Proposed Data Privacy Law Could Send Company Execs to Prison for 20 Years

Megalith

Sen. Ron Wyden, D-Ore., has cooked up a new bill called the Consumer Data Protection Act that allows consumers to opt out of systems that share their data with third parties. In order to enforce this, the legislation carries steep fines and punishments for companies that violate its rules: executives could be "fined not more than $5,000,000 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period from the covered entity, imprisoned not more than 20 years, or both."

The bill seems unlikely to pass, given the extreme penalties, lobbying clout of big businesses, and Republicans' control of Congress. But both Republicans and Democrats have been pushing for some kind of privacy law, and Wyden's proposal would make big fines and prison sentences part of the discussion. Wyden's announcement said his bill is supported by Consumers Union, search engine operator DuckDuckGo, and four former FTC chief technologists.
 
I'm sure the execs from Facebook, Twitter, Amazon, and other large companies are going to throw in their lawyers along with their deep pockets to never let this happen.

Let's see how much of our tax dollars goes to waste on this.
 
First thing I thought of, is a lower level employee with an axe to grind could easily compromise/sabotage a system so the execs would be punished.

So no, this sounds nice but isn't the right answer.
 
We do need some privacy protection laws that have some teeth, but this bill proposes punishments that are more severe than for manslaughter in most states. The punishment must fit the crime. What we need is to afford personal data the same protection as real property (ie, money), then many of the existing laws and regulations can be used to punish those that don't protect it.
 
First thing I thought of, is a lower level employee with an axe to grind could easily compromise/sabotage a system so the execs would be punished.

So no, this sounds nice but isn't the right answer.

Sure..... like it wouldn't leave any trace? They need to be accountable when they take shady decisions... (No encryption... plain text PW etc).
If it's possible to show that executives took a "risk assessment" decision which compromised millions of persons, then yes they should face prison. They're responsible for those decisions and ultimately they need to be accountable.

Everyone else is accountable while doing their jobs... (with some odd exception but let's not make this political).

If nobody is responsible, the executives will ALWAYS pick the choice which aligns with their bonuses and pleases the shareholders. Example: What!? It would cost 2 million to secure this, nope... How many times did it get compromised in the last 4 years? None, OK we're doing enough then!
Short-sighted thinking.
 
We do need some privacy protection laws that have some teeth, but this bill proposes punishments that are more severe than for manslaughter in most states. The punishment must fit the crime. What we need is to afford personal data the same protection as real property (ie, money), then many of the existing laws and regulations can be used to punish those that don't protect it.
How about the same punishment copyright violations/piracy receive? Seems legit.
 
I can see boards made up of fall-guys while shadow boards run the company in secret.

Even then, jail time would never work, the lawyers would have this down to community service every time. You need to hit the bosses and the shareholders in the one and only place they can feel it. $$$
 
Sure..... like it wouldn't leave any trace? They need to be accountable when they take shady decisions... (No encryption... plain text PW etc).
If it's possible to show that executives took a "risk assessment" decision which compromised millions of persons, then yes they should face prison. They're responsible for those decisions and ultimately they need to be accountable.

Everyone else is accountable while doing their jobs... (with some odd exception but let's not make this political).

If nobody is responsible, the executives will ALWAYS pick the choice which aligns with their bonuses and pleases the shareholders. Example: What!? It would cost 2 million to secure this, nope... How many times did it get compromised in the last 4 years? None, OK we're doing enough then!
Short-sighted thinking.

You're right, all companies are billion dollar organizations that have comprehensive security controls, and only billion dollar companies have executives...
A pissed off employee could never leak login info for a service account and the VPN keys of a user.

The rest of your post is kinda silly, a shit load of people aren't being held accountable, that's why this problem exists.


I'd say the security problem is irresponsible, uncaring, and unaccountable people.
The data collection/privacy problem is a separate issue.
 
I know this is an unpopular thought but:

I don't really think that most CEOs would know the finer points of cyber security and probably have a sticky note with their own password under their keyboard - or a booklet with the ever growing list of passwords needed to function these days.

There's IT managers and IT personnel that handle budgets that would look into cyber security.
 
