The regulators have been running for two decades, and this is EXACTLY how they operate. Scepticism in this case is unreasonable, given the massive evidence base.
I do have some direct experience of working with EU data protection regulators. My experience has been that they vary wildly in "reasonableness". UK ICO is pretty OK, they want companies to succeed. France's CNIL is a joke. Petty, spiteful and utterly inconsistent. I watched as a company worked closely with them to get their sign-off on a change to their terms of service and privacy policy. CNIL were happy to be involved and taken so seriously, they were satisfied with the changes and even praised them in private. After the company announced the change, some journalists saw an opportunity to make some noise and did so. CNIL then immediately changed their mind and dished out a fine, despite having previously agreed to it. What a farce.
That's at the national level. I can give many examples of cases where the EU has been anything but reasonable.
The entire argument Jaques presents here boils down to his belief that everyone working in GDPR enforcement in the EU will not only be totally predictable and reasonable today but also going forward into the indefinite future.
As pointed out in the other thread, this belief is itself unreasonable, because the nature of the GDPR means that even in the unlikely event it's true today, if in 10 years a new Commission arrives and changes their mind they can retroactively decide that things previously allowed were actually illegal. The GDPR says virtually nothing about anything so they'd certainly argue such a thing was merely a "clarification" and not a retroactive change to the law.
There are plenty of examples of governments doing this sort of thing over time, including the EU, like with Apple's tax situation. Mr Mattheij appears to just write this possibility off entirely.
"his belief that everyone working in GDPR enforcement in the EU will not only be totally predictable and reasonable today but also going forward into the indefinite future."
EXACTLY! There seems to be an almost cultish devotion to the benevolent institution that it can do no wrong, neither now nor henceforth.
I understand WHY people have this belief. The EU is under constant attack at the moment from many sides, and people feel they need to defend it at all costs, even if they are wrong.
> The EU is under constant attack at the moment from many sides, and people feel they need to defend it at all costs, even if they are wrong.
As you mention that "they are wrong" in reference to saying that the regulators aren't to be trusted, could you explain how the Dutch regulator behaved badly?
I'm Dutch and have followed what they've been doing over at least 10+ years. I don't think I'm wrong in my assertion, but feel free to point out the details. Also, I'd like to know how often you've followed what the Dutch regulator has been doing. I get the feeling you're not aware of their name.
> EXACTLY! There seems to be an almost cultish devotion to the benevolent institution that it can do no wrong, neither now nor henceforth.
You have to trust someone. Either the vast expanse of companies clearly mishandling your data, or the "benevolent" body which so far at least has a fairly good track record. It's not perfect. It's dangerous to give them too much power because you don't know how they will change in the future. But at the end of the day, I'd rather trust a governmental body which is at least supposed to look out for my interests, rather than a company whose main motivation is to exploit me for every penny I have.
A fairly good track record in which its own member states are constantly threatening to leave and one has already successfully left. As an American looking in from across an ocean, it does not look like a stable region that I would put trust in.
The EU is a funny place at the moment. Most politicians who seek prestige don't bother with the EU, they do national politics. Most national media does not cover EU material, but focuses on national issues. This leads people more focused on the bigger picture to seek out working at the higher level. On the other hand low performers are also sent to Brussels because "In Brussels no one can hear you scream".
Anti-EU sentiment is generally driven by national politicians who somehow always seem to cast blame on the EU when things go bad and take credit themselves when things go well. Even going so far as taking credit for implementing laws they were actually forced to implement by the union.
As a fellow American, that sounds like you need to reconsider your news sources. Brexit was driven by propaganda, not some principled opposition to intractable problems. The “EUrocrats gone wild” stories are popular in certain circles but there’s an entire cottage industry debunking them:
Again, that's taking a talking point as a given. Some people cited that or hypothetical cost savings as a justification but the claims tended to be based on urban legends or outright wishful thinking rather than actual analysis.
This seems like a very dishonest assessment. Are all the people who see this differently from you just brainwashed EU cultists who just feel the need to defend wrong things?
> if in 10 years a new Commission arrives and changes their mind they can retroactively decide that things previously allowed were actually illegal
A new commission can always change their mind and propose new laws that get voted in, as can any government. There are few things an elected body can't do, and even when there are safeguards, those can be removed given enough effort.
And this is not exclusive to them. Common law and to a degree Civil law are changeable in this way where a court can retroactively decide that things previously allowed were actually illegal by providing a mere "clarification".
In the EU this means several layers that can modify what a law actually means: the government, the national courts, the EU parliament, and the EU court. In the US you've got federal law, state law, city law?, and courts all the way to the Supreme Court, each of which can in 10 years make a decision that retroactively decides that things previously allowed were actually illegal. It seems like a risk that is inherently part of the legal system everywhere.
I don’t really see what the alternative is. It’s painfully obvious that a regulation like this is needed. Like any regulation, there will be a period of bedding in while we work out the actual bounds and procedures required.
I’m curious then what your alternative proposal for implementing this regulation would be, assuming you think it’s something that needs to be regulated at all.
