On Dutch law - they seem to be either similar to or implementing the EU GDPR, which is going to be implemented as a bottom line/least common denominator personal integrity law in May 2018 throughout the EU:
Of course, the GDPR is useless in some cases unless it is extraterritorial, and then in some cases impossible to enforce if it is extraterritorial (unless you have a treaty with each extraterritorial entity, like the privacy shield with the USA). Not to mention the futility of being meant to protect rights of “normies” who don’t even care to move a finger to claim them.
It is so much better than nothing.
@wendell, @ryan, as I think we will be coming back to the GDPR, here is a shallow brief:
According to this law, you must not gather ANY user identifying data without expressly explaining to the user what identifying data you are gathering and for what purpose, and that no third party you pass the data to may do more than that. Any identifying data must be stored securely, ALL of it MUST be available to the user on request (a “show-me” option), and the user may request ALL of that data to be deleted at any time (a “forget-me” option).
Interestingly a “user identifying” data is ANY data-set which can uniquely identify you. Example: a single GPS position can’t, but as you gather more GPS positions, IP-addresses, email, phone number, etc, at one time the data BECOMES a “user identifying data set” and thus immediately BECOMES subject to required secure storage, and also the show-me and forget-me options to become available to the user.
You are responsible for vetting any third parties for secure storage and data handling, but if they break the law, it is their fault.
The fee for anyone found to be breaking the law is 20 000 000 euro, or 4% (I think) of your global revenue, whichever is greater.
Following exceptions to the law exist for:
- explicit user consent
- any overriding service or otherwise agreements with the user
- avoiding other breach of law
- protecting user from actual harm / call for help
- authority requests
I actually quite much like it better than the nothing we have in EU today. I will be getting more in-depth on this before May 2018, as will almost every other dev operating in the EU.