If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely. The rest of my data is no different. I own my data and the data about me, not them.

GDPR gives users the controls and governance over their data that should have always existed, but that tech companies gaslighted users into believing doesn’t exist.

This is where it becomes murky for me.

If you send me that photo via email, should you subsequently be able to revoke my access to that photo. If so, by what means?

If you used a closed messaging system (say Facebook's messaging system, or Apple's Messages), should you be able to revoke access?

If you follow the argument a hop, skip and a jump away, what happens if I submit a photo to a publication and they run it on their website? Can I revoke access? What if that publication has published that photo in a physical form?

ie, where is the line where a reasonable person should expect that the data they have willingly shared/published has slipped beyond their control?

All other rights are reserved. Would it change the dynamic to be able to revoke access to assets in a private messaging system? For sure. But copyright law (at least in the US) supports this right of the copyright owner. The inability to revoke access is a failing of the tool or the product, not the law.

> The inability to revoke access is a failing of the tool or the product, not the law.

Does the law need to change? Or (in the case of email) is it fine as is because the reasonable person realizes that once you hit 'send', the content is out of your control?

I'm sorry, but it's not. Full stop.

> If I share a photo, it’s still my photo, I still own the copyright to it, and as an American I’ve used the DMCA to revoke access to photos when tech companies wouldn’t remove my photo when asked politely.

I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.

> The rest of my data is no different.

Exactly, you have no control over it.

> I own my data and the data about me, not them.

No, you don't _own_ your data.

> GDPR gives users the controls and governance over their data that should have always existed

No, on all accounts. There is no reason at all that you need to delete accounts or force anyone to delete any information about you. That's all just silly.

> but that tech companies gaslighted users into believing doesn’t exist

That's also silly. If you don't control something, you don't control it. Full stop. I don't understand why you don't understand that.

On the one hand, the other guy is legally correct - gdpr's purpose is to legally give individuals control over data about them (pictures they upload, addresses they input, whatever). That control is responsible on a site to site basis - if a person's naked picture is leaked online, every single IP address that hosts it must take it down if requested, or violate gdpr.

You're making a functional argument - if a person's nudies are leaked online, they don't functionally have control over that data. Morals and laws be damned, that picture is staying on the internet.

You can both disagree about the morality of this but simply restating both of your points with more "full stops" is pointless. If you're both really having trouble understanding each other's positions, step back and try to defend the opponent's decision.

Which is my point. You no longer retain any control over it. A law saying you have control over it is silly, because it's worse than worthless: it makes me think I have control over something I don't have control over.

Laws cannot magically manufacture things which cannot ever be created.

Moreover, the gdpr doesn't prevent any of the problems that have caused data breaches in the past. The way that Target and Equifax (both of which could easily claim the data they had was essential to their business: Target with credit cards and Equifax being used by banks to coordinate information) are both equally likely under the gdpr and both equally unpublishable.

As for Facebook and Cambridge Analytica, how would this have been prevented? Facebook can just ask you to opt in to their usage of your info to use their service. Facebook can share information with other entities that claim to be gdpr compliant. Other entity then shares information with other people outside of Facebook's control.

I just don't see how the gdpr changes a fundamental fact: you no longer control something someone else has. Laws cannot change that. Laws can give you recourse, but they cannot change it. I actually believe that it's dangerous to believe that I have control over things I don't: it's a false sense of security.

Also there's the fact that companies can end up sharing data to other parties, or a company can be acquired and change their mind about what the data will be used for (which is allowed because of the originally nebulous scope of their T&C which was specifically designed to allow for expansion without asking for user consent explicitly when usage changes). GDPR provides methods for users to be protected in both of those cases -- while just enforcing education does not.

Not to mention that if education was mandatory, then the same companies complaining about GDPR today would be complaining about educating users how their services abuse their dignity. Cutting Google/Amazon/Facebook/etc slack for making hundreds of billions from users' personal data and creating "Big Brother"-esque profiling systems for their billions of users doesn't really seem rational to me.

If I owned a site I would not have a problem to delete someone's personal data.