Furthermore, it imposes unbelievable costs on companies that in the end must be passed on to consumers. This is completely unnecessary legislation that will probably have no measurable positive effect at all. Bureaucracy and politics at its best.
Hah, no. I guess you haven't dealt much with regulators in the past.
Regulators can never be held to anything they say. When you ask questions, if they answer at all, it always comes with a disclaimer that it's merely "guidance" and not binding. If they later change their mind, it's always a "clarification" and not a change.
The sort of people who think vague regulations are a good idea are the sort of people who think regulators are staffed by people who are inherently good, so they're usually written to give regulators maximum power and minimum accountability. GDPR is a case in point. If you read the EU's documents on the matter closely, and I have, then you find that the EU refuses to even respond to questions at all. That's delegated to national regulators, but the EU is clear that those regulators don't have the power to issue binding declarations, only guidance. In other words, you can ask a regulator or a lawyer. Their opinion has no more or less weight than my own posts do. The only time binding decisions are made is during enforcement actions.
The EU HASN'T delegated everything to local regulators. Have you not come across the Article 29 Working Party, which is dedicated to standardising GDPR interpretations across the EU?
The successor of the working party is a new body called the "European Data Protection Board" (or sometimes supervisor). It will issue binding decisions but only on the matter of cross-border transfer disputes, not any other aspect of the new rules:
> The European Data Protection Board will not only issue guidelines on how to interpret core concepts of the Regulation but will also be called on to issue binding decisions on disputes regarding cross-border processing.
So the EU will issue "guidance", but so will local regulators, however, it's ultimately the EU itself via the ECJ that decides what the law actually means in the end:
> It is important to recall that, where questions regarding the interpretation and application of the Regulation arise, it will be for courts at national and EU level to provide the final interpretation of the Regulation
That is, if the EDPB or a local regulator states that something is legal, that doesn't stop them later taking you to court over it and winning because ultimately their own advice is not legally binding (except, perhaps, in the cross-border case which is a special exception for some reason).
> The data protection authorities are the natural interlocutors and first point of contact for the general public, businesses and public administrations for questions regarding the Regulation. The data protection authorities' role includes informing controllers and processors of their obligations and raising the general public’s awareness and understanding of the risks, rules, safeguards and rights in relation to data processing.
In other words local regulators are now essentially advocacy organisations that will be the first point of contact, but have no special powers to actually specify what is or is not allowed.
>if in 10 years a new Commission arrives and changes their mind they can retroactively decide that things previously allowed were actually illegal.
If 1) A new European Commission arrives and proposes a change in the law that is retroactive; AND
2) The European Parliament agrees with the change; AND
3) The Council of the European Union (ministers from every EU member state); AND
4) the Court of Justice of the European Union doesn't strike the legislation down
This is the main issue with this regulation in my opinion. Some of the recent statements by EU officials on that matter verge on absolutist notions of law: "Don't worry. Authorities will be lenient and benevolent." This is how absolutist kings argued why there shouldn't be a constitution or a state under the rule of law.
Law is by its nature open to interpretation and based on precedent. Otherwise there wouldn't be courts of appeal and supreme courts. What's so special about GDPR that makes you think it will be abused more than other laws?
Yes, common law and civil law systems have been converging to some extent. In common law systems you have increasing reliance on statutory law while civil law systems increasingly make use of precedents. Still, the basic principles remain.
- Scope outside of Europe – e.g. if a completely foreign entity that offers a Spanish or French translation of its service could potentially be covered by GDPR, even if they're not marketing to EU markets specifically. Too bad for Quebec I guess. Or what if you fly to speak at a conference in Europe – is that "marketing" to residents of EU? Depends on your slides? Or not? Who knows.
- Consent – does X fall under "legitimate interest"? Is it essential to providing the service? These are not easy to definitively answer for any non-trivial application. And it's not like you can just err on the side of caution – you are not allowed to ask for more consent than you need IIRC. And if the regulator (one of them) disagrees with you after you've spent a few years building a business relying on a certain interpretation, tough luck I guess, try again?
- How to deal with backups that contain personal information
> If a completely foreign entity that offers a Spanish or French translation of its service could potentially be covered by GDPR, even if they're not marketing to EU markets specifically.
No, the GDPR is clear that it is applicable if you are offering goods or services to Europeans. The fact you are speaking French in Quebec isn't relevant.
> Or what if you fly to speak at a conference in Europe – is that "marketing" to residents of EU? Depends on your slides? Or not? Who knows.
So, if you fly to the European conference and talk to a European audience, you're not going to be covered by the GDPR until you actually supply goods or services within the EU.
> the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects
> In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union
> factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union
> So you can't just run your business from Canada with no special emphasis on EU and call it a day.
You really can, it says that it may make it apparent.
Does your use of English make it apparent that you are intent on selling to the UK? No. Italian, might I suppose. French wouldn't if you were based in Canada.
Also, must be nice to live in a country where the regulator is as benevolent and reasonable as is described in this article.
I think it's ok for foreigners to be skeptical of this promise, as the article implies that this reasonableness is not encoded in law.