EU-US privacy shield 2.0 is again a political show (simpleanalytics.com)
63 points by pumkesjaan on April 24, 2022 | 37 comments


Why not have this link to the Schrems article[0] rather than this advertisement for the Simple Analytics product?

[0] https://noyb.eu/en/privacy-shield-20-first-reaction-max-schr...


The biggest issue I have here is this: the EU is unable to uphold their own laws. They do things violating their own rules. They are unable to either patch their rules or stop the violation.

I have seen similar things in German legislation, where the government tried to pass data retention laws that were cancelled by the constitutional court over and over again.

The rules of business in the EU are such that the user has to have a certain control over the data a company has on them. The US rules giving law and intelligence access to this kind of data are fundamentally incompatible with that.

Either the EU changes their rules, the US changes theirs (granting EU citizens some form of recourse) or the companies change where they store their data.

Instead, they write agreements that will never hold up in court.


It’s an agreement to change the rules, obviously. So I don’t quite see what other form this should or even could take.

And, FWIW, some back-and-forth with the constitutional court is entirely normal and expected. It’s not a crime or otherwise dubious to have a difference of opinion on the most complicated legal issues.


I very strongly disagree with your second paragraph. All the laws I know of in Germany that had trouble with the constitutional court were highly dubious. I think a law overturned by the constitutional court should be the end of a politician's career or at least be the first strike. It's a complete failure to uphold the very thing they are sworn into and it's a complete failure in their own profession.

I can see that there might be complicated legal issues where my opinion would be wrong, but the stuff I know about (data retention laws and fission fuel tax) were absolutely abhorrent displays of incompetence and disrespect of the constitution.


Agreed. Legislation should be clearly within the constitution, beyond any doubt. Back and forth with the constitutional tribunal pushes the boundaries of the constitution, and risks the tribunal conceding. In addition, the tribunal many times can't enforce violations of the spirit of the constitution, only blatant concrete breaches.

And remember, the constitution was an agreement signed by many groups, and every single clause of it represents the result of negotiations and struggles.

Changing the constitution means overriding that consensus.



> The biggest issue I have here is this: the EU is unable to uphold their own laws. They do things violating their own rules. They are unable to either patch their rules or stop the violation.

I think that's a feature not a bug. The EU believed that privacy is a basic human right, and codified that right into law. But the EU isn't a single-minded entity, it's a huge, entirely unique, multi-national government. The natural result is that its behaviour can be contradictory and inconsistent at times. But the codified rights make it possible for the judicial system to step in and correct the errors as they happen.

Eventually the EU will develop a culturally ingrained understanding of privacy and GDPR. Then we'll see the end of these silly violations, and the continual need for the judicial system to step in and correct the legislative system. Until then, at least the EU isn't afraid to empower its citizens to hold it to account.


They are kind of useful to levy billions of dollars from a handful of US companies. Laws are absurd, over complicated, and unevenly applied, but at least they finance the Brussels bureaucracy.

I wonder if the Catholic Church applies the laws of data protection. If they retain or delete the records of the approximately 80% of baptized population.


Privacy Shield died because the US explicitly believes in citizen rights, not human rights:

> Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.

-- https://en.wikipedia.org/wiki/EU%E2%80%93US_Privacy_Shield

It's easy to be cynical and blame the EU for being bureaucratic, but in this case the EU is actually doing its job: protecting its citizens from the abuses of foreign governments who won't grant us equal human rights.


The big question is what's the origin of these laws, given that people add little value themselves, as expressed by their own choices, to privacy and conservative data management?

I wonder if the EU citizens have special needs virtually every other citizen in the world doesn't have?

Or is the EU trying to establish a power position versus american companies?

I wish we asked the citizens, who do you want to trust your data to, Google, or the government?

Q: "Do you wish to exercise your right to be forgotten, in your relation with the government?"

A: "Yes, I don't want the government to know who I am"


What on earth are you talking about?

> I wonder if the EU citizens have special needs virtually every other citizen in the world doesn't have?

The EU believes that privacy is a human right that everyone should have; GDPR is just the law that helps to ensure that right is upheld. It provides a framework for companies and governments to process data in a way that ensures that a person's right to privacy is respected.

> I wish we asked the citizens, who do you want to trust your data to, Google, or the government?

What has this got to do with anything? GDPR applies equally to governments and companies. State governments and institutions in the EU have been sued on a number of occasions for violating GDPR.

> Q: "Do you wish to exercise your right to be forgotten, in your relation with the government?"
>
> A: "Yes, I don't want the government to know who I am"

GDPR does not provide a universal right to be forgotten. Legitimate interests allow governments to store a minimum set of data needed to administer functions like tax collection. But beyond those basic functions you absolutely have the right to be forgotten, and many of the aforementioned lawsuits revolve around individuals suing the state for retaining personal data inappropriately.

Going to make the assumption you're American. I would point out the US constitution's 4th amendment is meant to restrict your government's collection of data on its citizens in a similar fashion to GDPR. The only difference is that GDPR is modern legislation that deals with the internet, and restricts companies in addition to governments.

It's such a shame that the US government seems to be hellbent on ignoring or perverting the 4th amendment as much as possible. For some reason you seem to believe this intrusion is reasonable, and wish to inflict it on every citizen in the world.


>The EU believes that privacy is a human right that everyone should have

Especially from the moment that political position can procure them financial rents, and a good pretext to stop the penetration of American companies in the economy.

And no, I am from a country inside the EU, and I am appalled at how the Brussels bureaucrats keep interfering in my relations with companies.


They don't really interfere. If you want to be data-mined by Google you're free to do so. That's what those cookie forms are for.

They're just giving those of us that don't want to an option to not be tracked (at least in theory)


When asked, 90% of people said no to the "Do you want to be tracked" popup that iOS introduced.

So yeah, it's clear that:

1. Most people do not want for companies to collect more data than necessary

2. GDPR in no way, shape, or form interferes with "your relations with companies" if those companies, you know, actually followed the law. You'd get a simple "yes/no" question, you'd click yes, and everybody else would click "no".


EU governments rampantly spy on their own citizens and domestically held data in ways that would make US agencies blush. This is exposed over and over again but no one cares because everyone is fixated on the US.


Can you refresh my memory of such illegal spying? Also the GIANT difference is that the US can legally spy on non-US citizens, so even if I would complain that the NSA hacked my company and stole a lot of people's private data, the Americans will just say "they did their job, all is legal". There is a need for an agreement so we respect each other's citizens. If you think X is a terrorist and want to read his emails, then it does not matter if X is or is not a US citizen: you follow the laws and present a judge your evidence and ask for permission to spy.


> For example, we’ve built a privacy-friendly alternative to Google Analytics called Simple Analytics.

This is mostly a plug for their EU-compliant alternative to Google Analytics.


Let'em plug in peace, they also have bills (and perhaps employee salaries) to pay...


Scrape a lil more off my backside, please. Of course I understand that as soon as I bend down, I have given consent and two enthusiastic thumbs up!

You could either enjoy the hint of vulgarity there or the lack thereof; otherwise lazy reading, imo. Unless you are of the opinion that the only way a company can make money is through intrusive/abusive data analytics.


Quick refresher on context: Under GDPR, personal data sent from the EU to another country must have some level of protections in that country. By far the easiest option is an "adequacy decision," where the EU says "that country has good data protections" and no extra work must be done. USA has jack-diddly-squat for data protections in most contexts, but Privacy Shield was the work-around where companies could opt-in to additional legal restrictions, and EU had an adequacy decision for companies that did so.

Schrems II is the EU court case that struck down the Adequacy Decision. The heart of the decision is the correct and accurate observation US law enforcement can compel a company to hand over data about an EU individual, and that EU individual has no recourse. There have been a series of court cases since Schrems II which expand upon the logical consequences of this ruling. Short version is, not only is the adequacy decision gone, but none of the other options in GDPR will work either. It is literally not possible to adequately safeguard personal data in the US, because there are no redress mechanisms to improper access from US law enforcement.

There have been high-level talks about "Privacy Shield 2.0," and there were some announcements from both US and EU government agencies about a milestone in those talks. The linked article is making it clear, correctly, that the observable substance of those agreements extends no further than the name "Privacy Shield 2.0". The details of how this agreement will work are important. There is no evidence that such details exist, even in the form of smudged handwritten notes on the back of a used cocktail napkin.

The EU and US have agreed that they would like it if something called Privacy Shield 2.0 were to exist in the future. That's great, I would like that as well. But we don't have one.

This article is content marketing from Simple Analytics. Their marketing spin is that if you're deciding what Website Analytics solution to buy, you should not pin your hopes on Google Analytics being acceptable under GDPR in the near- or medium-term future. As someone whose professional interests mean I pay a lot of attention to both GDPR and Google Analytics, I think that statement is accurate.


Thanks for providing context.

> It is literally not possible to adequately safeguard personal data in the US, because there are no redress mechanisms to improper access from US law enforcement.

Isn’t it possible by signing a DPA with the standard contractual clauses? (Of course its usefulness is limited mostly to B2B use cases.)

Assuming a DPA + SCCs are signed, I suppose the redress mechanism would be a lawsuit.


No. Because the US courts have repeatedly declared that non-Americans have no due process rights. There is no contract or agreement a US company can provide or commit to that overrides US law.

US law is that data from non-Americans does not have 4th amendment protection, and so any US entity is required to hand over data on request. It may require an NSL, I really can’t recall, but an NSL is a rubber stamp that is no harder to get than a subpoena.

There is also no facility for redress in the event that a US entity illegally retrieves your data, largely because of the aforementioned belief that US law enforcement is literally entitled to that data. In other words it is inherently impossible for any search or retrieval to be “illegal”.

The US government has also ruled the old workaround of keeping data of EU folk in the EU does not work: if the data is under the control of a US entity, then the data is subject to arbitrary demands from US law enforcement.

Even if you put those aside, the US doesn’t provide its own residents with the level of data protection ostensibly guaranteed by the EU. That’s unlikely to change as long as google, Facebook, continue paying to stop any data protection legislation.


The Schrems II ruling was that DPA+SCCs are insufficient for transferring data to a US company. You need to have "supplementary measures" in addition to the SCCs.


A lawsuit against the company that gave the data to the U.S. government when compelled? I think they want a redress action that also allows you to delete the data, but the U.S. government isn't going to do that, I guess.


The issue is that proving the non-respect of those norms is aleatory. Alphabet or Zoom might say "we do respect GDPR, we do not record calls, perform behavioral analysis on them etc." IF for some reason I discover a third party has something that can only have come from Zoom, I might suspect a privacy violation and so file a formal complaint; otherwise I'm almost powerless in 99% of cases. Surely reverse engineering is not illegal, but good luck doing so for any service, including giants like Android, including their baseband etc.

Such laws can only work with mandatory FLOSS and open hardware with verifiable builds. With only one absent, the norms are just smoke. Oh, BTW, USA or EU actors do not change much; formally the USA Patriot Act changes things, but only formally, because the business model of a USA actor is the same as an EU one.


Honestly, as an EU citizen... On one side there is no real development of a better IT infra to surpass/come back from the giant data-centers model, which means toward a real old-new connected desktop-centric IT, AND there are no real EU competitors for many services from USA companies, so on one side the EU does not really want to lead again in tech nor to create a new and better IT.

On the other side the EU commission proves to be as oppressive and not representative of its Citizens' interests as the USA Gov for USA Citizens, which means that beside the formal democratic dress the substance is a neoliberal economically-driven dictatorship which tends as fast as it can toward the Chinese model. We still have less ineffective justice, more protective norms, but the differences are waning more and more. Swapping crappy and bad USA services that at least are battle tested with more crappy and even worse EU services does not help Citizens at all.

For me, until enough intellectuals and techies rise, training enough common citizens to IMPOSE BY LAW mandatory FLOSS and mandatory open hardware that makes the actual model not really sustainable, we will not get anything really better.

It's like those who flee GitHub for GitLab because "we do not want Microsoft", as if any other for-profit company would be better by magic. The real target should be surpassing the actual web model, not swapping an evil actor with another who, being based on the very same principles, will clearly be the very same.


[flagged]


It's not the EU who makes you do that, it's the companies making the website.

They could not use cookies, they could respect the DNT browser setting, they could have not abused tracking technology, and they could have chosen to comply with the law in a user-friendly way, instead of a user-hostile way.

They didn't. That's why now there is an imperfect law.


Without the urge of the companies to track everything they can, you wouldn't have to deal with cookie banners. The only fault the EU has is that the fines for companies are far, far too low and the enforcement is too slow and rare.


Good news! It's not the EU at all. The websites you visit have the following alternative options:

* Serve static content with no user-tracking.

* Serve per-user dynamic content, where

* Perform tracking that is essential to the service provided. (e.g. Recording GPS coordinates is essential to the service that Strava offers to users, so no explicit consent is required. Recording GPS coordinates is not essential to the service that Google, Facebook, or Amazon provide, so they must have consent to collect GPS coordinates.)

So if a website is displaying a banner request to track you, it's because that website has made a deliberate choice not to use the other options available.

Not only that, but you have additional options as well.

* Hide each GDPR banner, such as using a custom filter in your ad-blocker. Consent to be tracked must be explicit, and ignoring/hiding a banner is not explicit consent.

* Click the "I reject cookies" button instead. The GDPR requires that it be as easy to retract permission as it is to accept. Since the website has an "I accept cookies" button that only requires one click to complete, they must also have an "I reject cookies" button.
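The consent gate the comment above describes (no tracking without an explicit opt-in, the DNT signal respected, and refusing as easy as accepting) as an added example; this is not code from the thread or from any named product. It assumes a first-party cookie named `analytics_consent`, a `loadTracker` callback supplied by the site, and a `showBanner` callback that hands the visitor's single-click choice back. The decision logic takes the cookie string and the DNT value as plain inputs so it can be exercised outside a browser.

```javascript
// Added example: explicit opt-in consent gate for non-essential tracking.
// Assumed names: CONSENT_COOKIE, loadTracker, showBanner (not from the thread).

const CONSENT_COOKIE = 'analytics_consent'; // assumed first-party cookie name

// Parse a document.cookie / Cookie header string into a name->value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Returns 'granted', 'denied', or 'ask' (no recorded choice yet).
// A stored choice wins; otherwise a DNT signal counts as a standing refusal,
// so the visitor is neither tracked nor nagged with a banner.
function consentState(cookieString, doNotTrack) {
  const stored = parseCookies(cookieString)[CONSENT_COOKIE];
  if (stored === 'granted') return 'granted';
  if (stored === 'denied') return 'denied';
  if (doNotTrack === '1') return 'denied';
  return 'ask';
}

// Only an explicit 'granted' loads the tracker. A hidden or ignored banner
// leaves the state at 'ask', which is not consent.
function shouldLoadTracker(cookieString, doNotTrack) {
  return consentState(cookieString, doNotTrack) === 'granted';
}

// Set-Cookie value recording the choice. Accept and reject go through the
// same one-step path, so refusing is exactly as easy as accepting.
function consentCookieValue(choice, maxAgeDays = 180) {
  if (choice !== 'granted' && choice !== 'denied') {
    throw new Error('choice must be "granted" or "denied"');
  }
  const maxAge = maxAgeDays * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring; returns the state it acted on ('no-dom' outside a browser).
function installConsentGate(loadTracker, showBanner) {
  if (typeof document === 'undefined') return 'no-dom';
  const state = consentState(document.cookie, navigator.doNotTrack);
  if (state === 'granted') loadTracker();
  if (state === 'ask') {
    showBanner((choice) => {
      document.cookie = consentCookieValue(choice); // first-party, so it survives
      if (choice === 'granted') loadTracker();       // third-party cookie blocking
    });
  }
  return state;
}

module.exports = { parseCookies, consentState, shouldLoadTracker, consentCookieValue, installConsentGate };
```

Because the choice lives in a first-party cookie, a browser that blocks third-party cookies still remembers it; a site that stores consent in a third-party cookie is one reason the banner keeps coming back.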


> Click the "I reject cookies" button instead. The GDPR requires that it be as easy to retract permission as it is to accept. Since the website has an "I accept cookies" button that only requires one click to complete, they must also have a "I reject cookies" button.

As for when that'll be a reality, they are working on that: https://blog.google/around-the-globe/google-europe/new-cooki...


Don't be angry at the EU, be angry at the owners of the websites that make it hard to say no to tracking.


The GDPR in no way requires cookie banners, that is the choice of the website you visited. Cookies required for functionality of a website do not require consent, privacy invading tracking cookies on the other hand do.


This is like blaming the government for making you look at black lungs on cigarette packages. It's not the government that's making you cough, they're just showing the result to you.


I routinely visit the same websites on a daily basis and don’t understand why I have to accept cookies to the same sites over and over again.

Shouldn’t they keep track of that?


Are you blocking cookies by default? Quite often your consent is saved in a cookie. There is of course also the possibility that the website operator is hoping that you get so annoyed that you consent to tracking sooner or later.


Your browser might be blocking third party cookies.


No, those websites chose to make you do that.

They could stop selling your data to google, Facebook, etc

Or I guess you could blame the legislation that at least makes it obvious that that’s what they’re doing?



