[PART 1 OF 2] The GDPR: no, Silicon Valley data-slurping is not going to stop, enforcement will be tough, and that damn “devil in the details”


The GDPR is kept safely in a glass case in a small wooden box in Brussels, 
 where it can be viewed by appointment. No food or drink is permitted.
– Here in Part 1, a discussion of the GDPR’s principal players 
and a look at the territory
 
– In Part 2, we’ll get into the GDPR “plumbing”, data-slurping, and GDPR’s missed opportunities
 

27 April 2018 (Paris, France) – In Europe and in the United States, we operate under this “conventional wisdom”: regulation is needed to force Silicon Valley’s digital giants to respect people’s online privacy. For instance, we are told this will begin to play out next month (25 May 2018) in Europe when the European Union’s revised General Data Protection Regulation (GDPR) becomes applicable, an attempt by the EU to harmonize data privacy laws across Europe.

In its purest sense, the GDPR is a triumph of pragmatism over principle. What has emerged is a framework that maintains the basis of data protection and adds additional protections, but which falls short of its original promise. While establishing some important innovations, the GDPR could never be described as a ground-breaking instrument for 21st Century protection of rights.

And little wonder. Having spent a good amount of time in Brussels where my e-discovery staffing unit is based, I was able to befriend various participants in the drafting process. The GDPR’s tortuous passage over four years had been accompanied by aggressive lobbying by corporate interests and by a sometimes intransigent EU Council. Dogged by hostility and stalling tactics, the initiative often ran into trouble. At times throughout its gestation, there was a real risk that the process might collapse. So … many, many compromises were forced to be taken. The Regulation became a creature of consensus. It left a lot of wiggle room which I will discuss.

And there continues to be a fatalistic belief among some companies and pundits that any attempt at international regulation in an era of globalization, cloud and ubiquitous computing is doomed to failure. As I will point out, certain aspects of the GDPR are already outdated … and it has not even come into effect.

Note: it might seem that everyone says GDPR and will know what that means. Wrong. The French refer to it as the “RGDP”, but then they also call shredders “déchiqueteuses”, so go figure. Oh, and there was a haiku poem embedded in one of the appendices. Anybody find it? Must have been one of those long nights at the Commission.

But it is important to remember … and you know this if you have had the opportunity to speak with any of the EU Commission personnel behind the new GDPR, or any EU data protection officer, or any of the army of lawyers and consultants preparing for the GDPR … that reining in the large technology companies was not the primary goal of the European legislation. And the European regulators are now slowly realizing that GDPR is going to be a bitch to enforce. More on this later on.

It takes time to analyse the GDPR (my ever-present pocket version always stuffed in my travel bag), to find out what it is (and is not) about, what the implementation of its provisions means, what the details are, where the gaps are (some intended, some not intended), etc. Because as the saying goes, “the devil is in the details”. Or to quote the better version by my blogging colleague Jonathan Maas, head of the eponymous Maas Consulting Group: “the devil is ALWAYS in the details”. Jonathan’s view is that the GDPR is more of a “forced information governance device” due to the “right to be forgotten” aspects of the privacy law, plus such provisions as an employee’s right to request from his/her employer all the information the company has on him/her. This is going to require that organizations have absolute knowledge of where all EU personal data is stored – no simple task in the age of cloud and mobility. We’ll get to these information governance points a bit later on.

So it has been in this vein that over the past year members of my legal and media teams and I have been attending a rather diverse series of GDPR meetings and events. Not the usual trade shows like Legaltech/Legalweek or CLOC, which tend to look at GDPR from 10,000 feet up, but events that cover the nuts & bolts of how to deal with it. Those events have included:

  • the Munich Security Conference, which had one session that addressed GDPR privacy from a national security perspective. Presenters opined that the new GDPR changes may make it more difficult to track down cybercriminals and less likely that organizations will be willing to share data about new online threats. So expect governments to find a need from time to time to push the “national security exemption” button provided by the GDPR, and the Privacy Shield.
  • InfoSecurity Belgium, an annual event which this year had red team exercises to show you how to handle the GDPR plus other unrelated cybersecurity issues.
  • chats with Varonis Systems and Check Point Software, two companies that have developed what I think are the best security software platforms to track, visualize, analyze and protect data. They have also developed “Privacy by Design” and “Data Protection Impact Assessments” units built around the new GDPR. I will have video interviews with both companies.
  • the Internet Area Working Group which is a body of systems administrators that acts primarily as a forum for discussing far-ranging topics that affect the entire internet area. The GDPR adds new requirements and layers for documenting IT procedures, and performing risk assessments, and they really worked me through the GDPR plumbing.
  • the IBM Analytics Technical and Organizational Measures unit, which basically takes a look at your company’s internal data management processes vis-à-vis how GDPR will influence them, what the impact is and how you can manage the required GDPR changes.
  • the International Journalism Festival in Perugia, Italy which had sessions that pretty much ripped off the veneer of Zuckerberg’s claim Facebook will adhere to the GDPR privacy safeguards, as well as the fallacy the GDPR will put an end to data-slurping.

