
Do you do your own structural engineering or do you pay someone to do it who is qualified to do so in the EU? Structural engineering compliance is a medieval guild of experts, is it not?

Do you practice your own medicine in the EU or do you pay someone to do it? Medical compliance is a medieval guild of experts, is it not?



What you are doing is a classic straw man argument. I'm not disputing that plumbers, doctors etc. should be aware of their professional regulations. However, certain regulations aren't job-specific and work like a tax, e.g. if you look at notary costs related to registration of a business in Germany. Regulations like GDPR apply to the business environment in general and they have to be designed so that the costs of compliance and risks of non-compliance are minimized. They are supposed to be followed by non-professionals, because privacy is not the job of the DPO; it's everyone's concern. What you fail to understand in my comments is that part. I'm not disputing the usefulness of GDPR. I'm saying that rather than strangling businesses with high compliance costs and complaining that everyone is choosing to show a cookie banner instead of not tracking, we should look at how to avoid this nonsense. As a matter of fact, non-compliance is rife; people do cut corners and take the risk, because DPAs cannot catch or punish everyone. GDPR is suppressing the most egregious behavior, but it is certainly not working as expected. It needs some careful reform.


> However certain regulations aren’t job-specific and work like tax, e.g. if you look at notary costs related to registration of business in Germany.

This is not that. You're making it sound like every business has to jump through all of these hoops as a matter of doing business. You know how to not be bound by GDPR? Don't bother storing sketchy cookie data or PII. The plumber in your example could just… not do that and not have to worry about compliance. It's only by choosing to store that data that the plumber opts to be bound by the regulation. It's not a requirement for them to operate. If the business feels like they need to store the nuclear waste, then I need to know that they are storing it properly. They could just not take in and store the nuclear waste and then there's no compliance burden. 9 times out of 10 they don't need it to transact their business anyway, and the tenth business probably only exists because of the sketchy data.

In the end we have arrived at the same conclusion: probably the regulation itself, the baby, has some dirty bath water. Any regulatory framework of any significant complexity does, especially a landmark regulation that is the first of its kind in scope anywhere in the world. So we should not toss both out. We should try to get rid of just the bath water.

With the above said, the plumber is not absolved here. Why did they need to store my PII again? I very much value the fact that they have to think about and answer that question. So whatever improvement comes should just streamline that process and not get rid of it.


Can you please read my comments in this thread in full and not just pick some parts of them?

I already explained that most businesses are not experts in privacy and usually become non-compliant accidentally, without malicious intent. If a plumber goes to some advertisement platform to promote their services online, they are not making a fully informed decision with regard to privacy implications. They buy promises of lower CACs. They do not buy the storage of PII, nor do they fully understand that targeted advertisement involves storage and processing of PII. And regulation requires them to either fully understand the process or spend money on an external consultant. That's stupid: GDPR moved the responsibility to protect human rights from those who aggregate a lot of data to the little guy. What really should have been done is a requirement for MarTech to support "Do not track" at the protocol level and risk being fined or banned from the EU. It does not make sense to ask users again and again on different websites if they are ok with tracking by FancyMarTech LLC, when those users already gave the answer somewhere.

It's just one example. And then there's the case of storing PII in a Google Spreadsheet: everyone does that. Nobody mentions that in their privacy policy, even if a DPO is involved. And probably they should not. Regulation should also consider the public risk. If one of those millions of spreadsheets with a hundred names is leaked, let's fine the owner, sure. But let's not make a big compliance process for every owner of those millions of spreadsheets. Let's say: Dear Google, if you want to work in the EU, you cannot share the data of EU users with the NSA or anyone. Keep it safe. Figure this out, we don't care how. We really should put 99% of the compliance burden on processors and spare controllers.


Thanks for sharing some in depth examples. Why is the marketing firm/platform not on the hook for noncompliance in your first example? That’s kind of where the metaphor falls apart for the doctor and structural engineer examples, because in this case if you were found to be liable the responsibility would actually fall on the doctor/structural engineer. Like if I hire a structural engineer and they build a thing that fails, they’re ultimately on the hook for it, not me. Why is it not the same here?

Your Google spreadsheets example is not, in my opinion, a good example of GDPR failure. I genuinely believe if people are dumb enough to keep PII in spreadsheets they deserve to be fined out the ass. “Everyone is doing it” is a poor justification for such risky behavior. The plumber in your example would never use the wrong pipe fittings or make dumb mistakes like that in their line of work. And if they did, they would understand that they would be on the hook for that. Why should they be absolved of responsibility in some other line of work simply because “everyone does it this way”?

Your example reminds me of HVAC technicians in the States who vent refrigerant into the atmosphere. “Everyone” does it because it’s way easier and more convenient to just do it and ignore the regulations, but the long term consequences for the environment are horrific. I’m sure if I asked those HVAC technicians they also would describe the regulations that they don’t want to abide by as onerous and not necessary.


>Why is the marketing firm/platform not on the hook for noncompliance in your first example?

Because they act in good faith and expect that consent is collected before their script is executed. This is usually written in their ToS, e.g. see Google Analytics. Google expects that you maintain compliance and if, because of your failure to stay compliant, they collect PII without consent, you are liable for the damages. See what happens? Every small business that wants to know something about the visitors of their website is now on the hook. They are expected to understand GDPR, to understand the legal details of Google's ToS etc. Since you cannot avoid having a digital presence today, this looks pretty much like a compliance tax.

>I genuinely believe if people are dumb enough to keep PII in spreadsheets

You are speaking about the majority of the population of this planet now. Everyone has, at least once in their life, prepared a list of contacts to send wedding invitations, a list of customers for a freelance job, etc. People are not dumb. They just keep doing what they were always doing: having a sheet with a list of contacts. And honestly, they should continue, because why not? Why should we put significantly more thought into this simple task? Yes, the tools have changed and we now have implicit privacy and security risks associated with them. We should fix the tools and assign liability properly.
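The comment above describes the mechanism the marketing platform relies on: the site owner must collect consent before the vendor's script ever executes. The following is an added example, not code from this thread or from any vendor such as Google, showing one way a site can gate a third-party script that way in the browser. The names here (the `consent` storage record and its `analytics`/`ts` fields, `trackerDecision`, the 180-day re-consent window, the tracker URL) are the example's own assumptions. It also honours the browser-level opt-out signals raised earlier in the thread, the legacy Do Not Track value and the newer Global Privacy Control property, and treats either as overriding any stored consent.

```javascript
// Consent-gated loading of a third-party analytics script.
// Added example; not code from the thread or from any analytics vendor.
// Assumed (hypothetical) conventions:
//   - consent is stored first-party as JSON {"analytics": true|false, "ts": <epoch ms>}
//   - consent older than CONSENT_MAX_AGE_MS must be re-collected
//   - the tracker URL below is a placeholder, not a real endpoint

const CONSENT_MAX_AGE_MS = 180 * 24 * 60 * 60 * 1000; // assumed 180-day policy

// Parse the stored consent record; anything malformed counts as "no consent".
function parseConsent(raw) {
  if (!raw) return null;
  try {
    const obj = JSON.parse(raw);
    return obj && typeof obj === 'object' ? obj : null;
  } catch (e) {
    return null;
  }
}

// Read browser-level opt-out signals. In a non-browser environment the
// signals are neutral. navigator.globalPrivacyControl (GPC) is a boolean;
// navigator.doNotTrack is the string "1" when the user opted out.
function readSignals(nav) {
  const n = nav || (typeof navigator !== 'undefined' ? navigator : {});
  return {
    gpc: n.globalPrivacyControl === true,
    dnt: n.doNotTrack === '1' ? '1' : '0',
  };
}

// Pure decision: { load: boolean, reason: string }.
// Protocol-level opt-outs win over any stored consent, matching the idea in
// the thread that a user who already said "no" should not be asked again.
function trackerDecision(record, signals, now) {
  const t = typeof now === 'number' ? now : Date.now();
  if (signals.gpc === true) return { load: false, reason: 'gpc' };
  if (signals.dnt === '1') return { load: false, reason: 'dnt' };
  if (!record || typeof record !== 'object') return { load: false, reason: 'no-consent' };
  if (record.analytics !== true) return { load: false, reason: 'declined' };
  if (typeof record.ts !== 'number' || t - record.ts > CONSENT_MAX_AGE_MS) {
    return { load: false, reason: 'stale' };
  }
  return { load: true, reason: 'consented' };
}

// Inject the vendor script only after an affirmative decision. Until then no
// third-party request is made and no vendor cookie can be set, which is the
// ordering the vendor's terms assume. Returns the decision for logging.
function loadTrackerIfAllowed(doc, src, record, signals, now) {
  const decision = trackerDecision(record, signals, now);
  if (!decision.load || !doc) return decision;
  const s = doc.createElement('script');
  s.src = src;
  s.async = true;
  doc.head.appendChild(s);
  return decision;
}

// Browser entry point; a no-op outside the browser.
function initTracking() {
  if (typeof document === 'undefined' || typeof localStorage === 'undefined') return null;
  const record = parseConsent(localStorage.getItem('consent'));
  return loadTrackerIfAllowed(
    document,
    'https://tracker.example.invalid/analytics.js', // placeholder URL
    record,
    readSignals()
  );
}
```

On a real site the `consent` record would be written by the banner's "accept" handler, and `initTracking()` would replace the vendor's copy-paste snippet so that the snippet's `<script>` tag never appears in the page source unconditionally.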


> Because they act in good faith and expect that consent is collected before their script is executed.

This is the unaddressed rub here. If the doctor commits malpractice in good faith, they’re still liable. If the structural engineer built a bridge that collapsed in good faith, they’re still liable. Why does the marketing firm get off the hook here?

The argument being presented here, that regular people should continue to be allowed to do Sloppy and Dangerous Thing, because it’s normal, is not sufficient. It also used to be normal and way easier for people to get on a plane without being strip searched and their privacy being violated. Society decided that forcing regular people to go through a ton of more hassle for safety was worth the trade off. The security is mostly theater, the implementation is burdensome, onerous and unpopular and a regular person is expected to navigate some kafkaesque nightmare with a bunch of rules and might unknowingly burn themselves. But we sure as hell don’t see a ton of plane hijackings any more, do we?


>Why does the marketing firm get off the hook here?

You may be surprised, but this is how this regulation is designed. Per GDPR it is the duty of the controller to ensure compliance. The processor acts per instructions from the controller. MarTech is not allowed to do anything outside of their contract with their users, but they are also not required to enforce consent collection, only to assist controllers with that when possible.

>The argument being presented here, that regular people should continue to be allowed to do Sloppy and Dangerous Thing

No, this is not the argument being presented here. Storing personal contacts or advertising is not a "sloppy and dangerous thing" per se. The privacy risk is not that someone is processing your PII, but that this data may be used to harm you by the processor or a third party. So the goal of regulation should not be to prevent processing, but to minimize such risks with minimal costs for society. If regulation focuses on just risk, but does not consider the costs, it must be fixed and solutions should be found that enable typical use cases.