Also your sugguestion is that if you want to keep your data protected then you should not be using anything on the Internet or make any deals because once you have ordered something on Amazon it can sell your data to everyone else? Or when you rent an apartment, realty agency should be allowed to share your name, SSN, bank card number and address with everyone? No, I don't think it should be this way.

If I find the person that owns the server hosting my data, and I put a gun to his head, and I say, "remove my data," do I now control that data?

What if I instead pay someone else to go around putting guns to the heads of server owners? If I build an army?

What if instead of that I communitize my resources into a legal system that doesn't put guns to people's heads, but will take their money away and put them in jail if they don't follow the laws?

Don't get me wrong, I'm with you in the hacker-culture sense: fuck the system, man, if Google wanted to it could probably blackmail individual US government officials to the point that it took the country over. I get that. I guess we can get deep into a political science debate about governments and social contracts.

Put it this way: Is your sense that you can walk to work without getting mugged a false sense of security? If not, the only alternative is homesteads with militias (not walking to work anymore), or, arming entire populations (putting the burden of self-defense on the people). In the past, this has been tried, and led to gang rule.

If we "give up" on legal systems, we have ample evidence for what happens. When you apply those lessons to the digital space, maybe it's not 1:1, I guess some countries will be learning that for us, while others will try things like GDPR.

It's all a journey for human civilization. People like you that promote self-defense are great because we get amazing government-agnostic tools out of the deal. People that support GDPR are also great because we can test out "social contract" methods.

What's wrong with dancing around both sides of the aisle?

The gdpr makes people think that they don't need to think about what they share and with whom. Do you really think companies are going to significantly change just because of this? I highly doubt it. Sure there will be some things, but in the end many of the same patterns and uses will emerge.

You keep writing as if everyone has a meaningful choice about who gets data about them, but clearly that is not always the case. Someone may obtain data about someone else from a third party, and you can't avoid sharing a certain amount of data and still function as a normal member of society.

The idea of absolute, black-and-white privacy, where either you share personal information or you keep something completely to yourself, isn't very useful in the modern world. Our conventions must be more nuanced than that, and in practice that means what really matters is who gets access to data about you and what they're using it for.

That means basically don't share them with anyone, don't sign any contracts, don't work and live in the street. Because even your employer or real estate agent can sell them to anyone else in your model.

Aside from the "nuh uh; uh huh" nature of this exchange, I really don't understand what your position.

> I didn't say you don't own the photo, I said you don't have control over it. Those are two very different things.

I'm not sure what youre definition of "control" is, but based upon the arguments you've made about "control" above, I assume you mean it in some absolute sense.

Ownership definitely implies control. He can use DMCA to compel a third party to stop publishing his photo, for example. How is that not "control"?

Your definition of control seems to be somehow about capability or power, rather than normative ethics or legal right. Which is a rather absurd way of talking about this issue.

In that sense of control, I don't even control my own body. Someone who is stronger than me can hurt me; can rape me; can even kill me. I have no control.

Of course, for normative reasons, we make laws against other people controlling me in certain ways even though they have the power to do so.

Data privacy is no different. The discussion is not about what degree of control a party is physically capable of exerting. The discussion is about what degree of control the government should grant to each party.

The fact that someone somewhere is capable of hoarding my data, does not imply that this outcome is just or optimal. Your position is a textbook example of the naturalistic fallacy.

I actually cannot think of a single instance where someone has "control" over something and the law exists purely as a way of exercising that control, and I can think of hundreds of examples where laws exist to stop people from doing things they may be physically capable of doing but would produce a negative effect on society if permitted. Maybe there is such an example, but it'd be an outlier.

If anything, the anomaly here is that inappropriately using or sharing personal data about someone is in most cases still only a regulatory or at most civil matter and not a criminal offence. Obviously such an act can potentially cause far more harm to that individual than many physical acts of violence that do carry jail time.

Actually, this isn't true, for the purposes of this analogy.

You can only lock up people who are in your country and under the control of your legal system. If your ex flees to Russia and sends out these photos from there, good luck prosecuting them and putting them in jail.

