DK_en 2x03 - GDPR 2.0? No, thanks
Episode first aired on 29 January 2023. Listen on Spreaker.com
Today we're talking about how the United States:
- after trying so hard to slow down the GDPR
- after making up nonsense like "dear websurfer, since you are from the EU you cannot view this site"
- and still not content with having gotten away for years with their obnoxious self-certifications called Safe Harbor and Privacy Shield (yes, I am aware the European Commission has its fair share of fault here. Still, I do not blame the chimp too much for failing to properly negotiate with a gorilla)
after all this, they now aim, with some external support from their British lapdog, to push for a 'reform' of the GDPR.
Let me start by saying that, to me, American opinions on the GDPR are up there with British opinions on food and Italian opinions on organisation.
The US only sees personal data protection as part of consumer protection and has every economic interest in maintaining its monopoly on a personal data market (adtech and data brokering) that is proving to be increasingly illegal and in need of very strong restrictions.
If anyone had any doubts, the protection of personal data in Europe is a fundamental right of the person, like the right to speak or vote. Because we think of ourselves as being persons before being consumers.
Despite this, we must talk about what the US says, because the communication apparatus they can deploy is simply frightening, and someone will inevitably believe the nonsense.
So after a few weeks of deep breaths, so that my blood levels of Christlordium did not climb, we can finally talk about an article published just before Christmas 2022 in Ars Technica.
The article is by one Nick Dedeke, professor of Supply Chain and Information Management at Northeastern University in Boston.
It's not Harvard yet, but it is clearly a probe to see what kind of grip specific topics might have. The big guns will come later.
Even if individual actors may act in good faith, and I have no doubt Prof. Dedeke is among them, make no mistake: there is a direction and there is a budget behind what appear to be simple opinions on how to 'improve' GDPR.
So, let's start with what Prof. Dedeke thinks are the flaws in GDPR.
Flaw number 1: but think of the SMEs!
You may have heard this one before: 'eh, but the GDPR is the same for the corporation and for the corner shop, but the corporation has scores of lawyers while the corner shop may at best have a cousin'.
This is subtle propaganda, and of a professional level. Let's tell it like it is. Yes, the obligations are nominally the same for the pizzeria owner and the multinational, but that does not mean that the pizzeria owner and the multinational have the same workload.
Small and micro businesses have but a handful of obligations in order to be GDPR compliant. One information notice or two if need be, the processing register, the risk analysis and the letters of assignment to the authorised data processing personnel, in case the personnel are data processors.
That's it. Nothing that cannot be done through the normal firm that already deals with work safety on a regular basis. Where is the difficulty? There is none. Of course, in the US even safety at work is seen as a terrible constraint on free enterprise, but the GDPR is the product of civilised countries.
What's more, the GDPR explicitly envisages the role of trade associations, which can propose Codes of Conduct to further simplify everything. It means that the various associations that aim to promote and support business can finally show that they are really needed. To be honest, from what I have seen so far, they haven't exactly moved quickly, but we are still at the beginning: what is six years for an epoch-making law?
So I would say that flaw number 1 only exists in the heads of those in bad faith. Let us move on.
Flaw number 2: GDPR neglects the cost-benefit ratio of compliance
In the words of good professor Dedeke:
If all of an organisation's data is accurate, what is the benefit of informing, say, 1,000 customers every year or giving them access to the data? Even if 3 per cent of the data is wrong, the cost of correcting the errors rises astronomically, even if only 500 people requested the data. Are the benefits worth the costly bureaucracy?
Now. First, how do you know that an organisation's data are accurate if there are no controls?
Second, the GDPR places no annual obligation to inform customers.
Third, customers' right of access to their own data is precisely what helps the organisation maintain its accuracy. We can safely say that in an organisation's top 100 problems, data accuracy sneaks in unnoticed around place 76.
Fourth, if three per cent of the data in a database are incorrect, that is a huge percentage for a database, and it means the collection, input and maintenance procedures must be reviewed, in the very interest of the company. Moreover, the GDPR does not say to what degree of correctness the company must guarantee the personal data in its archives; it is the company that can define this on the basis of its own cost/benefit assessment, balanced by the fact that every single person can ask to know and possibly rectify their data.
Fifth, personal data belong to the person, not to the company that collects or processes them. Data accuracy must be guaranteed because someone makes decisions on that data; these decisions have a cost for the company and consequences for the person. This is a normal measure of civilisation.
