A consumer protection law like GDPR would probably be a good thing for US, but it's hard not to see this as SFDC saying, "As a multibillion-dollar SaaS vendor, we welcome regulation that might slow down or prevent a competitor from unseating us."
What you don't realize is that the lawlessness around user data hurts big corporations too. If you're a big corporation collecting significant data than you've taken on a significant liability but the nature of this liability is amorphous. How much will it cost you if your data gets hacked? What will be the impact if you share the data with a partner and the partner gets hacked? How much can you share in your api? What if you sell the data to a foreign firm and that firm turns out to be the Russian government? What happens when a client sues you and claims you caused harm to her because you have the wrong data about her?
Every corporation has to answer these questions but right now they have to do it with no real guidance from the government. This makes the data a ticking time bomb. It's not clear what can be done with it or even how much it's worth. It's not clear what best practices exist in terms of technologies and ethical guidelines.
That said nobody expects something like the GDPR too happen in America. Pretty much every other country will adopt similar laws though. If Americans are lucky they'll get some benefit from that.
Interesting you should use the hazardous materials analogy - Bruce Schneier made a pretty convincing case two years ago that data should be considered a toxic asset.
Or, in the US, you can just make your customers sign arbitration agreements and deal with it on a case by case basis without incurring any significant penalties. See Equifax, Yahoo, Apple, and pretty much every data breach ever. If those companies didn't have arbitration agreements, it's only because they are behind the curve on this trend of doing an end run around the judicial system. Sorry, I fail to see how this hurts big businesses in any of the ways you list.
I'm not seeing "significant liability" in how even major data breaches have been handled in the US so far. Where are the fines large enough to be noticed for gross negligence? Where are the prisons terms for the captains of industry that set the priorities and determine the budgets that inevitably lead to such negligence?
Equifax? Yahoo? Target? Heartland? TJX? eBay? JP Morgan Chase? Adult Friend Finder? Locationsmart and the cell phone carriers providing real time location information on all of their customers to third parties?
A CEO of a major corporation The Land of the Free™, wouldn't consider liability for negligent data handling very seriously given the government's seeming lack of interest in seriously prosecuting same. S/he'd probably even argue that investing more in security would lower profits and harm investors. And we can't have that.
> How much will it cost you if your data gets hacked?
If I understand it correctly (IANAL), there are no penalties for getting hacked. Rather there are penalties for not having proper procedures for how to respond to a hack.
> The data was taken from an underlying customer database that was part of TalkTalk’s acquisition of Tiscali’s UK operations in 2009. The data was accessed through an attack on three vulnerable webpages within the inherited infrastructure. TalkTalk failed to properly scan this infrastructure for possible threats and so was unaware the vulnerable pages existed or that they enabled access to a database that held customer information.
> TalkTalk was not aware that the installed version of the database software was outdated and no longer supported by the provider. The company said it did not know at the time that the software was affected by a bug – for which a fix was available. The bug allowed the attacker to bypass access restrictions. Had it been fixed, this would not have been possible.
That's not a GDPR fine, that's an ICO fine under a different (but similar and related) regulation (Germany and France have similar ones IIRC). The suggestion is that the US adopt GDPR-style regulation, which penalizes for infringement to procedures of data governance, NOT whether data is actually breached. (EDIT: obviously a breach will trigger a GDPR investigation)
The hope is that in a new regulatory landscape we will see the emergence of new companies. Just because the tech unicorns of the last 10-15 years, like uber and facebook, were backed on odious behavior doesn't mean that a more palatable business model won't be discovered.
Currently, honest companies that respect the user's data cannot compete with companies that try to profit as much as possible from our it.
I see this as similar to regulating pollution. Forbidding companies from cutting costs by polluting the air and the rivers allows for innovation and entrepreneurship in cleaner alternatives.
Apple can only do that because they rule their hardware platform with an iron fist.
They also position themselves as a premium product and do not / cannot compete with google in terms of price. While apple products (and iOS specially) are very popular in the US, here in Brazil you almost never see them.
How is an entrepeneur with a sense of ethics supposed to compete in the current environment? When there is no regulation, the people with less scuples are the winners, not the people with better product.
Off the top of my head, Obamacare led to the founding of Zenefits and other companies in that industry.
The EPA's exhaust regulations in the 1970s arguably birthed the catalytic converter industry.
If the regulation is costly enough or introduces sufficient compliance risk, the rise of an industry to help companies comply with it is almost inevitable.
Like I said the last time this subject came up, fine. That's totally fine. I don't care which incumbents will be okay in a world with better laws around privacy. I want better laws around privacy.
If your startup to unseat Salesforce requires doing tricky or infelicitous shit with my personal data, I don't want you to be able to operate, full stop. Your business shouldn't exist, if its existence requires schlepping or selling my data in a bad way.
The rights to privacy that some new laws could give us is simply more important than that.
What if my startup does not require tricky or infelicitous shit with your personal data, but due to strict regulation I now require to hire a full time lawyer just to redact the company terms and keep up with regulations, and since my company does not yet make any revenue and I have no investors that means a lot more risk on my side, which in turns leads me to not start or not go on with that company at all? And what if this decrease in garage startups leads to less competition and more concentration of power for the big companies, which then can happily lobby and influence laws to their own interests with no one to contest them? Is that the deal that we want in exchange for mildly inconveniencing Facebook and Google?
Let's take your argument point-by-point. Let's take the US perspective to start.
a.) You start a business in California and plan to do business that involves EU customers. If you plan on making actaul money you'll hire a lawyer for a reasonably small number of hours to incorporate, ensure you have trademarks covered, get your EULA in order, vet your corporate structure, etc. GDPR is just another thing to add to the hopper--it probably adds an hour or two to the whole process since legal procedures are pretty template driven. Most of the cost will be the lawyer briefing you on what to look out for. (Based on my admittedly quick reading of GDPR summaries.)
b.) There's already a net decreasing trend in startups in the US, but it predates the GDPR by many years. [0] If you are looking for culprits in the legal system you are far more likely to find them in US laws (or lack of them) than anything from Europe.
Taking the EU perspective, well, I've run a small tech business in France and GDPR seems like noise level compared to the other regulations you need to deal with there. (Hiring and firing being the biggest but there are others.)
