freedomPusher


WTF is this about? Is uMatrix visible to the server and triggering this?

[–] freedomPusher@sopuli.xyz 1 points 3 days ago* (last edited 3 days ago) (1 children)

A “fund” is not an individual stock. A fund is a huge collection of stocks managed by someone else. I have had retirement accounts where I just get tick boxes like: aggressive, conservative, and moderate. If you look at the docs for a mutual fund, typically only their 10 biggest holdings are disclosed. They don’t bother to list the other 500+ holdings.

I would love to specify corporations who I want to blacklist and require funds to be filtered on that, but I have never seen an investment tool that has such a thing. If you find one, please let me know.

This person has the right idea:

https://sopuli.xyz/post/41286109

Of course to get that level of purity means ditching all mutual funds and other managed funds and just picking unmanaged/specific investments. Which he suggests could be a full-time job.

[–] freedomPusher@sopuli.xyz 2 points 3 days ago* (last edited 3 days ago)

Wait, are they saying that when hosting services

Is “they” me? Hosting services is not an issue because it’s a service, which means the hosting service has a GDPR obligation to express in plain language how data is processed. Code transparency does not matter in that regard.

When a controller pushes closed-source software onto data subjects who are expected to execute it on their own equipment, then the GDPR hole manifests. The controller has no obligation to tell you how your data is processed by their black box software. And worse, they go as far as to contractually block you from studying the code. In this case, your only hope for transparency is to use FOSS instead. And (as you say) that ad hoc privilege is only useful for those who can read code. But at least reviewers can explain in plain language to others what the code does.

If “they” is Google, Google is claiming closed source benefits data protection:

“Walker suggested that American companies could collaborate with European firms to implement measures ensuring data protection. Local management or servers located in Europe to store information are among the options.”

[–] freedomPusher@sopuli.xyz 1 points 3 days ago (3 children)

That probably includes anyone with a retirement account. It must require quite some effort to pick funds that exclude Alphabet Inc.

[–] freedomPusher@sopuli.xyz 1 points 3 days ago

The only Google anything I use is my email for ‘official’

Why is that? Most public services use Microsoft for email, I find. I boycott both; which means I am mostly using postal mail.

[–] freedomPusher@sopuli.xyz 1 points 3 days ago* (last edited 3 days ago)

Indeed. And as well, even if growth were needed, Google is advocating for US growth at Europe’s expense.

[–] freedomPusher@sopuli.xyz 1 points 3 days ago* (last edited 3 days ago) (1 children)

Did you try eating the peppers after the tincture is made? I wonder how effective the alcohol-based extraction is.. if there is any residual capsaicin left in the peppers.

 

GDPR Art.5 and other parts try to guarantee data subjects transparency on how their data is processed. The overlooked problem is when a data subject installs a closed-source app, they have no idea how their personal data is being processed inside that black box. And since the processing is performed by the data subject themself, they have no legal mechanism to become informed on how the data is processed.

FOSS solves this. FOSS is a crutch for a GDPR hole. Google’s advocacy is an assault on data protection. Yet they have the audacity to claim closed-source s/w gives a data protection benefit.

(update) Closed-source licenses → extra perverse

The last license agreement I read for a closed-source phone app prohibited studying the app or reverse-engineering it. So not only are data subjects technologically blocked from transparency on how their data is processed, they are also contractually blocked from even trying.

[–] freedomPusher@sopuli.xyz 7 points 3 days ago (1 children)

Walker argues that the market moves faster than legislation and warns that regulatory friction will only leave European consumers and businesses behind in what he calls “the most competitive technological transition we have ever seen.” … Kent Walker suggested that this initiative would stifle innovation and deny people access to the “best digital tools.”

The irony. Is the EU going to fall for this? Or does the EU realise that copyright is in fact the “regulatory friction” that “stifles innovation”?

[–] freedomPusher@sopuli.xyz 1 points 3 days ago* (last edited 3 days ago)

According to Google, the idea of replacing current tools with open-source programs would not contribute to economic growth.

Does Europe need growth?

And either way, how does making public service more costly by way of licensing fees increase growth in Europe? The license costs could instead be spent funding more European public workers. That’s growth, no?

