[HN Gopher] UK to overhaul privacy rules in post-Brexit departur...
___________________________________________________________________
UK to overhaul privacy rules in post-Brexit departure from GDPR
Author : tompagenet2
Score : 88 points
Date : 2021-08-26 11:14 UTC (11 hours ago)
(HTM) web link (www.theguardian.com)
| selfhoster11 wrote:
| Uh oh. I was worried they might start messing with GDPR. While
| GDPR can get complicated to comply with, it is a measure that I
| wholeheartedly support as a user who values their personal data.
| Ekaros wrote:
| Having something is better than having nothing. At least now
| there is some hammer for security/etc. people to use to get
| something sane in how data is stored and handled.
| selfhoster11 wrote:
| Exactly what I was trying to say.
| DrBazza wrote:
| There's a name for this - when a large bloc of countries require
| something legally, and the rest of the world ends up following.
|
| You can probably "thank" the EU for not having to carry around
| individual LG, Samsung, Anker, Sony, Apple, whoever charging
| bricks:
|
| https://en.wikipedia.org/wiki/Common_external_power_supply
| AstralStorm wrote:
| The name you want is the Brussels Effect.
|
| It is more costly to maintain separate product lines than to
| comply.
|
| https://en.wikipedia.org/wiki/Brussels_effect
| KaiserPro wrote:
| I didn't think the cookie law is actually an intrinsic part of
| GDPR. But I could be wrong. I know you are supposed to make it
| clear that you are collecting data, and allow opt out.
|
| So, I can see the political point in "setting fire to the cookie
| law" whilst basically being GDPR in all but name.
|
| However, given the power of the present government to cock things
| up, I suspect they are going to make some stupid changes that
| threaten our equivalence with the EU. The EU will happily remove
| it, thus making it harder to trade in the EU.
|
| I notice some murmuring about science. I suspect that means
| they'll try and make it simpler to wholesale sell off the fetid
| datamine that is NHS medical history. However if we are lucky,
| they'll also undermine the concept of informed consent for
| anything to do with research/data, which will be fun.
| acatton wrote:
| > I didn't think the cookie law is actually an intrinsic part
| of GDPR
|
| Because it is not. [1] It was part of the ePrivacy directive,
| it has been amended since. The TL;DR is: today, if you don't
| use cookies for tracking and/or ads, you're fine. Just put a
| cookie consent checkbox on the user login form, and your
| website will have a much nicer user experience.
|
| If you show a cookie consent modal before your visitors can
| access anything, either:
|
| * you have personalised ads with global tracking. (~= criteo,
| amazon ads, or google adsense)
|
| * you're using a globalised analytic tool. (~= Google
| Analytics)
|
| * you're following an outdated version of the ePrivacy/GDPR
| directives.
|
| But it's easier to blame it on the EU.
|
| [1] https://gdpr.eu/cookies/
| GoblinSlayer wrote:
| They say you don't need cookie consent for a login form. A login
| form is an obvious authentication, opt-in even. You need
| cookie consent when you authenticate users stealthily - how
| Google Analytics does it.
| Mindwipe wrote:
| > I didn't think the cookie law is actually an intrinsic part
| of GDPR
|
| It isn't; the DCMS is being deliberately misleading to justify
| gutting UK privacy law.
| 12ian34 wrote:
| Could you elaborate on why it is not?
| jacquesm wrote:
| Because it stems from an earlier law.
|
| The one stems from the e-privacy directive which stems from
| 2002, the other is the GDPR.
|
| https://en.wikipedia.org/wiki/EPrivacy_Regulation
|
| https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
|
| https://edps.europa.eu/data-protection/data-protection/gloss...
|
| https://gdpr-info.eu/
| account42 wrote:
| > I know you are supposed to make it clear that you are
| collecting data, and allow opt out.
|
| Just to be clear, the GDPR requires opt-*in* for any data for
| which you do not have a legitimate interest - that means you
| need consent _before_ you start collecting.
| prof-dr-ir wrote:
| If UK privacy law starts to deviate significantly from GDPR then
| the EU commission will not hesitate to withdraw its 'equivalence'
| decision on UK privacy rights [0]. This will hamper the flow of
| data from the EU to the UK, the costs of which to UK businesses
| will more than offset any "Brexit dividend for individuals and
| businesses across the UK" that the culture secretary is seemingly
| so keen on obtaining.
