Slashdot Mirror


GAO Gives Congress Go-ahead For a GDPR-like Privacy Legislation (zdnet.com)

An independent report authored by a US government auditing agency has recommended that Congress develop internet data privacy legislation to enhance consumer protections, similar to the EU's General Data Protection Regulation (GDPR). From a report: The 56-page report [PDF] was put together by the US Government Accountability Office (GAO), a bi-partisan government agency that provides auditing, evaluation, and investigative services for Congress. Its reports are used for hearings and drafting legislation. The House Energy and Commerce Committee, which requested the GAO report two years ago, has scheduled a hearing for February 26, during which it plans to discuss GAO's findings and the possibility of drafting the US' first federal-level internet privacy law. If the committee's members were to follow GAO's conclusions, GDPR-like legislation should be coming to the US.

16 of 54 comments

  1. Re:Ha like this will ever work by Anonymous Coward · · Score: 3, Insightful

    Why the fuck do people want more government?

    People don't want more government. They want big corporations to stop fucking them. Unfortunately, the only way to do this is to get the government involved.

  2. Re:Lawyers always win by Waffle+Iron · · Score: 3, Insightful

    but since the "data controller" is completely liable, personally, under GDPR for any real or imagined breach

    So they actually made somebody liable for data breaches?

    Sounds good to me, whether big company or small. Let's do it.

  3. Re: Lawyers always win by Anonymous Coward · · Score: 2, Informative

    This is incorrect. The data controller generally refers to the organization that is responsible for processing personal information. Some companies are however required to have a data protection officer.

    GDPR is essentially the general principles for privacy that have been codified into law. It probably improves privacy a lot over a few years. It is complicated, but in a few years it will probably be natural to always consider privacy.

    I work as a data protection officer myself.

  4. Hurray!!! by steak · · Score: 1

    Quacks around the country rejoice!

  5. Re:Lawyers always win by Waffle+Iron · · Score: 4, Insightful

    It's not my problem if an outfit is too small to responsibly handle my data. They need to up their game on security or get out.

  6. Re:Lawyers always win by Guybrush_T · · Score: 4, Insightful

    That, or stop asking customers for tons of personal information and then storing it in an xls file accessible to everyone on the cloud.

    That's by far the biggest win of GDPR. And small shops in EU didn't disappear due to GDPR. They just need to stop doing stupid things that will hurt them and their customers.

  7. Re:Lawyers always win by WolfgangVL · · Score: 4, Insightful

    Boo-hoo, cry me a river. If safeguarding my personal information puts your business in the red, then maybe you should stop collecting so much personal information.

    You want to hoover up every bit of PI you can find about me, you're on the hook to safeguard it. As it stands right now, there is no reason not to gobble up every little data point you can get your hands on, no matter if it's relevant to your business/service or not. When you lose it (you will) you lose nothing.

    Over the past 5 years or so, have you noticed how every damn thing wants you to set up a profile? Notice how these profiles are asking all sorts of different data points that have shit-nothing to do with the provided service? Right now there is no reason not to ask for everything from sexual preference to political association, and turn around and sell to the first bidder.

    There are freemium services, and then there is what we have now. Something has got to change. If I have to click through a "we use cookies" banner from time to time, and in return, my valuable personal information is treated with a little respect.... I'm ok with that.

    --
    You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.

  8. It is hard not to be a conspiracy theorist... by lsco · · Score: 1

    Of course! Let's give the semblance of privacy online while the NSA and security agencies gobble all your data. Seems the general person is too lazy to look after (or care about) their own privacy.

  9. Re:Lawyers always win by ceoyoyo · · Score: 2

    OR, you could just not collect personal information. Yeah, I know, radical solution.

  10. Re:Lawyers always win by cdwiegand · · Score: 2

    Just because the recommendations were "in flux" doesn't magically absolve potential liability. You are not a US criminal lawyer. And reasonable effort is decided by a judge and/or jury - not a CEO, a lawyer, or the public, unwashed masses of social media. And it can be decided many years after the fact, since the law is now on the books. The fact that you don't know, for sure, exactly HOW to follow it doesn't mean you're absolved from needing to follow it anyways.

    --
    . Define sqrt(x) as something really evil like (x / rand()), and bury it deep. Watch your coworkers go nuts.

  11. Ah , the My Campaign Needs More Dollars Act by SNRatio · · Score: 1

    It'll be a good way to get some of the wealthiest companies on earth to help re-elect everyone who opposes it.

  12. Re: Well, shit. by Zmobie · · Score: 3, Informative

    Except it really isn't that difficult to comply with GDPR regulations. I've had training on it since I work for an internationally present company, and it basically amounts to only a few tenets for most software.

    First, gather only information necessary to perform the tasks or services being offered. Any information gathered should be clearly stated in a way the user can understand and they should have easily accessible and granular controls for that information (i.e. don't bury the privacy toggle under 100 menus that don't even seem related) unless it is absolutely essential for basic operation. Finally, the user has a right to that information and should be able to get a copy of all of the data related to them and easily be able to request the irreversible deletion of that data at any time.

    There are other recommendations and compliance guidelines, but none of it is that complicated. Really it just protects users from having massive data harvesting efforts go on without their consent, gives some teeth to the courts to enforce the restrictions, and creates transparency about what a company is actually doing. I'm really not sure why people are so against it. Small companies don't even have the resources or wherewithal to be violating a large portion of the regulation without ill-intent from the start, and the violation penalties are based on the size of the company, users affected, and scales down based on their revenue. Hell, it hasn't even changed most of our development process at my job because we weren't violating this shit to begin with.

  13. Re:Lawyers always win by Zmobie · · Score: 3, Informative

    I call your bullshit. I know what the regulation requires and this is nothing but a bunch of arguments that some asshole executive at Google would parrot out. Small companies can easily comply with a large swath of the regulations without that much more effort. Most of my software and infrastructure I have at my HOUSE, developed exclusively by me, can comply with the regulations. The only people that have issues with this are people that were recklessly throwing out hot garbage to snag a quick buck at someone else's expense, companies that make most of their money from dragnet style data collection of users, or people that heard some talking head drone on about "undue hardship and government overreach."

    I plan to start a software company (without some random jackass giving me free money) within the next decade and I fully support these regulations being implemented in the US.

  14. Re:Lawyers always win by Zmobie · · Score: 1

    Did you read half of what I said? I have actually had full training on what this legislation entails and how to comply with it. You are completely idiotic if you think this is going to harm a bunch of clubs and not for profits.

    First, private citizens don't determine if someone was acting recklessly, they still have to follow the EU version of due process. Second, how much data do you think these clubs are collecting on members? If you have a damn sign up form and take down information about a person you put a fucking disclaimer at the bottom and they e-sign. Done. Unless your club is collecting a bunch of information related to the user's offsite browsing habits this isn't much of an issue. It does make sure you actually handle the data responsibly and not leave it sitting on an open AWS server for any idiot to stumble across.

    Moving on to your next hand waving bullshit, more data collected? Really? You do realize if they collect MORE data then they are creating a greater risk for themselves to mishandle it, abuse it, or draw a serious fine for it even accidentally (which is the point, this is to disincentivize mass data collection). What it has ACTUALLY done is to force the companies to reveal the data they were already collecting because they couldn't stop quick enough due to loss of revenue and/or strategy. Furthermore there are penalties for them not allowing a user to turn off data collection that is considered non-essential for the business services. If what you are saying is true all those companies will get some nasty fines levied against them very soon.

    Anyone who called it quits because of this is basically as chicken shit and uninformed as you are given the fact that most of your statements show a complete lack of understanding about what the GDPR is actually regulating. Basically you sound like one of the last people I mentioned before and you are parroting what some talking head told you. Please stop posting, locate your brain, use it to do some basic research, critically think about it, and then try again. If you can come up with some informed arguments come back and talk to me, otherwise stop supporting the shadow dragnet of Corporate America just because some pundit told you to.

  15. Re:Lawyers always win by Zmobie · · Score: 1

    Except I work for a POS manufacturer and actually write software for a living. What part of I have had actual training on this do you not understand? You know what go ahead and continue to buy into the false bill of goods you're being sold and ignore people that have literally years more experience in a field than you do. I'm sure you know better after reading the Wikipedia page for 10 minutes.

  16. Re: Well, shit. by DeVilla · · Score: 1

    I don't really disagree with what you say, but I think it could be hard to retrofit into an existing service. It's well thought out and if you have it in mind, it's actually pretty useful for reasoning about how to protect the data and support the required functionality.

    It's hard to say what would be most difficult since that is kind of dependent on the service in question. My read, though, is that backups will be a general problem. It's not uncommon to store files for multiple users in one file system or records for multiple users in one DB. If you save more than 1 month's worth of backups, you either need to nuke all your backups any time someone requests their data be removed or you need a backup strategy that backs up non-user and per-user data separately. You need to be able to discard all the backups for a user at once. And you need the remainder of the backup to still be consistent.

    Like the other problems, if you plan for it, you can probably implement a general solution, but I'm not aware of any backup tools that would make this easy. And then there are offline backups. Do you have a separate tape per user?
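The per-user backup split that the last comment asks for, as an added example (not code from the thread or from any backup tool): each backup generation keeps a shared segment plus one hashed segment per user, so an erasure request drops just that user's segment from every retained generation and the rest of each backup still verifies. The record layout and the three users are constructed sample data.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample store: non-user config mixed with per-user records,
# the situation the comment describes (many users in one DB/file system).
RECORDS = [
    {"kind": "config", "key": "theme", "value": "dark"},
    {"kind": "user", "user": "alice", "field": "email", "value": "alice@example.test"},
    {"kind": "user", "user": "bob", "field": "email", "value": "bob@example.test"},
    {"kind": "user", "user": "alice", "field": "phone", "value": "+1-555-0100"},
]


def make_backup(records):
    """Split records into a '_shared' segment plus one segment per user.
    Each segment carries its own hash, so the manifest can be checked
    after any segment is removed."""
    segments = defaultdict(list)
    for rec in records:
        owner = rec["user"] if rec["kind"] == "user" else "_shared"
        segments[owner].append(rec)
    backup = {}
    for owner, recs in segments.items():
        blob = json.dumps(recs, sort_keys=True).encode()
        backup[owner] = {"blob": blob, "sha256": hashlib.sha256(blob).hexdigest()}
    return backup


def erase_user(backups, user):
    """Honour an erasure request across every retained backup generation by
    dropping only that user's segment. Returns how many generations changed."""
    removed = 0
    for generation in backups:
        if generation.pop(user, None) is not None:
            removed += 1
    return removed


def verify(backup):
    """Integrity check: every remaining segment still matches its recorded hash."""
    return all(hashlib.sha256(s["blob"]).hexdigest() == s["sha256"] for s in backup.values())


def restore(backup):
    """Rebuild the record list from whatever segments remain."""
    records = []
    for segment in backup.values():
        records.extend(json.loads(segment["blob"]))
    return records
```

For offline media that cannot be rewritten, the same split is what makes per-user encryption keys workable: encrypt each user's segment under its own key and retire the key on erasure, so the tape need not be touched.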