In short, a president has substantial powers (granted by Congress via IEEPA and CFIUS) to institute a ban or force a divestment of any company "engaged in interstate commerce in the United States", if "national emergency" or "national security" is involved. So, legally, it seems that the president can ban TikTok, under certain conditions (that may not be so difficult to achieve). The link above only explains the current legal framework, not whether banning TikTok is in itself a good or a bad thing. IANAL, so I can't judge the competence of the presented arguments, but it is written by a respected law professor.
It is quite possible their company does not need a DPO. But given the nature of the question there is some evidence they do; besides that, hiring a DPO is not something done in isolation but most likely as the result of a GDPR impact study done in ... 2017 or so, which I'm going to again guess was not in the cards for many companies.
So, in summary: likely the vast majority of the companies affected are only now starting to wake up to the fact that they are affected. For quite a few of these companies the effects will be relatively benign unless their servers are compromised. For the more serious offenders and the larger companies that have not yet started to address these issues it is likely too late to get anything done in time, but since this goes for the vast majority of them they are simply playing a complicated game of Russian roulette with the oversight bodies, and a couple of them will undoubtedly get lucky, to the great relief of the remainder.
Data protection authorities tend to be vastly understaffed, but this too will hopefully change in the future.
It would be interesting to know whether the big companies have addressed (at least partially) their GDPR compliance. Maybe they do just "play Russian roulette" like you said, and hope for the best. Of course, implementation guidelines are not yet fully defined (like WP29 opinions, some of them will change; even then, those opinions are not legally binding).
From what I've seen it strongly depends on the vertical but there are outliers both ways. With medical and fintech (banks, IPSPs, insurance) you can expect they are on average doing ok though there are some bad counterexamples. E-commerce is only just now starting to wake up and everybody else is going to be playing catch-up for the next couple of years.
Note that my sample is relatively small and mostly western European countries (nl, be, de, uk).
I'm sorry, but your comment about Yugoslavia is extremely simplistic, if not outright wrong. While ethnic tensions certainly played a large role, the causes for the war were numerous, and also include outside influences (end of Cold War, geopolitical situation, etc.). BTW, Tito was dead for 11 years before the war started, and while he certainly was a dictator, albeit somewhat more lenient than other communist dictators, describing him as a "violent warlord" is a mischaracterization.
I don't understand the objection; if resolving ethnic tensions was actively impeded by Tito's dictatorship, then the argument that violence was suppressed rather than resolved is untouched.
The characterization of Tito himself isn't important (call him a benevolent strongman if you prefer - I don't have a horse in the race), other than to examine the role of a system which suppressed violence rather than resolved conflict.
Hi, I'm involved with GDPR for my work, although in an academic context, i.e. the primary motive in processing of personal data is security, provisioning services, accounting purposes, etc. Also, I'm not a lawyer, and this is just my personal opinion.
So, while I do work in an academic environment, I do have contact with people from industry, and they are taking this seriously. (Off topic, this actually created a new business opportunity, for compliance with the GDPR). However, GDPR is not that different from the Directive; if you were compliant with the Directive, chances are you're probably (mostly) compliant with the GDPR. Yes, the conditions for consent are strengthened, and since now we have a Regulation, it is valid in all countries. There are other differences, and it is more stringent now, but it is not drastically different from the Directive. BTW, this link [1] has a nice overview (I'm completely unaffiliated with that firm, I just like how they structured it...):
One thing that people lost sight of, at least in my opinion, is that GDPR is not just about punishment, or stopping the processing of personal data; it is also about transparency. People should not be coy/evasive/unclear about what kind of data one is collecting and for which purpose. This is one of the most important things (again, in my opinion). Processing of personal data has a valid and important purpose, and the GDPR is not there to stop it.
And for the question of whether the GDPR will be enforced, I think it will. For the moment, though, all data protection authorities (DPAs) are a bit overloaded, and I suspect that will be the case in the near future. But obviously, the EU and EC are taking GDPR quite seriously.
> One thing that people lost sight of, at least in my opinion, is that GDPR is not just about punishment, or stopping the processing of personal data; it is also about transparency. People should not be coy/evasive/unclear about what kind of data one is collecting and for which purpose. This is one of the most important things (again, in my opinion). Processing of personal data has a valid and important purpose, and the GDPR is not there to stop it.
But doesn't that make the GDPR just another "Cookie Law" (albeit with more effort to implement it)? The average person will not reflect on the permissions they give I am afraid. They'll mechanically accept them like they do with EULAs.
I don't think that the GDPR is bad it's just that before launching it they should have made sure that people (especially kids in school) really understand what kind of madness they're currently engaging in.