|
| Of course, these kinds of nuances tend to get forgotten by those
| who think they can secure better trade deals by spending £200M
| on a boat [1].
|
| [0] https://www.theguardian.com/technology/2021/jun/28/eu-rules-...
|
| [1] https://www.ft.com/content/c77b7aa1-cebc-47c6-a04a-d21eef2d1...
| CodeGlitch wrote:
| I agree with removing the cookie requests. 99% of people just
| click the big green "AGREE ALL" button because they're too busy
| to go on a box-ticking exercise. I hope other aspects of GDPR
| remain in place though, and have to agree that we should be
| cherry picking the rules that make sense to UK businesses and
| users.
| jka wrote:
| The EU's upcoming ePrivacy Regulation[1] proposes, among other
| suggestions, to move cookie consent into the browser:
|
| "Simpler rules on cookies: the cookie provision, which has
| resulted in an overload of consent requests for internet users,
| will be streamlined. The new rule will be more user-friendly as
| browser settings will provide an easy way to accept or refuse
| tracking cookies and other identifiers. The proposal also
| clarifies that no consent is needed for non-privacy intrusive
| cookies that improve internet experience, such as cookies to
| remember shopping-cart history or to count the number of
| website visitors."
|
| [1] - https://ec.europa.eu/digital-single-market/en/proposal-epriv...
| FridayoLeary wrote:
| Google uses a dark pattern already so that law is screwed
| before it has even passed.
| frereubu wrote:
| Do you have a source to back up the claim of 99%? It seems
| feasible, but I'd be interested in hard numbers on that because
| I haven't seen any.
| CodeGlitch wrote:
| No I do not - in this case 99% = most people. I think only a
| small percentage of the population understand what a cookie
| is, and an even smaller percentage of those who care about
| their privacy enough to go ticking those boxes.
| tpush wrote:
| A big green "AGREE ALL" button is explicitly non-compliant,
| though.
|
| In theory one could preemptively block all consent popups and
| requests and continue to surf the website without being
| tracked, if the GDPR had any teeth.
| CodeGlitch wrote:
| For what it's worth here's what I do:
|
| I run my own /etc/hosts file based on :
| https://github.com/StevenBlack/hosts
|
| This should block the popular ad-ware companies.
|
| I also browse with Brave, and use their inbuilt "shields"
| feature to block 3rd party/cross-site cookies. I don't
| install any additional browser plugins.
|
| Would be nice to kill all the consent-popups, as you say.
| Macha wrote:
| A lot of these cookie requests that are the most cumbersome are
| themselves GDPR violations.
|
| You should have the options to agree or disagree to
| non-essential cookies presented equally, and then can offer the
| granular box ticking for people who really care that Google
| Analytics can use their data but Google Ads cannot.
|
| People complain that the EU's own websites have cookie banners,
| but if you compare the banner on europa.eu, to say, IB times
| which is another link on the front page currently. The
| europa.eu one has two equal options, no BSing about legitimate
| interest claims for tracking that wouldn't hold up. The IB
| times one on the other hand has a totally unneeded splash
| screen, you then need to click manage settings, and for each
| purpose you need to enter it and disable extra toggles for
| "objecting" that are basically another layer of opt out consent
| since they know consent is opt in (but to my understanding if
| you don't go to manage settings at all and just click the go
| away option, they will treat that as affirmative consent).
|
| The ePrivacy Regulation is working to clarify the interaction
| with the ePrivacy Directive which leads to people asking
| consent for "essential"/non tracking cookies like shopping
| carts or the "Remember I didn't consent to tracking" cookie.
| tankenmate wrote:
| Personally I would prefer something streamlined, but only if it
| allows individuals the same or better choices. And I would not
| want a situation that leads to irreconcilable differences with
| the GDPR, the hassle of non data portability would be too
| great.
| that_guy_iain wrote:
| And now lots of companies who are hosted in the UK are going to
| have to move out of the UK to stay in compliance with GDPR.
