Without extremely aggressive changes to how we handle situations like this, it seems unlikely
A fine is a price, and there are basically no laws that put financial, let alone criminal liability for people behind the corporate veil or seizure/dissolution of a corporation that consistently breaks the law on the table
Whenever the GDPR is mentioned here, people more or less treat it as a sign of fascism. With that attitude from us, how can our rights on privacy be respected?
I'm extremely glad that the GDPR and NOYB.eu mean that car manufacturers can't pull that shit here. If I opt out, I'm opted out, or there will be big fines for them.
The problem with the GDPR is the overhead. If it was one line that said "you can't sell data on people without their explicit freely given consent" then anybody could comply with it by simply not selling data on people.
But it's a long piece of legislation and some of the requirements are time-consuming to implement even if you're not doing anything nefarious. "It is bad for innocent people to incur uncompensated costs" should be a primary principle in creating legislation.
> If I opt out, I'm opted out, or there will be big fines for them.
They're getting sued. If the plaintiffs win they'll have to pay. It's not obvious why this is worse or any less of a deterrent.
"Every contract, combination in the form of trust or otherwise, or conspiracy, in restraint of trade or commerce among the several States, or with foreign nations, is declared to be illegal."
> What's a contract? What's trust, or conspiracy? What's trade, or commerce, or a foreign nation? What does "declared" mean?
These have established meanings in existing law. What are you proposing as a plausible ambiguous interpretation of "declared"?
> This is the legal equivalent of "I can write Doom in one line, import doom; doom.start()".
That's two lines.
Also, it's not equivalent, because the original is actually a composition and not just a tautology. It's like saying that this one liner to find word frequencies in a file:
> What are you proposing as a plausible ambiguous interpretation of "declared"?
Is your argument that the GDPR can be one line because "data" already has an established meaning in existing law? The GDPR is large because all these things needed to be defined, and there are tons of edge cases, not because the lawmaker figured they'd add some extra fluff in there.
It's not being verbose or well-defined which is the problem. It's that the law isn't a single well-specified requirement but rather many independent ones that each have to be complied with separately, including by people who weren't doing anything untoward to begin with.
If you weren't doing anything harmful then your preexisting behavior shouldn't become unlawful.
Here's the GDPR in one sentence for you: "do not process data from people that haven't consented to that processing".
The rest of the text is about specifying the terms of art processing, data, people, and consent.
> If you weren't doing anything harmful then your preexisting behavior shouldn't become unlawful.
Exactly. Except that you do not get to define harmful, the law does. If you weren't processing any PII, then your preexisting behaviour did not suddenly become unlawful.
> It's not obvious why this is worse or any less of a deterrent.
I'd say it may not be obvious why, but it's obvious that it is less of a deterrent, because this sort of data trading seems to be commonplace and semi-overt in the US, and much less common (and hush-hush in the rare cases where it does happen) in Europe.
I'd also hazard a guess why it's less of a deterrent: the risk, i.e. probability of successfully getting sued * cost of successfully getting sued, is likely much lower compared to the relatively high probability of a DPA going "WTF no" in Europe as soon as someone reports it.
> I'd say it may not be obvious why, but it's obvious that it is less of a deterrent, because this sort of data trading seems to be commonplace and semi-overt in the US
But that's because the US doesn't even have the law requiring express and freely given consent, so they just stick the consent in some agreement nobody reads next to a box you have to check. You could have that rule without having the whole GDPR.
In this case they apparently collected the data even if you never checked the box, which is just egregious and now they're getting sued.
> the risk, i.e. probability of successfully getting sued * cost of successfully getting sued, is likely much lower
Certainly this is not because plaintiffs would be unwilling to file claims if they could.
How? Who will represent that viewpoint in the halls of congress? The EFF is politically ineffective and always has been for reasons I don't understand, and no one else seems to care.
> The EFF is politically ineffective and always has been for reasons I don't understand, and no one else seems to care.
Going by the EFF's latest published financials (2022), they took in $23 million vs $16.6 million in expenses. Vs literal billionaires and nation states. Some of the billionaires have more money than the nation states do. David, meet Goliath.
I care. I give them my money. They seem to do a better job at advancing these interests than anyone else. I'm more in awe of their attempts to take on issues of this magnitude given their meager resources than anything else.
