As someone who works with personal data in the EU and worries about our government’s handling of personal data, I tend to worry that the GDPR, being draconian in its fees, doesn’t protect enough.
I’m implementing a system where our client may get huge fines if we don’t delete the customers’ names and addresses in a timely fashion. OK, fair enough.
But at the same time, the government wishes to unify all registrations, medical diagnoses, criminal convictions, school reports etc. concerning families and give them “scores” (story in Danish) so that a mental health diagnosis may be 3,000 points, a missed dentist’s appointment 50 points, etc., “in order to spot troubled children”. They wish, as I said, to collect this information for each and every family with children in the country.
If they can do that within the GDPR, then fuck the GDPR.
Interestingly, Richard Stallman had a piece in the Guardian yesterday where he offers an interesting solution: Regulate data collection so that no system may collect more data than it needs to perform its basic function:
"We can take the London trains and buses as a case for study.
The Transport for London digital payment card system centrally records the trips any given Oyster or bank card has paid for. When a passenger feeds the card digitally, the system associates the card with the passenger’s identity. This adds up to complete surveillance.
I expect the transport system can justify this practice under the GDPR’s rules. My proposal, by contrast, would require the system to stop tracking who goes where. The card’s basic function is to pay for transport. That can be done without centralising that data, so the transport system would have to stop doing so. When it accepts digital payments, it should do so through an anonymous payment system."
This solution would probably kill off Google and Facebook. But then, honestly, so be it. As always when it comes to these things, RMS is right.