This is the internet we're talking about. An EU law doesn't apply outside the EU, in places like Russia, the US, China, and many other locales. What's the EU going to do when sites in those other countries refuse to take down pictures based on this EU law?

What are you actually trying to say here?

This is similar to some other laws, you can be as slanderous as you want to someone in private but if that slander makes publication then you open yourself up to a lawsuit. You may own copyrights to the image you take of someone in public, but you cannot use their image in your merchandise despite owning the copyright to that image. If someone is doxed in an email, and the email hosting provider used is compromised and has their emails linked to the public, the person who was doxed has just as much right to request that the publicly available emails be removed from search engines, etc.

https://en.wikipedia.org/wiki/Personally_identifiable_inform...

It requires the entity to give you the ability to delete your personal data, which means a contract where you grant a service a permanent and irrevocable right to data about you in exchange for a service is illegal.

It also requires the entity to provide an equivalent service to any site visitor that chooses to not grant their data to the entity, thus making the business model of trading even revocable access to one's data for a service unviable in the long run.

It makes it illegal to offer a service in exchange for data that is stored without end-user retrievability. Therefore, it makes a contract where you grant a service irretrievable data about you in exchange for a service is illegal.

All of these reduce the range of possible voluntary interactions. It's anti consent.

And it is bonkers to imply that something that requires you to actually get affirmative consent from the user is "anti consent". You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.

>>You know what's really anti consent? 10 page TOS listings written in 10pt font that hide what's actually being done with data deep inside.

I agree that it is anti-consent. I don't have a problem with laws requiring more legible consent forms.

My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored.

No, you didn't. You gave a list of one-sided transactions where the user has no freedom or really consent at all in the matter.

"My problem is the many limitations on the range of voluntary interactions that two parties can enter into that are found in the GDPR, a few of which I listed, and which you totally ignored."

No, you didn't. All you did was post a list of "transactions" where the company has all the say, and the user really has no input whatsoever. No one is going to miss those transactions.

If you truly, honestly are concerned with "consent", then you should be applauding this law, as it does require actual, informed, affirmative consent. Not the "Here's a great wall of text, agree to give us every little bit of data with no recourse whatsoever for you or don't get any access to the service at all" form of "consent".

I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".

I have difficulty responding to such an immature mischaracterization of what I listed.

I listed a set of contractual arrangements that are now illegal. All of them could be entered into completely consensually, and cannot be reduced to being categorically one sided, given we don't know what the value of the service the user gets in exchange for their personal data will be in every instance that said contract is used.

You're infantilizing people when you claim they're not capable of consenting to the sale of their personal data. In fact, no court of law would ever agree with you that these contracts are non-consensual ipso facto what the user offers, which is why the only way these kinds of contracts could be categorically disqualified is to circumvent the courts' purview of establishing consent, by resorting to statutory interventions like GDPR.

And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.

What you're doing is absolutely reckless.

>>I'm sorry, but I cannot take seriously the idea that "if you can't sell yourself into slavery, you aren't free".

Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.

Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.

And in that set, you predicated that the user could not revoke consent. That means that it is not a free contract.

>And you're vastly over-simplifying the world, and overestimating your understanding of it, when you claim that such contracts could never be in the interest of the user.

A contract in which one can not revoke consent is a contract in which one can never truly give consent. If I am unable to revoke my consent, then it can never be in the interest of the user, because my interest may change in the future.

>What you're doing is absolutely reckless.

No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.

>Selling your personal data to someone is not slavery. Slavery is a permanent condition, affecting your future self.

Which is what you're pushing for. You don't want me to be able to withdraw consent later, thus my selling of data WILL affect my future self.

>Personal data sold at one point in time only covers the data generated to that point in time, and does not forfeit data that is generated by your future self.

It still affects your future self.

Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent! You should be ecstatic that you will now be able to exercise greater freedom than you could before. You will have that most basic of freedom to evaluate whether or not something is still in your interest, and if it's not, withdraw, without the other party still benefiting off of your information.

No I didn't. I said that these contracts enable the user to sell their personal data. If a personal data sales contract includes a clause allowing you to 'revoke consent' AFTER 'selling' your data, then you are renting your data, not selling it.

