undefined | Better HN

0 pointsrepolfx7y ago0 comments

Hah, no. I guess you haven't dealt much with regulators in the past.

Regulators can never be held to anything they say. When you ask questions, if they answer at all, it always comes with a disclaimer that it's merely "guidance" and not binding. If they later change their mind, it's always a "clarification" and not a change.

The sort of people who think vague regulations are a good idea are the sort of people who think regulators are staffed by people who are inherently good, so they're usually written to give regulators maximum power and minimum accountability. GDPR is a case in point. If you read the EU's documents on the matter closely, and I have, then you find that the EU refuses to even respond to questions at all. That's delegated to national regulators, but the EU is clear that those regulators don't have the power to issue binding declarations, only guidance. In other words, you can ask a regulator or a lawyer. Their opinion has no more or less weight than my own posts do. The only time binding decisions are made is during enforcement actions.

0 comments

gcthomas7y ago

The EU HASN'T delegated everything to local regulators. Have you not come across the Article 29 Working Party, which is dedicated to standardising GDPR interpretations across the EU?

repolfxOP7y ago

Yes, here's the latest guidance I'm referring to:

https://ec.europa.eu/commission/sites/beta-political/files/d...

The successor of the working party is a new body called the "European Data Protection Board" (or sometimes supervisor). It will issue binding decisions but only on the matter of cross-border transfer disputes, not any other aspect of the new rules:

> The European Data Protection Board will not only issue guidelines on how to interpret core concepts of the Regulation but will also be called on to issue binding decisions on disputes regarding cross-border processing.

So the EU will issue "guidance", but so will local regulators, however, it's ultimately the EU itself via the ECJ that decides what the law actually means in the end:

> It is important to recall that, where questions regarding the interpretation and application of the Regulation arise, it will be for courts at national and EU level to provide the final interpretation of the Regulation

That is, if the EDPB or a local regulator states that something is legal, that doesn't stop them later taking you to court over it and winning because ultimately their own advice is not legally binding (except, perhaps, in the cross-border case which is a special exception for some reason).

> The data protection authorities are the natural interlocutors and first point of contact for the general public, businesses and public administrations for questions regarding the Regulation. The data protection authorities' role includes informing controllers and processors of their obligations and raising the general public’s awareness and understanding of the risks, rules, safeguards and rights in relation to data processing.

In other words local regulators are now essentially advocacy organisations that will be the first point of contact, but have no special powers to actually specify what is or is not allowed.

j / k navigate · click thread line to collapse