Europe's General Data Protection Regulation Makes Privacy Global

Legislation needs support from a lot of different places, and individuals learning more about how it could be if they were EU citizens can only help. And as Geoff noted, small businesses will just put GDPR protections into place for everyone since it won’t be worth doing things different for EU and non-EU users. So GDPR likely will improve privacy for everyone, at least in small ways.

Here’s the latest example from today’s email. Companies are taking GDPR seriously.

2 Likes

I’m with you on the Patriot Act for sure, but I don’t see these things as exclusive. I believe the GDPR is a good thing for privacy and I hope it will also benefit me even as a US citizen. Sure, getting rid fo the PA might do more for me, but hey, I’ll take whatever I can get. The EU is acting and I get the GDPR. I’m not holding my breath for a repeal of the PA. At the very least by the current administration, they for sure couldn’t care less about my privacy.

I think this here might be a nice example of how GDPR is already protecting people all around the world, not just in the EU.

1 Like

That’s indeed good news, though not actually required by GDPR. Still, I think it’s fair to say that part of the impetus for this move is the attention on privacy being caused by GDPR right now.

Still, Apple has been making a lot of hay in distinguishing themselves as a privacy focused company recently, presumably in part because they think the market will reward them.

Good for them, even if it doesn’t.

Although I really did intend to disengage from this conversation, I don’t understand how a law that enables individuals to personally determine what data is collected about themselves and manage the data that has to do with a bill intended to prevent terrorism and money laundering that requires documentation and subpoenas? Public security and individual privacy are very distinct and separate issues, and whether or not I agree with the Patriot Act is irrelevant here.

The Patriot Act is the law the government uses to collect insane amounts of personal data about you. You have no right to object to it, and you have no right to know what they have collected or what they are doing with it. You have no right to request a copy of that data and no way to request that they delete it.

I suppose some people simply think that anything that governments do is ipso facto good and justified. Or perhaps they believe that the government never misuses data to the harm of citizens, such as creating extra-judicial no-fly lists with no appeal process.

Those are the only ways I can think of that would make sense of somebody trying to defend both GDPR and the Patriot Act, even though they are completely at odds with each other. (By the way, I’m not trying to imply that you’re doing that.)

1 Like

The Patriot Act is the law the government uses to collect insane amounts of personal data about you. You have no right to object to it, and you have no right to know what they have collected or what they are doing with it. You have no right to request a copy of that data and no way to request that they delete it.

Under very limited circumstances, this used to be true, but they never collected anything resembling “insane amounts of personal data about you.” The very limited circumstances were narrowed even further after the FBI executed a little over 24,000 requests in 2010, which is a lot less than the amount of information Facebook, Google, Snap, internet service providers, etc., etc., collect from billions and billions of individuals every second.

Any information gathered via the Patriot Act information limited an is also sealed from unauthorized personnel until it is released by a court. Until then, it is not shared with third parties outside the US intelligence and law enforcement services, and probably would not be unless requested by the Freedom Of Information act.

"After the Patriot Act expanded the scope of NSLs as described above, their use began to rise. The Department of Justice reported to Congress that in 2010 the FBI made 24,287 NSL requests (excluding requests for subscriber information only).

NSLs give rise to privacy concerns and, according to critics, the potential for abuse, for several reasons. First, the FBI may issue NSLs on its own initiative, without the authorization of any court. (This was true even before the Patriot Act.) Nothing in the Patriot Act provides for any judicial review of the FBI’s decision to issue an NSL. Second, the NSL statutes impose a gag requirement on persons receiving an NSL. In addition, the Attorney General Guidelines and various information sharing agreements require the FBI to share NSL information with other federal agencies and the US intelligence community.

The Reauthorization Act tried to redress some of these concerns. It provided a right to judicial review of NSLs and a right to petition a court to lift the gag order. The Reauthorization Act also provided criminal penalties for violating gag obligations with the intent to obstruct an investigation.

So where does this complex statutory scheme leave cloud users? While the use of NSLs is not uncommon, the types of data that US authorities can gather from cloud service providers via an NSL is limited. In particular, the FBI cannot properly insist via a NSL that Internet service providers share the content of communications or other underlying data. Rather, as set forth above, the statutory provisions authorizing NSLs allow the FBI to obtain “envelope” information from Internet service providers. Indeed, the information that is specifically listed in the relevant statute is limited to customers’ name, address, and length of service.

