
> (B) any time beyond the initial 2 times described in subparagraph (A), may allow the individual to exercise such right for a reasonable fee for each request.

Paying any sum of money to receive a copy of or request to delete my private data is unreasonable in nature.



I mean, at our company, GDPR requests have to cost at least $50 a pop. It goes to a human team to review and process with a dedicated legal representative.


Not my problem. You're the one collecting the data. You pay for the costs. Can't afford to collect my data? Go out of business then.


We have to process the request regardless of whether we actually have your data or not.


Seems like you should either make the lookup automatable or stop collecting. EU citizens won't have such a fee.


>make the lookup automatable

Yes we should. But there are a few too many systems, and we add and drop systems with such regularity that it would still be a non-stop engineering challenge.

>stop collecting

For the few records we do return as part of GDPR requests, they are usually associated to customer and billing data. I don't know how you run a business without that.

> EU citizens won't have such a fee.

They do, and it's collected through higher product costs.


It's your problem until there's a law saying otherwise.


Sounds like an appropriate cost of doing business with data. If you don’t want to pay for it, collect less data.


Very fair point, and I understand the necessity of data collection in some cases. I do feel like that's a cost that's incurred voluntarily, though, and shouldn't fall on the shoulders of users/customers. Some people might not want data to be collected to begin with, so the cost ends up being your company's fault and not theirs.


But we have to process every request even if we do not find any of their data.

A majority of requests are actually this way - people use online services that submit blanket removal requests.


Yeah, that's definitely the case and I see where the hassle is, but to restate my point, those costs are simply a part of overhead and not the business of users. Unless the users are given an opt-out first and foremost, they're owed ownership over their personal data.


Again, the language of the proposed bill is requiring 2 free requests per person.

$100 for an occasional person? No biggie.

Potentially infinite? That's a bit more than normal overhead.

While we haven't seen this sort of DDoS attack through our GDPR process yet, the potential is already there if bad actors or competitors wanted to exploit it.


This is normal:

https://www.techrepublic.com/article/how-to-request-your-per...

>Although, the ICO also notes that a firm may charge a “reasonable fee” when “a request is manifestly unfounded or excessive, particularly if it is repetitive.”

Privacy requests shouldn't enable mechanisms of denial-of-service type attacks against companies.


DoS is an understandable concern, but charging for a service is probably one of the least sensible ways to prevent it. To me, it just looks like the most profitable and impeding hurdle that companies can set up to prevent users who want to access their own data. I would be frustrated if any application made me pay even a small fine because they suspect a DoS attack. For example, entering my credit card info because I've searched a phrase too much just isn't efficient.


The problem is, "reasonable" is subjective. Things like this need to be tethered to something. "The fee may not exceed 50% of the hourly federal minimum wage."


That’s just not true. “Reasonable” is a binding term used in contracts all of the time. The court system is extremely experienced in determining what is and is not reasonable.


Not always. According to lemon law lawyer Mr. Lehto (who runs a YouTube channel, Lehto's Law), RVs are not covered under most state lemon laws, and thus they default to the federal Magnuson-Moss Warranty Act, which just says repairs must be done within a reasonable time frame. The RV companies say something like 10 repairs, 6 months each, is the industry standard and thus reasonable, and judges don't have anything else to base that on, so they agree.


Leaving the fee uncapped creates an incentive for business to put zero effort into making the reporting process efficient. That way, they can demonstrate that compliance requires 5 skilled hours (for example) and "reasonably" charge $250 per report.

Courts rule on the evidence provided. If a user challenges the fee, the company can easily document where every penny went, and therefore claim it is a reasonable charge. The user's only real recourse would be to prove that company is over-billing, but that would require evidence.

Pegging the cost to a set number of labor hours by law signals to companies that part of the cost of collecting this data is they must develop their internal systems in a way that they can quickly and easily comply with requests.


"The court system is extremely experienced in determining what is and is not reasonable."

Almost always to the dismay of one party, and sometimes to the dismay of the general public.


I don’t want to have to go to court to not be extorted over my data.


Much like passing a bill to find out what's in it, going to court to discover the rules is not a healthy way for society to run.


Going to court to discover the rules is precisely how common law systems work.


From a FOIA perspective, the courts and government agencies aren't great at "reasonable".


