As we celebrate “General Data Protection Regulation (GDPR) Day” when the Regulation becomes fully enforceable, the panic orchestra is still playing a big role. The reasons? Oh, everybody protecting their own business interests.
25 May 2018 (Berlin, Germany) – Happy GDPR Day from Germany! We just ended a 2-day event on the GDPR and artificial intelligence. The regulation requires those who process personal data to demonstrate accountability in part by limiting data collection and processing to what is necessary for a specific purpose, forbidding other uses.
That may sound good, but machine learning, for example – one of the most active areas of research in artificial intelligence, used for targeted advertising, self-driving cars and more – uses data to train computer systems to make decisions that cannot be specified in advance, derived from the original data or explained after the fact. I will return to that in another post because it is causing headaches in the AI community.
As with almost no other EU regulation in the digital sector, the last few weeks were characterized by alarmism and “fake news”. Most recently, parliamentary rapporteur Jan Albrecht and EU Justice Commissioner Vera Jourova again warned of alarmist panics. The reason for the multitude of dubious and exaggerated messages is … well, the business interests of the distributors of that information.
The panic orchestra ranges from lawyers to consulting firms to e-discovery providers who need to make money on this gift from heaven, to web service providers who need to grab onto “customer service priority” and so concoct “legitimate interests to process data” policies, and to private media groups and private bloggers who will gain metrics by ripping the whole thing to shreds. An avalanche of marketing spam and phishing emails made the privacy cacophony perfect.
In reality, almost all the basic data protection regulations in the new GDPR were already contained in the EU Directive of 1995, with the new GDPR formulating those protections in more detail and also applying them to new web services. But as I noted in a post earlier this week, the drafters made the law staggeringly complex, ambiguity reigns, and the regulators themselves are woefully unprepared. What the regulation really means is likely to be decided in European courts, which is sure to be a drawn-out and confusing process.
In countries like Austria, numerous exceptions in the implementation of the new data protection rules are already being set out. But here in Germany probably the most important point is that “collective action” was not implemented, which makes it difficult, if not impossible, for non-profit organizations like Max Schrems’s NOYB (fully discussed in my earlier post) to complain to international companies like Facebook.
Although there was sufficient scaremongering in Germany of the sort seen across Europe … such as the claim that the new data protection rules would lead to increased company bankruptcies … the government tried mightily to fight false representations and keep comments within limits. One German colleague told me the most recent discussion which hit high media waves in Germany was the allegedly underestimated data protection problem of handing over and accepting maps, a bit of a bizarre issue that seemed “Germany only”.
And as everywhere, businesses here are not prepared:
What the graph shows is that three out of four companies will miss today’s deadline. But the graphic itself is less alarmist: 56% of the surveyed companies are wholly or largely finished, a third is in the middle of it, and the “really problematic” are about 10 percent.
One very interesting question was raised here. Since business cards contain personal data such as name, contact address and e-mail address, does this mean the recipient would have to immediately provide his privacy policy to stay “strictly in accordance with the law”? Article 13 of the GDPR stipulates that “the information of the person concerned should be provided at the time the data is collected”. We all know that at every business conference we attend we exchange business cards – a most important ritual.
e-Privacy Regulation
A major focus here has been the supplementary and expanding EU e-Privacy Regulation – meant to be finalized today in tandem with the GDPR but still in limbo because the member states are still debating the hell out of it. The debate is primarily about a single passage, namely whether website operators may pass on the user’s metadata and interest data to any international ad networks and other data dealers without the user having to consent to the disclosure.
Yes, yes. I know. This is in diametrical opposition to the GDPR which provides for the explicit consent of the user to any disclosure and any new purpose. However, e-privacy is a “Lex Specialis” and it is possible to contradict a higher-ranking regulation such as the GDPR without any need for amendment to one of the two regulations. Lawyers? Are you salivating yet? Much work to come!
Who does not have to be afraid
As far as private websites are concerned, it is primarily bloggers who are reluctant to exclude all sorts of third-party commercial services “because it’s so convenient”. Fines are not to be feared here at all because the data protection authorities across Europe are first of all more interested in higher-value violations. And second, because they do not have the resources to track such violations on semi-private websites, an issue I have raised before. The “because it is so convenient” has been a rule of thumb for data protection on the Internet but it may no longer apply to The Big Dogs: the road to data hell may very well be paved with “Customer Convenience”.