Let’s think outside the box a little. What we need is a general process whereby the public gets to decide if a business should exist. Too often companies just form, abuse us, and there is no way to stop them. What if, once a year, companies had to justify their existence in front of a citizen panel or a jury of random people or something? They’d need to demonstrate what good the public receives from their existence, or their assets get sold and the company dissolved. Why do we believe that companies simply have a natural right to exist as long as they can survive? Where did this come from? Companies should answer to the public!
> They’d need to demonstrate what good the public receives from their existence, or their assets get sold and the company dissolved.
If their assets get sold and one entity buys all of them then they could just carry on operating the same company with them. The most likely buyer for something like that would be a competitor. That seems bad.
Maybe we could require the opposite. Their assets get sold, but can't all be sold to the same party. You split the company up, e.g. by delaminating vertically integrated components into separate companies. That way it's easier to enter the market and compete with any of them because you don't have to replicate the whole stack, only that one component.
You might not even need to have a vote, just some rules for when this happens automatically, like when a company has more than e.g. 35% market share, because that's too close to a monopoly and you wouldn't want a trust to form. We could call this anti-trust.
> What we need is a general process whereby the public gets to decide if a business should exist.
So if I want to start a small business, say a mom and pop restaurant, the public has to approve it first? You must be joking. Most businesses are small businesses. Hamstringing them is a recipe for disaster. Our regulatory system already disadvantages small businesses in countless ways. Indeed, that's part of the reason why large businesses can get away with so much.
The public already has a way to disapprove a business: don't buy from it. If nobody buys what the business is selling, it goes out of business.
The real oversight the public should be exercising, but isn't, is to vote out of office politicians that allow large businesses to buy their way out of trouble.
> The public already has a way to disapprove a business: don't buy from it. If nobody buys what the business is selling, it goes out of business.
This “let the market decide” approach is clearly not working. It assumes that only the direct customers of a business are the stakeholders that matter, because they have the wallets to vote with. There are many, many companies that the general public do not buy things from yet suffer their harms. There are a lot of terrible businesses, large and small, that I don’t purchase from which I’d vote in a heartbeat to get rid of if I had the opportunity.
> There are many, many companies that the general public do not buy things from yet suffer their harms.
Examples, please? I find this claim extremely dubious.
> There are a lot of terrible businesses, large and small, that I don’t purchase from which I’d vote in a heartbeat to get rid of if I had the opportunity.
Of course, because you personally don't depend on those business for anything. (At least you appear to be assuming you don't--though you might indirectly. But let's assume you don't even indirectly.) What about the people who do?
You have to use a service that harvests your data for that to happen. That's your choice. Nobody is forcing you. There is certainly no need to have a public vote to outlaw the companies. (Now, if you were to propose that our lawmakers outlaw the ad-supported business model, so that companies providing the services that now harvest data to make money would have to make the users of their services paying customers instead...)
Also, do you buy anything that the advertisers who buy your data are selling?
All change is destructive. No matter how bad something is, someone depends on how it is right now. Someone will at the very least be inconvenienced by it changing
The fact is, no company actually primarily exists to employ people, and people lose their jobs to this basic fact all the time, sometimes for no reason other than that some investor expects extremely marginal gains from signaling that they are serious about cutting costs
Also, the dissolution of a company and dispersal of its assets could include allocations for severance pay to cushion the blow if that's a concern, which is not always available to people who are hit by random layoffs
Perhaps the threat of actual extreme punishment would incentivize companies to behave such that the punishment never gets invoked?
Currently the worst thing companies ever face is a little itty bitty fine and maybe a toothless regulator telling them “Pretty please would you mind not doing that again? If it’s not too inconvenient to shareholders that is…”
If con-gress was serious, theyd ban/restrict any social media that relied on tracking. Or better yet, they'd pass a bill restricting data brokers of any sort ala GDPR.
I agree data brokering of any kind should be completely illegal. I don't think tiktok is only being banned because of china though. I just think it's a bonus compared to bytedance legitimately being a malicious data-harvesting nightmare that also happens to own one of the most mentally damaging social networks of the decade
This is funny, but sadly true... I just told someone yesterday if lawmakers truly cared about all of this they'd ban all social media. Lobbyists and lawmakers will be eating well until then.
