
(Apologies in advance for the lengthy epistle)

Background: A colleague is planning to launch a social media and forum website which will appeal to a relatively narrow audience. For the sake of discussion, I've compared it to an online dating website. During a technical review, I noted he intends to block the entire EU due to GDPR regulation, as other major media outlets (presumably following legal advice) have taken the same approach. Personally, I've always detested blanket bans as they inhibit the open and collaborative nature of the Internet. I sought a solution that would allow EU users to knowingly waive their GDPR rights in order to use a site that was not necessarily GDPR compliant. See GDPR & Blocking EU Visitors?

In response to the question, @DavidSiegel pointed out a US State Privacy Legislation Tracker map which depicted five US states that also currently have active GDPR-like data privacy laws. Additionally, there are apparently a handful of other states that are working to introduce similar laws which are expected to possibly be active by 2023.

@DavidMulder noted that other countries like Japan, Canada, Brazil, Israel, Kenya, Argentina [and probably many others] also have their own data privacy legislation.

All this information was helpful, but it ultimately led my colleague to drastically expand his geoblock ranges to encompass these additional states and countries. Ugh!

Changing gears, I myself am also an engineer who has several services and websites I would someday like to share with the world. Consequently, this discussion around GDPR/CCPA has piqued my interest to some degree.

So now that you have an overview of the background...on to The question:

Why is the onus for adhering to privacy directives (e.g. GDPR, CCPA, etc.) on a host and not the user?

If I create a website and make it available to the Internet, anyone in the world can theoretically access it. From EU users, to Iran users, to California users. If my server resides in New York City, USA, I would expect that the laws of the USA, New York State, and New York City apply to that server.

I'm not a lawyer by any stretch of the imagination, but many articles I've reviewed seem to suggest that my server (in NYC, USA) would be responsible for adhering to GDPR if someone in the EU connected to it and provided so called PII. Likewise, if someone in California connected to my server in (NYC, USA) and provided personal info, the server must adhere to California's CCPA law.

The preceding paragraph is the crux of my concern. If my NYC server doesn't actually need to care about who is connecting from where or what data they provide, this entire question I posed is moot/there is no concern.

However, if my server must be concerned about every single privacy law legislation in existence (GDPR, CCPA, California Prop24, Colorado SB 190, Connecticut SB 6, Virginia SB 1392, Utah SB 227, and surely more to come in the US) plus Japan, Canada, Brazil, Israel, Kenya, Argentina and forthcoming privacy laws legislation from other countries (and/or their states?)...

Well hopefully, you see what I'm getting at. If it's required to support this plethora of ever increasing and changing legislation, it effectively prevents law abiding individuals or small businesses from providing interactive websites or services -- we simply just don't have the time, legal team, or financial resources that large corporations do. If this is the case, then the Internet's future does not look very bright to me.

Assuming your answer is GDPR/CCPA/XYZ compliance is required for my NYC server, how does that mandate even bear any weight? The US is a sovereign nation, not a part of EU. Even though California is a part of the US, it's not part of New York so I would expect that only servers operating within California would be required to adhere to CCPA. If/when New York State creates privacy legislation, then my NYC server would be subject to it. And Iran, only servers in Iran would be expected to follow Iran's mandate. Etc., etc. This is the only approach I can fathom that makes any sense when dealing with multiple disparate legal jurisdictions.

While I suspect (and would hope) there is a significant amount of overlap between the privacy legislation from all these legal jurisdictions, there doesn't have to be. Some jurisdictions may change their legislation more than others, add unique requirements, etc.

I don't want anyone to think that I'm against data protection or privacy; I've always been a strong technical proponent for both.

But we must ensure that individuals and small businesses can still operate in a global connected environment without having to blacklist the world for fear they don't comply with one of the ever fluctuating policies for country XYZ.

Personally I think a site that is claiming GDPR/CCPA/XYZ compliance should clearly disclose it to users when they visit the site and then leave it up to the user to decide whether or not they will use the site. (I always assumed that was the entire point of the barrage of popups that routinely appear when visiting a website?)

Instead of burdening every service with the requirement to support every piece of privacy legislation in existence from where its users may visit (again, how is that even legal to enforce in sovereign nations like the US?), it would be much better to do things the usual way of requiring the user to take personal responsibility for the sites that they access.