Is it really so hard to believe that people are all out of trust and goodwill at this point? It’s like having a classroom full of toddlers who all play with matches, and every few weeks they burn the whole school down. Finally the teachers makes rule: no one gets to play with matches. A couple of kids say they’re very responsible and never set fire to anything.
I could say the same thing in reverse about regulations. Every few weeks some regulation ruins the internet even more and finally people are sick of the regulations.
Name one way your life was ever negatively impacted, in a concrete way and not just in your head, by companies using your data to create value in the form of targeted ads and such to keep websites free. I'm waiting.
>Why do the rest of HN users have to educate you about the abuses perpetrated by various companies?
Burden of proof lies on the one making the claim.
>Facebook famously did an emotion manipulation experiment on 500k randomly selected users.
I don't really find that abusive or ethically troubling.
>There's a trial now alleging that Facebook used profile data to discriminate against older programmers in job postings:
Maybe this age discrimination, which was already illegal on its own, wouldn't have been possible to commit if the data didn't exist in the first place. That doesn't mean it's the tool's fault or that the tool should be illegal.
Equifax breach and stolen identities? Cambridge Analytica and the 2016 US Presidential election? Ashley Madison and affairs being revealed?
We can go back and forth about the best way to deal with this, but it's crazy to think that this systemic gobbling up of personal data doesn't have real consequences.
I don't see it as fair to say those are consequences of the companies being allowed to have the data in the first place. They're consequences of poor security. We don't blame spam on email or food poisoning on food, do we? A GDPR-like approach to solving spam would be outlawing all automated or business-related use of email.
I suppose you don't count strangers having my personal data as "concrete"?
But I can't think of any internet regulation that's ever harmed me. Which ones are you talking about?
Edit: I can think of a small number of regulations (much less than one per year) that cause problems, but they still don't meet the personal concrete harm threshold you've proposed.
> If your startup to unseat Salesforce requires doing tricky or infelicitous shit with my personal data, I don't want you to be able to operate, full stop.
Yeah, I'm onboard (like I said, I think the intent of the law is good) -- but regulatory compliance is expensive and in general creating a SaaS business is not. Compliance is more than just doing the right thing, BTW, it's creating processes, audits, attorneys, etc to prove that you're doing the right thing. One of SFDC's risks is that today a competitor could probably arrive and eat up their business by emulating their business model and undercutting their costs. They're very well placed to establish or enhance their existing regulatory compliance team(s).
There's a tendency to think of well-intentioned regulations that serve whatever purpose someone wishes to advance as cheaply and easily complied with by an honest actor.
This tends to not be maximally congruent with reality.
This is exactly why he's saying it. Anyone who follows Benioff and the Oracle ilk knows this. Which is why GDPR needs to be scaled appropriately so that it fosters innovation while still protecting customers interests. Having a lower bound of €10M in penalties with no respect to how much data the company holds is what makes this taxing for startups.
€10M is not the lower bound in penalties. It's the upper bound for breaches of data protection obligations (except for very large companies, with turnover >€500M/y).
"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:"
What's the problem with that? The "whichever is higher" doesn't refer to the fine, but to the limit it can be "up to". Something a bit more verbose could have been easier to understand, true, but there's no doubt about what it means.
So then why not just set it to a percent of revenue? If you're just going to slap a small company with minimal turnover with €1k fines anyway, then why the need for the "up to €10M" amount?
What if the company has huge cash reserves/holdings but artificially low turnover?
Depending on how quickly regulators can act, and how they would determine the date of precedence for 'the preceeding financial year', it's just about conceivable that a company might have >1 year of warning to do some financial trickery to minimise their fines.
Having a range(0..max($turnover_amount, $fixed_amount)) reduces the scope for that sort of trickery.
This is exactly the opposite of what GDPR says. If I am Satan himself and I do terrible things with the data of millions of people the maximum possible fine available is €20m or 4% of turnover, whichever is higher.
There is no lower bound. When a penalty is applied they're likely to be about €1000. But often penalties won't be applied, the regulator will ask the company to come back into compliance and give advice on how to do so.
> of €10M in penalties with no respect to how much data the company holds is what makes this taxing for startups.
...and GDPR is full of caveats about how much data is held, and how it's held, and how the company responds after a leak.
> When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
> the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
> the intentional or negligent character of the infringement;
> any action taken by the controller or processor to mitigate the damage suffered by data subjects;
> the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
> any relevant previous infringements by the controller or processor;
> the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
> the categories of personal data affected by the infringement;
> the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
> where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
> adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
> any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
That's exactly what this is. GDPR is untenable and creates magical rights where none exist. You don't own information about you. Data is data. The only reasonable thing I can see out of it is getting companies to clarify (simplify) their EULAs.
> GDPR...creates magical rights where none exist. You don't own information about you. Data is data.
You could literally say that about any property right ever. For instance: common law creates magical rights where none exist. You don't own your toothbrush. Matter is matter.
The law can create rights. That's how most rights are created.
I'm a fan of privacy legislation, but your comparison is a little strained in my opinion.
You have to consciously decide to take me toothbrush, and it deprives me of it. But just seeing me walk by puts "my data" into your mind, and arguably doesn't harm me.
Clearly, when a phone network sells my location data to the highest bidder, I'm harmed. But they do need to know my location to provide me service.
In general, I think we want services to collect no more data than necessary, discard it as soon as possible, protect what they must store, and disclose it to others as rarely as possible. But all of those things are murkier than "don't take my toothbrush."
GP's point isn't that they're the same; rather, they're both arbitrary "rights" created by law. Why is it your toothbrush? Matter is matter. Data is data.
Obviously, we as a society have decided that property rights are more advantageous than not, and we're deciding the same thing about information rights. There's not anything inherent to either one that precludes us from regulating it.
I understood the point. I don't agree that rights are entirely arbitrary. The United States Declaration of Independence takes the view that government exists to protect the rights we naturally have.
> We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. — That to secure these rights, Governments are instituted among Men...
But I understand that "rights" such as copyright are somewhat arbitrarily bestowed.
My point was that a right to one's possessions is more obvious and definable than a right to one's data. My hands are mine. My toothbrush is mine because I made it with my hands or bought it with money I earned with my hands. Etc.
It's much more nebulous to say that I own information about myself. If you see me, is your knowledge of what I look like "mine"? What about if you write down what I look like? What if you take a picture? What if you write down a detailed account of all my movements and sell it? At some point it starts to seem wrong, but it's fuzzy.