|
| I actually chose my newsletter service based on the fact they
| were in the UK and therefore compliant with GDPR, due to the fact
| I saw Mailchimp wasn't.
| lloydatkinson wrote:
| Who do you use now?
| that_guy_iain wrote:
| https://emailoctopus.com/ is my current provider and they say
| they use EU data centers, so I should be good.
| lloydatkinson wrote:
| Does it support creating emails from RSS feeds though?
| Don't see it mentioned. When I make a blog post, mailchimp
| reads the RSS feed and sends an email to subscribers.
| scaryclam wrote:
| I don't think they're going to have to move, just remain
| compliant with the GDPR rules. UK businesses still have a lot
| of customers in the EU, and will have to comply with the GDPR
| to continue their businesses, so I very much doubt much is
| going to change.
| motives wrote:
| If there is sufficient deviation from GDPR (who knows what
| will happen from this speculative article alone), the UK will
| probably lose its adequacy to transfer personal data, which
| will materially impact how international organisations can
| transfer data. In fact the recent UK-EU adequacy decision
| explicitly states this [0]:
|
| 'For the first time, the adequacy decisions include a
| so-called 'sunset clause', which strictly limits their duration.
| This means that the decisions will automatically expire four
| years after their entry into force. After that period, the
| adequacy findings might be renewed, however, only if the UK
| continues to ensure an adequate level of data protection.
| During these four years, the Commission will continue to
| monitor the legal situation in the UK and could intervene at
| any point, if the UK deviates from the level of protection
| currently in place. Should the Commission decide to renew the
| adequacy finding, the adoption process would start again.'.
|
| The impact of a loss of adequacy will be significant on UK
| service providers, as it will become significantly easier
| from a regulatory perspective to just host within the EU for
| both UK and EU customers than to deal with the hassle of
| using UK datacenters.
|
| [0] - https://ec.europa.eu/commission/presscorner/detail/en/ip_21_...
| Nextgrid wrote:
| The reason the GDPR failed and was more an annoyance than a
| solution is because of its lack of enforcement and the total
| incompetence of the ICO.
|
| All the annoyances that seem caused by the GDPR such as the
| annoying and misleading consent popups are explicitly forbidden
| by the GDPR and do not count as compliance.
|
| If the ICO was doing their job and was using the powers the
| regulation is granting it (such as the fines everyone was
| fear-mongering about) it would've quickly forced those websites
| to comply and stop the annoyances.
| remus wrote:
| > The reason the GDPR failed and was more an annoyance than a
| solution is because of its lack of enforcement and the total
| incompetence of the ICO.
|
| I don't think it is clear that GDPR has failed. Companies
| actually think about data privacy now, to a much greater extent
| than they previously have. For example shady practices by the
| likes of google and facebook have come under the spotlight and
| companies do face significant GDPR fines when they mess up e.g.
| this 890 million euro whopper for amazon [1].
|
| [1] https://www.bloomberg.com/news/articles/2021-07-30/amazon-gi...
| frereubu wrote:
| If the ICO had appropriate funding I think you'd find they would
| be able to do a much better job.
| dspillett wrote:
| The consent pop-ups aren't solely due to GDPR, and GDPR is
| about much more than tracking in that sense.
| moritonal wrote:
| I can count multiple times where GDPR has improved my life as a
| customer and even as an employee. GDPR was a landmark success
| in my opinion, especially after the failure that was the cookie
| law.
| jacquesm wrote:
| The GDPR most certainly has not failed, in fact it is gathering
| steam. Compliance is increasing, more and more consumers are
| becoming aware that this law is working to their benefit, and
| fines are getting more substantial against those companies that
| have unilaterally decided the GDPR does not apply to them.
|
| Of all the legislation that has come out of Brussels I would
| count it up next to the successes, similar to the roaming
| charge law and the one about phone chargers.
| frereubu wrote:
| Gathering steam is right - people often underestimate the
| power of nation states (and blocs of nation states) because
| they can take a while to react. But it's like steering a
| supertanker - slow to turn, but once they're finally going in
| the intended direction they're impossible to ignore.
