Whenever I encounter the label “made in EU”, “Germany”, “Estonia”, “France” … in the footer of a web project, which implies enhanced data-protection, apparently, I wonder:

How can it be so? There’re some data-protection laws, yes. But one can’t control a hosting provider 24h/day. One can’t know whether an employer there copies all data on his memory-drivers.

Can’t the police, if need be, seize a server as easily as it would in any other country on Earth?

Don’t the majority of all countries in Europe share information with US intelligence under the 5 Eyes, 9 Eyes and 14 Eyes agreements, whereas the 2nd and 3rd world countries don’t?

How is it better than a label “made in South Africa”, “Thailand”, “Costa Rica”, “Egypt”, “Kuwait”?

I can see how “made in Germany” or EU makes a project worse in terms of privacy and data-protection. How could it make it better, though?

  • redfellow@sopuli.xyz · 1 year ago

    Don’t the majority of all countries in Europe share information with US intelligence? Whereas the 2nd and 3rd world countries don’t.

    We, in fact, do not. And knowing a project is hosted in EU helps to know that the company/hosting adheres to our privacy laws.

    And on the tinfoil hat side, anything not over the pond is less likely to contain NSA backdoors. And finally, no one’s “controlling” anyone, but the fines for breaking data protection laws aren’t slaps on wrists like typical company fines in the US. We’re talking of sums that can literally bankrupt a company/provider.

    • nothingness@lemmy.world (OP) · 1 year ago

      We, in fact, do not. And knowing a project is hosted in EU helps to know that the company/hosting adheres to our privacy laws.

      In fact, you do.

      Are you aware of 5 eyes, 9 eyes, 14 eyes or do you pretend that you don’t?

      And knowing a project is hosted in EU helps to know that the company/hosting adheres to our privacy laws.

      It doesn’t which I’ve explained why in my question.

      And the fact that you share data with the US intelligence nullifies it anyway.

      • redfellow@sopuli.xyz · 1 year ago

        Firstly: Your question was about data protection, not intelligence, and before you edited your question it did not contain one remark about X Eyes, which again, are intelligence sharing treaties and not about civilian data protection.

        Secondly: Europe consists of 44 countries. Even if some of them might have - and I’m not saying they do, as I don’t pretend to know everything - shitty laws in regards to privacy, the ones that I know have it alright, including where I live.

        Being EU based is better than what you listed, and better than US. We have a metric fuckton less surveillance (even though your question was about data protection), and companies are regularly fined very large sums if they break privacy laws.

        Lastly, please learn the difference between Europe and EU. You keep interchanging them in your post and it shows how little you actually understand.

    • diyrebel@lemmy.dbzer0.com · 1 year ago

      And knowing a project is hosted in EU helps to know that the company/hosting adheres to our privacy laws.

      That’s far fetched. You can say an EU-hosted service is bound by the GDPR, but adherence is a bit of a joke.

      the fines for breaking data protection laws aren’t slaps on wrists like typical company fines in the US. We’re talking of sums that can literally bankrupt a company/provider.

      Yes but there’s nothing to force the DPAs to enforce the law. If you file an article 77 complaint DPAs can just mothball your report forever. Not a single clause in the GDPR forces DPAs to properly treat art.77 complaints. So they don’t. They just treat enough to look like they’re doing something.

      • redfellow@sopuli.xyz · 1 year ago

        What are you on about? 4 415 801 704€ via over 1900 fines so far.

        Adherence is taken seriously. I should know, I have to deal with the article daily in my work, and clients are quite interested in learning how to keep their sites compliant.

        • diyrebel@lemmy.dbzer0.com · 1 year ago

          over 1900 fines so far

          My point exactly. That’s nothing. That covers the past 5 years in 23 countries. They enforce just enough cases to be able to suggest to the public that they are not doing absolutely nothing (because they want the public to accept the forced #digitalTransformation without resisting). GDPR violations are rampant and getting actual GDPR protection is like winning the lottery.

          Adherence is taken seriously.

          Bullshit. I have filed reports on well over 20 #GDPR violations citing law and evidence going ~4 years back in some cases. One of the reports was refused instantly by an incompetent desk clerk who gave a bogus rationale. The rest were accepted into litigation. Then every single one of them was silently and non-transparently mothballed. Not a single enforcement action resulted. Why? Because the GDPR does not have any teeth to force article 77 protection. If you think otherwise, please cite the text you think makes article 77 enforceable.

          I’ve got 3 more art.77 reports to write as we speak, and I struggle to get the motivation because I know they will just be mothballed as well.

          clients are quite interested in learning how to keep their sites compliant.

          That’s how the GDPR works. It’s voluntary, effectively. Some orgs opt to comply for optics and a bit of risk aversion (not wanting to be one of the few selected for enforcement like an inverse lottery). Orgs know enforcement is sparse and they abuse it. And when they abuse it, victims cannot get a remedy.

          Also worth noting that gov agencies violate the GDPR with reckless disregard because the cognizant DPA represents the same country. There is no profit to speak of, so a fine would be moot.

          • redfellow@sopuli.xyz · 1 year ago

            I wholeheartedly disagree that more than one fine a day on average, and 4,5 billion euros, are “nothing”. All of the clients at the company where I work have taken GDPR seriously; the possible cost of not doing so would be devastating.

            Where I live, we have an agency that investigates, aids and notifies before action is taken, and they are very active.

            If and when you want to make a notification about a violation here, there’s a clear process to do so, and failure to comply with what the agency decides will escalate the situation to the aforementioned fines.

            • diyrebel@lemmy.dbzer0.com · 1 year ago

              You’re still talking about voluntary compliance. The GDPR is not entirely useless for this reason - some orgs will comply despite the unlikeliness that any action results. Great! My long history of art.77 reports show GDPR-hostile orgs getting away with it.