You may say these are both arbitrary. I don't think all rights are arbitrary, and to the extent that things are fuzzy, I think rights to physical possessions are less so.
But again, I'm in favor of privacy regulation. It's just less obvious what it should protect and how.
Maybe "sole ownership" is a better way to say it. If I have my toothbrush, you don't. My ownership necessarily means that you can't possess it without my permission. Also, if you take it, you can be made to give it back.
Data isn't that clear-cut. Your knowing my name and address doesn't take that knowledge from me. It's not obvious that you know it, nor how to make you "give back" that knowledge. So it's less clear what my ownership of that data would mean.
Unlike possessions, there's some fuzzy continuum from "clearly it's fine for someone to look at me when I walk past and know what I look like" to "clearly it's not fine for someone to track my every move and sell that knowledge for profit without my consent."
Patents are a great example of this, where we artificially limit an idea, creating an artificial monopoly for 20 years to incentivize inventions and to encourage people to share their ideas so progress is not lost.
Then when I thought about it I decided that essentially all “ownership” rights are like this. Intellectual property and physical property laws are artificial. There is no basic right, they are all rights created where “none exist”.
They can be useful though, and part of how we decide what kind of society we want to create. Seems like Europe has decided that privacy and control of data personal data is something they want.
I 100% agree. The problem is that practically rights have to be reasonably respectable (able to be respected) by people at little cost to them. Like, it's not difficult for me to not steal something from you. Erasing everything I ever wrote down about you is difficult.
But also:
> Seems like Europe has decided that privacy and control of data personal data is something they want.
The problem here is that governments allow people to claim rights without bearing the cost of that claim (or at least hiding the cost).
> Erasing everything I ever wrote down about you is difficult.
It is not difficult to avoid storing data you don't need.
You don't need a user phone number? Easy, don't ask for it.
Of course you argument is that it is difficult to change existing systems to follow this principle. Except that your starting position was that this regulation was about stifling competition, which is thus in direct contradition with this argument.
Existing systems were built on the assumption that "misappropriating" PII was a lucrative thing to do. This led to abuse from the industry.
Cambridge analytica is a good example. I guess considering this abuse may be different from a US customer point of view, but for my european sensibility, this is definitely abuse. Furthermore, that Facebook could harvest ghost profiles that could be used in this manner is problematic.
I think it is certainly possible to find cases of identity theft resulting from PII that were leaked in security breaches, made easier by overreaching data collection.
Not "hard" for us, no, even if an unnecessary burden. Now go make some small veterinary clinic with no "computer person" on hand, with a small website they had set up years ago that lets you schedule appointments, figure all this out. They'll probably either stay uncompliant or have to drop the website.
That's a shame, but it's a side effect of anything ever that requires an update. Any small business commissioning a site in 2019 will get something that's compliant, so it's not like this is a permanent drain.
Sometimes it's important to update regulations, despite the inertia of existing implementations.
Running a single server for a small business is hard anyway they’re occasionally going to need support.
As the first offense only seems to result in a warning, they have a chance to figure things out. Then is asking their webdev to schedule a cron job to delete logs really such a burden?
Your statement makes it sound like the GDPR applies to individuals doing everyday activities (or draws an equivalence). Just for clarity, I looked it up and it doesn’t appear to:
“This Regulation does not apply to the processing of personal data: (...) by a natural person in the course of a purely personal or household activity;"
So, it really only applies to companies, or if you’re processing a large amount of user data for a hobby project.
That being the case, it doesn’t feel like the bar to being able to respect the law is so very high. But I’d be interested in counter examples.
It's not surprising you fear it so much if you think it forces you to do all the stuff you've said. What is surprising is that almost everything you've said isn't in GDPR or has been exagerated beyond recognition.
Considering that these rules don’t apply to governments, and that European governments generally seem to be slipping towards jailing people for thought crime, I’m skeptical as to how serious they are about privacy and control of personal data.
European countries don’t typically have American-style free speech, no. People can and do get punished with fines and jail time in England for “insulting” various religions, for example. But this isn’t news to legal scholars or historians.. For all of America’s faults, free speech is one thing we do pretty well.
It's true that US free speech is generally more expansive than European free speech (though that's not universally true: Sweden's freedom of the press laws are more expansive than the US's, for instance), but it's important to note that it is in no way an absolute right even in the US. There are "time, place and manner" restrictions on free speech in the US (yelling fire in a crowded theatre, having to get permits for public protests, etc.) and there are whole categories of speech that are outlawed fully (like libel, slander and intimidation).
European countries draw a slightly different line than the US does (for instance including hate speech in the list of banned speech), but it's a difference in degree, not in kind.
Please if you can, give one example of a European government jailing someone for a thought crime. To save us both time and aggravation please keep the actual definition of “thought crime” in mind, and don’t conflate it with something people actually did.
France convicted 12 pro-Palestine activists for wearing "Boycott Israel" T-shirts.
Azhar Ahmed, a British Muslim, was charged with treason, and ordered to pay a fine and complete community service because of a Facebook post he made wishing "All soldiers should DIE & go to HELL"
Herve Eon was convicted in France for insulting former French President Nicolas Sarkozy by holding a sign that said “get lost, jerk”
And, despite your narrow definition, I posit that all of these are thought crimes in the common parlance, and even to your narrow definition, the first example showcases the assumption that being pro-Palestine is automatically anti-semitic, whether or not it actually is.
> Azhar Ahmed, a British Muslim, was charged with treason, and ordered to pay a fine and complete community service because of a Facebook post he made wishing "All soldiers should DIE & go to HELL"
Seriously, if you don’t know what something means, don’t use the the damned phrase.
“For insulting” “For wearing” are not thought crimes. A handy rule to detect a thought crime is this: unless someone was jailed just for thinking it wasn’t a thought crime.
I've read 1984, thanks. As I mentioned (in an edit) to my post; in the first case, they weren't convicted for wearing T-shirts, because wearing T-shirts is perfectly legal. They wee convicted because of the presumption of anti-semitism in the message on the T-shirts, which is neither obvious nor absolute.
You seem to be under the impression that the act of communicating thoughts in some way precludes it from being "thoughtcrime". This is a ridiculously narrow and pedantic definition; we can't read minds. The term as it's generally used means being punished for expressing a particular viewpoint.
It's not a narrow and pedantic difference at all! It's the entire thing!
