this post was submitted on 26 Jul 2023
2140 points (98.5% liked)
Technology
59581 readers
4728 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You obviously have not read article 77. This article entitles individuals to report GDPR violations to a DPA for enforcement. Article 77 does not distinguish violations against an individual (which I suppose is what you mean by “personal enforcement”) and violations against many. Some of the violations I have reported can only be construed as violations against the general public. E.g. an org fails to designate a DPO.
The problem is there is nothing to enforce article 77 itself. When a DPA neglects to act on an article 77 report, there is no recourse. There is only a provision that allows lawsuits against the GDPR violators. But then when someone did that, and then claimed legal costs, an Italian court decided for everyone in a precedence-setting case that legal costs are not recoverable. Which essentially neuters the court action remedy. So we have an unenforced article 77 and a costly & impractical direct action option.
It’s not even doing that much, in some cases. The report has to get past the front desk secretary and be submitted into the litigation chamber before it’s even considered as something that would indicate a trend. If it doesn’t get past the secretary it does nothing whatsoever. Some of my reports were flippantly rejected by a pre-screening secretary for bogus reasons (e.g. “your complaint is ‘contractual in nature’” when in fact there is no contractual agreement, apart from the fact that the existence of a contract does not nullify the GDPR anyway).
So you’re only seeing the commercial response. Gov agencies & NGOs are also subject to the GDPR, which is where you see the most recklessness (likely due to the lack of penalty). On the commercial side banks also don’t give much of a shit about the GDPR because when they violate it there’s a shit ton of banking regs they point to and the DPAs are afraid to act against banks because of the messy entanglement of AML/KYC laws that essentially push #banks to violate the GDPR.
Indeed I’ve browsed through the enforcement tracker. It’s a good prop for making the public believe that the #GDPR is being well enforced. They are cherry-picking cases to enforce to convince the public that something is being done, but people who actually submit reports know better. We see the reports that are clearly going unenforced.
I have had article 15 access requests denied which I then reported to the DPA, who opened a case but just sat on it. For years, so far.
(edit) By the way, I suggest you leave Lemmy·world for a different instance. If you care about privacy at all, you don’t use Cloudflare nodes. I cannot even see the msg I wrote (which you replied to) because #lemmyWorld blocks me (which I give some detail here: https://lemmy.dbzer0.com/post/1435972). I had to reply to you based purely on your msg without context.