GAO Gives Congress Go-ahead For a GDPR-like Privacy Legislation (zdnet.com)
An independent report authored by a US government auditing agency has recommended that Congress develop internet data privacy legislation to enhance consumer protections, similar to the EU's General Data Protection Regulation (GDPR). From a report: The 56-page report [PDF] was put together by the US Government Accountability Office (GAO), a bipartisan government agency that provides auditing, evaluation, and investigative services for Congress. Its reports are used for hearings and drafting legislation. The House Energy and Commerce Committee, which requested the GAO report two years ago, has scheduled a hearing for February 26, during which it plans to discuss GAO's findings and the possibility of drafting the US' first federal-level internet privacy law. If the committee's members were to follow GAO's conclusions, GDPR-like legislation should be coming to the US.
Re: Well, shit. (Score:4, Informative)
Except it really isn't that difficult to comply with GDPR regulations. I've had training on it since I work for an internationally present company, and it basically amounts to only a few tenets for most software.
First, gather only information necessary to perform the tasks or services being offered. Any information gathered should be clearly stated in a way the user can understand and they should have easily accessible and granular controls for that information (i.e. don't bury the privacy toggle under 100 menus that don't even seem related) unless it is absolutely essential for basic operation. Finally, the user has a right to that information and should be able to get a copy of all of the data related to them and easily be able to request the irreversible deletion of that data at any time.
There are other recommendations and compliance guidelines, but none of it is that complicated. Really it just protects users from having massive data harvesting efforts go on without their consent, gives some teeth to the courts to enforce the restrictions, and creates transparency about what a company is actually doing. I'm really not sure why people are so against it. Small companies don't even have the resources or wherewithal to be violating a large portion of the regulation without ill-intent from the start, and the violation penalties are based on the size of the company, users affected, and scales down based on their revenue. Hell, it hasn't even changed most of our development process at my job because we weren't violating this shit to begin with.
Re: (Score:2)
I don't really disagree with what you say, but I think it could be hard to retrofit into an existing service. It's well thought out and if you have it in mind, it's actually pretty useful for reasoning about how to protect the data and support the required functionality.
It's hard to say what would be most difficult since that is kind of dependent on the service in question. My read, though, is that backups will be a general problem. It's not uncommon to store files for multiple users in one file system or
Re:Lawyers always win (Score:4, Insightful)
but since the "data controller" is completely liable, personally, under GDPR for any real or imagined breach
So they actually made somebody liable for data breaches?
Sounds good to me, whether big company or small. Let's do it.
Re:Lawyers always win (Score:5, Insightful)
It's not my problem if an outfit is too small to responsibly handle my data. They need to up their game on security or get out.
Re:Lawyers always win (Score:5, Insightful)
That, or stop asking customers for tons of personal information and then storing it in an xls file accessible to everyone on the cloud.
That's by far the biggest win of GDPR. And small shops in the EU didn't disappear due to GDPR. They just need to stop doing stupid things that will hurt them and their customers.
Re:Lawyers always win (Score:5, Insightful)
Boo-hoo, cry me a river. If safeguarding my personal information puts your business in the red, then maybe you should stop collecting so much personal information.
You want to hoover up every bit of PI you can find about me, you're on the hook to safeguard it. As it stands right now, there is no reason not to gobble up every little data point you can get your hands on, no matter if it's relevant to your business/service or not. When you lose it (you will) you lose nothing.
Over the past 5 years or so, have you noticed how every damn thing wants you to set up a profile? Notice how these profiles are asking for all sorts of different data points that have shit-nothing to do with the provided service? Right now there is no reason not to ask for everything from sexual preference to political association, and turn around and sell it to the first bidder.
There are freemium services, and then there is what we have now. Something has got to change. If I have to click through a "we use cookies" banner from time to time, and in return, my valuable personal information is treated with a little respect.... I'm ok with that.
Re:Lawyers always win (Score:4, Informative)
I call your bullshit. I know what the regulation requires and this is nothing but a bunch of arguments that some asshole executive at Google would parrot out. Small companies can easily comply with a large swath of the regulations without that much more effort. Most of my software and infrastructure I have at my HOUSE, developed exclusively by me, can comply with the regulations. The only people that have issues with this are people that were recklessly throwing out hot garbage to snag a quick buck at someone else's expense, companies that make most of their money from dragnet style data collection of users, or people that heard some talking head drone on about "undue hardship and government overreach."
I plan to start a software company (without some random jackass giving me free money) within the next decade and I fully support these regulations being implemented in the US.
Re: (Score:2)
Did you read half of what I said? I have actually had full training on what this legislation entails and how to comply with it. You are completely idiotic if you think this is going to harm a bunch of clubs and not-for-profits.
First, private citizens don't determine if someone was acting recklessly, they still have to follow the EU version of due process. Second, how much data do you think these clubs are collecting on members? If you have a damn sign up form and take down information about a person you
Re: (Score:2)
Except I work for a POS manufacturer and actually write software for a living. What part of "I have had actual training on this" do you not understand? You know what, go ahead and continue to buy into the false bill of goods you're being sold and ignore people that have literally years more experience in a field than you do. I'm sure you know better after reading the Wikipedia page for 10 minutes.
Re: Lawyers always win (Score:2, Informative)
This is incorrect. The data controller generally refers to the organization that is responsible for processing personal information. Some companies are however required to have a data protection officer.
GDPR is essentially the general principles for privacy that have been codified into law. It probably improves privacy a lot over a few years. It is complicated, but in a few years it will probably be natural to always consider privacy.
I work as a data protection officer myself.
Re: (Score:3)
Just because the recommendations were "in flux" doesn't magically absolve potential liability. You are not a US criminal lawyer. And reasonable effort is decided by a judge and/or jury - not a CEO, a lawyer, or the public, unwashed masses of social media. And it can be decided many years after the fact, since the law is now on the books. The fact that you don't know, for sure, exactly HOW to follow it doesn't mean you're absolved from needing to follow it anyways.
Re: (Score:3)
OR, you could just not collect personal information. Yeah, I know, radical solution.
Re: (Score:3, Insightful)
Why the fuck do people want more government?
People don't want more government. They want big corporations to stop fucking them. Unfortunately, the only way to do this is to get the government involved.
Hurray!!! (Score:2)
Quacks around the country rejoice!
It is hard not to be a conspiracy theorist... (Score:1)
Ah, the My Campaign Needs More Dollars Act (Score:2)