Reflect back on how things transitioned for web browser connections: In the old days, you visited a web server and it was always an unencrypted HTTP connection. Anyone between your computer and the server could read or change anything you sent or received. Later, SSL and then TLS encryption was added to scramble all data in transit. Today, when you visit a site, popular browsers display a padlock icon for sites that use a secure connection, and a warning is first displayed if you try to access an older site that isn't set up to use encryption. Moreover, you can verify the site's certificate to ensure it matches the entity that you expect to be communicating with (e.g. your financial institution, business, etc.). The system isn't perfect, but it allows users to be much more confident that their sensitive information (e.g. a credit card number, passwords, government ID numbers, PII/whatever you want to call it) won't be stolen in transit over the Internet, while still allowing older non-encrypted sites to be usable.

Something similar could be set up to support all these different privacy legislations. If the site doesn't support whatever privacy legislation you desire, then choose not to use the site. (Again, I believe this is what all the popups you see when first visiting a website are trying to do.) Large businesses will quickly adapt to support whatever legislation you want because they don't want to lose sales. Sites that aren't profit driven (or generate very low profits) likely won't care and they'll just accept that the user doesn't want to use their site and will use an alternative instead.

In summary, I'm really tired of reading about privacy legislation. Attempting to foist privacy legislation on services external to the legal entity that created them is going to destroy individual and small business innovation, lead to more monopolies and ultimately be bad for everyone.

While it is important to protect PII information, all it takes is a single data compromise for it to be exposed. Large corporations routinely experience data breaches. Being GDPR/CCPA/XYZ compliant does not mitigate the problem of protecting PII.

Thanks in advance to all who share what they know about this. Looking forward to reading everyone's feedback.

  • "many articles I've reviewed seem to suggest that my server (in NYC, USA) would be responsible for adhering to GDPR if someone in the EU connected to it and provided so called PII". Not "PII" - "personal data". They are not the same thing and the distinction does make a difference.
    – Lag
    Commented Jul 19, 2022 at 9:12
  • Because the host is the custodian of the data. Once the host has my data I, as a private individual, have no control over how they do or don't protect, maintain, and dispose of it.
    – Michael
    Commented Jul 19, 2022 at 18:55
  • @Michael I agree, once you provide anything to a host, it's out of your control. (Even attempting to establish a connection with a host will log your network address.) However, if a host does not advertise itself as being XYZ policy compliant and you still provide any data to the host, how is that not on you?
    – Charles
    Commented Jul 19, 2022 at 19:37
  • @Charles if it were that simple, every website and their mother would just throw up a disclaimer saying they don't comply with the law, instead of bothering to comply with the law.
    – Michael
    Commented Jul 19, 2022 at 19:40
  • This seems more suited to Politics.SE than Law.SE.
    – user570286
    Commented Jul 20, 2022 at 8:48

3 Answers


For the same reason that states require doctors to be licensed

Surely, if I want an unqualified, unlicensed surgeon (or a person that says they’re a surgeon) to crack open my cranium and poke my brain, that’s up to me?

There is no doubt that requiring people to attend medical school for half a decade and then spending a similar period as an intern and a resident is a large barrier to entry compared to handing high school graduates a scalpel and a bone saw and telling them to learn on the job.

The same applies to engineers, lawyers, plumbers, electricians, builders etc. I mean if a building falls down because the engineer or builder didn’t know what they were doing, it can’t kill that many people, can it?

Even drivers for that matter - it’s a large cost to individuals and businesses to learn to drive, pass a test, maintain a license and a relatively clean record, register a car, keep it roadworthy etc. Surely it would be simpler to let anyone drive anything and if they cause someone harm, like dying, for that individual to seek redress through the courts?

Well, there’s a reason why states mandate things and it’s economic rather than legal.

When people don’t trust each other transaction costs go up. These costs are usually borne by the consumer as the suppliers engage in a “race to the bottom” - whoever provides the worst service at the lowest cost wins. Further, these costs are borne unevenly - most consumers are fine, some are very severely damaged; possibly with no real redress.

By imposing minimum standards, the state places these costs in the hands of the people who are best positioned to manage them - the supplier. Once a user has given their data to the supplier they have no control over it. Therefore the economically optimal solution to maximize economy-wide output is to make the supplier legally responsible for managing the data in accordance with minimum standards.

Extraterritoriality

In an ideal world, there would be universal privacy standards. There would also be universal standards for training doctors and engineers. But there aren’t.

