On 2023-08-25 04:43, Carsten Schiefner via mailop wrote:

> the EU's GDPR wrt. Information Security and PII Protection luckily hands a quite sharp sword to consumers: the fines for offenders are, well..., "fine".
>
> If the real recipient of RBC's communication you are getting instead of her or him would be domiciled in EU territories (-> French overseas departments!) and would file a complaint with the appropriate DPA, RBC better sets aside a bit of money already. Even more so as they have been flagged multiple times already, in this instance by you, David.

Wishful dreaming!  The sword is not in the hands of consumers, it is in the hand of a government agency (DPA?).  The RBC in question is most likely the Canadian retail bank.  Experience in Canada is that government agencies do not use this kind of sword nearly enough to tickle offenders.  What we need is a private cause of action where the user (who cares more than the bureaucrat) is handed the sword directly and can sue the offender.  There was one intended in Canadian anti-spam laws, but it was never activated.

Even with private right of action, there are two users here that are harmed: the one whose PII is leaked; and the one on the receiving end of the spam.

The one whose PII is leaked has the biggest damage, but they are not innocent.  The root cause of the problem is they entered a wrong email address.  They did not bother checking that they were not receiving expected information.  Not minimizing the damage caused by RBC's negligence exposes this user to blame.  Not taking side of the spammer, just saying that the assignment of responsibility will be contested; and frankly, the careless user entering the wrong email address deserves a tap on their fingers too.

The one on the receiving end of the spam has arguably near-zero damage.  Just hit delete and move on with it, argue the spammer. No, I do not condone this.  Everyone who wastes your time should be punished; and you should be compensated for the time that is irreparably stolen from you.

What we need is for all of these government agencies to become swords in the hand of the user whose time is being stolen; and a compensation mechanism that is easy and streamlined to compensate the user for the stolen time.

Within the Canadian governance model, instead of having the CRTC (Canadian Radio & Telecommunication Commissioner), the Privacy Commissioner, and other bureaucracies regulating the industry with GDPR-like swords that only experts understand, we need to grant the Competition Commissioner simple administrative powers to hand small fines efficiently; and the Canada Revenue Agency (CRA) the simple administrative power to add those fines to a taxpayer's tax bill.

I propose the creation of the Tribunal Against the Bad Business Practices and Other Papercuts.  Laughter, laughter!

The newly created Tribunal would be a branch of the Competition Tribunal.  The Competition Commissioner would keep updated regulations listing those bad business practices.  Any user at the receiving end of the business practice will be able to submit a simple web-form with details that would be assumed to be true unless rebutted.  The user can point a finger at any beneficiary of the spam (so if the spam benefits a local business with an off-shore spam gun, the local business can be taxed for it). After basic automated verification, the Tribunal issues a standardized penalty and the tax authority adds it to the tax bill of the entity that is benefitting from the conduct, and credits the user's tax bill for the same amount less a fee to cover the cost of the mechanism.  The entity accused can rebut, but it is up to them to prove that they have not wasted the user's time.  General (contractual) terms and conditions should not be allowed to override the mechanism.

The Competition Tribunal would regulate what are offenses and what is the penalty amount.  For example:

- for a text message that was sent without explicit user consent: $50 per instance

- for a purely promotional email message: $100 per instance

- for a transactional email that includes promotional messages despite the user not wanting to receive promotional messages: $50 per instance

- for a reminder when the user does not want to be reminded: $100 per instance

- for bugging the email with trackers when the user does not want to be tracked: $500 per instance

- for not listening to the recipient's wishes or for repeat offenses on the same user: 2x for the first repetition, 3x for the second, and so on until 10x.

and so on

When a sender becomes problematic enough that the complaints to the Tribunal come from so many recipients in such a short time to raise concern, that's when the government bureaucrats could, in theory, start to become active.  Reality is that the spammers are so much nimbler than the bureaucrats, it won't really matter.

Now it is me, the wishful dreamer.  Until then, I am in favor of very strict blocking, by netblocks, AS, or whatever else holds to account not just the spammer themselves, but also the entity that is or should be managing/regulating their neighborhood.

Yuv


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