A brief history of recent regulation of privacy in Europe

In recent years, there have been other regulatory attempts at strengthening online privacy rules but they have had little effect at chipping away at the power of the largest tech companies, ultimately aiding internet giants rather than hurting them. Avi Goldfarb, a marketing professor at the University of Toronto who has studied the effect of privacy regulations on competition, is the co-author of a 2013 report (an excellent read) that says privacy regulation could be anti-competitive because the cost of getting permission from users for their data was typically much higher for a younger company than for an established firm.

Note: I cite the Goldfarb report in my upcoming piece on why the entire business model of these data-devouring digital giants make conventional public policy tools ineffective for any real control or regulation.

The reason for the advantage? That’s because wary consumers are more prone to trust recognized names with their information than unfamiliar newcomers. And the laws may deter start-ups that do not have the resources to comply with the rules from competing with the big companies.

That Facebook and Google may emerge stronger may seem counterintuitive given these companies have been under scrutiny for months for the way they collect and use people’s data. Google’s issue has been more about its online video service YouTube. Congressional members have noted Google’s data-collection machinery is as robust as Facebook’s, if not more so.

Yet past attempts at privacy regulation have done little to mitigate the power of tech firms. Just two examples of what happened in Europe after earlier attempts at checking the power of Facebook, Google and others:

  • In 2014, the European Court of Justice (Europe’s highest court) ruled that people had the “right to be forgotten” online, meaning they could ask Google and other digital companies to delete search results about them. Since then, Google has instead become a chief arbiter of what information is kept online in Europe because the company itself is responsible for determining the fate of each deletion request.
  • Another 2011 European law requiring websites to alert visitors to “cookie” trackers that collect data on browsing history has largely turned into a distracting annoyance rather than changing how companies operate. People often accept the tracking to get rid of the pop-up warning without reading details about the tracking. This goes to the updated ePrivacy Regulation, meant to be complementary to the GDPR and also meant to go effective 25 May 2018, but caught up in political haggling.

And let’s look at the “right to be forgotten case” that Google lost in the London High Court just two weeks ago. The High Court entered the delisting order on the same day the judgment was handed down. But … two weeks later the files were still online. Not even the winning party or his solicitors noticed.

Note: “right to be forgotten” is generating its own cottage industry. Companies are employed to execute test searches on a variety of device types and operating systems (Windows, iOS, Android), browsers (Firefox, Chrome and Safari) and connection methods (wired/Wi-Fi/4G).

On the face of it, this put Google into direct conflict with the High Court. Not doing something set out in a court judgment or order is normally regarded as contempt of court, a serious matter that can lead to fines – or even prison time for individuals. Immediately going ahead and doing the thing ordered by the court (in this case deleting the search result) is normally enough to “purge the contempt”, in the legal jargon. And that’s what the Court allowed, a “time out” so to speak, for Google to comply.

Note: more importantly, the case brought up the huge issue confronting “right to be forgotten”: the massification of access to information. Much of this material will still reside in repositories such as the Internet Archive.

It also reawakens the arguments made in the original debates over “right to be forgotten”. People who have made mistakes, done something stupid, served their time and are trying to rehabilitate and move on with their lives deserve second chances. Point taken. But being able to purge old content like this also makes it much easier for such people to lie about past convictions without employers being able to check and confirm things. A tricky one.

According to both Facebook and Google, they are preparing to comply with GDPR:

  • Facebook last week rolled out a new consent form asking users globally – not just Europeans – to accept its targeted advertising and to allow features like face recognition. It has also limited access to data brokers such as Acxiom, in a concession to privacy advocates.
  • Google, which spent years preparing for the new rules, has stopped scanning Gmail messages for keywords used to target advertising. And it recently introduced a new marketing product for publishers that shows ads based on the context of other articles or content on a website, instead of relying on personal information.

But then in response, the privacy critics did a deep dive and challenged Facebook’s new consent forms, saying they are intended to continue encouraging users to share information widely. And Google came under fire for an updated European user consent policy that has open-ended language, which critics said violated a tenet of the new European privacy rules that requires companies to ask for user consent in specific and explicit ways. “Not so”, said Google. “The GDPR is ambiguous about consent”. Let the Games begin!

