Furthermore, you cannot contract away criminal liability if any exists.
The fact that 100% of its users, except the litigant, skimmed through the EULA and did not notice anything does not relieve the company from the responsibility.
That is defined as extortion, but labelled as onboarding.
That's opt-in, not opt-out.
Pre-checked "yes" is called "opt-out".
GDPR tried. And the narrative around GDPR was deliberately completely derailed by adtech.
Lack of enforcement didn't help either
The problem is not the GDPR, the problem is the surveillance industry that wants to grab as much data as possible and try to do as much malicious compliance as possible.
In a perfect world, yes. In the real world, there is an entire industry of lawyers who will smother your competitors with bogus requests because GDPR requires you spend time and resources to investigate and respond to each and every complaint regardless of merit.
The costs are often worse on industrial side because the data is so much larger and faster than web or mobile data.
The trouble started when lawyers correctly noticed that these are incidentally capable surveillance systems even though that isn't how we use them or what they were designed for.
GDPR frames everything in the context of a person's data. There is no "person_id" or similar field in these data models. That isn't the purpose of the data, it would be expensive to extract it, and then it would create obvious liability under GDPR. This makes the idea of finding a person's data expensive -- brute-force search on huge data volumes.
Compounding this, these data systems are often operational and some of the data may be in situ at the edge because it is too large to move all of it. The power and compute budget may not exist to find a person using brute force.
AFAICT, current best practice is to maintain a polite fiction that people aren't being tracked because that is not the intent. No one thinks that would stand up to serious legal scrutiny though. If the regulators come after you then plead best effort based on the technical infeasibility of doing anything else.
Forget tracking workers' movements and stuff like that because that's even more complicated (the data is tied to a person, but only in their capacity as an employee and not as a private individual).
Focus on a case like a cluster of sensors attached to various equipment powered by electric motors, or using RFID to detect when a pallet enters the warehouse. Let's say that all goes to a cloud platform and I store it, I build a bunch of derived analytics stuff from it, and I send it up to Anthropic (with no-train-on-me-pls contract clause) for my cool new AI insights engine.
Does GDPR apply at all to that? I would have assumed it doesn't have any relevance whatsoever, but you're implying that it does. Or are you specifically talking about the case when individual employees are the data collection subjects, like a fleet management platform with a telematics component?
--- start quote ---
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
--- end quote ---
IANAL, but this basically covers all your bases, together with https://gdpr-info.eu/art-32-gdpr/
Unless, of course, your industrial-scale data collection actually collects significantly more data than you let on, and extraction of personal data is not as hard as you make it sound.
The GDPR is there to protect your personal/sensitive data, or data that can personally identify you. It has nothing whatsoever to do with data capture from industrial machinery.
I remain astounded how ignorant some people are of the basic GDPR principle: protecting your _personal_ data.
How is this not your personal data?
Exploitation of these types of data sources has been demonstrated for 15+ years at this point. Abuse is often impractical for technical reasons, but GDPR doesn't give you a free pass on collecting personal data just because you aren't using it like personal data.
Many systems were not explicitly designed for surveillance, and yet they are, because many systems collect too much data to begin with.
Hence the problem: people who collect too much data claim that GDPR is complicated, complex, convoluted, impossible to comply with... instead of changing what data they collect, and how.
Additionally, people confuse the complexity of human endeavours with the complexity of the law. GDPR itself is neither complex nor complicated. It doesn't try to carve out exceptions, rules, and regulations for every possible activity humans may attempt. Then it would become impossible to understand or comply with.
As is, it has enough carve-outs for industries which require more data than strictly necessary, called "legitimate interest" (which still doesn't allow you to just use this data willy-nilly). E.g. banks collect significantly more data about customers than strictly necessary (because KYC, fraud, security etc.), and store that data for a significantly longer amount of time than allowed by privacy-related laws (because they are governed by the bank laws of their respective countries). It doesn't mean they can sell that data or spy on users.
Same here. It's not on the law to tell you exactly how to operate your "industrial-scale operation". It's on you to fix your shit, stop collecting more data than necessary, have data protection in place, delete data after a reasonable time, anonymize data etc.
I have read GDPR and don't work in adtech. It is vague and it is pretty easy to find pathological scenarios that don't make much sense or impose an unusually high burden for no benefit. Every European law firm seems to agree with this assessment despite what proponents assert. Consequently, it forces a lot of expensive defensive activity in practice.
To some extent, it was just a failure of imagination on the part of GDPR's authors. Many things are not nearly as simple as it seems to assume and it bleeds into data models that have nothing to do with people.
It is what it is but no one should pretend it is not a burden for companies that have nothing to do with adtech or even data about people.
Congrats on gullibly believing the ad tech narrative.
YOUR collection of users' data is an overreach and breach of privacy. MY collection of data is absolutely necessary to grow my scrappy small business and provide value. I am a good person with good intentions, so it's OK. You are a bad person doing bad things, so it's not OK.
What is data processing essential for the services being provided? Many publishers assumed that getting paid was an essential part of providing a service, and it was not until 3 months before the implementation deadline that the committee clarified that getting paid is not included when you are being paid by a third party.
How are you to know whether or not the user is an EU citizen (and thus subject to the GDPR)? Is making that determination a service essential for providing your service? The answers apparently were "You don't" and "No", which would effectively make companies assume that the GDPR applies to everyone on the planet.
The GDPR also is fundamentally opposed to how things currently work on the internet, making almost all advertising on the web illegal overnight. It was too big of a change to happen at once, so it is effectively only loosely enforced in practice.
I like the idea of the GDPR, but the implementation sucks.
What utter utter FUD
You are free to collect as much personal data as you want, PROVIDING you have my explicit opt-in informed consent to do so.
What about this is difficult to understand?
> How are you to know whether or not the user is an EU citizen (and thus subject to the GDPR)?
The GDPR provides _basic_ data safety and consumer protection. If you aren't protecting users' private data, regardless of where they live, in line with GDPR principles (such as collecting it fairly, and not selling it to randoms), then you are playing fast and loose with your users' private, sensitive data. In which case you need to _seriously_ consider if what you are doing is ethical.
> The GDPR also is fundamentally opposed to how things currently work in the internet, making almost all advertising on the web illegal overnight.
Utter Bullshit!
You are free to advertise as much as you like! But if you want to track me with your advertising (hello scummy adtech industry) then you need my explicit informed consent to do so. And so you should!
Again, what about this is difficult to understand?
It's interesting and revealing when someone responds to a law that says "You're not allowed to abuse users in countries X, Y, and Z" with "How can I figure out who's in the other countries, so I can abuse them?" instead of "I'll just stop abusing everyone, and then I don't even need to worry about where anyone is."
Whenever you find yourself asking "how do I toe as close to the 'illegal' line as I can without technically going over it?" I think it's time to ask yourself some pretty hard questions.
DPA won't punish you for not following EDPB's recommendations, they will punish you for breaking GDPR. You are free to ignore EDPB if you think your legal position is strong, but you carry the risk if you are wrong.
The rest of the "It'S So LaRgE AnD UndErSpEciFieD" is just FUD. The regulators don't just slap fines, they work with you to get you to comply, and they just want to see that you're putting in the effort instead of messing them about.
I have literally never been surprised by the GDPR. Whenever I thought "surely this is allowed" it was, whenever I thought "this can't be allowed", it wasn't. For everything in the middle, nobody will punish you for an honest mistake.
This is not too hard if you do proper engineering work ahead of time and are purposeful about how you move and manage data (step 1 is just not collecting it unless it's vital). But the industry encourages us to be very bad about that because we gotta "move fast and break things or you're not gonna make it."
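As an added example (not from this thread or any commenter), here is what the "proper engineering work ahead of time" above and the Article 25 measures quoted earlier look like for the warehouse sensor pipeline discussed upthread: a purpose-bound field allow-list, keyed pseudonymisation of an incidental worker identifier, and a retention period enforced at the edge, which also turns a subject access request into a pseudonym lookup instead of the brute-force search described earlier. The events, key, field list and retention period are all constructed for the demo.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample of raw edge events from motor sensors. "badge" is an RFID worker
# badge and "gps" a location: incidental personal data the analytics purpose does not need.
RAW_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "motor_id": "M-17", "rpm": 1450, "temp_c": 61.2,
     "badge": "B-4471", "gps": "48.13,11.58"},
    {"ts": "2024-03-01T08:00:05Z", "motor_id": "M-17", "rpm": 1462, "temp_c": 61.5,
     "badge": "B-4471", "gps": "48.13,11.58"},
    {"ts": "2024-01-15T09:30:00Z", "motor_id": "M-02", "rpm": 990, "temp_c": 55.0,
     "badge": "B-9005", "gps": "48.13,11.58"},
]
PURPOSE_FIELDS = {"ts", "motor_id", "rpm", "temp_c"}  # allow-list for equipment analytics
RETENTION = timedelta(days=30)                          # storage period for this purpose
DEMO_KEY = b"constructed-demo-key"  # in practice: kept in a KMS/HSM, outside the analytics store
DEMO_NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key, the dataset alone cannot be
    joined back to a badge holder; unkeyed hashes of a small ID space could be."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def minimise(event: dict, key: bytes) -> dict:
    """Keep only purpose-bound fields; replace the badge with a pseudonym, drop location."""
    out = {k: v for k, v in event.items() if k in PURPOSE_FIELDS}
    if "badge" in event:
        out["operator_pid"] = pseudonymise(event["badge"], key)
    return out

def ingest(events, key, now):
    """Apply minimisation and retention at the edge, before data is forwarded or stored."""
    kept = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        if now - ts > RETENTION:
            continue  # expired for this purpose: never leaves the site
        kept.append(minimise(e, key))
    return kept

def records_for_subject(store, badge, key):
    """Access/erasure request: recompute the pseudonym and match on it (an indexed
    column in a real store) instead of brute-force searching raw identifying data."""
    pid = pseudonymise(badge, key)
    return [r for r in store if r.get("operator_pid") == pid]

def run_demo():
    return ingest(RAW_EVENTS, DEMO_KEY, DEMO_NOW)
```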
How do you know that? Again, the law establishes a rule-making body that can at any time change or add rules, and as far as I can tell there's no public review process.
Please quote the exact text of the law that you claim does that. And since the law has been in force for 10 years, perhaps you can point at the website of said body.
If you say "DPAs", then...erm... perhaps learn something about the world around you? Who do you think monitors compliance, say, for food, or for construction? It just appears out of nowhere? Same here
Just don't spy on people.