You seem to be under some mistaken impression that you can say whatever you want whenever you want in the United States. You can't. There are many categories of speech that are banned in the US as well: if I think to myself "Tom Smith is a liar and a drunkard and he's cheating on his wife", that's perfectly fine, but if I communicate that to a large group of people in order to stain his reputation, that's illegal.
See the difference? In neither the US nor the EU is thinking things illegal, but in both countries, expressing stuff can possibly be illegal. It's true that the US and the EU has slightly different categories of banned speech, but that's a difference in degree, not in kind. but neither region has anything close to "thoughtcrime". You have a poor understanding of these issues if you think that is the case.
There was no mind reading in 1984, this argument just doesn’t make any sense. As was pointed out above, the French pro-Palestine activists who were jailed didn’t communicate anti-Semitism directly. By simple being anti-Israel it was assumed that they are antisemites and this criminals. Technically this was done by saying their T-shirts were anti-Semitic, but they weren’t in any absolute sense. It all came down to what their thinking was assumed to be.
Comparing this to libel/slander is just absurd. It’s not a slightly different category, it’s such a massive difference that Europe has essentially outlawed aspects of political speech, which is the most important aspect of freedom of speech to begin with.
I'm not under that impression; I've spoken a lot here on HN about the limits of free speech. Legal limitations on freedom of speech almost always stem from pragmatic consequences, e.g. unfair damage to Tom Smith's reputation. When people speak of "thoughtcrime", they refer to cases in which expressing an idea itself is seen as reason for punishment, regardless of whether any consequences occur.
Here's my question: under your definition, how could "thoughtcrime" possibly be detected, let alone punished?
Man, you guys should really read 1984, it's a great book!
This is one of the central themes of 1984, that Ingsoc ("the Party") tries to control not just the speech and actions of their subjects, but their very thoughts. Literally: in 1984, having thoughts that goes against the party is illegal. That is why it's called "thoughtcrime", because it's the thought itself, even if it goes totally unexpressed in any way. Such crimes are punished by the "Thought police", who quite literally police thoughts. When a dangerous thought presents itself, you're supposed to use "crimestop", a technique for ridding yourself of that thought. Here's a quote from 1984:
> The mind should develop a blind spot whenever a dangerous thought presented itself. The process should be automatic, instinctive. Crimestop, they called it in Newspeak.
Oh, and yes: Newspeak! The language developed by the party with restricted vocabularies and grammar so that some thoughts will be literally unthinkable.
I took that quote from the wikipedia page on "thoughtcrime", which helpfully begins like this:
> A thoughtcrime is an Orwellian neologism used to describe an illegal thought. The term was popularized in the dystopian novel Nineteen Eighty-Four by George Orwell, first published in 1949, wherein thoughtcrime is the criminal act of holding unspoken beliefs or doubts that oppose or question Ingsoc, the ruling party. In the book, the government attempts to control not only the speech and actions, but also the thoughts of its subjects.
Feel free to look in any other dictionary or reference work, they will all say the same thing, some variation on "a thought that is illegal". I could go on with many more examples of how 1984 talks about thoughts (you should google "doublethink"! or maybe just read the book), but you get my point.
Your reaction, "how could 'thoughtcrime' possibly be detected, let alone punished?" is what the book is about. Every reader of 1984 reacts that way in the beginning, and the book is an exploration about what that very concept means, and what the implications are.
Look, the argument you are making is something like "European hate speech laws are an unacceptable abridgment of free speech and democratic rights". Which is a fine argument to make: I personally don't think so, but reasonable people can disagree on it and discuss it. What it is not is "thoughtcrime". It's just not what the term means.
If what you took from the book was "thoughtcrime is only when someone's literal thoughts are illegal, and whenever those thoughts manifest themselves, it's something else", then you are missing the forest for the trees. Is Winston arrested when he thinks subversive thoughts about the Party? Of course not; he's arrested when he colludes with whom he assumes are allies of Goldstein. By your own definition, there is no instance of thoughtcrime detected or punished in 1984. Even Parsons was actually reported by his daughter for denouncing Big Brother in his sleep.
I am not making any argument about European hate speech laws whatsoever. My issue is solely with the pedantic definition of the word "thoughtcrime" that is at odds with how it's actually used.
Expression of thoughts can definitely be a crime. Saying that you support X Y or Z organization or ideology can definitely see you jailed.
There is also a trend, even in the US, towards keeping some prisoners behind bars for thinking certain thoughts. Sex offenders in many US states can be held long after their sentences based on mental health determinations, determinations that turn on their response to questions: their thoughts. Whereas expression of thoughts can be clearly illegal (ie hate speech) simple consumption, reading, of such thoughts can land the reader in jail too. Governments aren't yet crawling into people's heads, but they are certainly willing to criminalize the communication of illegal thought.
This is why I said, “To save us both time and aggravation please keep the actual definition of “thought crime” in mind, and don’t conflate it with something people actually did.“
Thought crime = the thought itself is a crime, i.e. simply having the thought. Expression is a totally separate thing, and using “thought crime” this way is just announcing that you didn’t actually read 1984.
Governments aren't crawling into people's heads just yet, but they are certainly willing to criminalize the communication of thought.
No shit. Communication has been subject to government intervention and overreach since th dawn of recorded history. The 1st Ammendment in the US was created for a reason.
US has absolute free speech. Being from Europe, I tend to disagree with this form, as I believe meaningful free speech is precious, and we shouldn't allow some right wing extremists to take advantage and ruin it by using it as an excuse for hateful language that contributes precisely nothing to political debate.
The US does not have absolute freedom of speech. The canonical example of shouting fire in a crowded theater is illegal. You also cannot call 911 for non-emergencies, distribute child pornography, threaten or harass another person, defame an individual or organization, etc.
Within the last week the UK arrested and jailed a man for being a known right wing sympathizer in public. His crime? His mere existence might cause disruption.
Last year he livestreamed[1] inside an English court and called the defendents - before they'd been convicted - muslim child rapists. He was attempting to intimidate witnesses. He threatened violence to the defendents and to some witnesses. He was told to stop. He did not stop.
> The sentence, therefore, that I pass upon you, taking into account all of those matters that have been placed before me and your admissions entered via Mr. Kovalevsky, is one of three months' imprisonment which will be suspended for a period of 18 months. That will be suspended. There will be no conditions that need to be attached to that suspended sentence, but
you should be under no illusions that if you commit any further offence of any kind, and that would include, I would have thought a further contempt of court by similar actions, then that sentence of three months would be activated, and that would be on top of anything else that you were given by any other court.
