a 3rd party analytics service of any kind (without keeping any of the actual data itself).
I'm not arguing that amassing pools of personal data are in any way a good idea for anybody, but that's a separate issue than the one of "is it worth it to comply with the GDPR?", which is how most entrepreneurs outside the EU will inevitably approach the problem, even if they weren't planning to collect data. For example, startups will now have to consider if they'll ever collect any kind of data at all, at any point in the future, before they even decide to start, just so that they know whether or not it's in their interest to try serving the EU market at all, even if they have no plans to collect data yet. You could argue that the GDPR will disincentivize such activity and make entrepreneurs think twice about it, but most likely, the path of least resistance for them will just be to range-ban the EU.
>but using that as an argument for not trying something like the GPDR is disenguous.
No one is saying the EU shouldn't have tried passing the GDPR. What's actually happening, is a discussion between businesses/entrepreneurs outside the EU about whether it's worth it to comply with the GDPR or not. I have yet to see anyone legitimately advocate for it to get repealed or anything like that. We're all just looking out for what the best strategy to take is now that it's in place, and it seems like people in the EU are getting upset that not serving EU users is even being taken into consideration as a serious option, when it's a perfectly rational course of action for any outside business to consider.
>Everyomes entitled to their opinion, but I am firmly in the camp of actually forcing companies into stopping this practice
Right, and I'm in the camp that it's your right to try and do so, but also I'm pessimistic about using force to achieve this as opposed to starving the market via ubiquitous ad blockers and things like ad-nauseum. Only time will tell if the approach was successful or not.
I mean yeah. I think it's leaving money on the table, but it's certainly a valid option as long as you aren't processing EU residents personal data in violation of the GPDR still and have money/assets flowing through the EU.
If you don't have anything within their jurisdiction there's not much they can do to you
You need backups of which information needs to be deleted. Or you can just store PII separately from the rest of your data so most of your backups don't need to be modified.
How long are you keeping backups in cold storage for - usually you'd want maybe 6 months there, but no more, otherwise it's just going to grow unbounded and become a financial burden.
That's certainly a valid point, but it still doesn't solve the problem of having to remember to delete something in the event of data loss.
As far as I can tell to comply with a deletion request with absolute certainty requires infallible storage (which would remove the need for backups) or modifying backups (which contradicts the concept of a backup). Maybe you can claim 'force majeure' at some point, but perfect compliance seems impossible.