Experience with data protection laws (GDPR, ePD, CCPA, etc.)
This is a topic I keep revisiting. It's constantly evolving, with new laws in different parts of the world appearing pretty often. There is also a lot of grey area, with vague or incomplete language that hasn't yet been tested in court.
I recognize that it's a bit of a niche topic, but I think there are a lot of us at Tildes who have to think about it. After all it potentially impacts anyone maintaining or building a non-platform web presence. It also applies to less obvious things like running an advertising campaign that involves media requested from a server you control (which can therefore potentially log requests).
For my part, I've needed to research laws relating to PII in order to come up with policies and practices in various contexts. In broad strokes it's pretty simple but as you get into details what I continue to find is that there are a lot of conflicting opinions both from professionals and lawyers. A lot of it is still open to interpretation.
I'm wondering what kinds of experience other tildenauts have around data protection and PII? Have you implemented solutions? Do you wonder about it for your own websites? Have you been involved with it at companies where you've worked? Do you have questions about it?
Oh man, it's late and I'm on the verge of falling asleep, but I'll give this a shot. I work in health IT, so PHI, ePHI and HIPAA are the name of the game. HITRUST and NIST were the two big "frameworks" we dealt with on a routine basis.
Healthcare data is kind of wild IMO. Basically, if you are a non-clinical (or a clinical) company/provider, as long as you have an active Business Associate Agreement (BAA) with a company and the patient provides "consent", you can get access to a shocking amount of information. Ideally hospitals would conduct Due Diligence and Due Care for each new BAA and on a routine basis to ensure compliance, but most of the time that falls to an auditor who sends them a "checklist" that they don't really understand. It makes it hard to have meaningful questions if the auditor doesn't even understand basic computer encryption.
So essentially your data gets shared with companies that might not have good security in place. That was kind of the purpose of a HITRUST assessment and the like, but those auditors/assessors were also kind of ass, and the framework had lost some credibility since when it first came out - you could basically pay-to-pass, and a lot of the HITRUST Alliance accredited assessors didn't meet internal QA requirements after the fact. Nice folks, but did not understand technical controls or anything.
The bigger healthcare systems get, the more problematic data security and data hygiene become. Hospitals grow, merge, die, get acquired, and since healthcare systems don't really prioritize IT, you often get patchwork systems that are poorly documented and rarely understood well. All held together with glue and hopes and dreams. This means patient data is EVERYWHERE, and that shit is hard to control. DLP? Sure. Good idea in theory, but you'd need a whole group of folks dedicated to just data discovery alone, not even including tuning, writing rules and responding to alerts of non-compliance. Basically assume, if it's a machine at a healthcare system, it has PHI.
It'll be interesting to see how these next few years shake out. HIPAA is finally being reworked to be MUCH and I mean MUCH more strict about compliance and basic security controls. However our new "Boss"/Daddy RFKJ and Donny Boy might keep it held up in review/in limbo. Who knows.
Plus you have shitheads like Epic and Cerner (Oracle) fighting against data sharing and information blocking, which makes interoperability more difficult. Oh, and getting into hella petty internet blog post fights that read like they were ripped straight out of a high school/YA novel. All of them suck and continue to make things worse. I welcome a challenge from someone who works with Epic and actually likes it.
Anyways - healthcare, and by extension health-related data, is important for patient care but not really important enough to protect well, and until there are big changes from a legal and financial perspective that incentivize better stewardship, nothing will change.
Thanks for coming to my Shed Talk - please leave a review.
That's interesting, I wasn't thinking of patient data but it definitely falls under data protection laws. I've never been involved with anything HIPAA related but I've heard often about the compliance requirements. It's not shocking that in actual practice the protection is haphazard and ineffective. The details are interesting though.
And yeah, Oracle is a giant amalgamated asshole.
Thank you for the insider insights!
Unless they're putting Crowdstrike software on critical systems like they aren't supposed to, right? sigh
I’ve never been on the side of “how do I comply with these” but Australia has had the Australian Privacy Principles^1 for pretty much my whole life, so while I’ve always needed to be extra careful online (most websites don’t fall under these protections if they don’t have an office within Australia) I feel like Australian businesses have always been pretty decent about how they handle private information. Of course, in recent years there’s definitely been what I would call a slipping of standards amongst Australian businesses in tandem with, or perhaps led by, tech giants’ flagrant abuse of private information for their own gain.
https://www.oaic.gov.au/privacy/australian-privacy-principles
Wow, 1988, that was a forward-thinking law.
Yeah I’m trying to imagine what kinds of information a business might even have collected back then, and it’s all very clearly Personally Identifying Information (PII) (like literally your name and address and phone number) and not fragments of behaviour-based patterns that we see nowadays.
And then from that, what kinds of ways could a business in the 80s use this kind of information for marketing or to profit in any way? The only things that come to mind are directly calling or mailing the person with catalogues etc., and I can totally buy the idea that politicians passing this legislation would get an easy win, because nobody wants to be bothered by cold callers or junk mail.
It just happens to have stuck around and become even more valuable over time as businesses collect more and more PII for direct and indirect marketing.
In Thailand the PDPA law came into effect in 2022 after a two-year extension. I heard that it took quite some time to find people to serve on the committee, the PDPC.
In my personal experience the PDPA implementation by most companies is not done right at all. I've submitted some complaints to some DPOs, which larger, non-shady organizations seem to handle as expected by law, but the PDPC did not respond to any complaints at all, letting violations roam free. The problems I found are:
Last year I was contacted by an insurance broker (with which I have never had any business relationship) who said that my 2024 car insurance would run out soon and offered to renew it with them. I heard that it is a commonplace "scam" where some people believe that, since the caller knows their information, they might be related to their current insurer, and sign up. I did not fall for it, and so I contacted their DPO asking to exercise my right to know where they got the information from. Their website doesn't even have this data subject rights request in its system.
They took a few days and got back to me that "your information was received before the law came into effect" and that they've removed my information (which I never asked them to do). The only way they could know about a 2024 car before 2022 must mean they have a time machine! So, I contacted the PDPC about that. 3 months later I still hadn't heard back, so I wrote them an email pointing out that they are legally required to respond within 3 months. What's the hold-up? They said that in my case it is unclear what the damages are.
I don't know? They didn't scam me successfully, so it's not like I lost any money here. Do companies get a free pass to do illegal stuff when it is harmless? I wrote them anyway that my damage here is that I lose my right to find out who is leaking my information, about which I might submit another complaint and perhaps get a remedy. I never got another response. The law says that the PDPC secretary must submit the case to the next committee meeting within 3 months, but there's no SLA on when the committee has to issue any verdict or even hold that meeting at all.
Right now I'm expecting that the law will be reduced to a checkbox that does nothing within the next 10 years...
Thanks for posting, that's exactly the sort of thing I was hoping to hear about. These laws are implemented and enforced so differently in different jurisdictions. I hadn't even heard of the PDPA.
You make a good point that without enforcement the law may as well not exist at all. So far the EU has done a good job of enforcement, but that's less true in a lot of other countries.
And you're absolutely right that cookie consent is nearly useless, it just distracts from the real PII collection and sale issues.
That's frustrating that companies are basically able to ignore the laws in Thailand.
An interesting edge case with the law is the Thai ID card. The ID card lists your religion and blood group, both sensitive information. You can opt to leave them off your card, but that only recently became an option.
Hence companies have to ask for consent to store that information as well when they need your ID (e.g. banking, e-KYC, insurance). Some companies write "please strike that out, or otherwise you consent to the storage of sensitive information". I've heard some companies even invest in OCR that automatically blacks out those fields.