Google is advocating for US growth at Europe’s expense.

Walker suggested that American companies could collaborate with European firms to implement measures ensuring data protection.

Closed-source software processes data non-transparently, thus compromising GDPR art.5. It’s also a shitty loophole around the GDPR, because when you run a closed-source app, you are technically the one processing the data.

It’s a hole in the GDPR that FOSS fixes.

[–] freedomPusher@sopuli.xyz 1 points 3 days ago* (last edited 3 days ago)

The DPA is not limited to fines. A DPA can give advice, issue warnings, and orders. A DPA is unlikely to use a heavy-handed but simultaneously ineffective or inappropriate tool for enforcement. The DPA also has discretion in the amount of the fine. The law at hand w.r.t this thread disempowers the DPA from fines -- which would be increasingly important for repeat offenders.

I think it’s far-fetched to suggest that a DPA would ruin or sink a school. But it would be sensible for the penalty limit to be lower for public data controllers if that concern is realistic. There could also be an imposed leniency on 1st time offences.

[–] freedomPusher@sopuli.xyz 1 points 3 days ago* (last edited 3 days ago) (2 children)

The alternative that you allude to is holding DPOs personally liable for breaches and non-compliance. Again nice in theory but in practice it means that in most cases you’re holding one person responsible for the actions of someone else.

I doubt it’s legal to hold someone personally liable. I know a bar owner who would do a money grab on his bartender’s paycheck whenever he did something objectionable. I don’t think that was legal, nor would I suggest it.

The main purpose of a legal person is to shield natural persons from lawsuits. The DPA would be fining the public agency as a whole.

The public agency should of course internally attribute the DPO’s failures to the DPO. From there, I doubt it would be legal to do an instant money grab on the DPO. But there are of course legally sound corrective actions. If the DPO is an outside agency, it’s simple to outsource to another provider of DPO services. If it’s a direct employee, they can be sacked or reassigned a different role. They could be given a pay cut in the future, like at their next annual appraisal, at which point they can decide whether to accept the new terms. They could be required to attend training. It’s a management issue.

My org had a high impact breach a couple of months ago.

A breach is not in itself an infringement by a data controller. But if the data controller was negligent in their infosec and not up to GDPR standards which is then attributed to the breach, then the negligence would be an infringement.

wouldn’t teach the DPO a lesson - they’ve done everything the law requires.

Without having the details I can only figure that if the DPO did everything the law requires, then a conviction and penalty has no merit in the 1st place.

And without knowing about your org, I cannot judge whether resources are being sensibly allocated. It sounds like GDPR compliance has a low priority there (which actually makes sense if the org is legally immune to GDPR fines anyway).

[–] freedomPusher@sopuli.xyz 1 points 3 days ago* (last edited 3 days ago)

I suggest posting that info to !climate_action_individual@slrpnk.net. That community would perhaps be useful for posing your question. Note these threads in particular:

[–] freedomPusher@sopuli.xyz 1 points 3 days ago* (last edited 3 days ago) (4 children)

Bad public services should be defunded. From there, data subjects benefit from the restructuring, which ensures the GDPR is taken seriously. The incompetent lose. They get shown the door. The people benefit from the money (which does not disappear) going to public services that respect their rights.

There is also deterrence. A DPO for a school who knows they could become responsible for the school losing funding due to their negligence will act more responsibly. The boss of the DPO who also knows a fine is possible will hire a qualified DPO, as opposed to a clown. When a data subject makes a GDPR request, the DPO and school won’t laugh at it (which is what happens now).

Imagine a school gets fined £100k.

It sounds like you have selected a suboptimal amount, by your own admission.

Absolutely nobody benefits from a fine. Everyone loses.

Privacy is a human right. Throwing human rights under the bus harms the data subjects. Data subjects benefit from effective GDPR enforcement. In the EU, such a circumstance harms the whole EU because the protection is not uniform. The GDPR becomes spotty, hit and miss.. unreliable.

