I think this is a very distinct difference between the EU with the scaremongering removed, and e.g. the US: My experience of the EU has been that they've consistently looked out for my interests. Even in the face of the local government (I live in the UK) that have kept fighting for positions I find abhorrent (e.g. UK governments keep complaining about having to abide by EU human rights regulations for example).
Yes, we shouldn't aim to give governments power to push things to an extreme, but on the other hand we should also ensure that they have the ability to actually react to serious abuses.
In particular in the area of data protection, I don't know of a single example where the rules have been pushed to the extreme. If anything, as a private citizen I'm disappointed there's not been stricter enforcement. As someone who has had to deal with it on the corporate side as well, it's not been hard to comply with.
Enforcement here is generally always strongly predicated on not jumping straight to the strictest possible outcome, but in carefully considering how serious a transgression is. It's not that EU systems are inherently good, but that history and practice have shown that when they give flexibility, it takes serious abuses and ill intent to end up with the strictest reactions allowed, and there'd also be little reason to assume that anyone rushing to the strictest interpretations possible wouldn't get shut down hard by the courts.
Not sure I'd 100% agree, and they are at the mercy of individual governments who have in some cases gone against the spirit of some of the EU regs, for example Spain's implementation of TUPE.
You are transposing your like of certain EU institutions (human rights regulations) and grafting them onto this legislation. This isn't how it works, not least because there has been no case-law yet, so we have no idea how it will be interpreted. Therefore a legal compliance unit has no choice but to follow GDPR to the letter, which is hugely difficult and bureaucratic. The notion that they are "good-natured" is meaningless in a legal sense.
It seems many commentators here are confusing criticism of the GDPR with criticism of the EU itself. Surely people are sophisticated enough to understand that they are 2 hugely different things, and that a robust criticism of regulations and laws is part of a healthy democratic society.
As mentioned elsewhere, these regulators have been operating for a very long time. Even when dealing with the whole Facebook / Cambridge Analytica they're moving quite slowly. There have been various legal changes regarding privacy in the past. E.g. for The Netherlands it is not allowed to have a checkbox on by default to sign up to a mailing list. There's a fine if you don't abide and this fine can be very hefty. In case of problems the regulator first reaches out, a fine is the very last resort.
There has been ample history on how these regulators have been working over the past 20-40 years.
The substance of this line of criticism is that yes, it's probably going to be fine. But if it's not, they can fine you at 4% of global turnover. They probably won't, but they literally can. "I read on a blog that they'd be nice and send me a warning first" gets you exactly nowhere in court ("very well, but what did your lawyer tell you?"). The article praises the GDPR for having teeth -- being timid can be something you are because that's your nature, or it can be something you are because you don't have teeth.
This is what risk is. Absolutely, don't panic. But responsibly managing risk means considering the 100% real and existing option of regulators abandoning their previous caution and trying out their new teeth. Perhaps they get reined in, but perhaps that takes 10 years, or perhaps it turns out to be politically convenient not to rein them in at all. There are 28 EU countries, so 28 regulators, only one ambitious rising star at one of which needs to "break bad".
Yes, I agree that this is probably a very small risk. But having a calm and correct view of the fact that there is a risk is 100% the right move here. Something like every other lawyer in Europe is worried about this right now, and does think it's a bit of a big deal. Don't panic, but take the advice of a non-lawyer's blog over your actual lawyer's at your own extreme peril.
> "I read on a blog that they'd be nice and send me a warning first"
That's not what happened. Various people pointed out various cases where it's shown over the course of 20 years what happened. Ample history.
> Don't panic, but take the advice of a non-lawyer's blog over your actual lawyer's at your own extreme peril.
Are you from the US or EU? Immediately going to a lawyer seems strange and unique to me. Within a big company, yeah, lawyer. Anything else unless you're doing something specific I don't see why.
> Various people pointed out various cases where it's shown over the course of 20 years what happened
Yes, and various other people are pointing out that now there's a new law that changes a lot of things, perhaps what happened in the last 20 years isn't a perfect guide for what's going to happen in the future.
> Immediately going to a lawyer seems strange and unique to me
I'm from the EU, and I go to lawyers for things much smaller than those that can get me fined 4% of turnover. And so should you, if you're serious about managing your risk. If your things are in order, it's not terribly expensive, and you get to lean on your lawyer's professional liability insurance if things get weird regardless.