Slashdot Mirror


GAO Gives Congress Go-ahead For a GDPR-like Privacy Legislation (zdnet.com)

An independent report authored by a US government auditing agency has recommended that Congress develop internet data privacy legislation to enhance consumer protections, similar to the EU's General Data Protection Regulation (GDPR). From a report: The 56-page report [PDF] was put together by the US Government Accountability Office (GAO), a bipartisan government agency that provides auditing, evaluation, and investigative services for Congress. Its reports are used for hearings and drafting legislation. The House Energy and Commerce Committee, which requested the GAO report two years ago, has scheduled a hearing for February 26, during which it plans to discuss GAO's findings and the possibility of drafting the US' first federal-level internet privacy law. If the committee's members were to follow GAO's conclusions, GDPR-like legislation should be coming to the US.

3 of 54 comments

  1. Re: Lawyers always win, by Anonymous Coward (Score: 2, Informative)

    This is incorrect. The data controller generally refers to the organization that is responsible for processing personal information. Some companies are however required to have a data protection officer.

    GDPR is essentially the general principles for privacy that have been codified into law. It probably improves privacy a lot over a few years. It is complicated, but in a few years it will probably be natural to always consider privacy.

    I work as a data protection officer myself.

  2. Re: Well, shit. by Zmobie (Score: 3, Informative)

    Except it really isn't that difficult to comply with GDPR regulations. I've had training on it since I work for an internationally present company, and it basically amounts to only a few tenets for most software.

    First, gather only information necessary to perform the tasks or services being offered. Any information gathered should be clearly stated in a way the user can understand and they should have easily accessible and granular controls for that information (i.e. don't bury the privacy toggle under 100 menus that don't even seem related) unless it is absolutely essential for basic operation. Finally, the user has a right to that information and should be able to get a copy of all of the data related to them and easily be able to request the irreversible deletion of that data at any time.

    There are other recommendations and compliance guidelines, but none of it is that complicated. Really it just protects users from having massive data harvesting efforts go on without their consent, gives some teeth to the courts to enforce the restrictions, and creates transparency about what a company is actually doing. I'm really not sure why people are so against it. Small companies don't even have the resources or wherewithal to be violating a large portion of the regulation without ill-intent from the start, and the violation penalties are based on the size of the company, users affected, and scales down based on their revenue. Hell, it hasn't even changed most of our development process at my job because we weren't violating this shit to begin with.
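    The three tenets the comment above lists (collect only what a stated purpose needs, give the user granular and understandable controls, and honour access and erasure requests) map onto a small amount of code. The following is an added example, not code from the commenter or from any real project: a toy in-memory user store in which the required field, the optional purposes and their fields, and the hashed-tombstone erasure record are all assumptions chosen for illustration.

```python
"""Added example: a tiny user-data store shaped by the GDPR tenets the
comment lists (data minimisation, granular consent, access, erasure).
Field names, purposes and the tombstone design are assumptions for
illustration, not taken from the page or from any real system."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields needed to deliver the core service (assumed purpose; no consent toggle).
REQUIRED_FIELDS = frozenset({"email"})

# Optional processing purposes and the extra fields each one justifies (assumed).
# Anything submitted beyond these is rejected up front rather than silently kept.
OPTIONAL_PURPOSES = {
    "newsletter": frozenset({"display_name"}),
    "analytics": frozenset({"region"}),
}


class DataMinimisationError(ValueError):
    """Raised when a caller tries to store fields that no active purpose justifies."""


@dataclass
class Subject:
    subject_id: str                                 # opaque internal id, not the email
    data: dict = field(default_factory=dict)
    consents: dict = field(default_factory=dict)    # purpose -> bool
    created_at: str = ""


class PrivacyStore:
    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}
        self._tombstones: dict[str, str] = {}       # sha256(subject_id) -> erased_at

    @staticmethod
    def _allowed_fields(consents: dict) -> frozenset:
        """Required fields plus whatever the currently granted purposes justify."""
        allowed = set(REQUIRED_FIELDS)
        for purpose, granted in consents.items():
            if purpose not in OPTIONAL_PURPOSES:
                raise ValueError(f"unknown purpose: {purpose}")
            if granted:
                allowed |= OPTIONAL_PURPOSES[purpose]
        return frozenset(allowed)

    def collect(self, subject_id: str, submitted: dict, consents: dict) -> Subject:
        """Data minimisation: store only what the stated purposes justify."""
        consents = {p: bool(consents.get(p, False)) for p in OPTIONAL_PURPOSES}
        allowed = self._allowed_fields(consents)
        extra = set(submitted) - allowed
        if extra:
            raise DataMinimisationError(f"fields not justified by any purpose: {sorted(extra)}")
        missing = REQUIRED_FIELDS - set(submitted)
        if missing:
            raise ValueError(f"required fields missing: {sorted(missing)}")
        subject = Subject(subject_id, dict(submitted), consents,
                          datetime.now(timezone.utc).isoformat())
        self._subjects[subject_id] = subject
        return subject

    def set_consent(self, subject_id: str, purpose: str, granted: bool) -> None:
        """Granular toggle: withdrawing consent also drops the fields that purpose justified."""
        subject = self._subjects[subject_id]
        if purpose not in OPTIONAL_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        subject.consents[purpose] = granted
        allowed = self._allowed_fields(subject.consents)
        for key in list(subject.data):
            if key not in allowed:
                del subject.data[key]

    def export(self, subject_id: str) -> str:
        """Right of access: everything held about the subject, as portable JSON."""
        subject = self._subjects[subject_id]
        return json.dumps({
            "subject_id": subject.subject_id,
            "data": subject.data,
            "consents": subject.consents,
            "created_at": subject.created_at,
        }, indent=2, sort_keys=True)

    def erase(self, subject_id: str) -> None:
        """Right to erasure: drop the record and keep only a non-identifying tombstone
        (hash of the opaque internal id plus a timestamp) as evidence that it happened."""
        del self._subjects[subject_id]
        digest = hashlib.sha256(subject_id.encode()).hexdigest()
        self._tombstones[digest] = datetime.now(timezone.utc).isoformat()

    def holds(self, subject_id: str) -> bool:
        return subject_id in self._subjects

    def was_erased(self, subject_id: str) -> bool:
        return hashlib.sha256(subject_id.encode()).hexdigest() in self._tombstones
```

The point the store makes is that the checks live at the write path: a field with no justifying purpose never enters the record, so there is nothing to clean up later, and withdrawing a consent purges the data it justified rather than merely flipping a flag. The erasure tombstone keeps only a digest of an opaque internal id, which lets the operator show that a request was honoured without retaining anything about the person.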

  3. Re: Lawyers always win, by Zmobie (Score: 3, Informative)

    I call your bullshit. I know what the regulation requires and this is nothing but a bunch of arguments that some asshole executive at Google would parrot out. Small companies can easily comply with a large swath of the regulations without that much more effort. Most of my software and infrastructure I have at my HOUSE, developed exclusively by me, can comply with the regulations. The only people that have issues with this are people that were recklessly throwing out hot garbage to snag a quick buck at someone else's expense, companies that make most of their money from dragnet style data collection of users, or people that heard some talking head drone on about "undue hardship and government overreach."

    I plan to start a software company (without some random jackass giving me free money) within the next decade and I fully support these regulations being implemented in the US.