May 252018
 

If you work in any industry that makes use of other people’s data, and odds you’ve been hearing a lot about a new European Union law going into effect called GDPR (General Data Protection Regulation if you’re curious). I’m not going to get into the law’s requirements – if it applies to you then odds are the attorneys working for or retained by your company have already discussed what you need to do to be in compliance, that’s not what interests me here (besides, I’m neck deep in implementing the things my company’s lawyers said need to be implemented to say we’re in compliance). After hearing people say that Facebook’s latest scandal could/should result in GDPR-style regulation in the US, I thought I’d take a closer look at the ideas behind GDPR, and see how well they stack up as well as take a passing look at how good or bad they’re likely going to be.

My first instinct after looking into this law was to think “Oh, this is kind of like a HIPAA for general data collection and use.” I don’t really know enough about either law to go much deeper into that analogy, or even to know how good of an analogy that actually is, but that’s where my head is in terms of how I see GDPR. Like HIPAA, I think GDPR is a very well-intentioned law that tries to codify some solid principles, although it seems like some of the implementation details are flawed.

The idea(s) behind GDPR

GDPR appears to encapsulate a few basic principles about how cloud services collect and use user data:

  • Users should ultimately still control the use of their data
  • Companies need to be clear with how they’re using the data and access they’re requesting from you
  • Companies should explicitly request permission to gather said data

The first principle – that users should ultimately control the use of their data – is probably the overarching theme of the whole legislation – it certainly informs the other 2. It’s a very noble principle, but also one that’s hard to encapsulate into law (which is the point of this blog post). That said, it’s certainly a noble enough goal that the EU deserves credit for trying. This leads to provisions in the law about being able to export data about you that companies have, as well as those companies being obligated to delete said data upon request.

The other 2 principles – that companies need to be straightfoward with what they’re doing with your data and be more explicit in getting permission to use it – involve companies being more transparent about what they’re doing. Both of these have been considered a best practice for years, so seeing this pop up in legislation isn’t surprising. While I’m not opposed to collecting user data for various profit-making activities (full disclosure, I work for a company that enables its customers to do targeted marketing), more transparency and user control over customer data collection and use is still a good thing.

GDPR has good concepts behind it

I haven’t read through the GDPR legislation itself (you try reading laws, it sucks), but from what I’ve gathered researching the law and it’s requirements, there’s some pretty good concepts included in the regulation. First and foremost is the more explicit consent requirements around gathering and processing user data. Like I said before, more transparency around this is a good thing, primarily for user trust. Honestly, I think if more companies were doing this kind of thing earlier, odds are there wouldn’t be this kind of legislation in the first place. My impression is that GDPR is largely built off of distrust about big technology companies and the amount of data people give them. I think some more transparency around data collection and use, as well as a bit better timing on permissions requests (specifically only asking for permissions when you need them, which is also considered a best practice), and GDPR wouldn’t have seemed necessary. As it is though, I do like the better transparency for users and customers.

I think these pushes are the start of legislating data as a toxifying asset. There’s been good arguments made that data should be considered a toxic asset, but generally speaking I think that data being collected has enough specific value that it isn’t really toxic at that point in time, but the reality is user data generally becomes exponentially less useful as time goes on and as a result becomes exponentially more of a liability (hence why I call it a toxifying asset rather than a toxic asset). I think as a result of people having to be more clear with what they’re doing with user data, they’re also forced to be more proactive in cleaning old data out, just to help sell the collection to the customers they’re trying to get consent from. That’s good for companies (clearing old, useless data out of your system is always nice), and good for users (less data to have exposed in a breach – not to mention psychologically it feels like companies are gathering less data on you if they’re regularly deleting it).

GDPR includes breach notification provisions. This is another good transparency clause – albeit one that’s less comforting to users. Nobody likes to find out they were the subject of a major data breach, but let’s be honest, by this point it’s happened to most of us (Equifax and Target seem to have covered a giant swath of the US population). In fact, given how many of us have had at least some data compromised, odds are that not warning customers about the issue is more infuriating than the actual breach itself. Breach notification is a known best practice, just like transparency around data collection and use, so seeing it show up in GDPR is hardly surprising.

The last couple of good points that GDPR brings is the requirement to allow you to get an export of the data on you that a company has collected as well as request it’s deletion. Data exporting is something that Google’s historically been pretty good about, and I’m hoping that GDPR forces this to become more common across the board. I also hope support data deletion becomes more universal as companies start having to put GDPR compliance tools in place. This goes back to the primary principle behind GDPR – the idea that even though you gave someone permission to collect data about you, you still ultimately “own” that data and can have that data removed if you want. This ability to have your data deleted, along with the transparency requirements, go a long way towards restoring user trust in the drive towards “personalization in everything.” If people know they can have the data that’s been collected about them deleted, they’re likely to feel a little safer allowing it to be collected in the first place.

The problems

Like everything in life, the devil’s in the implementation details, and the problem with putting these principles into legislation is that it’s hard to effectively dictate how these principles should be implemented at a universal level. While I’m all for getting explicit permission from the user for data collection and being transparent about how you use that data, it’s also very hard to do this in a way that isn’t irritating to users. Have you ever seen those big, annoying “This site uses cookies” displays on websites? That’s because of earlier EU regulations. Most of us (at least in the States) don’t care that websites use cookies to track visitors, and to be honest, most of us don’t really care that random merchants are tracking our shopping behavior to try to target their recommendations to stuff they think we’d like. Generally speaking, I think what most people consider to be more concerning is third-party tracking, and that information isn’t likely to show up in a disclaimer on a website.