> In short, Mr. Yaxley-Lennon, turn up at another court, refer to people as "Muslim paedophiles, Muslim rapists" and so on and so forth while trials are ongoing and before there has been a finding by a jury that that is what they are, and you will find yourself inside. Do you understand? Thank you very much.
What did he do after beign given this very clear instruction to not interfere with criminal trials? He did exactly the same thing again, and so his suspended sentence was activated, on top of the new sentence.
Note that he only highlights trials of child sexual abuse involving muslims. He kept very quiet when a senior EDL member was similarly prosecuted.
Interfering with ongoing trials and making threats of violence is as far from hought crime as you can get.
[1] There's been an element of "this would never happen in the US", so here's a video of someone being tased because they try to take a camera into court. https://youtu.be/A7U5eJN3hLI?t=2m0s
To me it seems the reason people are being so pedantic about the meaning of “thought crime” is that they’re actually glad this sort of thing happens. I don’t even agree with Tommy Robinson but this sort of thing is incredibly dangerous. We cannot be free if the state has the power to arrest people who disagree with them. Period. This must be an absolute right regardless of your fee-fees being hurt, or the next thing you know the West will be bankrolling the Israelis to genocide the Palestinians and it’ll be illegal for you to say anything about it.
Can you tell me which country allows people to threaten witnesses at trial?Which country allows reporters to call a defendent a muslim child rapist before the verdict is reached?
If it had been the other way around and some white guy was being called a “Nazi child rapist”, I’d expect them to get away with it in pretty much any western country. It’s true that his behavior was illegal, but the reason he was prosecuted was ultimately the content of his speech in my opinion. There have been other right wing figures who’s names I don’t recall who were also recently convicted, and they weren’t speaking in a court room at all. Other anecdotes mentioned above were French pro-Palestine activists.
You’re right that Robinson was in the wrong on this one and that he did commit a crime; I wouldn’t have used him as an example had he not been brought up specifically.
Even in the U.S., there are people actively lobbying to use the government, usually state governments, to restrict the BDS movement. In my opinion there’s been a lot of media attention around silencing right wing speech in order to get the left to comply in undermining the underlying legal principles. But at the same time, quieter work is being done to restrict left wing speech as well. This has already been put in place in Europe and there seems to be bipartisan support for it in the U.S.
I'd have a bit more sympathy if he hadn't previously done exactly the same thing, and been given a suspended sentence and a clear unambiguous warning from a judge not to do it again.
He's not being silenced because he's right wing. He's being silenced because he's jeopardising trials and threatening witnesses.
> You don't own information about you. Data is data.
This seems like a strange stance. Clearly some data is not just data and must be protected, for example Top Secret information. From a broad consumer perspective, we have FERPA and HIPAA, which place restrictions on educational and health information.
Have you considered the wild west of no data restrictions was the anomaly, not the other way around? Or, are you of the mind that HIPAA and FERPA should be scrapped?
Well, I liken it to window shades. You don't own the photons bouncing off of you so if someone looks in your window and the shades aren't closed, then they aren't stealing your image.
If they try to circumvent the protections you put in place, that's different. Same thing with data.
Taking such arguments all the way to the end, crime becomes only a theoretical construct that can never be practiced, i.g., the safe wasn't strong enough to withstand the explosion: the owner must not have wanted to protect the valuables within enough; someone gets killed: that individual didn't expend enough time and effort to hire sufficient body guards or invest in sufficient bullet-proof attire; a woman is raped: if she had fought back more, had known judo, had been carrying a 12-gauge pump shotgun, it would not have happened.
And this completely ignores the difference in scale between a single person looking through a single window and the aggregate data of millions upon millions of human beings.
Well, I liken it to doors. You don't own the air flowing through so if someone reaches in and grabs something, they aren't stealing it.
Here's a helpful tip: in our society, the responsibility is on the criminal for doing bad things, not on the individual for not going to enough lengths to stop the criminal.
It is a guaranteed right enshrined in the EU's Constitution[0] (Charter of Fundamental Rights of the European Union[1]). Specifically Title II Freedoms: privacy, protection of personal data.
That's like claiming the 1st Amendment in the US is just a "magic right."
See above my comment about practicality. It takes no effort for me to not violate your first amendment rights. It's a negative right, not a positive right.
There are plenty of rights that aren't "practical". The right to vote is a HUGE pain in the ass, you have to organize massive elections. Property rights means you have to have huge police forces. The right to protest comes with enormous practical difficulties. The right to education means that you have to have expensive public school systems. The right to an attorney in a criminal trial means that the court has to provide one, at some expense. All of these are "rights", in all modern free countries, and they are all "magical rights created by law". That's what a right IS.
You're making the wrong argument. You're saying "this is not a right that can logically exist", which is nonsensical. Of course it can. What you should be arguing is "this right is far too burdensome on society and should not have been passed". I personally disagree with that, but it's at least a valid argument.
It takes effort to set up server access log rotation. It takes effort for a non-technical person to make sure their wordpress installation isn't storing cookies or logs.
The GDPR doesn't require any of that. All you need to do is show a legitimate need to store data if challenged, and access logs have a legitimate purpose (diagnostic and abuse monitoring).
Larger businesses (250 employees or more) may need a privacy policy though.
A "consensus" reached by a bunch of programmers who haven't even read the law has no merit in this discussion. What's clear is that GDPR prohibits using IP addresses to target content at particular individuals. But we aren't talking about that, we're talking about generic access logs.
For example the law itself says: The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned.
The UK's IPO for one example definitely doesn't agree with your assessment of the GDPR and it is their job to help companies adhere to it.
Europe sure is fed up with free services and relevant ads. What motivated them to this point, who knows - were tracking ads coming into their houses at night and making a mess of their pots and pans? Do Europeans take some strange enjoyment in having to spend more money, the same as they do for everything from food to taxes?
Well, GDPR requires that you do those things. A clear EULA that says we don't do any of those things so if you don't like it don't use our service would still be illegal under GDPR, right?
You also oppose copyright, patent, trademark, trade secret and official secrets laws, I suppose. DATA IS DATA. There's no nuance possible. It's just DATA, completely removed from the human realm.