By making contracts without such clauses illegal, you are reducing the space of contractual interaction, in making it impossible to sell one's personal data.

>>That means that it is not a free contract.

Again, I have difficulty responding to such immature mischaracterizations of reality.

Selling your personal data is a 100% "free contract".

>>No, what was absolutely reckless was the attitude of this industry that they should be entitled to suck up every last piece of data they could.

You obviously don't care to debate this issue based on rational arguments and facts. You're debating in bad faith. You've already made up your mind and are more than willing to mischaracterize the situation, and people's position, to push your views.

>>It still affects your future self.

Everything you do affects your future self, but this particular type of sale does not cover data genereted by your future self. It only covers what you have already generated.

It's absurd and totally dishonest to compare it to selling oneself into slavery. It's nothing more than hysterical fearmongering about the free market, in support of government limiting people's contractual rights.

>>Once again, you have twisted this idea of "freedom" so badly, that you are claiming that it is anti-freedom for the user to have the freedom to withdraw consent!

You're once again mischaracterizing the ability to re-voke a sale, after the fact, as "withdraw consent".

When you sell something to someone, you no longer have a claim to that something, and thus the other party no longer needs your consent to maintain ownership of it.

That I really need to explain the semantics of ownership to you, and explain how allowing retroactive and unilateral reversals of sales makes it impossible to sell something, shows just how completely delusional and dishonest you're being.

All the changes are to "consent", which is the naive consent of clicking "I accept".

You can still do anything with a proper, considered, contract.

I don't see why the new rules couldn't have been limited to those of this sort, which ensure that users are providing considered agreement.

At the very least, my original statement was overly broad.

So if I investigate you, take your picture, etc. have I stolen from you?

I actually hadn't considered it before, but I imagine that being a PI in e.g. Germany must be a veritable legal minefield.

Why do we protect any rights by law? Usually it's because some harm is likely if the right is not protected and the potential victim cannot effectively protect themselves due to some imbalance of power.

Reasonable people can debate how far privacy rights should be protected and where the balance lies between protecting the data subject and allowing data processors to do useful things. Maybe the GDPR doesn't strike the ideal balance here and favours one side too much at the expense of the other.

However, it makes no more sense to argue that someone can't have any legal control over how personal data concerning them is processed than to argue that, for example, someone can't have any legal control over whether their physical property remains in their possession. Many social conventions have proven to be useful, and we codify them in laws so that everyone can see what is considered acceptable behaviour and so that people who try to undermine those norms for their own benefit at the expense of others can be dealt with.

No, it's more like making it a crime to break or lose something lent to you. At most it's a civil matter handling damages, not an extension of control over the item lent (baring any contractual agreement).

Put another way, how is protection of privacy by restricting what someone may lawfully do with personal data any different to protection of physical property by restricting when someone may lawfully use or remove it? Typically you can't physically stop someone from sending your email address to someone else once they have that information, but then typically you also can't physically stop someone from stealing your TV while you're out once they have a big sledgehammer and access to your front window.

I think most of us would still say that we have legal control over our possessions, and most of us would still say that theft is unacceptable behaviour and should be punished. In Europe, where perhaps we tend to have stronger feelings about privacy than in some parts of the world, a lot of people similarly feel that they should have the ability to restrict how data about them is being used and shared, and that some things that some organisations have been doing until now are unacceptable behaviour and should be punished if they continue to do them.

"To have legal control over your PII" and "To have legal control over your possessions" are similar in nature. The fact that such purposes are implemented in different ways, for mostly technical reasons, does not diminish the argument.

The main technical reason is that, right now, loss of control over PII is widespread, and individually processing each claim would likely overload the judicial system of EU countries which usually don't have class action lawsuits. GDPR simulates a class action lawsuit using regulatory bodies, to be triggered by refusal to comply with a significant number GDPR requests.

GDPR attempts to fix that.

(not perfect control, but that is the same in every area where law is broken, e.g., there are burglars, but still I think you would consider being in control of your personal belongings, and nobody would argue that we should stop prosecuting burglary because many burglars will always get away with it)