 

Replace your bank accounts, change your SSN, change employers, and move address. All your data has been compromised. Specifically:

  • social security numbers
  • medical and mental health records
  • bank and credit card information
  • tax details
  • work histories
  • home addresses

Avoid opening new accounts at these banks:

https://git.disroot.org/cyberMonk/liberethos_paradigm/src/branch/master/usa_banks.md

 

cross-posted from !foss_requests@libretechni.ca

In light of this news, we need a browser that looks like a search engine crawler.

This would equalise the problem of websites giving preferential treatment to crawlers and lousy treatment to the rest.

My question is: assuming all headers could mimic a crawler, would that be sufficient? Or do paywalls take IP address into account? And if so, would it work to subscribe to Google Cloud just to get an IP address in Google’s ranges and use that for crawling?

 

cross-posted from !netneutrality@sopuli.xyz

12ft.io was a clever service that exploited the fact that paywalls allowed Google to crawl their articles. By licking the boots of Google’s crawler, paywalls pollute the search index with their exclusive/closed content. Enshittification culminates by getting paywalls in our search results.

12ft.io gave people direct access to Google’s caches, so we could read the text that feeds Google’s index.

☠ 12ft.io is apparently dead now. “404 page not found”. wtf. We just lost an important disenshittification mechanism. The linked news hit ~½ a year ago, but seems to have taken some time to actually play out.

 

12ft.io was a clever service that exploited the fact that paywalls allowed Google to crawl their articles. By licking the boots of Google’s crawler, paywalls pollute the search index with their exclusive/closed content. Enshittification culminates by cluttering our search results with paywalls.

12ft.io gave people direct access to Google’s caches, so we could read the text that feeds Google’s index.

☠ 12ft.io is apparently dead now. “404 page not found”. wtf. We just lost an important disenshittification mechanism. The linked news hit ~½ a year ago, but seems to have taken some time to actually play out.

(update)

Call to action: someone plz make an onion replacement for 12ft.io.

smry.ai is said to be the best 12ft.io alternative. But I just tried it and simply got a text version of the paywall registration nag. Same with https://removepaywalls.com/

 

The fosdem.org website has a rich history of FOSS tech presentations. It’s a good youtube-free place to find videos. But searches only reach the last event. Kinda sucks that we have to use a general search service to look through the archives.

This is barely fitting for this channel, but perhaps this is the most relevant community.

 

The linked article:

FATCA: Top EU court to decide if Belgium can share 'Accidental Americans' tax data with US

The article implies accidental Americans will get some protection that purposeful Americans will not. Yes, I know what accidental American means in layperson’s terms. I am surprised there is a legal distinction and wonder how the law defines it.

 

Gem from the article:

Under Article 221, §2 of the Belgian Data Protection Act of 30 July 2018, public bodies are exempt from GDPR fines in Belgium.

So Belgian public services have no incentive to comply with the GDPR.

Yikes. The money taken by fines does not disappear. It would normally move from one public pot to another public pot.

(update) less confusing source: https://eurocloud.org/news/article/no-gdpr-fines-for-public-sector-bodies-at-all-no-discrimination-and-no-problem/

It’s also interesting to see the comment on this case.

 

This mirror:

http://iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/

gives:

Qubes-R4.3.0-x86_64/                               19-Dec-2025 09:48                   -
Qubes-R4.2.4-x86_64.iso                            17-Feb-2025 22:11          7266004992
Qubes-R4.2.4-x86_64.iso.DIGESTS                    17-Feb-2025 22:11                1251
Qubes-R4.2.4-x86_64.iso.asc                        17-Feb-2025 22:11                 833
Qubes-R4.2.4-x86_64.torrent                        17-Feb-2025 22:11              139199
Qubes-R4.3.0-x86_64.iso                            19-Dec-2025 01:17          8176568320
Qubes-R4.3.0-x86_64.iso.DIGESTS                    19-Dec-2025 01:17                1251
Qubes-R4.3.0-x86_64.iso.asc                        19-Dec-2025 01:17                 833
Qubes-R4.3.0-x86_64.torrent                        19-Dec-2025 01:17              156518

I see no way for someone with R4.2.4 to obtain R4.3.0 by just fetching the changes. Is that correct? If we want to maintain a copy of the latest ISO, we must grab the whole ~8 GB ISO file every release?

I checked a couple mirrors (not all of them), and saw no jigdo templates.