Therefore, countries and states impose their own standards on organizations that operate within their jurisdiction. The threshold for the GDPR (and most other privacy laws) is whether you are targeting users within their jurisdiction. If so, they have the power under international law to assert sovereignty even if you are located elsewhere.

A state has power where it says it has power. Otherwise, you could plan a terrorist attack on the USA from the UK and not have to fear prosecution. That’s what extradition treaties and honoring other nations’ civil judgements are all about.

A website or similar platform operates in each and every jurisdiction it is accessible from. Like a surgeon with unlimited plane tickets. Therefore, it must comply with the law in each and every jurisdiction it’s operating in. Countries have adopted one of 2 solutions - China’s is to simply block all external sites, everyone else has said you can operate here but you have to follow our rules, just like every other business has to.

Now, you may not like this but there is no doubt they have the legal power to do it.

  • Thanks for your response, Dale... but it still overlooks the key concern of my question. In your example, you begin with "For the same reason that states require doctors to be licensed". That is US law for performing surgeries in the US.
    – Charles
    Commented Jul 19, 2022 at 19:17
  • ...Meaning if someone in the US wants a legal surgery, their surgeon must be acceptable to US standards.
    – Charles
    Commented Jul 19, 2022 at 19:18
  • ...That is exactly what I want for GDPR -- if my server resides in US territory, it is bound only by US law. To make your example more comparable to GDPR, let's say a patient from XYZ needs a surgery and goes to the US to have it performed. XYZ law states that anyone may perform a surgery as long as they're at least 15 years old, enrolled or a graduate of XYZ university, etc. Before legislation, the US surgery center tells the patient to take a hike (use a different service). After legislation the hospital is obliged to accommodate XYZ's definition of a doctor, despite disagreeing with them.
    – Charles
    Commented Jul 19, 2022 at 19:19
  • @Charles The problem with Facebook moving to Russia is not Russia (although that is a problem) - it's that Facebook wouldn't have to comply with any privacy laws unless every single country had the privacy laws.
    Commented Jul 19, 2022 at 20:18
  • @Charles “USERS must CHOOSE” - they don’t have the information to make an informed choice. Even if every website explained in complete detail their privacy procedures, they wouldn’t have the time to make the assessment. Let’s let your idea run with motor vehicles - no mandated safety or quality standards, “USERS must CHOOSE”. Will that make the world more or less safe? Governments impose standards when “USERS CANNOT CHOOSE”.
    – Dale M
    Commented Jul 19, 2022 at 22:59

Most of your arguments since you discovered this issue seem to be very self-serving. If IT security is too complex for small businesses, how do you figure individuals can reasonably assess it from the outside? I get that you would rather not have to deal with it, but clearly “foisting it” on the user is unlikely to be more effective.

As Dale M explained by taking medical professions as an example, that's a very general principle across consumer protection and labour laws (which are traditionally stronger in Europe): Individuals are considered to be inherently at a disadvantage in their dealings with professionals and businesses, the law has to establish robust standards that override contracts and make it illegal to waive certain rights or obligations for them to be effective.

While it is important to protect PII information, all it takes is a single data compromise for it to be exposed. Large corporations routinely experience data breaches. Being GDPR/CCPA/XYZ compliant does not mitigate the problem of protecting PII.

I noticed that you made a similar point in a comment and I am not sure I understand what you are trying to say. It seems obvious to me that making businesses liable and enacting specific rules can “mitigate” the problem. That it still happens from time to time is neither here nor there. Of course, it will never entirely eliminate it but that's the case for any legal mechanism.

From criminal law to consumer protection, technical standards on food or medicines, or licensing regulations, laws can always be broken. Increasing the costs of doing so (through the rules themselves, who is liable to follow them, and enforcement) can however make it less likely or less damaging.

Assuming your answer is GDPR/CCPA/XYZ compliance is required for my NYC server, how does that mandate even bear any weight? The US is a sovereign nation, not a part of EU.

That part is more interesting. You have to understand that the extra-territorial reach of this regulation may actually be a feature as far as the EU is concerned. EU-based entities (individuals, non-profits, and businesses) routinely have to contend with a lot of US regulation, from the DMCA to FATCA and FISA. Not only businesses but even individuals can find themselves “deplatformed” with little effective recourse based on a DMCA notice. For larger businesses, antitrust law and the Foreign Corrupt Practices Act also create significant risks. In some European countries, the US Department of Justice is widely perceived to be enforcing these selectively to serve US policy goals.

