undefined | Better HN

0 pointsCaptainNegative4y ago0 comments

A high level overview may be possible, but any amount of actionable detail is impossible for laymen and lawyers alike. The GDPR is intentionally vague; there are entire academic papers from respected researches dedicated to trying to parse individual sentences from the document. See e.g. Cohen and Nissim's 33 page article on intepreting the sentence

> To determine whether a natural person is identifiable account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.

https://arxiv.org/pdf/1904.06009.pdf

Turns out writing vague laws lets you turn entities you don't like into cash cows.

0 comments

mhitza4y ago

I think actionable details are left vague as to not create legislation that's left behind by technological advances.

You're right, that personal identifiable information is a hot topic. Partly because you need immense foresight (a.k.a. impossible) to see how multiple data points can be correlated to identify someone, but also because you need to be aware of large-scale actors (e.g. state supported dragnet surveillance).

As an industry I don't think we have reached yet that discussion point, when we still have common basic practices we need to change. For example, I know that most small/medium companies don't even attempt to anonymize their database dumps. Those are the issues we have to focus on first, and those actions become clear to any developer that reads the GDPR for the first time. It's actionable insight without being explicitly stated.

I think that the GDPR is *incompatible with the web 2.0 model, and the internet as it exists today*, and I also think that is a good thing! It should push us to build services that in the end treat all users data as personal information, and lead to anonymous internet services by default.

I have my own laundry list of things I dislike about GDPR, which makes compliance harder than it should be. One such example is that IP addresses are "an exercise left to data controllers to anonymize", where I hold the belief that the legislature should have forced ISPs to be the ones to anonymize user IP addresses (anonymize things at the source). That way data protection agreements would not be even necessary when you use a CDN in front of your website (for example). By the same token, browsers should be forced to use generic User Agents, as those leak platform information like crazy.

I also disagree that "vague laws lets you turn entities you don't like into cash cows", because what I see most common is that companies get a slap on the wrist (so to speak) and fines are not always the first recourse, only affecting those that are majorly negligent and repeat offenders.

These laws are not draconian tools to suppress digital products, but to protect users from life affecting data leaks, automated decision making and profiling, which we've seen to be objectively bad in the past.

But as you can tell this is my highly subjective take on the issue. I might be completely wrong in my belief after all.

j / k navigate · click thread line to collapse