Patents, yeah. Copyright and trademark are really about fraud than theft. Trade secrets are trade secrets: the violation comes from trying to circumvent security, not having the data itself. So I'd say it is very nuanced ;)
In copyright law you can still be caught holding illegally some data you obtained even if you did not personally steal the data and was simply given to you by the thief.
I swear I don't understand the point of this comment. What you say can be said about private property: it's just a social construct, dependent on government enforcement; or indeed about pretty much any law ever. We decided that people own information about them, and have a right to decide when and how to allow others to use it, and enshrined that right in law.
Note that in the US, you have certain rights over a variety of sorts of data - a large and well-known field being that of healthcare data about yourself.
CC numbers are something that you definitely do not own. You do not own your credit cards. They are the property of the corporations who issued them to you. That's why they can cancel/alter/confiscate them without going through the courts.
Same too for credit ratings. The right to view and alter them comes from various other common law rule (ie slander) but the credit rating itself belongs to the corporation that generates it.
I think this has been discussed before - The whole foundation of SalesForce is absolutely tracking every inch of a user, who you were what whitepaper you downloaded, where you're from, which stage of the funnel you're in, which industry you belong to, what's your company size, what's its revenue and the list goes on..
So, this is pretty ridiculous coming from a CEO of such a company, but hey, any publicity is good publicity, right?
1. Insulating himself from future lawsuits. Judges look very favourably towards corporations that try to work with regulators before a crisis.
2. Legislating a fix reduces market demand for a technical fix. Imagine a world where a competitive platform to the internet / the web arises. In such a case if the public feels safe because of legislation then they're less likely to abandon the previous web.
3. Realistically speaking any action that would be devastating for Salesforce would be devastating for the US economy / intelligence apparatus; so either way there is going to be some measure of tracking for some amount of time. The real issue that Saleforce needs to handle is to ensure that it's ahead of its competitors and to do that it needs to see where the regulatory environment is going and plan its strategy around that.
Much of the data that our intelligence agencies collect is through collaboration with private industry. If Salesforce employs hundreds of people to clean up data then that (and other companies like them) going away would make a measurable difference to what the intelligence agencies are capable of doing.
GDPR doesn't force consent. GDPR forces companies to think about the data they collect, and why they collect it, and what they do with it once they've got it.
They should be doing that wherever they are, otherwise you end up with eg Equifax leaking details of 130million users.
There has already been a lot of discussion about GDPR in the recent weeks, but one thing that shocked me is that the regulation is seriously described like this:
> The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
> A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
> This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly.
In a normal world, I think only officers or registered agents can be addressed legal requests, how here any government though it was a good idea that "any of your employees could receive a valid request" and that it's a legal responsibility to handle it correctly. This is just mind blowing to me.
Your customer service should know how to deal with product warranty. Or should be able to handle a request to cancel an online purchase for 14 days after the order ([1]). How is making a request to access your personal data different?
Let's try something different. How about a smaller law requiring transparency first (not even the ability to delete or how to handle the data or that you have to have a certain appointed position or any other nonsense). Just transparency at first. The transparency requirements can be detailed, as food labeling is, but it doesn't need to require companies to provide users their data (just yet). Then, begin PSAs and public education awareness campaigns that show some of the harms of over collection of data, overuse of social media, lax approaches to information protection, acceptability of ad blocking solutions, etc (EDIT: rethinking this, I would no longer recommend this, at least at first). Then work on a law defining culpability of data breaches (i.e. data escaping its now-more-transparently defined intention). Also, consider grants to companies providing healthy privacy practices in the social media space (these should be small, measured, and for non-profits only of course). But I would just consider it, I wouldn't actually give them out just yet.
All in all, this can be done w/ steps that don't rock companies. Also, what we're going to find out is that people are happy with the tradeoff that currently exists and you can't legislate that away from them without pissing them off.
Can’t all this GDPR stuff be abstracted away into a framework? Or at least some kind of pattern/generator tooling?
It seems like there’s room for an enterprise framework that does all the compliance work for you (for US gov contacts, i18n, user info download etc). Maybe calling it enterprise is a misnomer. Maybe it’s a spec that framework’s can target or comply with?
> Can’t all this GDPR stuff be abstracted away into a framework? Or at least some kind of pattern/generator tooling?
I understand why you think this way! It's an obvious approach, where there's a bunch of stuff that needs to be done and it's the same everywhere. Why not just have a framework that handles it all for you? It's so clear!
It's perhaps possible that many of the requirements of GDPR are beyond the scope of what any kind of framework or code pattern or generator might be reasonably expected to handle. Code cannot readily become a Data Protection Officer or respond to inbound requests. Code cannot address the need to identify and inform users affected by any breach. Code will likely struggle to do the vendor assurance required of all your Data Processors.
You're absolutely right! There's excellent reason to have the technical requirements handled for you by a framework so you can focus on the important parts of your business. It's just perhaps possible that this could be less than the whole of GDPR.
I get the process parts, that make more sense to have a human interface, can’t be abstracted out.
However, maybe they can? Compliance as a service? Sounds like just the kind of Bay Area centric idea that VC’s love to fund.
But it seems like there’s some commen sense patterns that our tooling should take up. A framework can take up the transparency, and user control aspects. Framework might be too narrow, platform might be more like it. Things like Wordpress, Magento or Shopify can be “GDPR compliant”.
You're once again completely right! Some of this could be farmed out with compliance-as-a-service!
However, it's perhaps possible that certain parts of GDPR impact core businesses processes involving the handling of customer data. None of this can be farmed out in a hands-off manner. It requires deep integration into your daily business. I cannot think of any framework that could handle such a thing, or a compliance service that could handle it for you.
You could definitely offer GDPR-compliance Wordpress or Magento as a service! It's just possible, however, that some things your customers could do with your offering might hold the potential to violate GDPR. As a result, you could not guarantee that you assume all the compliance requirements on their behalf in all cases.
In short, you're right! There is definitely room for some compliance services to be offered as a service! It's just, barely, possible that some small fraction of the items concerned might not be well-suited to this approach is all.
Have you considered reading the text of GDPR? You might find it to be an educational and informative experience. I did.
For big companies, this is a small problem to implement. For small companies, it's a big problem.
I am all for protecting the consumer but GDPR is going too far with what I would call optics rather than actual consumer protection. I.e. things that look and sounds like they are protecting the user when they are really just adding more bureaucracy to the companies.