As far as GDPR enforcement, welcome to the “Art of the Possible”

In some respects, the Regulation is the Art of the Possible – offering huge potential but lacking the detailed mechanisms that could make it work. Much of the detailed enforcement structure was stripped out during negotiations.

But in some respects, any regulation is only as effective as the authorities that enforce it. The twist in the GDPR’s fate is that most of the data protection authorities (DPAs) remain ill-equipped, under-resourced or unmotivated. I noted this in detail in a previous post.

Jack Massey, who is a data protection officer for a company in Ireland, noted:

There is a depressing parallel with the Telco regulation in the 1980s, which throughout much of Europe fell into disrepute through indolence and compromise and a “what-in-hell-can-we-do?” attitude among oversight bodies such as the UK’s OFCOM. 

Many DPAs in the past have been too biased or lazy to conduct meaningful investigations. And it is way too early to see whether DPAs can change for the better. But based on an informal meeting of a few DPAs in Rome a few weeks ago, and the end-of-year meeting of the International Conference of Data Protection & Privacy Commissioners, a few things look certain:

  1. DPAs have freely admitted they are understaffed to enforce GDPR and it’s going to take a long while for regulatory authorities to conduct their investigations.
  2. Expect regulators to target “symbolic cases” … and expect calls that such enforcement is arbitrary and unfair, and ripe for litigation.

Even Giovanni Buttarelli, the European data protection supervisor who was involved in the creation of the GDPR, has said much of the impact would be determined by regulators who enact the law and who will be up against well-funded teams of lobbyists and lawyers. At the recent Global Privacy Summit he noted:

Europe has a staff of about 2,500 across all the countries working on privacy issues. That’s peanuts compared to the lawyers and lobbyists in Brussels and Strasbourg.

Earlier in the post I noted that the forced compromises left a lot of “wiggle room” in the GDPR. What I am pointing at is the flexibility for Member States to set their own rules which is reflected throughout the entirety of the data protection spectrum. It includes:

  • processing for incompatible purposes
  • processing of sensitive health data
  • restrictions on the rights of data subjects
  • security of processing
  • limitations on safeguards and derogation for public interest reasons

In each case, individual states may decide for themselves the rules that will apply to the processing and transfer of data.

The GDPR’s flaws, however, extend much further. The instrument fails in many cases to provide definitions that might have formed a foundation for harmonized rules.

Worse, this latitude will have a substantial bearing on many key elements of the GDPR. Consider the aspect of consent, which is one of the main pillars of data protection rights. True, the GDPR makes a distinction between “unambiguous” and “explicit” consent, but the difference between the two remains unclear. And Facebook and Google will have a field day with that.

We’ll get into more on all of these issues in Part 2.

But on a positive note …

Yes, I am a cynic.  But there are a number of clear wins for data protection rights.

  • There is no question that organizations processing personal information are now on notice that they must lift their game. There appears to be consensus – even in Silicon Valley – that use of personal data requires a higher level of due diligence than in the past. Controllers and processors (both of which are now equally liable) need to think carefully about what data they have, where it is located and whose eyes are on it. In essence, this requires a more scrupulous audit and some clear thinking about risk. In many respects, this environment ushers a more systematic approach to handling information. This gets to the Jonathan Maas view that the name of the game is information governance.
  • One extremely important element of the Regulation is that clarity has now been achieved on the question of processing obligations outside EU territory. Organizations handling a wide spectrum of personal data are now under an obligation to conform to data protection and security standards as if they were based on European turf. This may mean, for example, appointing a representative in Europe. The new rules require certain impositions such as the completion of “Data Protection Impact Assessments” for risky or sensitive processing. I will expand on this in Part 2.
  • The GDPR is clear that controllers must only engage with processors who can provide “sufficient guarantees”. This requires data owners to check that they have effective “technical and organisational measures to ensure the security of the processing”. This element is a clear step forward for data protection.
  • The GDPR has also established a requirement for the appointment of Data Protection Officers (though this would apply only rarely to Europe’s 23 million small and medium sized enterprises). One of the companies I own is a job posting service for positions in e-discovery, compliance, data analytics, etc. Over the past year we have posted 393 Data Protection Officer positions … an 87% spike from two years ago.
  • The Regulation’s recitals are very clear about the need to reflect the reasonable expectations of the individual at the time of collecting data. The prevailing view of data protection lawyers is that, in practice, this condition will work in favour of the data subjects’ interests.

Coming up in Part 2

We’ll get into the GDPR “plumbing” and parse some of the pedantic parts which will include some video interviews.

And data slurping. It will never end.
