The Python Software Foundation on European cybersecurity

Posted Apr 24, 2023 11:14 UTC (Mon) by Vipketsh (guest, #134480)
In reply to: The Python Software Foundation on European cybersecurity by edeloget
Parent article: The Python Software Foundation on European cybersecurity

>> 1, That GDPR thing people signed contained a little more than they thought

> That should ne be the case. All the various uses of your PII should be stated in a clear and understable language.

We are talking politics here and in politics there is always lots of money and legal expertise on how to screw your opponent over any sliver of wrongdoing. Yet despite the high-profile scandal, *nothing happened* and because of the political angle I can only presume because there was no case. Tell me all legal theory you want but the fact remains that quarter to half a country's worth of people had their data used in a way they did not want and the GDPR did nothing to prevent it. This is a failure however I try to look at it.

>> 2, The "data controller" turned out to be some foreign entity on the other side of the EU

> This is not relevant. The data controller must follow the rules, whereever it is, as long as it is handling PII from European citizens.

In theory maybe not, in practice it very much is. If you believe they are doing something wrong, your first point of contact to even try to figure out what it is, is the entity itself. You may complain to your local authorities but they won't do anything without any evidence (they definitely don't have the capacity to investigate everyone's feelings) -- and one place to even try to get it is that entity you can't communicate with.

The Python Software Foundation on European cybersecurity

Posted Apr 24, 2023 14:47 UTC (Mon) by edeloget (subscriber, #88392) [Link]

>In theory maybe not, in practice it very much is. If you believe they are doing something wrong, your first point of contact to even try to figure out what it is, is the entity itself. You may complain to your local authorities but they won't do anything without any evidence (they definitely don't have the capacity to investigate everyone's feelings) -- and one place to even try to get it is that entity you can't communicate with.

I think you lack some important knowledge about how the GDPR works and how it's enforced by local authorities. The procedure is only two steps:

1/ send a letter stating the issue at hand to the data controller; most national authorities will provide you templates and/or tools to adapt the template to your needs.

2/ if you do not receive any answer after the legal delay (1 month IIRC) you can mandate your local national authority to handle the issue. Of course, it won't be as fast as you want it to be. The point is: if it's difficult or near impossible to discuss with the data controller, they are the ones who are at risk.

Of course, you can have your own grudge against the GDPR. But maybe you can test the procedure before telling the world that it does not work. See https://www.enforcementtracker.com/ for further references.