As much as I like the idea of requiring disclosure to state “in plain English” what your data is going to be used for, the fact of the matter is you’re never going to get that. Any sort of legal-facing disclaimer would always be written by a company’s lawyers, and they’re concerns are covering the company’s butt and hedging bets for anything the company is doing or likely to do with user data. That’s not to say a clear disclaimer of what data is being collected and how it’s being used isn’t worth demanding, but keep in mind that you’re really going to get limited success with that, at best (still better than nothing though).

Again, I haven’t read the exact text of this law, and even if I had, I’m not a lawyer, but I’m a little vague on what the requirements for third-parties who collect and process consumer data on behalf of their customers are. Specifically the parts where the obligations and responsibilities end with the actual business whose website someone is clicking on vs. where the obligations and responsibilities of those 3rd parties begin (Again, I work for an email marketing company that helps users to do customized, targeting marketing. We have lawyers who have gone over this stuff in greater detail, and I’m working on anything they say the apps I help maintain need to do in order to be compliant with GDPR). This is something I find concerning because the first time someone who uses and third-party to help sell ads or offer any degree of customization gets accused of violating any part of GDPR, they’re going to throw that 3rd party under the bus. I don’t blame, them, it’s the obvious defense, but that’s where this uncertainty is concerning to me as a layperson. The fines max out at 20 million Euros or 4% of your annual revenues, so it’s pretty important to make sure you’re in the right with this sort of thing.

Speaking of enforcement, I’m not 100% sure how the EU intends to do that. The law applies not just businesses that operate in the EU, but any business that collects data on a member of the EU. I get how enforcing local regulations against companies that work in the EU would work, but what happens when a smaller business that only has offices in the US sells to a member of the EU and eventually gets accused of violating the GDPR unintentionally? (Before anyone gets any ideas, this does not describe my employer, we have offices in Europe, the applicability to us is very clear) Assume that said US-only business says they don’t intend to pay the fines? What’s the EU going to do? Haul an entity that doesn’t exist in any country they have jurisdiction in to court? Unless there are treaties involved here that I don’t know about (and there may likely be – I’m not a lawyer, remember), that US company isn’t going to show up in court nor are they likely to ever cut the EU a check (so long as they stay a US-only company at least).

Another issue is that the GDPR, like a lot of proposals about how to deal with user data, typically tries to treat data the same way as a tangible thing, even though it’s not. As an example, if I tell someone my phone number, there’s no real “exchange” happening – I don’t magically forget it once I’ve told it to someone else. Instead, there’s now 2 copies of that knowledge, the copy I have in my head and the copy the person I told has. Giving users more control over the transfer of information gained from them to other people, it doesn’t appear that it acknowledges that sometimes the information it gets from users could be about other users. Generally speaking, data privacy policies tend to assume that if the information doesn’t have your name on it, you’re not entitled to it. That makes it nearly impossible to ever successfully export all of your data from a service, and as Ben Thompson argues, that increases the lock-in some existing applications already have:

Secondly, all social networks should be required to enable social graph portability — the ability to export your lists of friends from one network to another. Again Instagram is the perfect example: the one-time photo-filtering app launched its network off the back of Twitter by enabling the wholesale import of your Twitter social graph. And, after it was acquired by Facebook, Instagram has only accelerated its growth by continually importing your Facebook network. Today all social networks have long since made this impossible, making it that much more difficult for competitors to arise.

GDPR also requires data protection officers to oversee a company’s data policies. I’m generally not a fan of telling businesses how they should be run, but this is also an example of how trying to regulate big businesses ends up locking the existing big businesses in and keeping potential competitors out. Big companies can afford to hire someone to make sure they’re GDPR-compliant. They probably already have someone who’s effectively a “data protection officer.” Just so we’re clear, having people in your organization who specializes in, and focuses on, security is a good thing for any company. That said, it’s easier for larger organizations to find the budget to hire said security people than businesses just starting out, which likely have a budget of near-0. And before you say that security people are so important that you should be hiring them from the beginning, pretty much every job is considered important to a business – that’s why they’re willing to pay people money to do them. The issue is, the smaller your company, the less money you have laying around for hiring people, so everyone essentially does multiple jobs. Now, to stay compliant with GDPR, you basically have to hope that the regulators are cool with the idea of someone having “data protection officer” be 1 of the many hats they wear as they’re trying to build the business.

All in all, GDPR is a noble effort to enforce some good principles and best practices by giving them the weight of law. It’s also a prime example of just how hard it is to get the implementation of legislating good principles and best practices right. I think given how increasingly popular cloud services are, it’s important to try, and GDPR on the whole represents a good first step. I also think it’s important to take a good look at how GDPR was implemented and turns out, especially considering the hype of “the US may need to adopt GDPR-style regulation in the wake of the Facebook/Cambridge Analytica scandal” from the tech news circuit. Despite its implementation issues, the GDPR is a good first step to enforcing proper standards around data collection and retention, and I hope that it’s improved, both in the EU and in other country’s adaptations of the law.

 Posted by at 11:45 AM