Life in a small town

The Pause That Refreshes … New EU Privacy Laws … GDPR

“Somewhere In Neverland”, All Time Low, from the album “Don’t Panic”, (2012)

Captain’s Log, Stardate 20180609.1311

Well, it seems to have ended up being a protracted hiatus, having failed to post since May 30th, mainly because of connectivity issues related to changes being made by sites and contacts rooted in the May 25th effective date of the new Privacy laws of the European Union, the GDPR.

Welcome to our Brave New World, just another iteration of the Law of Unintended Consequences which we have all become so familiar with relating to the whole Global Warming debacle which is nothing more than a bureaucratic power and tax grab.

I am a now long retired CISSP (Certified Information Systems Security Professional) who did my 10 domains training with IBM and had the nice long number after my certification. During my career I found, in North America at least, that governments at all levels actually wanted CISSPs on staff in order to blame them when the inevitable breaches occurred.

All the while they continued dragging their departmental and budgetary feet when it came to actually implementing anything remotely resembling actual data protection and privacy for customers, patients and citizens. Who cares about them as long as our collective derrieres are covered and we have someone to blame?

Jerry Pournelle, August 7th, 1933 to September 8th, 2017.

Jerry Pournelle’s Iron Law of Bureaucracy is: “in any bureaucratic organization there will be two kinds of people: those who work to further the actual goals of the organization, and those who work for the organization itself.

Examples in education would be teachers who work and sacrifice to teach children, vs. union representatives who work to protect any teacher including the most incompetent.

The Iron Law states that in all cases, the second type of person will always gain control of the organization, and will always write the rules under which the organization functions.”

This might seem to implicate all bureaucracies, but I still believe that corporations take these privacy things more seriously because they have a real bottom line and are the biggest targets of government vampires; perhaps corporations are the actual “Main Vein”.

If I only had a few local readers it would be of no import, but worldwide readership necessarily dictates complying with and dealing with privacy legislation in other countries and continents, and with the actions and reactions of applications, platform vendors, and providers of various services, regardless of my personal feelings about the integrity of buttock-covering bureaucrats and their minions.

So now the EU joins the data privacy pyramid scheme, just because they can, and the bureaucrats and their new law impose the following sanctions:

  • a warning in writing in cases of first and non-intentional noncompliance
  • regular periodic data protection audits
  • a fine up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions: (Article 83, Paragraph 5 & 6[34])
    • the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43
    • the obligations of the certification body pursuant to Articles 42 and 43
    • the obligations of the monitoring body pursuant to Article 41(4)
  • a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater, if there has been an infringement of the following provisions: (Article 83, Paragraph 4[34])
    • the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7, and 9
    • the data subjects’ rights pursuant to Articles 12 to 22
    • the transfers of personal data to a recipient in a third country or an international organization pursuant to Articles 44 to 49
    • any obligations pursuant to member state law adopted under Chapter IX
    • noncompliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2) or failure to provide access in violation of Article 58(1)

So of course multinational corporations notice when bureaucrats start taking aim at a share of Annual Worldwide Turnover – this is shaping up to be one of the largest wealth grabs in the history of civilization.

Things probably won’t settle out until all the appropriate functionaries at all levels of the EU have been greased and paid off and a new system of graft and corruption settles into place. Of course all of us little folks will only notice that everything we buy and do costs more.

At the same time, and possibly related to the GDPR fiasco, other concerns have surfaced including problems with site certificates, blanket blacklists, and related security credential issues.

I have replaced an obsolete Cisco 1800 VPN router with a new Cisco Meraki VPN, and its bleeding-edge security implementation is not compatible (it won’t let me connect to them) with some of the sites I have used often in the past.

The same goes for several browsers that seem to have beefed up their awareness of connection credentials and so on, with lots of “We won’t connect you to there. Talk to your network administrator” or something to that effect. Since I AM the network administrator, and I don’t have access to the admin console in 3rd party devices, we are looking forward to more negotiations going forward.

Another example of the exponential growth of issues resulting from know-nothing administrators playing with Fear, Uncertainty and Doubt (FUD) is the whole area of GDPR consent, which has given rise to a proliferating number of implications for businesses that record calls (I don’t) as a matter of practice; a typical disclaimer is no longer considered sufficient to gain assumed consent to record calls.

Additionally, once recording has commenced, should the caller withdraw their consent, the agent receiving the call must be able to stop the previously started recording and ensure the recording does not get stored.[42]

IT professionals expect that compliance with the GDPR will require additional investment overall: over 80 percent of those surveyed expected GDPR-related spending to be at least USD $100,000.[43]

The concerns were echoed in a report commissioned by the law firm Baker & McKenzie that found that “around 70 percent of respondents believe that organizations will need to invest additional budget/effort to comply with the consent, data mapping and cross-border data transfer requirements under the GDPR.”[44]

The total cost for EU companies will be HUGE! It is estimated at around €200 billion while for US companies the estimate is for $41.7 billion.[45]

It has been argued that smaller businesses and startup companies might not have the financial resources to adequately comply with GDPR, unlike the larger international technology firms (such as Facebook and Google) that the regulation is ostensibly meant to target first and foremost.[46][47]

