I do have some direct experience of working with EU data protection regulators. My experience has been that they vary wildly in "reasonableness". UK ICO is pretty OK, they want companies to succeed. France's CNIL is a joke. Petty, spiteful and utterly inconsistent. I watched as a company worked closely with them to get their sign-off on a change to their terms of service and privacy policy. CNIL were happy to be involved and taken so seriously, they were satisfied with the changes and even praised them in private. After the company announced the change, some journalists saw an opportunity to make some noise and did so. CNIL then immediately changed their mind and dished out a fine, despite having previously agreed to it. What a farce.
That's at the national level. I can give many examples of cases where the EU has been anything but reasonable.
The entire argument Jacques presents here boils down to his belief that everyone working in GDPR enforcement in the EU will not only be totally predictable and reasonable today but also going forward into the indefinite future.
As pointed out in the other thread, this belief is itself unreasonable, because the nature of the GDPR means that even in the unlikely event it's true today, if in 10 years a new Commission arrives and changes their mind they can retroactively decide that things previously allowed were actually illegal. The GDPR says virtually nothing about anything so they'd certainly argue such a thing was merely a "clarification" and not a retroactive change to the law.
There are plenty of examples of governments doing this sort of thing over time, including the EU, like with Apple's tax situation. Mr Mattheij appears to just write this possibility off entirely.
EXACTLY! There seems to be an almost cultish devotion to the benevolent institution that it can do no wrong, neither now nor henceforth.
I understand WHY people have this belief. The EU is under constant attack at the moment from many sides, and people feel they need to defend it at all costs, even if they are wrong.
As you mention that "they are wrong" in reference to saying that the regulators aren't to be trusted, could you explain how the Dutch regulator behaved badly?
I'm Dutch and have followed what they've been doing over at least 10+ years. I don't think I'm wrong in my assertion, but feel free to point out the details. Also, I'd like to know how often you've followed what the Dutch regulator has been doing. I get the feeling you're not aware of their name.
You have to trust someone. Either the vast expanse of companies clearly mishandling your data, or the "benevolent" body which so far at least has a fairly good track record. It's not perfect. It's dangerous to give them too much power because you don't know how they will change in the future. But at the end of the day, I'd rather trust a governmental body which is at least supposed to look out for my interests, rather than a company whose main motivation is to exploit me for every penny I have.
A new commission can always change their mind and propose new laws that get voted in, as can any government. There are few things an elected body can't do, and even when there are safeguards, those can be removed given enough effort.
And this is not exclusive to them. Common law and to a degree Civil law are changeable in this way where a court can retroactively decide that things previously allowed were actually illegal by providing a mere "clarification".
In the EU this means several layers that can modify what a law actually means. The government, the national courts, the EU parliament, and the EU court. In the US you've got federal law, state law, city law?, and courts all the way to the Supreme Court, each of which can in 10 years make a decision that retroactively decides that things previously allowed were actually illegal. It seems like a risk that is inherently part of the legal system everywhere.
It’s also the opinion of every regulatory lawyer!
I don’t really see what the alternative is. It’s painfully obvious that a regulation like this is needed. Like any regulation, there will be a period of bedding in while we work out the actual bounds and procedures required.
I’m curious then what your alternative proposal for implementing this regulation would be, assuming you think it’s something that needs to be regulated at all.
So, there's no opportunity for litigating using their previous statements? At least now I understand why you're on every GDPR thread.
Regulators can never be held to anything they say. When you ask questions, if they answer at all, it always comes with a disclaimer that it's merely "guidance" and not binding. If they later change their mind, it's always a "clarification" and not a change.
The sort of people who think vague regulations are a good idea are the sort of people who think regulators are staffed by people who are inherently good, so they're usually written to give regulators maximum power and minimum accountability. GDPR is a case in point. If you read the EU's documents on the matter closely, and I have, then you find that the EU refuses to even respond to questions at all. That's delegated to national regulators, but the EU is clear that those regulators don't have the power to issue binding declarations, only guidance. In other words, you can ask a regulator or a lawyer. Their opinion has no more or less weight than my own posts do. The only time binding decisions are made is during enforcement actions.
If 1) A new European Commission arrives and proposes a change in the law that is retroactive; AND 2) The European Parliament agrees with the change; AND 3) The Council of the European Union (ministers from every EU member state); AND 4) the Court of Justice of the European Union doesn't strike the legislation down
THEN you can worry.
Exactly 4 decades in France (it started in 1978).