"Technical debt also happens outside the programming context, for example when builders cut corners in design". Like when you build a house with a roof line that doesn't send water away from the building!
And then folks 150 years later get to deal with that fun.
This is great, my favourite piece that you’ve written so far! One question: do you think that the good, fast, cheap model applies to the ‘enforcement’ of laws as well as the ‘making’ of laws? Would you say that the enforcement of the GDPR has been mainly cheap and fast for at least some data protection authorities, or do you have a different view?
Thank you! It's been on my mind for a while now, and it feels great to finally get these thoughts on the page.
You raise a good question. I do think that enforcement largely follows the easy, low-hanging fruit model -- which is why we see a lot of regulatory actions against simple process failures (failure to provide adequate notice, or notify regulatory authorities, failures to address data subject access requests, weak training). We see far less activity when it comes to addressing core business model decisions regarding the use of data, law enforcement/government excesses, impacts of new technologies on our rights, ADM. The Schufa II decision was the first CJEU case I've seen that actually addressed ADM, for example.
It takes time to dig into these concerns, even though they will have a greater impact on our lives. It means more resources (time, cost) expended and that's politically and/or physically challenging for most regulators with modest budgets and resources to muster. There's also an expertise gap that needs to get addressed (which I've written about in the EDPB article). https://careylening.substack.com/p/the-edpb-has-experts-at-the-ready