> I am all for protecting the consumer but GDPR is going too far with what I would call optics rather than actual consumer protection
Too far from what? Thanks to the GDPR, I received 100s of emails of services I never signed up for who scrapped my details from LinkedIn with bots. The industry went way too far with what would have been acceptable and that's why we need laws like this.
The law could simply punish those who do harm. All you are getting now is further boltering for those you end up being gamed to sign up for. I understand the pupose and intent of the law but it could have been done much more elegantly. Those who want to missuse your data will still do that they will just find another way to do it.
That's exactly what the GDPR is doing I feel, you get punished for data misuse, it looks a good idea to reduce this kind of abuse.
> All you are getting now is further boltering for those you end up being gamed to sign up for.
I did not get gamed to sign up, they just scrapped my data and added me to their database, I did not do any action and they did not made me sign up with a trick (I also had a few of those yes but the majority are just data scrapping)
> Those who want to missuse your data will still do that they will just find another way to do it.
That's the argument you could make with every law basically. I also hear the same argument for car speeding "they could just drive faster at another place and not get caught". It's indeed true but it's not because there's still ways of misuse that we should abandon everything.
No, it also requires companies to make a lot of bureaucratic exercises. If it only punished for misuse and didn't put the bureaucratic burden on companies I would have no problem with that. It's that it makes it burdensome for a lot of companies who are aren't actually misusing your data. This is my main argument and GDRP is only the beginning now EPR is going to be implemented making it even harder to make it work in a digital economy.
For a new company that hasn't built the product yet this is a small(ish) problem to implement. New products can bake in privacy thinking directly from the first line of code.
Who gets hit the hardest by this are small companies with legacy systems. Who don't necessarily have the budget to dive into the legacy stuff.
When a company collects data often times it's not to misuse it but to improve the experience for the user.
Again I have no problem with people being fined for misusing data I just don't see how this is going to hinder that it will, however, make it way more burdensome for companies to do anything innovative because they are suddenly liable. On the other side users who then end up actually agreeing one giving away data suddenly ends up much weaker because they gave consent. So it's just going to make things way more muddy IMO.
The EU gets to do this the same way that the US can use secondary sanctions to enforce its will on Iran despite the EU notionally still being in the JCPOA. There've been noises about protecting European companies doing business in Iran from US sanctions - note that they have been coming from people on the margins, this isn't going to happen. That kind of power is just the privilege of being a large, wealthy trading block and it's basically the reason the EU exists.
What would happen if The Netherlands or Poland tried to individually enforce a regulation as onerous as the GDPR on all companies holding data on their citizens? Nothing. Either companies would just withdraw from those markets or they would rely on the impossibility of enforcement. The EU is a sovereignty compromise that gives up some local de jure sovereignty for greater EU-wide de facto sovereignty.
GDPR only applies to American companies if they either have a presence in Europe (through an establishment or through a vendor processing personal data) or sufficiently deal with a clientele in Europe.
If the US tried to override the second part unilaterally, Europe would probably ban exempted companies from dealing with European customers unless they opted into GDPR or would otherwise fall out of scope without the exemption. They'd therefore have trouble dealing with European banks, shipping companies with a presence in Europe, etc.
Not to mention, what if Europe tried to exempt their companies from dealing with the annoying US laws? It would become a messy war of exemptions and consequences.
This game of "we're too special to have to follow your laws even if we want your customers en masse" is a dangerous game to play.
I would like to see the US enact a law that says US companies must grant their users in the US all of the benefits that they grant their non-US users under non-US laws. So small US companies would still be able to avoid onerous non-US laws by not doing business in those countries, but the big ones, who can't afford to forgo the market in the rest of the world but who can afford to comply with the laws there, will. And their US users will reap the benefits.
Why? For residential users a single IP address is connected to either a single person or a small set of individuals.
When websites use IP addresses as an authentication factor because they change so infrequently that it's when it does it's hard to argue that you can't identify users by the source of their traffic.
Plus the addresses themselves betray personal information. If you use my service I can know a great deal about you by your source addresses.
* You shop at Target, but sometimes Wal Mart when you're in a rush.
* You get coffee at the Starbucks on 5th every morning.
* You live on 2365 Chestnut Dr.
* I know where all your friends live and how often you visit them.
* You used to go to this one apartment a lot late at night, but not anymore. How are you dealing with the breakup?
* You work in the office building on Main.
* You went to a Mercedes dealership. You deserve it after all emotional stress you've been though.
* You went to a fancy restaurant yesterday, date night?
* You're coming from a couples retreat in Cali, I'm so happy for you! Getting back out there.
No, it is not ridiculous. Yes, an IP alone is probably worthless. But take an IP together with even a seemingly insignificant piece of information, and you have the potential to know a lot more. I think that's why the EU regulators decided to consider IPs as personal data.
Example: you run a website and in your log file you only collect IP addresses, apparently anonymous. Log lines come with a timestamp. You now know that a user at IP X visited your website at time Y. Sounds like this should be personal information in my opinion, and that log file should be protected.
The GDPR only does so when it can be used to identify a specific human, in which circumstance it's not ridiculous. It would be ridiculous as an absolute unqualified rule.
And then take one step forward and make them actually untraceable by requiring anonymization/obfuscation at the ISP level? Seriously the reason why GDPR considers them PII is because the ECJ has judged that if you have access to the ISP you can look them up.
I would guess most home internet users could be uniquely and instantly identified by their IP address. Google, Facebook, the NSA, Experian, Transunion, Equifax, no doubt many other entities could run this function: identify_home_user(1.2.3.4) and get your name, address, SSN, etc. Even if the identification is not unique, it probably narrows down to a married couple, rarely as many as 5-6 adults. That's pretty good ID from one number.
With nothing but an IP address it’s possible to purchase data append services that reveal a user’s email address, physical address and more. Large sites sell login data to data brokers, keying user account info to IPs. Marketers upload lists of IPs and get back an enriched list with a full profile. Obviously it can get fuzzy with multiple people under the same IP. But in many cases it’s all that is needed for identification.
Current guidance, although not definitive, is that IPs and similar identifiers are personal data iff the processor/controller can identify a natural person by combining them with other data it can legally access.
Not to conclusively for all time identify a person, but that's not what we're talking about. It's still PII: personally identifiable information. Things that can be used to identify a person.
A first and last name is also insufficient to identify a person, are you going to argue that names aren't personal?
