undefined | Better HN

0 pointsDanBC7y ago0 comments

> This is an easy thing to say when you're not personally exposed to the risk.

No, it's an easy thing to say because we have over 20 years experiences of regulation around data protection. The regulators send a letter asking you to come back into compliance unless you've been really bad. They only move to fines if you ignore them.

Here's a company that was handling sensitive personal data (medical data). They have a legal obligation to register with ICO. They didn't do so. Imagine what would happen under HIPAA. Now read what happened in EU.

https://www.bloomberg.com/news/articles/2018-04-26/u-k-healt...

People freak the fuck out about the big fines, but they don't realise they're conditioned by the pathologicaly dreadful US system which aims to over-charge and over-sentence at every opportunity.

Here's some examples: The UK Criminal Prosecution Service sent some unencrypted DVDs through the postal mail. Those DVDs got lost. They got a fine.

Some time later they did it again - this time the DVDs contained interviews with children who were the victims of sexual abuse.

Think about this for a bit: no encryption, no secure mode of delivery, a repeat offence, incredibly sensitive personal data.

Sure this requires the maximum fine, right?

https://ico.org.uk/about-the-ico/news-and-events/news-and-bl...

No. Only £325,000 out of a possible £500,000.

0 comments

fcbrooklyn7y ago

In fairness, this story is consistent with my own (limited) experience dealing with EU law. A few years ago, I was trying to determine if an EU based company I was advising really needed to offer the now-ubiquitous cookie advisories. I met with some very high profile (and very expensive) lawyers, who told me that although I technically needed to include the various popups and advisories, I was not in any real danger, because of selective enforcement. Eventually, they changed their mind and we added the sliders anyway, but for a time, the law was stricter than the actual enforcement.

But I was an american being advised by a top tier british law firm. How is a random guy releasing free (or cheap) services on the internet supposed to deal with a situation like that? The arbitrary nature of the enforcement is exactly what makes this a problem. If there were strong penalties, but clear ways to remain in compliance, this developer might have made a different call.

If I know I'm technically out of compliance, and I don't have a high powered lawyer telling me it's not a big deal, then I'm not sleeping well. And if I can solve the problem once and for all by taking the unfortunate step of simply cutting EU residents off of the service, then I'm going to at least consider that option, and probably take it in the short term.

If the EU wants to reassure people that "The regulators send a letter asking you to come back into compliance unless you've been really bad. They only move to fines if you ignore them." then they would be well advised to make that very clear. If they don't, you're going to see more of this, and really, if it's true, why wouldn't they?

DanBCOP7y ago

I mean, I linked to an article where they do say this.

> The ICO said in a statement that it would only consider “enforcement action” if a company failed to register despite ICO advice.

And they keep saying this.

fcbrooklyn7y ago

So, imagine you're running a free service as a side project. And the state of Idaho introduces a law, that has federal teeth, such that if a resident of Idaho might use your service, you must register with the state of Idaho. Would you be happy about that? Is there any possibility that you might decide to simply block Idaho rather than deal with the hassle?

A better solution would be a webpage, hosted by the state of Idaho saying "Here's what we're after, don't do these things, and you're in no danger." Followed, hopefully, by a list of things that you weren't planning on doing anyway because you're not a jerk, and that are crystal clear so you don't have to speculate about how selective the attorney general of the state of Idaho is in prosecuting these sorts of crimes.

j / k navigate · click thread line to collapse

0 pointsDanBC7y ago0 comments

> This is an easy thing to say when you're not personally exposed to the risk.

https://www.bloomberg.com/news/articles/2018-04-26/u-k-healt...

People freak the fuck out about the big fines, but they don't realise they're conditioned by the pathologicaly dreadful US system which aims to over-charge and over-sentence at every opportunity.

Here's some examples: The UK Criminal Prosecution Service sent some unencrypted DVDs through the postal mail. Those DVDs got lost. They got a fine.

Some time later they did it again - this time the DVDs contained interviews with children who were the victims of sexual abuse.

Think about this for a bit: no encryption, no secure mode of delivery, a repeat offence, incredibly sensitive personal data.

Sure this requires the maximum fine, right?

https://ico.org.uk/about-the-ico/news-and-events/news-and-bl...

No. Only £325,000 out of a possible £500,000.

0 comments

fcbrooklyn7y ago

DanBCOP7y ago

I mean, I linked to an article where they do say this.

> The ICO said in a statement that it would only consider “enforcement action” if a company failed to register despite ICO advice.

And they keep saying this.

fcbrooklyn7y ago

j / k navigate · click thread line to collapse