> Therefore taking millions of photos in public of cars, and turning their license plate numbers into a database is legal, as is selling that information. It's all data gained in public.
One absolutely does not follow the other; there are all sorts of things that are legal only if done for certain purposes, only below a certain scale, etc. The idea that we must permit both or neither is a false dichotomy.
E.g. city employees who need to better understand traffic patterns originating from one neighborhood, to plan better public transit. Journalists who want to expose the congestion caused by Amazon delivery trucks. And so forth.
Is it database size? Commercial use? Whether license plates are hashed before storing? Hashed before selling the data to a third party? What about law enforcement with a warrant? Etc.
I think the wrong assumption you're making, is that there is supposed to be a simple answer, like something you can describe with a thousand words. But with messy reality this basically never the case: Where do you draw the line of what is considered a taxable business? What are the limits of free speech? What procedures should be paid by health insurance?
It is important to accept this messiness and the complexity it brings instead of giving up and declaring the problem unsolvable. If you have ever asked yourself, why the GDPR is so difficult and so multifaceted in its implications, the messiness you are pointing out is the reason.
And of course, the answer to your question is: Look at the GDPR and European legislation as a precedent to where you draw the line for each instance and situation. It's not perfect of course, but given the problem, it can't be.
Even if that results in a bunch of more detailed regulations, we can then understand the principles behind those regulations, even if they decide a bunch of edge cases with precise lines that seem arbitrary.
Things like the limits of free speech can be explained in a few sentences at a high level. So yes, I'm asking for what the equivalent might be here.
The idea that "it's so impossibly complicated that the general approach can't even be summarized" is not helpful. Even when regulations are complicated, they start from a few basic principles that can be clearly enumerated.
Delivery trucks are operated by corporations so don't have privacy protection (although the individuals driving them would from things like facial recognition). Traffic patterns can be studied without the use of individual identifiers. Law enforcement is moot because the juicy commercial surveillance databases won't be generated in the first place, and without them we can have an honest societal conversation whether the government should create their own surveillance databases of everyone's movements.
These aren't insurmountable problems. GDPR gets these answers mostly right. What it requires is drawing a line in the sand and iterating to close loopholes, rather than simply assuming futility when trying to regulate the corporate surveillance industry.
Not OP, but yes, I think it is not. At least, not legal in the same expansive way that you are implying. AFAIK private detective work is very much regulated, most likely because it is otherwise known as stalking.
And even the latter is fraught with hazards to liberty.
At a certain point, difference in scale becomes difference in kind. This is fundamental to the universe to the point of thermodynamics.
(To the example, how do you think it would go if you regularly hosted hundres of card games in respect of which you didn't take a cut?)