| IdiocyInAction wrote:
| I don't think GDPR has failed. In fact, there have been
| multiple times where I have been happy that it exists, since I
| knew that companies were limited in their ability to save data
| about me.
| agilob wrote:
| >Culture secretary says move could lead to an end to irritating
| cookie popups and consent requests online
|
| No it won't. Unless you ban EU citizens visiting your website and
| your website doesn't make business with other businesses in EU.
|
| >Britain will attempt to move away from European data protection
| regulations as it overhauls its privacy rules after Brexit, the
| government has announced.
|
| Other countries like Canada implemented the GDPR directive. The EU
| required this from Canada, Japan and other countries to make some
| customs/tariff-free deals. Looks like the UK wants to break away
| from dealing with the EU at all?
| naturalauction wrote:
| > No it won't. Unless you ban EU citizens visiting your website
| and your website doesn't make business with other businesses in
| EU.
|
| I strongly dislike the move too but this is true. The popups
| are often based on geolocation by ip. Jurisdictions with GDPR
| get the pop up and those without don't. If you want to test
| this go to the Washington Post on an EU/UK ip and an American
| ip, clearing cookies in between visits and see the difference
| for yourself.
| jka wrote:
| This will partly depend on whether the EU also decide to change
| regulations around cookie consent.
|
| You might be interested to follow the EU's ePrivacy Regulation
| proposals, described here:
| https://digital-strategy.ec.europa.eu/en/policies/eprivacy-r...
| (and in particular, the top-level item related to cookies).
| miohtama wrote:
| > Unless you ban EU citizens visiting your website and your
| website doesn't make business with other businesses in EU.
|
| You can simply break the law and ignore the EU. The cookie
| popup sanctions are not criminal and unless you are very high
| profile business, nobody cares about you. Nobody is going to
| come after you.
|
| The only regulator that international developers need to worry
| about is the SEC from the United States, because they pursue
| cases for US victims cross-border. But to get on the bad side of
| the SEC you need to do something really stupid.
| tankenmate wrote:
| The maximum fine for breaking the GDPR is up to 4% of your
| global turnover. If it gets to that they can seize any
| assets in the EU, including any revenue earned in the EU up
| to the amount of the fine. Potentially directors can attract
| criminal risk by refusing to pay the fine(s), leading to an
| international arrest warrant. Obviously this is the most
| extreme case, but it is generally easier to just comply
| with the law like a reasonable person.
| AlexAndScripts wrote:
| _or 20 million,_ whichever is higher*
| martin_a wrote:
| > Nobody is going to come after you.
|
| You should doubt this.
|
| I filed several complaints about unauthorized newsletters and
| failures to comply with my GDPR requests. German officials went
| after the companies and asked them to provide the necessary
| information. For sure it took its time but it worked, and for
| the companies it's been a warning shot.
| TheGigaChad wrote:
| Get a life, German cuck.
| tonyedgecombe wrote:
| >Looks like UK wants to break away from dealing with EU at all?
|
| Anything to do with the EU has become toxic to the governing
| party.
| prof-dr-ir wrote:
| Also, the cookie popups are not an immediate consequence of
| GDPR, but rather of its interplay with another directive from
| 2002 [0]. The EU has of course taken notice of the irritation
| of the public and is trying to improve on the state of affairs
| with the proposed ePrivacy Regulation [1].
|
| [0]
| https://en.wikipedia.org/wiki/Privacy_and_Electronic_Communi...
|
| [1] https://en.wikipedia.org/wiki/EPrivacy_Regulation
| rentnorove wrote:
| Irritating cookie popups are not mandated by GDPR; the opposite
| is true and most cookie popups are non-compliant with the
| legislation. If the ICO (UK regulator) actually did its job
| then this would be solvable under the existing powers, but it's
| done very little:
|
| https://www.enforcementtracker.com/
| redjet wrote:
| Practically the UK must maintain an adequacy agreement with the
| European Commission so any changes would necessarily be
| constrained by that. Given that much of what became the GDPR
| was developed by British civil servants and in line with what
| the UK wanted to achieve at the time I suspect there is more
| than a little showboating going on here from HMG.
| f32jhnjk33jj wrote:
| Cookie popups are another reason to hate the EU. The bloc is
| called a bureaucratic monster for a reason.