It's certainly experienced in making stuff up.


Yes, what's reasonable to a company may not be reasonable to a consumer. I.e., a company can create a process that uses 10 man-hours, and my cheapest labor with overhead is $50/hr, but we can find countless CNBC articles that say the average consumer can't afford a $500 expense.


GDPR is filled with "reasonableness" expectations and unspecified guidelines that aren't tethered to anything. Why the concern over this one specifically?


This one, I dunno.

But in general, EU/EC law is full of policy that gets interpreted as human judgement calls, and US law is full of details that are interpreted as badly-written code with a choice of parsers. The two styles are not compatible.


EU laws can often be written in such a way and are a bit looser in their language in ways when compared to how it may be written in the US. EU courts are more experienced with dealing with interpretations of "reasonableness" for a given law when compared to the US, so it's not really a fair comparison.


Yes, because a 99-section, 11-chapter law is really easy for small companies to follow…


I agree privacy requests shouldn't enable mechanisms of denial-of-service type attacks against companies. But I don't think that justifies allowing companies to put in place fees to access personal data.

If Cloudflare required people to pay to bypass their denial-of-service protections... well, I guess I don't know what would happen, other than that I would hate them even more than I already do for all the terrible things they do to my experience as a default Tor Browser user.


> Privacy requests shouldn't enable mechanisms of denial-of-service type attacks against companies.

How would this even happen? I genuinely don't understand what you mean.


Users don't like a company, they automatically spam the company with large numbers of requests for personal information which they would legally be required to provide.


Guess they'd better figure out how to get people their data in a more rapid manner. I guess they could use a computer or something to automate it so that users can just click a button to download their data.

I mean, what year is this? We've been hearing "automate it, automate it, etc" for years and years now. But to get your personal data, these companies just throw up their hands and say that it's too hard?


I couldn't agree more. Even if it does require a person to do something that isn't automated, they should be required to have people on staff whose first priority is responding to these requests. It seems ridiculous to me that people are claiming this is just too hard for a company so they should get to profit off of it.

It's our data, dammit!


>that people are claiming this is just too hard for a company so they should get to profit off of it.

Completely disingenuous argument. Literally nobody claimed that.

By the same token of strawmanning, you're claiming that businesses should do nothing but hire people to send your data back to you. Why even have businesses if that's the only thing you think they should do?

If you're so invested in "your data, dammit", then don't give it to them in the first place.


When we implemented CCPA lookups, one of the many necessary lookups was through a decade of glacier'd request logs (necessary to hold onto for compliance).

Even ignoring implementation cost, there was a significant computational cost that's pretty hard to avoid.


Does the same logic apply to FOIA requests?


Most FOIA requests involve a small fee as well for the same reason.

https://www.hhs.gov/foia/faqs/what-is-the-cost-for-getting-r...


And those fees have been infamously exploited to functionally deny access to material or financially harm the requester. Perfectly illustrating why charging fees for these things is such a bad idea.


For our company, all privacy requests are handled manually by a team I am on. We manually do name searches in about a dozen platforms to see if there are any matching records.

4/5 times there aren't any - people doing the requests often use services that submit blanket requests.


When GDPR was new, several people sent "nightmare letters", deliberately and publicly designed to cause as much cost and hassle as possible. To my knowledge, no one was punished or even inconvenienced for blatantly abusing the law in this way.

https://duckduckgo.com/?q=gdpr+nightmare+letters


The "nightmare GDPR letter" is trivial to deal with: https://jacquesmattheij.com/so-your-start-up-receive-the-nig...


Maybe they should automate the requests then. There's zero reason why they couldn't just write something where you log into your account and click "download my data."

These companies are happy to harvest up all your data, run all this crazy automation, spend millions analyzing algorithms, setting up machine learning, NFTs, run datacenters, networks, etc etc, but they can't figure out how to automate GDPR requests? FUCKING BULLSHIT.

There is literally zero reason why a data request should add any burden to a tech company.


I wonder if, when a company can be DoS'd via privacy requests, maybe they are collecting more data than they can effectively handle, and that should be re-examined.


So you could have something like each person is allowed two free data requests per year, after that you can charge for it, or something like that.


Strong disagree. There are already other options for malicious actors, most notably the Americans with Disabilities Act.
