Slashdot Mirror


GAO Gives Congress Go-ahead For a GDPR-like Privacy Legislation (zdnet.com)

An independent report authored by a US government auditing agency has recommended that Congress develop internet data privacy legislation to enhance consumer protections, similar to the EU's General Data Protection Regulation (GDPR). From a report: The 56-page report [PDF] was put together by the US Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress. Its reports are used for hearings and drafting legislation. The House Energy and Commerce Committee, which requested the GAO report two years ago, has scheduled a hearing for February 26, during which it plans to discuss GAO's findings and the possibility of drafting the US' first federal-level internet privacy law. If the committee's members were to follow GAO's conclusions, GDPR-like legislation should be coming to the US.

54 comments

  1. a bi-partisan government agency? by Anonymous Coward · · Score: 0

    So there's partisan government agencies?

    1. Re:a bi-partisan government agency? by Anonymous Coward · · Score: 0

      I know, right!?

      The fact that it is called the Government Accountability Office should already be enough to say it is there to hold members of the government accountable. Truth is, there are a lot of politicians out there who try to discredit the GAO because they actually call out their BS, so it's important to remind folks that the GAO is actually there to help them.

    2. Re:a bi-partisan government agency? by Anonymous Coward · · Score: 0

      Not all agencies meet the high neutrality standards shown by Ajit Pai and the FCC. Net, net, it could happen.

    3. Re: a bi-partisan government agency? by Anonymous Coward · · Score: 0

      Boners

  2. Well, shit. by Anonymous Coward · · Score: 0

    I had high hopes that the US wouldn't succumb to the mass stupidity that is expressed in the GDPR. More useless overlay DIVs.

    1. Re: Well, shit. by Anonymous Coward · · Score: 0

      I think there is some good in the idea of it, but I do agree that it will likely only improve things a little while starting to form a bureaucracy that's hard for everyone but the largest stakeholders (Facebook, Google, etc) to navigate.

    2. Re:Well, shit. by Anonymous Coward · · Score: 0

      Why don't you think about your life a little bit further than some overlay DIVs.

    3. Re: Well, shit. by Zmobie · · Score: 3, Informative

      Except it really isn't that difficult to comply with GDPR regulations. I've had training on it since I work for an internationally present company, and it basically amounts to only a few tenets for most software.

      First, gather only information necessary to perform the tasks or services being offered. Any information gathered should be clearly stated in a way the user can understand and they should have easily accessible and granular controls for that information (i.e. don't bury the privacy toggle under 100 menus that don't even seem related) unless it is absolutely essential for basic operation. Finally, the user has a right to that information and should be able to get a copy of all of the data related to them and easily be able to request the irreversible deletion of that data at any time.

      There are other recommendations and compliance guidelines, but none of it is that complicated. Really it just protects users from having massive data harvesting efforts go on without their consent, gives some teeth to the courts to enforce the restrictions, and creates transparency about what a company is actually doing. I'm really not sure why people are so against it. Small companies don't even have the resources or wherewithal to be violating a large portion of the regulation without ill-intent from the start, and the violation penalties are based on the size of the company, users affected, and scales down based on their revenue. Hell, it hasn't even changed most of our development process at my job because we weren't violating this shit to begin with.

    4. Re: Well, shit. by Anonymous Coward · · Score: 0

      That's exactly what it's meant to be: create a financially unsurmountable barrier for anyone but the big players. If you were the government, would you want to deal with a multitude of small businesses that do not understand or want to understand your worldview, or just a few very big businesses whose heads understand and appreciate power?

    5. Re:Well, shit. by Anonymous Coward · · Score: 0

      Here is how much the GDPR has improved my life:

    6. Re: Well, shit. by DeVilla · · Score: 1

      I don't really disagree with what you say, but I think it could be hard to retrofit into an existing service. It's well thought out and if you have it in mind, it's actually pretty useful for reasoning about how to protect the data and support the required functionality.

      It's hard to say what would be most difficult since that is kind of dependent on the service in question. My read, though, is that backups will be a general problem. It's not uncommon to store files for multiple users in one file system or records for multiple users in one DB. If you save more than 1 month's worth of backups, you either need to nuke all your backups any time someone requests their data be removed or you need a backup strategy that backs up non-user and per-user data separately. You need to be able to discard all the backups for a user at once. And you need the remainder of the backup to still be consistent.

      Like the other problems, if you plan for it, you can probably implement a general solution, but I'm not aware of any backup tools that would make this easy. And then there are offline backups. Do you have a separate tape per-user?
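      The per-user backup split that the comment above reasons about, as an added illustration that is not from the thread or from any real backup tool: each backup generation holds one shared segment for non-user data plus one segment per user, each listed in a manifest with its hash, so erasing a user drops their segment from every generation at once while every remaining generation still verifies. The `Generation` and `BackupStore` names and the in-memory store are assumptions made for the example.

```python
"""Per-user backup segmentation (added illustration, not from the thread).

Each backup generation holds one 'shared' segment (non-user data) plus one
segment per user, each recorded in a manifest with its SHA-256. Erasing a
user removes their segment from every generation at once; the remainder of
each generation still verifies against its manifest.
"""
import hashlib
import json
from dataclasses import dataclass, field


def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


@dataclass
class Generation:
    """One backup run: shared data plus per-user segments, with a manifest."""
    label: str
    segments: dict = field(default_factory=dict)   # name -> bytes
    manifest: dict = field(default_factory=dict)   # name -> sha256 hex

    def add(self, name: str, payload: bytes) -> None:
        self.segments[name] = payload
        self.manifest[name] = digest(payload)

    def verify(self) -> bool:
        # Every manifest entry needs a segment with the right hash, and no
        # segment may exist without a manifest entry (nothing orphaned).
        if set(self.segments) != set(self.manifest):
            return False
        return all(digest(self.segments[n]) == h for n, h in self.manifest.items())


class BackupStore:
    """In-memory stand-in for a backup target (assumption for the example)."""

    def __init__(self) -> None:
        self.generations: list[Generation] = []

    def backup(self, label: str, shared: dict, per_user: dict) -> Generation:
        gen = Generation(label)
        gen.add("shared", json.dumps(shared, sort_keys=True).encode())
        for user_id, record in per_user.items():
            gen.add(f"user:{user_id}", json.dumps(record, sort_keys=True).encode())
        self.generations.append(gen)
        return gen

    def erase_user(self, user_id: str) -> int:
        """Drop a user's segment from every generation; return how many were removed."""
        name = f"user:{user_id}"
        removed = 0
        for gen in self.generations:
            if name in gen.segments:
                del gen.segments[name]
                del gen.manifest[name]
                removed += 1
        return removed

    def copies_of(self, user_id: str) -> int:
        return sum(f"user:{user_id}" in g.segments for g in self.generations)

    def verify_all(self) -> bool:
        return all(g.verify() for g in self.generations)


def demo() -> dict:
    # Constructed sample data: three weekly backups of a shared config plus two users.
    store = BackupStore()
    users = {"u1": {"email": "a@example.test"}, "u2": {"email": "b@example.test"}}
    for week in range(3):
        store.backup(f"week-{week}", {"schema": 7, "prices": [1, 2]}, users)
    removed = store.erase_user("u1")
    return {"removed": removed, "u1_left": store.copies_of("u1"),
            "u2_left": store.copies_of("u2"), "consistent": store.verify_all()}


if __name__ == "__main__":
    print(demo())
```

      For offline media such as tapes, the same segment-per-user split is what lets an erasure be honoured without rewriting the whole tape set.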

  3. Lawyers always win by Anonymous Coward · · Score: 0, Insightful

    Great, yet another piece of rulemaking that requires a lawyer to get paid. Yes, GDRP is a payday for lawyers, and doesn't do squat for privacy. Somewhere, buried in the boilerplate is a get out of jail free card, but GDRP requires you to have yet another lawyer, called the "data controller" on staff. That's kind of expensive for small businesses, but the point is to prevent small businesses from disrupting the marketplace. They'll tell you that the "data controller" doesn't have to be a lawyer, but since the "data controller" is completely liable, personally, under GDRP for any real or imagined breach, they better have studied the law very deliberately ... which is to say, they have to be a trained lawyer.

    GDRP is a protectionist move, it's designed to protect large, ossified European companies from competition.

    1. Re: Lawyers always win by Anonymous Coward · · Score: 0

      Sometimes you get the bear and sometimes the bear gets you

    2. Re:Lawyers always win by Anonymous Coward · · Score: 0

      Well, that's the fucking way you want it, isn't it? You want everyone to be able to sue everyone all the time. That's the fucking foundation of your stupid country. But now you want it the other way?

    3. Re:Lawyers always win by Waffle+Iron · · Score: 3, Insightful

      but since the "data controller" is completely liable, personally, under GDRP for any real or imagined breach

      So they actually made somebody liable for data breaches?

      Sounds good to me, whether big company or small. Let's do it.

    4. Re:Lawyers always win by Anonymous Coward · · Score: 0

      Have you heard about the demand for "no taxation without representation"? This is very similar, because the GDPR is "liability without authority". The GDPR makes demands of businesses that small businesses cannot possibly satisfy without closing shop. In practice, most businesses just continue doing what they did before, but now they have this liability hanging over their heads. It's a massively stupid law that will only lead to further advantages for big business. It does not help with privacy, but it litters web pages with useless messages, which you can't disable unless you allow cookies (more overlays). It's one big giant clusterfuck.

    5. Re: Lawyers always win by Anonymous Coward · · Score: 2, Informative

      This is incorrect. The data controller generally refers to the organization that is responsible for processing personal information. Some companies are however required to have a data protection officer.

      GDPR is essentially the general principles for privacy that have been codified into law. It probably improves privacy a lot over a few years. It is complicated, but in a few years it will probably be natural to always consider privacy.

      I work as a data protection officer myself.

    6. Re:Lawyers always win by Waffle+Iron · · Score: 4, Insightful

      It's not my problem if an outfit is too small to responsibly handle my data. They need to up their game on security or get out.

    7. Re:Lawyers always win by Guybrush_T · · Score: 4, Insightful

      That, or stop asking customers for tons of personal information and then storing it in an xls file accessible to everyone on the cloud.

      That's by far the biggest win of GDPR. And small shops in EU didn't disappear due to GDPR. They just need to stop doing stupid things that will hurt them and their customers.

    8. Re:Lawyers always win by WolfgangVL · · Score: 4, Insightful

      Boo-hoo, cry me a river. If safeguarding my personal information puts your business in the red, then maybe you should stop collecting so much personal information.

      You want to hoover up every bit of PI you can find about me, you're on the hook to safeguard it. As it stands right now, there is no reason not to gobble up every little data point you can get your hands on, no matter if it's relevant to your business/service or not. When you lose it (you will) you lose nothing.

      Over the past 5 years or so, have you noticed how every damn thing wants you to set up a profile? Notice how these profiles are asking all sorts of different data points that have shit-nothing to do with the provided service? Right now there is no reason not to ask for everything from sexual preference to political association, and turn around and sell to the first bidder.

      There are freemium services, and then there is what we have now. Something has got to change. If I have to click through a "we use cookies" banner from time to time, and in return, my valuable personal information is treated with a little respect.... I'm ok with that.

      --
      You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.

    9. Re:Lawyers always win by Anonymous Coward · · Score: 0

      They'll tell you that the "data controller" doesn't have to be a lawyer,

      Data controller doesn't have to be a lawyer. ;)

      but since the "data controller" is completely liable, personally, under GDRP for any real or imagined breach, they better have studied the law very deliberately ... which is to say, they have to be a trained lawyer.

      The company is liable if it hasn't acted with the reasonable effort. The recommendations of applying the regulation were still in flux last time I heard.

    10. Re:Lawyers always win by ceoyoyo · · Score: 2

      OR, you could just not collect personal information. Yeah, I know, radical solution.

    11. Re:Lawyers always win by cdwiegand · · Score: 2

      Just because the recommendations were "in flux" doesn't magically absolve potential liability. You are not a US criminal lawyer. And reasonable effort is decided by a judge and/or jury - not a CEO, a lawyer, or the public, unwashed masses of social media. And it can be decided many years after the fact, since the law is now on the books. The fact that you don't know, for sure, exactly HOW to follow it doesn't mean you're absolved from needing to follow it anyways.

      --
      . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.

    12. Re: Lawyers always win by Anonymous Coward · · Score: 0

      in Soviet Russia...bear always wins

    13. Re:Lawyers always win by Zmobie · · Score: 3, Informative

      I call your bullshit. I know what the regulation requires and this is nothing but a bunch of arguments that some asshole executive at Google would parrot out. Small companies can easily comply with a large swath of the regulations without that much more effort. Most of my software and infrastructure I have at my HOUSE, developed exclusively by me, can comply with the regulations. The only people that have issues with this are people that were recklessly throwing out hot garbage to snag a quick buck at someone else's expense, companies that make most of their money from dragnet style data collection of users, or people that heard some talking head drone on about "undue hardship and government overreach."

      I plan to start a software company (without some random jackass giving me free money) within the next decade and I fully support these regulations being implemented in the US.

    14. Re:Lawyers always win by Anonymous Coward · · Score: 0

      The GDPR makes demands of businesses that small businesses cannot possibly satisfy without closing shop.

      [citation needed]

    15. Re:Lawyers always win by Anonymous Coward · · Score: 0

      We are talking about administrative fees and compensations for damages, not criminal punishments. The showing of effort is something a company does to the supervising authorities since this is a regulation. Those authorities act by the power their respective governments have given them, so the actual result is dependent on the behaviour of the company, the individuals involved and the country in question. Also the EU regulation is working as the base level in some areas. Would a similar federal regulation in the US take a similar form? That I cannot answer.

    16. Re:Lawyers always win by Anonymous Coward · · Score: 0

      Let the hate flow through you. It will be your problem when you've eliminated the small shops through stupid legislation. The GDPR is not about security, btw.. Nobody is liable for losing your data in a hack, provided they were allowed to collect that data. We're still being tracked everywhere. Nothing much has changed in the EU, except now there are tons of web site overlays telling us how our data is allegedly used. If you want web sites to constantly lie to you instead of showing you what you wanted to read, by all means, follow our lead.

    17. Re:Lawyers always win by Anonymous Coward · · Score: 0

      Yeah, we'll ship your stuff to the Christmas elves, maybe they can deliver it to you. Oh wait, we're legally required to collect and keep your data for a decade, including your payment data and the things you ordered, or the tax man will shut us down.

    18. Re:Lawyers always win by Anonymous Coward · · Score: 0

      Well, I support GDPR-like regulation in the US now, for the single reason that it will fuck smug guys like you over. The GDPR has done absolutely nothing positive for anyone, but it is a huge drag on small businesses and even more so on non-profit clubs and associations. Not because they're doing anything different: The data is still collected, it is still processed the same as before, but everybody just hands out waiver forms left and right. This causes MORE data to be collected and is a great nuisance, just like the web site overlays that tell you about the data collection, which you can't turn off (the overlays and the data collection), because that would mean you would have to store cookies, which are used to track you MORE.

      The few people who realize how extensive their liability is have called it quits, especially those who did the accounting and organizing for local clubs. There will be waves of clubs disappearing when the first lawsuits start coming because someone has a grievance and uses the GDPR to get back at someone. All this for NOTHING. It doesn't help at all. The GDPR is braindead stupid legislation.

    19. Re:Lawyers always win by Anonymous Coward · · Score: 0

      The GDPR makes demands of businesses that small businesses cannot possibly satisfy without closing shop.

      Or you can read GDPR and realize that small businesses don't even have the resources to violate GDPR.

      And all those useless messages you are complaining about, if you don't gather information about your visitors in a way that can be tied to their person then you don't need them.
      If any message like that pops up then the page you are visiting is gathering data on you to sell to advertisers.

      GDPR has no impact on businesses who don't engage in sketchy stuff to begin with.

    20. Re:Lawyers always win by Anonymous Coward · · Score: 0

      That isn't a problem.
      You just can't sell that information to a third party and if your customer asks you what data you have on them you need to hand it over.
      It isn't hard to comply with GDPR, you just have to ask "is there an ethical problem with doing this" and not do it if there is.

    21. Re:Lawyers always win by Anonymous Coward · · Score: 0

      Right, there is no problem if you keep that data in an online database, WHERE IT ISN'T SAFE, for ten years. There is a problem if you have to search an offline archive every time some uppity asshole decides they want to know all the data you store about them because the fucking law requires you to.

      You idiots think it's just super great that all the data collectors got what they had coming, but in reality this doesn't affect the trackers at all: You're still being tracked. It affects the many more businesses and people who only deal with data about you because that's the only way to do their job, who don't collect anything that they don't have to, but now have this additional liability hanging over their heads, who need to comply with information requirements, who don't have the systems to just spit out a complete dossier on you because their profession isn't fucking data hoarder.

    22. Re:Lawyers always win by Anonymous Coward · · Score: 0

      If a small business "needs" to run 38 different third-party scripts, style sheets and IFRAMEs that add nothing functional to the website whatsoever and do nothing but scrape my data for profit, I would gladly set fire to those small businesses myself. Laws like this help me save on matches and kerosene.

    23. Re:Lawyers always win by Anonymous Coward · · Score: 0

      The sites that ran 38 third party scripts now run 39, to inform you about the data collection and your rights under the GDPR. The sites I'm talking about aren't even collecting your data (except probably standard web server logs), but now they've added a big disclaimer about how they use cookies and record logs to maintain their web site. And you better allow those cookies to be stored, because what you get now when you delete cookies is that big fat disclaimer every time you visit the web site. The legislature found this information important enough that it couldn't possibly be "hidden" on the imprint page that every site is required to have. It has to be on every page, so it's an overlay now and you can't get rid of it permanently unless you allow the tracking cookies. And let's talk about web server logs: Really? That's the privacy violation, because there are IP addresses in there? Not the fact that ISPs are now required by law to give anyone with a reasonable claim your personal information in return for an IP address and a date and time, no warrant required?

      You have been fooled. The GDPR is just a way of making sure that all data handling will be done by big players, who can afford the lawyers to tell you to fuck off if you want to make sure your data is actually handled properly. Data is the new gold! The GDPR is as much about data protection as the GDR was a democratic republic.

    24. Re:Lawyers always win by Anonymous Coward · · Score: 0

      Indeed. Furthermore, that 10-year data retention requirement could be satisfied offline. It's amazing how much security you can add to your customer data just by utilizing a printer, some paper and a filing cabinet.

    25. Re:Lawyers always win by Anonymous Coward · · Score: 0

      That's exactly right: The only sane option is not to handle data digitally. That sounds like an excellent law, doesn't it.

    26. Re: Lawyers always win by Anonymous Coward · · Score: 0

      Ridiculous. You didn't even make an effort to spell the acronym right, GDPR.
      There are exemptions for businesses under a certain size so your whole argument about this stifling small business thing falls down.

    27. Re:Lawyers always win by Zmobie · · Score: 1

      Did you read half of what I said? I have actually had full training on what this legislation entails and how to comply with it. You are completely idiotic if you think this is going to harm a bunch of clubs and not for profits.

      First, private citizens don't determine if someone was acting recklessly, they still have to follow the EU version of due process. Second, how much data do you think these clubs are collecting on members? If you have a damn sign up form and take down information about a person you put a fucking disclaimer at the bottom and they e-sign. Done. Unless your club is collecting a bunch of information related to the user's offsite browsing habits this isn't much of an issue. It does make sure you actually handle the data responsibly and not leave it sitting on an open AWS server for any idiot to stumble across.

      Moving on to your next hand waving bullshit, more data collected? Really? You do realize if they collect MORE data then they are creating a greater risk for themselves to mishandle it, abuse it, or draw a serious fine for it even accidentally (which is the point, this is to disincentivize mass data collection). What it has ACTUALLY done is to force the companies to reveal the data they were already collecting because they couldn't stop quick enough due to loss of revenue and/or strategy. Furthermore there are penalties for them not allowing a user to turn off data collection that is considered non-essential for the business services. If what you are saying is true all those companies will get some nasty fines levied against them very soon.

      Anyone who called it quits because of this is basically as chicken shit and uninformed as you are given the fact that most of your statements show a complete lack of understanding about what the GDPR is actually regulating. Basically you sound like one of the last people I mentioned before and you are parroting what some talking head told you. Please stop posting, locate your brain, use it to do some basic research, critically think about it, and then try again. If you can come up with some informed arguments come back and talk to me, otherwise stop supporting the shadow dragnet of Corporate America just because some pundit told you to.

    28. Re:Lawyers always win by Anonymous Coward · · Score: 0

      I've read the brochure too, but I am also seeing what the GDPR actually does, thank you very much. You still seem to think it only applies to the way people run their web sites. It does not.

    29. Re:Lawyers always win by Zmobie · · Score: 1

      Except I work for a POS manufacturer and actually write software for a living. What part of I have had actual training on this do you not understand? You know what go ahead and continue to buy into the false bill of goods you're being sold and ignore people that have literally years more experience in a field than you do. I'm sure you know better after reading the Wikipedia page for 10 minutes.

  4. Ha like this will ever work by Anonymous Coward · · Score: 0

    Why the fuck do people want more government?

    1. Re:Ha like this will ever work by Anonymous Coward · · Score: 3, Insightful

      Why the fuck do people want more government?

      People don't want more government. They want big corporations to stop fucking them. Unfortunately, the only way to do this is to get the government involved.

    2. Re:Ha like this will ever work by Anonymous Coward · · Score: 0

      "Unfortunately, the only way to do this is to get fucked by the government instead."

      There, fixed that for you.

    3. Re:Ha like this will ever work by Anonymous Coward · · Score: 0

      Buying a product from said big corporation is voluntary. If you fucking use facebook it's your own fault.

  5. Hurray!!! by steak · · Score: 1

    Quacks around the country rejoice!

  6. Right. Who wants rights? And privacy! by Anonymous Coward · · Score: 0

    Certainly not the average well-programmed American worker drone.

    Soo annoying, those damn rights!

  7. It is hard not to be a conspiracy theorist... by lsco · · Score: 1

    Of course! Let's give the semblance of privacy online while the NSA and security agencies gobble all your data. Seems the general person is too lazy to look after (or care about) their own privacy.

    1. Re: It is hard not to be a conspiracy theorist... by Anonymous Coward · · Score: 0

      It's not about being lazy. It's about understanding and accepting that there are things we can't do anything about. There is no way we can change anything as citizens so the sensible thing to do is moving on with our lives. It's called maturity. Grow up.

  8. the merkin version by Anonymous Coward · · Score: 0

    we are your corporate overlords, we are rich, all your data belongs to us and you will bend over and take it pussies cause anything else is SOCIALISM !!

  9. Not "big" corporations, but all organizations by Anonymous Coward · · Score: 0

    I'm unhappy when my doctor captures my data just as much as I am when Yahoo, Google, FB, Twitter, Verizon, AT&T, Comcast and the USGovt capture it unnecessarily. Actually, I'm a little pissed that they even have any of my data when I do not have any relationship with them.

    Individuals should have to opt-in to any data collection. I'm fine if google refuses to let me use any of their stuff because I refuse. Actually, that would be excellent and help to break their near monopoly.

    Opt-out is unacceptable for non-govt organizations.

  10. Ah, the My Campaign Needs More Dollars Act by SNRatio · · Score: 1

    It'll be a good way to get some of the wealthiest companies on earth to help re-elect everyone who opposes it.

  11. The "we use cookies" popups by Anonymous Coward · · Score: 0

    the biggest crock of shit that has ever infested the Internet. Data protection is fine, wasting users' time with idiotic popups is not.