There was an interesting discussion about 4A implications between Orin Kerr (who thinks that, according to the third-party doctrine, there was no need for a warrant, and therefore no 4A protections of cell-site data) and Alex Abdo (of the ACLU, who argues that, since the collection was too excessive, it does trigger 4A protections).
I have a Nexus 4, too, and changed the stock OS to LineageOS (previously I used CyanogenMod) and it works great, and now I have Android 7.1.2 and I receive weekly updates...
I realize that "flashing" the ROM is not what a normal user would do, but it has become very easy to do, and it does extend the (usable) life of the phone.
Last time this story was here, I posted this link [1], from law prof. Orin Kerr. I find his reasoning about "foregone conclusion" and Fifth Amendment pretty interesting.
I find this reasoning by prof. Orin Kerr pretty interesting, with respect to whether always collecting the full URLs of users (by ISPs) is actually legal. His argument is that it might not be legally OK to do so, and that there already are restrictions, even with the rescinding of the privacy rules by the FCC:
For my work, I'm working on the impact of the GDPR on research, and how the GDPR will work in scientific communities. I'm not a lawyer, of course, so my interpretation might be a bit off (so disclaimer, IANAL, this is not legal advice, etc.). Anyway, these are just some of my thoughts on the subject.
Well, GDPR is a big topic, and it is not yet clear how all the provisions will be implemented. It is not that different from the (currently valid) Directive, but it does clarify certain points, and imposes much more stringent penalties, as mentioned in the parent post (the fine is actually 4% of the global revenue, or 20M Euro, whichever is greater).
The changes with respect to the Directive are, in short:
• GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of where it takes place
• Penalties – up to 4% of annual global turnover or 20M€ (whichever is greater)
• Consent – conditions are strengthened (clear and plain language, explicitly related to the processing, easy to withdraw)
• Breach notification
• Privacy by design
• Right to be forgotten
• Data Protection Officers
• Right to access
Now, as mentioned in another comment, the right to be forgotten and erasure of data is not really a wipeout; the data controller and data processor are supposed to do it using "industry standards" and "reasonable effort" (the controller, e.g., should flag that processing of the data should be restricted). Also, there are exceptions (legal claims, public authorities, free speech, etc.).
A different comment points out that the Regulation, unlike the Directive, makes GDPR valid in all EU countries, and this is true. However, the EU states are free to implement their own data privacy laws, which of course need to be in line with the GDPR. This may potentially introduce legal inconsistencies across the EU for certain points.
Also, one should not underestimate the legitimate interest of the service provider, or controller, to retain the data, even if the user has asked for the data to be removed. The data may also be retained at the request of relevant public authorities, etc. One comment has asked what will happen if an EU citizen requests the removal of its data, while US public authorities ask for access to this data. In this case, the relevant EU public authorities may request that the data be kept (or not, I guess this will be decided on a case-by-case basis; also the provider may have a legitimate reason to keep the data).
And of course, the biggest problem: the transfer of data to non-EU countries. For this, there are several ways to do it; one is mentioned already, i.e. user consent (which must be clear and unambiguously given, and can be revoked at any time). Then, of course, there are contracts, binding corporate rules, etc. For EU-US transfer, there is Privacy Shield for transfer of data to the US (which is a replacement for Safe Harbor, struck down by the ECJ), but this is mostly for commercial services (so it does not work for academic environments).
There are some other interesting aspects to GDPR, but this post is already getting a bit long. For more info, these links are interesting:
There are multiple WP29 interpretations on various points (some of them are actually human readable, not just legal talk), etc. In any case, it will be interesting to see all these developments in the future.
> "industry standards" and "reasonable effort" (the controller, e.g., should flag that processing of the data should be restricted).
Not quite. That sort of fits the current model, such as Facebook not deleting data, just restricting access. In this case, data should be marked for deletion, "within a reasonable time frame". Data controllers may not retain the data indefinitely, no matter how much they want to.
In practical terms, the implementation of that will probably be influenced by the fact that a user should be able to download all their data without hindrance (Data Portability).
That is correct, the user will have access to the data, e.g. the images/videos the user uploaded to Facebook, and I presume Facebook will have to delete (successfully) this data upon request. However, personal data are not just images, or similar. It is also IP addresses, logs containing the user's actions, etc.: everything and anything that may identify a person. So, e.g., if some logs somewhere may contain IPs of a user, or some actions of the user were recorded in logs that are scattered throughout the system, the controller may argue that it "reasonably" tried to also remove this data for the user, but it can't guarantee that. However, GDPR now stipulates Privacy by design, which means some of these scenarios might have to be taken into account before creating and providing a service, so the removal of (all) user data should be more feasible.
https://www.lawfareblog.com/tiktok-and-law-primer-case-you-n...