GDPR and the irony of Europe's new privacy law
Regardless of where you live, you've likely run into Europe's new privacy regulation, GDPR, which comes into effect on May 25 across the European Union. There is so much chatter about GDPR that is utterly boring so I wanted to try and decipher what's going on, while making it not utterly boring to read.
To start: GDPR is an acronym for the very catchy law put into place two years ago, General Data Protection Regulation, which aims to force technology companies to be more responsible about how they track, store and use the data of European citizens.
The implications of GDPR are massive, wide-reaching, and almost nobody is ready. The law itself is impressive because it's the strongest privacy law we've seen since the 1990s, it sets a new global standard, and everyone is scrambling to implement their own controls before it's too late.
GDPR has triggered a hailstorm of companies adapting their privacy policies, technology and forms, almost all at the same time, to be compliant in time for the deadline. The law is no joke, and has been in the works for some two years so far, but the complexity of complying is high.
The sheer irony of the law, which is designed to give us control back, is that it has caused basically every company you've ever interacted with to send out hundreds of thousands of emails, each of which requires you to do something. Remember that time you signed up for Bebo? No? Well, now they're emailing you again.
OK, but what does GDPR actually mean at a high level? Here are the changes almost everyone needs to make, and a quick TL;DR of each core tenet. I am not a lawyer, but this is my understanding from discussions, reading and beyond, so far:
1) You now must get consent from your users explicitly
If you're doing something with someone's data, like tracking them across your properties, you now need to get consent for that. A terms-and-conditions page that's a wall of text with a pre-checked box won't cut it anymore; you need explicit, provable consent.
On top of that, you must keep the user informed about what processing is happening to their data. Facebook, for example, deciding it wants to do facial recognition on you after you've uploaded your photos in the past? That'll require explicit consent.
You need to ask the user before crunching it, with a clear message about what the data is, what will be processed and how you'll use the result. You can see an example of this in Facebook's new popups that are attempting to obtain consent before the deadline, even if they still contain some dark patterns.
Mark Schiefelbein explains on Medium how everyone from social networks to analytics companies, like Intercom and Mixpanel which often operate behind the scenes, need to adapt for this:
Under GDPR users will always and forever retain control over their data. They can request to access it, make corrections, and demand complete deletion. Most companies have always provided some information and acceptance of terms and conditions when signing up new users. There were, however, often no ways to access, export or delete data. And that needs to change.
2) Right to be forgotten, part two
GDPR requires anyone who holds data to make all of it available to users upon request. If neopets.com is keeping data about you, they're required to give you a handy overview of it all when you ask, and, if requested, to delete it forever.
Not only do both of these requests need to be fulfilled within 30 days, GDPR also requires you to scrub that data from basically everywhere. Facebook's sneaky account deletion process that doesn't actually delete your account, for example, won't work anymore under this new law.
Unfortunately the technical realities of this part are... vague. GDPR doesn't explicitly specify whether you also need to scrub backups of data, which would be nigh impossible to purge piecemeal; it's just not how backups actually work.
As David Froud points out, there are provisions for this in the text of GDPR, but it's still unclear in practice what this means.
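To make sections 1 and 2 concrete, here is an added example (mine, not from the post or any company it mentions) of what "explicit, provable consent" and the access and erasure requests look like as application logic. It assumes an in-memory store standing in for a database; the purpose names, policy versions, subject ids and the `u1` profile are constructed for illustration. Consent is recorded per purpose and per version of the notice the user saw, a pre-checked box is refused outright, consent for an old notice does not carry over to new processing, and an erasure request leaves only a tombstone so a restored backup cannot quietly bring the profile back.

```python
"""Consent ledger plus access and erasure handling (constructed example).

Assumed: an in-memory Store stands in for a real database, and the purpose
names, policy versions and subject ids are made up for illustration.
"""
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Deadline as the post states it: 30 days to fulfil access/erasure requests.
ACCESS_ERASURE_DEADLINE = timedelta(days=30)
T0 = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed reference time


class ConsentError(ValueError):
    """Raised when an attempt to record consent is not an explicit opt-in."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str          # one purpose per record, e.g. "facial_recognition"
    policy_version: str   # version of the notice the user actually saw
    notice_shown: str     # plain-language text presented at the time
    granted_at: datetime


@dataclass
class Store:
    consents: List[ConsentRecord] = field(default_factory=list)
    profiles: Dict[str, dict] = field(default_factory=dict)     # personal data by subject
    erasures: Dict[str, datetime] = field(default_factory=dict)  # erasure tombstones


def record_consent(store, subject_id, purpose, policy_version, notice_shown,
                   box_was_prechecked, user_ticked_box, now=None):
    """Store consent only as the result of an affirmative action by the user.

    A pre-checked or untouched box is rejected, so the ledger can only ever
    hold consent the user actively gave, together with the notice they saw.
    """
    if box_was_prechecked or not user_ticked_box:
        raise ConsentError("consent must be an explicit opt-in, not a pre-checked default")
    rec = ConsentRecord(subject_id, purpose, policy_version, notice_shown,
                        now or datetime.now(timezone.utc))
    store.consents.append(rec)
    return rec


def has_consent(store, subject_id, purpose, current_policy_version):
    """True only if the subject consented to this purpose under the current notice.

    Consent for an older notice does not cover new processing (the post's
    facial-recognition case), and an erased subject has no consent at all.
    """
    if subject_id in store.erasures:
        return False
    return any(c.subject_id == subject_id and c.purpose == purpose
               and c.policy_version == current_policy_version
               for c in store.consents)


def export_subject_data(store, subject_id):
    """Access request: everything held about the subject, consent history included."""
    return {
        "profile": dict(store.profiles.get(subject_id, {})),
        "consents": [asdict(c) for c in store.consents if c.subject_id == subject_id],
    }


def erase_subject(store, subject_id, received_at):
    """Erasure request: drop profile and consent records, keep only a tombstone.

    The tombstone holds the bare identifier and request time so that a later
    backup restore cannot silently resurrect the profile; the request time also
    fixes the 30-day deadline for confirming completion to the user.
    """
    store.profiles.pop(subject_id, None)
    store.consents = [c for c in store.consents if c.subject_id != subject_id]
    store.erasures[subject_id] = received_at
    return {"subject_id": subject_id, "erased": True,
            "deadline": received_at + ACCESS_ERASURE_DEADLINE}


def demo():
    """Walk one constructed subject through consent, a notice change, access and erasure."""
    store = Store()
    store.profiles["u1"] = {"email": "u1@example.invalid", "photos": 12}  # constructed
    notice = "We track you across our sites."
    try:
        record_consent(store, "u1", "tracking", "v1", notice,
                       box_was_prechecked=True, user_ticked_box=True, now=T0)
        prechecked_rejected = False
    except ConsentError:
        prechecked_rejected = True
    record_consent(store, "u1", "tracking", "v1", notice,
                   box_was_prechecked=False, user_ticked_box=True, now=T0)
    results = {
        "prechecked_rejected": prechecked_rejected,
        "consent_v1": has_consent(store, "u1", "tracking", "v1"),
        "consent_v2": has_consent(store, "u1", "tracking", "v2"),  # notice changed
        "new_purpose": has_consent(store, "u1", "facial_recognition", "v1"),
        "exported_consents": len(export_subject_data(store, "u1")["consents"]),
    }
    results["erased"] = erase_subject(store, "u1", T0)["erased"]
    results["consent_after_erasure"] = has_consent(store, "u1", "tracking", "v1")
    results["profile_after_erasure"] = export_subject_data(store, "u1")["profile"]
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that consent is keyed on the notice version as well as the purpose: when the text a user agreed to changes, every existing record stops satisfying `has_consent`, which is exactly the situation the post describes with Facebook's new popups.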
3) Red-hot data
The definition of sensitive personal data is now very specific, and the ways you must handle a data breach even more explicit. First, you specifically may not process the data of minors under 16 years old, and services like WhatsApp are responding by locking down access for minors already.
US law under COPPA already provided for some of these rules for under-13s, which GDPR also allows. You simply can't get consent for a minor's data to be processed if they're under 16 years old.
On top of this, you're required to report a data breach to your users within 72 hours. Not six months later, but almost immediately, and your users are allowed to request information about how to remedy the data that's now out there.
4) You don't get out of this even if you're an American company
If you ignored EU VAT, the European online business tax law that came into effect a few years back, you probably figured you can just ignore these types of regulation even if that isn't quite the reality. GDPR has teeth, and it applies globally, so regardless of where you're incorporated you're affected.
Essentially, the rule of thumb is simple: do you have European customers? You have to comply. The definition of customer is broad, too: if you have users in Europe, the law will apply even if your service is free!
The fines are not trivial, on purpose, as Techcrunch points out:
The maximum fine that organizations can be hit with for the most serious infringements of the regulation is 4% of their global annual turnover (or €20M, whichever is greater). Though data protection agencies will of course be able to impose smaller fines too. And, indeed, there’s a tiered system of fines — with a lower level of penalties of up to 2% of global turnover (or €10M).
What's unclear about this is how, or if, these rules can be enforced on companies without an EU presence. Spiceworks' research indicates that it will be difficult for authorities to directly enforce in this case, but notes that US authorities and international law are very friendly to chasing those who violate privacy law.
In my opinion it's not worth waiting to find out.
OK, now what?
Phew, still with me? If you are, good work; this isn't easy to digest and I've struggled to understand it at times. There is so, so much more to this law that I simply can't cover here, but Techcrunch has a great guide that's worth reading if you want to know more.
What's most amusing about all of this is that it's dragging every service you've ever interacted with out of the woodwork. A cursory check of my inbox shows some 300-plus emails from companies I had forgotten existed, begging me to accept their terms or face account deletion, which I had long assumed had already happened.
The other side effect is that services are shutting down instead of dealing with the changes. Unroll.me, the infamous email-unsubscribe-but-also-steal-your-data service, shuts down in Europe on May 25, as does Klout. There will likely be many more, over time.
GDPR is interesting because it's great for you and me, but if you're creating an online service it's something of a compliance nightmare. It doesn't matter how big or small you are, you're expected to comply on day one. No more move fast and break things.
For users, however, some more intentional consideration even at the earliest stages of a startup's life about how their data is used will be welcomed. Bring it on.
Tab Dump
Twitter is going to limit the visibility of bad actors
A big change to Twitter is coming: Twitter is going to throttle the visibility of tweets from people who are known to be behaving badly, using a number of signals including IP address, interactions, whether you only reply to people and more. I don't anticipate this really solving anything, mostly because Twitter's previous attempts at this have been awful.
HTC announces a blockchain phone
Hey, why not pile onto the hype train?
Uber will no longer require arbitration for victims of assault
This is a huge change that means victims of sexual assault when riding with Uber aren't gagged by the company's terms and conditions. Many other services contain similar arbitration rules, and I hope that this blazes a trail for the practice to change.