On May 25th, 2018, the European Union began enforcing the General Data Protection Regulation (GDPR). This regulation is the most sweeping digital privacy act in the world. It changes the landscape for internet companies wanting to do business with European citizens, if not the world over. What is this much-hyped regulation, and what does it mean for tech?
The GDPR Is All About Data
The ability to use digital technology to compile and analyze data undergirds every aspect of our global economy. In case you didn’t already know, data is the 21st century’s version of oil. What makes big tech companies like Google and Facebook so valuable is their ability to compile massive troves of data on their users—who is friends with whom, who lives where, who likes what, and so forth and so on; billions of human lives digitized into a cloud of data points. By compiling and analyzing that data, those companies can sell advertisements with better targeting than any technology ever before devised.
Despite the ingenuity (and profitability) of these companies, accumulating data at that scale creates huge vulnerabilities, although the technological illiteracy of the public has shielded them from scrutiny. A recent article in The Economist put it in a polite tone: “companies with sloppy approaches to data have been able to count on their customers’ lack of interest in cybersecurity” as a means of protecting their profitability and reputations. However, recent scandals—Equifax, a credit reporting agency which leaked the information of 143 million customers; Cambridge Analytica, which compiled dossiers on at least 87 million Facebook users without their consent to manipulate them—revealed the huge reach and tenuous safety of these systems, leaving both customers and regulators calling for more, and better, controls.
What Does the GDPR Do?
Enter the GDPR. Though the European Parliament began discussing it in 2012, and ratified it in 2016, the issues at stake for the new regulation disappeared from the headlines. In a great primer on the GDPR, Liaison Technologies explains that the regulation is about giving people control of how companies use their data.
For example, under the GDPR, users have the right to see their personal data and, if they would like, have it removed. This is the so-called “right to be forgotten.” It is an appealing notion. Your angry late-night and regrettable Instagram snapshots can vanish forever, dissolving into a digital mist. The same rules apply to the “shadow information” that internet companies collect about their users. Where you live, who you’re dating, your music preferences, your location three weeks ago: any personal data that a company has collected about you is fair game.
For internet companies, though, the “right to be forgotten” clause of the GDPR is exasperating. Our data is diffuse. A company like Amazon, Facebook, or Google could have bits of our data spread out over hundreds of servers throughout the world. Our data does not just attach to our online fingerprint. For example, if your friend sends you an email, then removes that email, their email will still appear in your inbox. Google (if you’re both using Gmail) still has that data, but it is a step removed from your friend’s account. If your friend requests their data from Google, the company must go digging through it. Because most tech services did not begin in a GDPR-compliant environment, they may not have the tools (such as data pseudonymization, which separates data from direct identifiers) that they now need to follow the GDPR.
What Does All This Mean?
Now, imagine that email debacle between Google and your friend billions, if not trillions, of times over. Alison Cool, writing in the New York Times, noted that scholars “doubted that absolute compliance was even possible.” On top of that, the punishment for violating the GDPR is harsh. Companies violating it can face a fine of “up to €20 million, or 4% of your global annual turnover, whichever is higher.” For companies that have been collecting the personal data of millions (billions!) of users for more than a decade, the GDPR’s requirements seem high. As the title of an article from The Verge says, “no-one’s ready for GDPR.”