3 Comments

Thank you for the thoughtful and thought-provoking post. I am fully on board with simplicity and clarity. I don't remember much from my days at university in Switzerland but one thing is Eugen Huber's laudable goal to make the Swiss civil code a book that everyone can consult at home and understand. There shouldn't be any lawyers required. And look at the Swiss Data Protection Act. Not perfect, but 32 pages (https://www.fedlex.admin.ch/eli/cc/2022/491/en) and structured and printed (if you use the PDF) in a way that you can actually read the thing and find relevant clauses (hello, US lawmakers!). The ICO faces a lot of criticism, but three cheers to their focus on plain and simple language in their guidance (hello, EDPB!).

I am less on board with trying to be prescriptive and consistent. I think a good law should be risk-, outcome- and principle-based. Should the small dental practice around the corner face the same DPO, DPIA, ROPA etc. requirements as Microsoft? I am also not sure if we necessarily need better laws; more important to me is that regulators collaborate better on consistent and helpful guidance that solicits input from all the stakeholders before publication (EDPB could learn from the ICO and FTC on this aspect). Many more thoughts but so little time :) Thanks again.


I totally get compliance obligations and how they disproportionately affect SMEs compared to the big boys. I think what I'm talking about more is the idea that the law itself should at least _apply_ to everyone, even if an organization may not have to jump through X, Y, Z hoops.

In the US, this isn't the case. The laws themselves (CCPA, for example) simply don't apply to entities below a certain threshold. So if you're at 99,999 California Consumers, you can basically... do whatever with their data. That's nuts.

The GDPR's approach of thresholds for certain compliance-specific obligations (like a DPO/mandatory ROPA/DPIAs) makes more sense, and I'm less bothered by that. But it's not as if storing 50,000 users' sensitive information on an open server is any less bad, and the law should reflect that.


Fully agree on the rather crude thresholds in US state privacy laws and that at least the principles should apply to all.