              Here’s how the math works: your expectation of a fine (cost of noncompliance) is compared to the cost of compliance (e.g. hiring subject matter experts for consultation and making adaptations as needed). The expectation of a fine is the fine amount multiplied by the probability. The fine amount is negligible (if anything) for gov agencies and the probability a fine is levied by a state against itself is even much smaller than the probability of a fine against a commercial corp. So gov offices laugh at the GDPR. Commercial orgs can get a huge fine but they tend to get warnings, not to mention the chance a DPA even bothers to engage the offender is infinitesimal as it is. The cost of compliance is generally higher, which is why they don’t bother. Hence why I’m up to my neck in violations. Luckily the good Samaritan orgs that comply are the ones who haven’t done the math.

              The GDPR would only become an effective force if they were to amend it so that article 77 were itself enforceable against the deadbeat DPAs.

              • redfellow@sopuli.xyz · 1 year ago

                All law compliance is voluntary on the threat of consequences, that is a bad point, because since all compliance is voluntary, then you are saying that all laws are largely useless.

                My personal experience, in my country, is that GDPR is working fine, just as fine as any other law. There are always some people who break laws, and there are always resource costs to catch and fine/prosecute the law breakers. As long as the observable majority are law abiding, the law works as well as it can.

                Outliers don’t make the law moot, or GDPR “nothing” as you stated in your earlier post, and no amount of reasoning you attempt to give can convince me otherwise, as my personal experience and observations differ from what you are attempting to peddle.

                FYI: no gov offices are laughing at GDPR in Finland, if they did, another separate branch of gov would fine them. What you are saying is that due to the fact that corruption exists, your govs are not taking the law seriously. That’s a separate issue and affects everything, not just GDPR, and again, doesn’t make GDPR moot.

                • diyrebel@lemmy.dbzer0.com · 1 year ago

                  All law compliance is voluntary on the threat of consequences, that is a bad point, because since all compliance is voluntary, then you are saying that all laws are largely useless.

                  Yes, but this only muddies the waters to mention. You’ve forgotten what I said previously. I’m not saying it’s voluntary on the trivial basis that all actions are voluntary. I’m saying compliance is voluntary because (as I have established and you failed to counter) the GDPR is not being enforced for the most part. You have ONE fine every THREE WEEKS by each DPA. How is your math not sorting that out? I will lay it out here:

                  52 weeks/yr ÷ 3 weeks × 23 DPAs × 5 years = 1993 + ⅓

                  That’s absurdly deadbeat on the DPA’s part. As one individual I am personally encountering violations at nearly that rate just on my own as one person. On average the DPA in one country is doing enough workload for one single victim. Scale that to a nation of people and the result is they’re doing fuck all.

                  My anecdotal experience reflects that of others and in fact mirrors the big picture. But you need not take my word for it. Read about it (“Fines are few and far between…Enforcement is, at best, patchy and inconsistent.”). Though I must say your lack of awareness makes your background questionable. You should know about the lack of enforcement problem if your career is tied to it. After all, your own numbers reflect this; you’re just neglecting to do the math.

                  You’ve tried shifting the focus onto the revenue from the fines, which is irrelevant to the probability of getting a fine. The absurdity of that attempt is that “Meta… accounted for 80% [of last year’s total fines], with its largest fine reaching €405 million.”

                  Outliers don’t make the law moot,

                  They do when the statistical outliers actually reflect cases of fines, as opposed to the cases of inaction. Again, 1 fine every 3 weeks for a whole country. That’s what makes the law moot from an enforcement perspective. You throw out the outliers and you’re left with no enforcement in the remaining dataset.

                  What you are saying is that due to the fact that corruption exists, your govs are not taking the law seriously.

                  I didn’t exactly assert corruption. That’d be slightly overstated. There is certainly a conflict of interest when gov agencies are accountable to DPAs of the same country. You can use your own judgement as to whether to outright assert “corruption”. Either way, that’s only a factor when the GDPR offender is a gov agency. Lack of enforcement is bigger than that. As I said, the law itself is the problem because it’s not motivational. Again, there is no enforcement clause to force DPAs to honor article 77 reports. That’s the problem which you continue to ignore. It also doesn’t help that “DPAs complain about a lack of budget and personnel. While German DPAs employ around 1200 staff, Belgian, Croatian, and Romanian DPAs average only 50.” (from the same article) So the other problem is that the GDPR does not require member states to allocate sufficient resources for the workload – though that problem would take care of itself if there were a penalty for member states who fail to uphold art.77.

  • LoudWaterHombre@lemmy.dbzer0.com · 11 months ago

    Tough question, depends on what you are looking for. Hosted in the EU grants a set of pretty good data protection laws, but if you do illegal stuff, you want to host outside of this jurisdiction.

  • diyrebel@lemmy.dbzer0.com · 1 year ago

    Can’t the police, if need be, seize a server as easily as it would in any other country on Earth?

    Yes. No privacy protections anywhere in the world protect criminal suspects from warranted surveillance. Privacy laws are only intended to protect non-suspects from unreasonable unwarranted searches.

    • nothingness@lemmy.world (OP) · 1 year ago

      Then why don’t you go to North Korea? Or Iran? Or China. According to you, if you do nothing wrong, you won’t have any problem there. And if you end up with a problem with the police there, then you’re a criminal, therefore must be punished anyway.

      • diyrebel@lemmy.dbzer0.com · 1 year ago

        You are quite confused. The places you list are places that do not have privacy protections for non-criminals. Europe is where a law-abiding person is least likely to be unreasonably searched or interrogated.