Is the HIPAA[1]'s privacy rule compelled speech? Do you believe corporations have a right to unlimited surveillance derived from their right to free speech?
"The Privacy Rule gives individuals the right to request a covered entity to correct any inaccurate PHI."
"The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures."
HIPAA does a lot of damage to innovation in healthcare research and industry. Still, I don't know why you assumes every law that exists is perfect justification for the a more expansive law. This is exactly why slippery slope is not a fallacy. The state always wants more power under the guise of providing safety.
if you don't want to agree to my terms of service, don't use my service. don't force me to implement features and increase costs on other voluntary users. don't use products you don't want to use, its that simple.
I disagree with the immediate labeling of a potential consumer protection law as "rent seeking." Such an attitude totally excludes any improvement in the consumer privacy situation, unless it's an act of benevolence from adtech; which is to say that it totally excludes any privacy improvement ever.
These recently-discovered European "rights" are probably non-starters, but the ability to get a Google-takeout style package of your own data, and some reasonably protections regarding consent and the way your data is used would clearly Constitutional. We already force some industries to follow most of these precepts in other laws that haven't been challenged: credit agencies have to explain your credit score to you, HIPAA manages how medical data is used. The core of GDPR is really just expanding those laws to all companies.
The only sticky one is really the "right to be forgotten," which just isn't a right, and possibly has constitutional (1st amendment) problems.
IMO though, a "conservative GDPR" could get Republican backing by basically framing it as a question about property rights, which their base is all about: your data is valuable, and it's YOUR property, not Google's. Some of the other provisions could be sold as a "sunshine law" for big business.
Also resumably, given US politics, there would be plenty of exemptions for small businesses (and industries that have strong lobbying firms).
(note that I'm not a lawyer, so this may be bullshit)
If you actually read up on the "right to be forgotten" you will see that "free speech" is always an exception to it. You cannot demand to be forgotten in order to censure others.
The American interpretation of “free speech” is much more broad than in the EU. Here, laws banning hate speech or flag burning or corporate campaign donations are unconstitutional for example. Libel lawsuits are much harder to pull off here as well.
A law requiring businesses and individuals to delete any personal data at the request of the data subject, as the GDPR requires, would have to be extremely narrowly written to survive constitutional muster here, I think.
If I do business with you and write down your name, the GDPR requires that I delete your name if you ask me to (and even if you don’t if our relationship ends). That wouldn’t survive a First Amendment challenge here.
> If I do business with you and write down your name, the GDPR requires that I delete your name if you ask me to (and even if you don’t if our relationship ends).
> The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
> the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
> the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
> the personal data have been unlawfully processed;
> the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
> the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
GDPR doesn't require that you do that. GDPR has other exceptions that you could plead very easily: undue hardship, archival, public interest, compliance with other laws, scientific research, and establishing legal claims. What would you need my name for if not one of those?
Maybe I want to remember your name because, let's say, I want to pray for all my customers every Sunday. Or perhaps I want to try and memorize all my customer's names so I can use your name when I see you come in my shop. Or perhaps to track patterns of purchases by my customers. Or perhaps because I think it's important to have a track record of everyone I've sold to, and when, for purposes to be discovered later down the line that I can't think of right now.
In America, I don't need a reason for writing your name down. In the EU on the other hand, all personal data needs to be deleted, unless a specific government-approved exemption applies, as you said.
Quoting the US Supreme Court, in Chicago v. Mosley, 1972:
> Above all else, the First Amendment means that government has no power to restrict expression because of its message, its ideas, its subject matter, or its content. To permit the continued building of our politics and culture, and to assure self-fulfillment for each individual, our people are guaranteed the right to express any thought, free from government censorship [1]
I'm pretty sure that if the GDPR was copied and pasted into a US law, the Right to be Forgotten would be struck down as unconstitutional very quickly.
The general claim people make suggesting things like Right To Be Forgotten or Right To Privacy is that it violates "free speech", and particularly, that via Citizens United, the US currently claims corporations have the right of free speech. Google believes, for instance, all limitations on how it provides search results as an infringement on Google's right to "say" whatever they want.
Of course, we already have a variety of limitations on free speech, plenty of laws that restrict what companies and and cannot disclose about other entities, and GDPR would be no different.
> [a] Right To Privacy is that it violates "free speech"
Copyright is settled law that definitely limits the kinds of speech people can engage in.
Couldn't you construct a right to privacy by first saying an individual has an automatic ownership right to certain kinds of personal data [1], and that data can't be used without an appropriately constructed license [2]?
[1] You might be able make this strong and compatible with the First Amendment, by treating machine-collected and person-collected data differently. A machine has no First Amendment right to speak about what it knows, while a person does.
[2] The "appropriately constructed license" requirements could include GDPR-like definitions of consent.
I, personally, do not believe there is any disagreement between the Constitution and GDPR. In fact, a right to privacy has long been inferred by combining traits of a few amendments: https://en.wikipedia.org/wiki/Right_to_privacy#United_States (Of course, that constructed right is a right to privacy specifically from government actions.) And generally, we've recognized that some rights such as speech, may need to have limits to avoid encroaching upon other rights, such as privacy.
The way that works (and in fact the way that classification of government secrets works in the US) is that this information is 'born secret'.
This information is has to be kept away from the public, including journalists, but there is no law preventing journalists from publishing information about someone's health. HIPAA doesn't cover journalists, it just prevents covered entities from giving journalists information.
I don't think things like GDPR and "free press" are in conflict like you think they are.... at least you haven't explained how they are supposedly in conflict.
HIPAA exists... and it doesn't prevent the press from using that information.
I'm not sure your really have a good grasp on what any of these laws actually do, let alone 'free speech'. You keep alluding to complications that don't exist and don't explain what you're talking about.
For "press freedom" defined as the writing and publishing of articles, it's unaffected.
For "press freedom" defined as literally any action a member of the press takes, sure it's affected, but that's a very flawed definition. It's not like drunk driving laws are an infringement on "press freedom", even though they occasionally affect members of the press.
First, the company decides whether the request needs to be complied with or not, and if the user doesn't like that decision, they can complain to the regulators who may choose whether the refusal is worth looking into.
Then I'm going to store all the information I want, for the purpose of expressing it to others. Oh wait, I can't do that? Somehow the EU has a different definition of "freedom of expression" in mind than what the words actually mean.