I know this is an unpopular thought but:

I don't really think that most CEOs would know the finer points of cyber security and probably have a sticky note with their own password under their keyboard - or a booklet with the ever growing list of passwords needed to function these days.

There's IT managers and IT personnel that handle budgets that would look into cyber security.

In general CEOs make enough money that I have no qualms about the following statement:
either learn, or make room for someone that DOES understand it.
 
What's missing from these data privacy law proposals is the awareness that companies could aggregate personal data and then sell it without it being any identifiable person's data - yet, the existence and value of that data would still be a person's personal data, and its acquisition was only possible by taking it from somebody. The cost of generating that data would still be imposed upon individuals by companies which would still be enriching themselves at people's expense, and therefore still be unjust enrichment, misuse of property, etc.

Data-privacy legislation needs to mandate that people are able to never have their data (as in, data that's not essential to a requested function) harvested by companies in the first place, so that the matter of reselling it, or anonymizing or aggregating it is never a possibility in the first place.
 
Nobu has the start of a good idea - like copyright violations, the selling of personal information is $X per violation. If our legal system thinks that it's proper that a major studio can win a $675,000.00 judgement against a college student for downloading music, business leaders should equally bear risk for selling, or even losing, private information.

I don't agree with the 25% fine, though - given that violations of civil law have such a low rate of incarceration, a max 25% fine allows someone to assess whether it is worth it to them to do the large sellout and pay the 25%.

I also don't agree with limiting the violation to the seller. It should be equally illegal for a person to receive or trade for private information, and anyone buying or trading for private information should receive a guarantee of authenticity and a guarantee of non-liability, immediately putting all responsibility back on the seller.
 
I'd love the prison time, but, as noted, too many problems there. Instead, each time I have my data used without my permission (on a bit for bit basis), let me get some money. Say, $100 per bit, per occurrence, per user. So, Google uses 100Kb of my data and sends it on to 3 different outfits, each of which send it on to 2 more? Well, that'd be...

100 * 100Kb * 1,000/Kb * 3 * 2 = $60,000,000.

I'm in!

My data is my data. You mine me? You pay me. You don't? Well, that's robbery.

After a few multimillion dollar payouts, Google (et alia) will be a LOT more careful.
 
I oppose companies commercializing my computer, my electricity, my hardware, software, housing, etc, and my time and my activity to profit themselves. What they're doing is data-theft and unjust enrichment. It is literally no different than if some hacker installs a cryptocurrency mining virus on everybody's computers that forwards the proceeds of mining digital currency to their own wallet.

It's theft, misuse of property, unjust enrichment, commercialization without a license, etc, in their most basic forms.


Since companies are unilaterally using our personal and personally-owned data to profit themselves, aren't we therefore all also entitled to do the same with their data? Since companies are making us subsidize their businesses by stealing our electricity, processing power, components, space, time, etc... aren't all therefore justified to do the same with theirs? The actions of the companies that create revenue from our data justify any attacks on their servers by outside parties, as well as any acquisition and exploitation of the data that's on their internal servers and private computers.


If you think that you don't care about your data being harvested and sold, then kindly PM me so that we can arrange for me to install a cryptocurrency miner on your system that will use your hardware, electricity, and processing power to mine cryptocoins while funnelling all the proceeds to a private cryptocurrency wallet of mine. This arrangement will be even better for you than what corporations are doing because it won't involve any personal data of yours being distributed.

And if you oppose having me do that to your PC, then you've proven that you believe everybody is entitled to not have their data harvested by companies in the first place, let alone sold and used to profit companies.
 
I can see boards made up of fall-guys while shadow boards run the company in secret.

Even then, jail time would never work, the lawyers would have this down to community service every time. You need to hit the bosses and the shareholders in the one and only place they can feel it. $$$
No, jail time works. People went to jail from the savings and loan scandal. But hey, I'm for fines so large they bankrupt the company also.

Regardless, of course this won't pass. The Democrats love to propose popular bills people want when they're NOT in power.
 
Now add anti-trust, false advertisement, and other crap when companies make hundreds of billions while paying 1 billion fine. When execs will face prison, things will finally get under control.
 
