> Instead of being simple and straightforward to implement,
I am not sure I can fully follow you here.
If implementers accepted that they only collect what is absolutely necessary and they delete what the they are not legally requited to keep things would be much easier.
Problems start when the business model is that customers'/users' data is our product/an asset and we somehow try the find the minimum possible implementation that just meets the requirements of the law while still using all loopholes it might possibly leave.
I agree that the law is not very clear for how you should code it. Nor very detailed what you can do with a certain piece of data. So it depends on your approach: If you take a conservative approach that if in doubt, we don't keep the data it suddenly gets much clearer. If you start fiddling maybe I could still do it if we did it like this and that you end up in endless work.
And of course if you have an existing system that never had the requirement of deleting anything there is a lot of work. But the law has been in force for 2 years, so businesses that wake up now when the transition period has ended it can be a mess.
>Laws designed that way almost never actually accomplish what they set out to do.
How would you have written the law? Do you have counter-examples of laws being written so clearly that you could recommend them?
The key point really is: Many business models and practices on the internet are incompatible with the spirit of GDPR. It's a fundamental right that the users own their data and businesses are not allowed to do with it whatever they want.
Lawmakers did not want it write it that so clearly, because lobbyists would not have accepted it. And business owners still don't want to accept any suich fundamental right. So complaining about the law being too complicated is somewhat canting.
I am not sure I can fully follow you here.
If implementers accepted that they only collect what is absolutely necessary and they delete what the they are not legally requited to keep things would be much easier.
Problems start when the business model is that customers'/users' data is our product/an asset and we somehow try the find the minimum possible implementation that just meets the requirements of the law while still using all loopholes it might possibly leave.
I agree that the law is not very clear for how you should code it. Nor very detailed what you can do with a certain piece of data. So it depends on your approach: If you take a conservative approach that if in doubt, we don't keep the data it suddenly gets much clearer. If you start fiddling maybe I could still do it if we did it like this and that you end up in endless work.
And of course if you have an existing system that never had the requirement of deleting anything there is a lot of work. But the law has been in force for 2 years, so businesses that wake up now when the transition period has ended it can be a mess.
>Laws designed that way almost never actually accomplish what they set out to do.
How would you have written the law? Do you have counter-examples of laws being written so clearly that you could recommend them?
The key point really is: Many business models and practices on the internet are incompatible with the spirit of GDPR. It's a fundamental right that the users own their data and businesses are not allowed to do with it whatever they want.
Lawmakers did not want it write it that so clearly, because lobbyists would not have accepted it. And business owners still don't want to accept any suich fundamental right. So complaining about the law being too complicated is somewhat canting.