| mrunkel wrote:
| This translates to: "We are not going to require consent for data
| collection."
| tankenmate wrote:
| Which would lead to data portability issues with the EU. A
| number of companies I deal with have decided to host their data
| in the EU (even for UK source data) as a result of Brexit.
| x0x0 wrote:
| Well, you'll be able to hear the shrieking from here if Britain
| is ruled not to have an adequate data protection regime.
|
| The EU basically doesn't enforce the regulation against the US
| because we're too big a software partner for the rules to
| apply. I wouldn't bet the UK is going to get the same
| realpolitik exception.
| nixpulvis wrote:
| Um, it doesn't have to...
|
| Why not start with re-reading existing consumer data protection
| law? I bet there's stuff in there that can be applied and
| reworked.
|
| We need it to be appropriately scary for companies to abuse
| data.
| s1k3s wrote:
| Good for them, I wish EU did it too. GDPR is such a failure.
|
| Edit: Why is this downvoted? What exactly did GDPR accomplish
| except for making our web experience a mess, both for businesses
| and users?
| HatchedLake721 wrote:
| It is downvoted because you say something is a failure without
| backing it up, when GDPR is actually a success for privacy and
| consumers everywhere.
|
| 1. Marketing consent now has to be explicitly asked for when
| signing up for any service. Companies cannot enrol you in one
| if you didn't ask for it.
|
| 2. Right to be forgotten. You can request a company to erase
| all your private data they hold on you.
|
| 3. Companies have to legally report data breaches within 72
| hours after becoming aware of them.
|
| 4. Penalties for companies who do not take privacy seriously.
|
| 5. Companies can no longer just hoard sensitive/private data
| unless they have a reason for it.
|
| 6. Selling private data from company to company now requires
| original consent from the user (this stopped a lot of
| businesses selling lists for lead gen, call centres, etc)
|
| 7. Companies treat private data as a liability now, making them
| ask themselves additional questions whether it needs to be
| stored or processed at all, and if so, put additional security
| fences around it.
|
| This list can go on for ages. I don't see these benefits and
| additional rights for hundreds of millions of people out there as
| a failure. It's a win-win for consumers.
| guitarbill wrote:
| The web "experience" was already a mess.
|
| One example is data retention. Previously, data could be and
| was just kept around forever. With the GDPR, when you delete
| stuff, you can now expect it to actually be deleted from
| backend storage, usually within 30 days or less (yes, there are
| exceptions). This is nice, since it does limit your exposure in
| case of a breach. Speaking of breaches, they also have to be
| reported in a timely manner. Without the GDPR or equivalent,
| companies are free to suppress that as long as they want, and
| have done so.
| s1k3s wrote:
| I advise you to go back and read the law again. What you
| describe doesn't happen and it's not even enforced by it.
| guitarbill wrote:
| Storage limitation: https://ico.org.uk/for-organisations/guide-to-data-protectio...
|
| Personal data breaches: https://ico.org.uk/for-organisations/guide-to-data-protectio...
|
| Right to erasure: https://ico.org.uk/for-organisations/guide-to-data-protectio...
| FridayoLeary wrote:
| The GDPR should specify a standard cookie banner that must be
| used, some of them are beyond a joke. Google (for shame) has the
| most horrible, obnoxious dark-pattern banner, that they have
| obviously worked on to make as unfriendly as possible, while
| looking as benign as possible. I've never once in my life
| bothered reading the walls of script and check-boxes before
| clicking the most convenient button I can find.
| PaulKeeble wrote:
| The vast majority of them aren't really complying with the law
| as they default to cookies on and use a series of dark patterns
| to avoid you turning them off. But so far the regulators
| haven't been dealing with the problem. But it's well within
| their power to do so and fix it so there is a simple dismiss
| button and the default is no cookies, if they start enforcing
| the law they have.
| FridayoLeary wrote:
| Ironically, The Guardian itself is violating the GDPR, doing
| precisely what you described. And this harms the reputation
| of the law as it gets associated with annoying and
| ineffective pop-ups.
___________________________________________________________________
(page generated 2021-08-26 23:02 UTC)