What's missing from these data privacy law proposals is the awareness that companies could aggregate personal data and then sell it without it being any identifiable person's data - yet, the existence and value of that data would still be a person's personal data, and its acquisition was only possible by taking it from somebody.

Data-privacy legislation needs to mandate that people are able to never have their data (as in, data that's not essential to a requested function) harvested by companies in the first place, so that the matter of reselling it, or anonymizing or aggregating it is never a possibility in the first place.

I think you are on the right track, but take it one step further. Require companies to present the data they want to collect and allow the end user to accept once, deny once, accept always, or deny always any data they are wanting to collect. The dialog could be tied to any specific domain or URL. This makes it the user's choice. Much easier to enforce than what is being proposed.
 
I think you are on the right track, but take it one step further. Require companies to present the data they want to collect and allow the end user to accept once, deny once, accept always, or deny always any data they are wanting to collect. The dialog could be tied to any specific domain or URL. This makes it the user's choice. Much easier to enforce than what is being proposed.
Browsers had that for cookies before...eventually it was taken out because it was annoying and when you did always block it broke websites (even though the cookie was for an external ad site).
 
Rather than locking Chief Officers up, put them in line for fiscal responsibility for covering damages done to folks who have their privacy/identity compromised due to the company's failure. If a breach happens, make the company lose any shielding their TOS/EULA/etc might have included against lawsuits. No more getting off with just a few months of credit monitoring. Make them liable for the full cost of any identity theft that happens. If the Chiefs have their money on the line, maybe they will think twice before hiring a music professor as a CSO.

Further, make websites list all scripts, the domains they run from, and why they want to run them.
 
The problem I see is that most politicians are in the same good old boys club as the CEOs. So the majority of congress will never do anything to screw over their buddies. They won't have anyone to help scratch their back when they need it...
 
We do need some privacy protection laws that have some teeth, but this bill proposes punishments that are more severe than for manslaughter in most states. The punishment must fit the crime. What we need is to afford personal data the same protection as real property (ie, money), then many of the existing laws and regulations can be used to punish those that don't protect it.
Leaked personal information is potentially far more damaging than loss of money.
 
This might pass in the EU where governments actively protect consumers, but here in America the Supreme Court has ruled that money is free speech and that corporations are people. The second anyone begins talking about protections for consumers, lawyers will arrive to explain how you are violating their rights.

America is a farm, its people are the livestock, its politicians are the overseers, their lawyers and our nation's law enforcement agencies provide the muscle. NONE of this will change as long as there is money in politics.

I forget which comedian said it, but American politicians should be mandated to wear NASCAR style jump suits which show all of their sponsor logos. You might begin to question that politician pushing for war in the middle east when he is wearing an Exxon or Halliburton logo on his breast pocket.

I'm actually surprised that the money hasn't been removed from the picture, because someone claimed to be draining the swamp and their political party has control of Congress. That alone should open some eyes, but it won't.
 
Doesn't sound extreme when compared to laws already on the books for things to protect corporations against individuals that can lead to fines larger than the person could earn in 10 lifetimes.
 
Punishments should be on the same scales as rewards. If you get compensation in the tens of millions of dollars, you better be prepared to serve years of jail time.

And we can get the accountability thing easily: Every manager at the appropriate level of decision making must sign off on the IT recommended action. Whether they say go or no go, it's on record. Simple ticket system. And this flows all the way up the chain. No more excuse "I'm the Chief. I don't deal with that day-to-day tedium." You're the top of the totem pole which means you manage everyone below. Directly or not, it's your responsibility if they screw up. They get in trouble, so do you. Otherwise, why should we have you as a manager?
 
Browsers had that for cookies before...eventually it was taken out because it was annoying and when you did always block it broke websites (even though the cookie was for an external ad site).

So provide a global setting to disable it for those who do not care about privacy. Personally, I would welcome the option. If blocking personal data from being taken from your computer breaks WEB sites, then the WEB sites are poorly designed and have no business being deployed.
 
I would agree with the corporate fines and such, but the prison time clause alone is going to kill this thing. I'm not saying certain people shouldn't be doing prison time for certain things if willful negligence is shown, but as others have mentioned before, it's not always the fault of the execs, and bubbling the blame to the top will create more problems than it solves.
 