Thanks to the US's pre-eminent position in tech and finance, all these rules can significantly impact business operations and individual rights the world over. US law enforcement and intelligence also have privileged access to many crucial operators and can occasionally request data or terminate access. Big tech companies do sometimes push back but they also have to collaborate with the authorities. It's typically used against things that are hard to defend (child porn, terrorism, cybercriminality) but oversight and recourse are limited, especially if you are outside of the US. To be fully out of reach, you have to renounce using most of modern cloud infrastructure and credit card payments, which is a very high price to pay.

In that context, there is a wish among some European officials that the EU uses its size and clout to create its own body of extra-territorial regulation. The calculation is that the EU as a whole is big enough and rich enough that the main US tech or financial businesses cannot entirely ignore it. Creating legal exposure for them is supposed to give the EU leverage in other areas. Being on the receiving end is a novel experience for the US public but from a European perspective, it's just the way the world works.

Leading the way on data protection also means the EU gets to define what it's going to look like. Comments mentioned many other countries that have enacted similar rules to emphasize that the first knee-jerk reaction (let's just geofence our website and ignore the EU) is foolish, but in practice, smaller countries cannot set arbitrary restrictions; they mostly have to align with the rules from a few bigger blocks. The EU and US have also “exported” a lot of technical standards that way, for example on food.

If you have a large operation in other countries, you may need to appoint a representative and spend a little bit of money reviewing terms and conditions and the like but for the most part, you don't really need to do that. If you are following the spirit of the GDPR (taking care to define rules on personal data, not collecting more than necessary, implementing basic protections, picking vendors and designing your infrastructure to be able to satisfy access and deletion requests), you will be fine with all these regulations and that's the point.

And of course, there is always an easy way out: Just don't collect the data. If you are dealing with something sensitive like health or sexual orientation (even as a non-profit) or if your business model requires collecting lots of data in a way you don't want to be upfront about, you should expect some difficulties. That not everything is fair game is kind of the point of the regulation (not that it is enforced very aggressively either but that's another matter).

  • Thanks for your comments Relaxed. I'm definitely not against IT security (I work in that industry), but I just feel there needs to be some middle ground. If a service can afford to support a particular privacy standard (and keep up with its changes) then that is great. However, if a service doesn't want to comply with policies outside of their legal jurisdiction, it should be perfectly fine for that service to say so -- and if someone chooses to use the service despite that notice, it's on the user, not the host.
    – Charles
    Commented Jul 19, 2022 at 19:28
  • I just want to add that I personally don't agree with the EU (or any other nation) being subject to US laws just because the US made them (DMCA, etc.). Theft of any sort is wrong and reputable nations will create their own laws to prosecute theft -- just as they do for murder, abuse, etc. As for non-reputable nations... well, they don't care about the law anyway.
    – Charles
    Commented Jul 19, 2022 at 19:33
  • @Charles Privacy being “on the user” is a red herring. You can make a case that data protection isn't a worthy policy goal or is too costly to guarantee but if you can opt out of it, it wouldn't achieve anything (and several people already provided countless examples of similar laws and regulations). Incidentally, the GDPR also defines what counts as “consent”. Without that, we know exactly what happens: super-broad clauses buried in long and hard to read terms and conditions you have to accept before using any service. What kind of middle ground would that be?
    – Relaxed
    Commented Jul 19, 2022 at 19:48
  • Regarding extra-territoriality, I provided some extensive background, but this is really an entirely separate issue. In practice, this is aimed at large businesses with a footprint in Europe. We can discuss it on a theoretical level but the reality is that nobody is expending any resources going after random charitable projects in the US and there is zero chance you would face any sanction in the scenario you described.
    – Relaxed
    Commented Jul 19, 2022 at 19:53
  • @Relaxed: It's not just hidden clauses. When the user has the choice: give up your privacy, or give up the use of this app, many will use the app even though they don't want to give up their privacy.
    – gnasher729
    Commented Dec 28, 2022 at 11:48

Because in most cases, the host and not the user is using and curating the data.

How could any privacy directive put the onus on the user? "Hello, Host. I'm User X and I require you to (blah lah)…" and then what? Host says "No, thanks… We do it this way" and then what?