The FBI often seeks more, such as who sent and received emails and what websites customers visited. But, more recently, many service providers receiving NSLs have limited the information they give to customers’ names, addresses, length of service and phone billing records. “Beginning in late 2009, certain electronic communications service providers no longer honored” more expansive requests, FBI officials wrote in August 2011, in response to questions from the Senate Judiciary Committee.

Although cloud users should expect their service providers that have a US presence to comply with US law, users also can reasonably ask that their cloud service providers limit what they share in response to an NSL to the minimum required by law. If cloud service providers do so, then their customers’ data should typically face only minimal exposure due to NSLs."

https://www.mayerbrown.com/publications/the-usa-patriot-act-and-the-privacy-of-data-stored-in-the-cloud-01-18-2012/

I suppose some people simply think that anything that governments do is ipso facto good and justified. Or perhaps they believe that the government never misuses data to the harm of citizens, such as creating extra-judicial no-fly lists with no appeal process.

I am definitely not one of those people at all. And I am not one of those people who wears a tinfoil hat or believes in conspiracy theories.

Marilyn

1 Like

But feel free to keep believing that I’m just wearing a tinfoil hat.

The NSA’s authorization doesn’t come from the Patriot Act.

The problems with data collected by governments are distinct from the problems with data collection by businesses meant to be addressed by the GDPR.

Of course they are distinct. But the relationship between them is obvious.

And the connection of government surveillance to the Patriot Act (as well as several other laws) is acknowledged by all:

NSA data is not collected under the Patriot Act, it’s a whole separate shebang. And years ago I did read “The Puzzle Palace.” 95-99% of what the NSA collects is metadata, and if they detect a pattern they think is suspicious, they have to get a warrant or some kind of clearance to dig deeper.

I remember reading a few years ago that Facebook and a Google turned down a request to turn over info, but I don’t remember if became a big legal and political issue like Apple unlocking the iPhone. Maybe if the NSA wanted to buy the records and info, including the phone numbers, addresses and notes from their contact lists they would have sold it to them like they did to Cambridge Analytica.

About a year or so ago the US President signed a bill allowing internet service providers to sell any or all information they can collect about you without your permission. And net neutrality rules went bye-bye last year. AT&T had been selling ads even before they acquired Yahoo and AdWorks, and all the other big ISPs had also, but this made it possible to deliver more granular and targeted audiences for ads possible, as well the ability to sell the data itself.

The NSA, FBI and whatever else probably isn’t finding out near as much about you or me without a warrant or clearance as so many ad supported internet and phone companies already know or are learning. A big difference is that the NSA doesn’t keep the information for more than a week or two unless it’s suspicious. And if they listened to me talking on my phone to my BFF since Junior High today about why her lava cakes pancaked when she was baking them, I hope they will like my recipe that I sent her.

Marilyn

OK, folks, let’s stay focused on the GDPR.

Sorry about that. I deleted my previous post.

Seems like anyone with a mailing-list will have the member count reduced by 90% now as everyone has to ask people already on their lists to consent actively … . (Think I will skip it for my small lists myself, but see many now trying to deal with the problem and they fail.)

1 Like

Sounds rather reasonable to me. If somebody doesn’t consent to getting mailing list posts, why should they be on that list and get spammed? OTOH if I want to get mailing list posts, sending my consent is certainly no big deal.

1 Like

Well, it will apply to all mailing-lists whether or not the members on them have given consent or not earlier. It is both for good and bad: people won’t have to actively unsubscribe to lists they have gotten tired of & only need not to react, but “bad senders”(spammers) likely will not take them off their lists anyway. Less good for good e-mail list senders like TidBits who need to get renewed approval to send messages even if people have actively signed up on the list before - it might be easy to do the re-consenting, but in practise only a minor % will do so, but they might get back later on.

1 Like

Yes, undoubtedly it’s a good thing for the EU to force me to resubscribe to every email list I’m on because they decided that my previous consent wasn’t good enough.

Well I guess we can’t have it both ways. If I can’t be bothered to consent to TidBITS I have only myself to blame when I don’t get a new issue.

I teach at a College here and we had staff training on GDPR.

Quite a thing to consider, when you hold data on students from grades to notes to disciplinary decisions and outcomes of meetings. Boils down to

  • data is gathered for a purpose and usage cannot vary from that purpose without explicit clear consent.
  • Data which is sensitive has to have particular consideration.
  • Data should not be held beyond needed purpose’s timeframe.
  • Data breaches have to be acknowledged within 72 hours
  • Data requests (from users) have to be made available within a month.

Sounds good to me as a start. Quite common-sense.

Correct. And Tidbits has GDPR to blame for the loss of subscribers and subsequent loss of income.