A lack of knowledge and understanding of the regulations has also been a concern in the lead-up to its adoption.[48] According to analyst Mark Smith of Ventana Research, “business and IT professionals … have not sufficiently thought through the GDPR implications of their current operations and where better data governance needs to be applied to ensure proper security and control.”[49]

The regulations, including whether an enterprise must have a data protection officer, have been criticized for potential administrative burden and unclear compliance requirements.[51]

There is also concern regarding the implementation of the GDPR in blockchain systems, as the transparent and fixed record of blockchain transactions contradicts the very nature of the GDPR.[55] Many media outlets have commented on the introduction of a “right to explanation” of algorithmic decisions,[56][57] but legal scholars have since argued that the existence of such a right is highly unclear without judicial tests and is limited at best.[58][59]

The lead-up to the effective date of the GDPR (May 25th) led to many companies and websites changing their privacy policies and features worldwide in order to comply with its requirements, and providing email and on-site notification of the changes.

Experts also noted that some reminder emails incorrectly asserted that new consent for data processing had to be obtained for when GDPR took effect, even though any previously-obtained consent to processing is valid as long as it is properly documented and meets the requirements of GDPR (Recital 171).

Phishing scams also emerged using falsified versions of such emails, and it was also argued that some GDPR notice emails may have actually been sent in violation of anti-spam laws.[60][16]

Mass adoption of GDPR privacy standards by international companies has been cited as an example of the “Brussels effect”, a phenomenon wherein European laws and regulations are used as a global baseline due to their gravitas.[61]

On the effective date, some international websites began to block EU users entirely (including Instapaper,[62] Unroll.me,[63] and Tronc-owned newspapers, such as the Chicago Tribune and the Los Angeles Times) or redirect them to stripped-down versions of their services (in the case of National Public Radio and USA Today) with limited functionality and/or no advertising, in order to remove their liabilities.[64][65][66][67]

Some companies, such as Klout, and several online video games, ceased operations entirely to coincide with its implementation, citing GDPR as a burden on their continued operations, especially due to the business models of the former two.[68][69][70] Sales volume of online behavioural advertising placements in Europe fell 25–40% on 25 May 2018.[71]

Facebook and subsidiaries WhatsApp and Instagram, as well as Google LLC (targeting Android), were immediately sued by Max Schrems’s non-profit NOYB just hours after midnight on 25 May 2018, for their use of “forced consent”. Schrems asserts that both companies violated Article 7(4) by attempting to completely block use of their services if users decline to accept all data processing consents, in a bundled grant which also includes consents deemed unnecessary to use the service.[72][73][74][75][76]

So there seems to be a lot of “When in trouble, when in doubt, run in circles, scream and shout” going on. In some ways this reminds me of the mad scramble surrounding Y2K almost 2 decades ago. Obviously the world didn’t end then, and it sure isn’t going to end now. This is all about bureaucrats covering their collective derrieres, while targeting corporate purse strings, and has nothing at all to do with protecting their citizens.

It seems a stretch to accept the “Protecting Privacy” scam being pushed by any government or collection of governments that can happily kill hundreds of thousands of their citizens with badly researched drug utilization guidelines (as has actually happened in Europe in the last decade). These folks obviously couldn’t care less about the rights and privacy of their citizens.

We are talking about the same kinds of bureaucratic systems that gave us the Nazi final solution and the Gulag at one of the extremes and now kills hundreds of thousands in legal medical procedures like Euthanasia and Abortion, above and beyond all the “accidental” killing related to regulations and the law of unintended consequences.

A cynical view is that the EU is being protectionist, trying to impede US and Canadian businesses from competing. Indeed, the EU is quite inconsistent in its adherence to principles, but so is every other government; the EU is quick to chastise the US for its massive government surveillance yet ignores such surveillance by its own member countries.

But there is hypocrisy on all sides of the issue, and I don’t think that hypocrisy is grounds to conclude that some players in the EU are not genuine in their desire to protect privacy. I think that some players in the EU really do care — but the EU just speaks of rights in absolutes even though in practice it never really treats them as such.

For us here, the reality on the ground seems to be that all the essentials are still working fine and my business end continues to function fine. It is only in the recreational end of things that I have felt the pinch. Ironically it seems, at first blush, that one of the biggest sectors feeling the pinch of credential changes and requirements is the online gaming universe, and I still have not sorted out my favorite game and magazine sites and what has changed there.

I think some providers have simply short-termed it by denying access to European-based game companies, but there are some US companies and Asian companies also affected. Maybe I will discover that this is all my own local issue with my systems, but I doubt it right now, and only time will tell as I sort it all out.

All of this to say that while I continue to read through my new book on Cancer as a Metabolic Disease and the effects of caloric reduction and elimination of foods which transmute into glucose (the BIG cancer feeder), I am not yet ready to make a post on the subject. Sorry to say, getting my IT systems restored to happiness with the global information landscape is my top priority just now.

Cheers

Joe

We desperately need a Grey Tribe Common Sense Revolution