Also, the consequences of mistakes are weighed against the risk for the person. In a nutshell, if the plumber gets your house number wrong on the invoice, you let him know and that's it. If, on the other hand, you are hospitalised for a vasectomy and the hospital removes your left kidney, mistaking you for your room neighbour, the Data Protection Authority takes this problem of accuracy a little more seriously.
In GDPR, the cost-benefit ratio is far less important than the company-benefit-to-risk-to-the-person ratio.
So if professor Dedeke wants to tell us that ensuring the correctness of data in databases is a cost to be reduced, I wonder with what face he teaches 'Information Management'.
Flaw number 3: GDPR has no fair use exemption
Ah, fair use. When I was young, you would take the hardbound university textbook from the rich friend, or from the library, go to the copy shop and get it copied top to bottom for the price of a couple movie tickets. This was because it was your right, as a student, to photocopy for personal use whatever you wanted. Moreover, copyright back then lasted for twenty years after the death of the author, after which anyone could publish a work without paying royalties.
This meant that at the turn of the 1990s, Disney would lose a truckload of money because anyone could reuse Mickey Mouse. God forbid. Of course, the US put its beefy hand on the scale of justice, and today copyright survives 70 years after the death of the author. This is not copyright, it is the right of the copyright trader.
Fair use, which means each one of us is slightly better off with one more free resource, has been thrown under the bus in favour of corporate profit, which means we can be charged for one more thing that was free before.
Apart from the bad faith of a US person who wants to lecture us on fair use, the point is clearly another. GDPR does provide for fair use: it is called the household exemption. That is, there is no GDPR on your personal address book, despite what the very first GDPR critics claimed. For everything else that is non-personal in scope, be it commercial or non-commercial, GDPR must be followed.
Ah, but the small nonprofit! Ah, but the pilot project!
Am I not making myself clear enough? Personal data can only be used lawfully, fairly, transparently and for the purpose for which it was collected, or for compatible purposes. Simple as that.
Despite what you may be made to believe, there are plenty of good reasons for this. Let's give some real life examples:
- a secretary collects contributions for the boss's birthday present. The GDPR prevents her from reporting to the boss who paid how much and who paid nothing;
- HR has the addresses, mobile phones and union memberships of all employees. The GDPR prevents HR from giving the mobile phone of the pretty new accountant to the inquiring Sales Manager, and also prevents HR from giving the list of Union members to the CEO;
- the supermarket can analyse how purchasing habits change, and can even make inferences with a certain degree of reliability. The GDPR prevents the supermarket from selling the list of all customers who seem to have become single to the marriage agency, or to any other "select partner" willing to pay for it.
Can anyone really say with a straight face that these constraints are excessive? Take up poker, guys.
Flaw number 4: Omission of a safe harbour exemption
Prof. Dedeke continues paraphrasing the GDPR:
it is the responsibility of the data controller to ensure that data is only shared, sold or transferred to organisations subject to equally strong data protection laws... this GDPR mandate can quickly become unmanageable for data brokers.
Bravo professor. You got it. The point is that data brokers, i.e. resellers of personal data, are precisely what the GDPR seeks to limit, precisely because that industry by definition does not set itself any purpose limitation. That is, once personal data is in the hands of data brokers, it is resold exclusively to whoever pays for it.
In the case of marketing data, this means receiving promotions from every Tom, Dick and Harry, which is a minor annoyance. But think about your financial data, your spending power, information about your work and social life, and health information. Would anyone really be comfortable knowing that they are exchanged with the same ease? I don't think so.
So as always, the GDPR is right. The fact that someone has our data does not give them the right to give it to whoever waves a bunch of dollars. On the contrary, whoever has the data has an obligation to guarantee that in any exchange the level of protection to which the data are subject is not lower than the one guaranteed by the GDPR. This can be done in three ways:
- by exchanging the data with countries that the GDPR recognises as adequate;
- by defining additional contractual constraints for the recipient, in the event that the country is not adequate;
- by refraining from transferring data to other countries when it cannot be guaranteed that the data will be kept secure.
This is why the US is pushing so hard for a new transatlantic data transfer agreement after the cancellation of the Privacy Shield: the cloud market is at stake. If we were to enforce Schrems II strictly, no US provider could process EU data anywhere, unless the US repudiates the CLOUD Act (and likely the PATRIOT Act too).
Right now, Europe is facing a choice between our principles and our economies, and we find we are economic hostages. In the long run, the result will likely be a deep redesign of our dependency on US cloud providers.
European entrepreneurs should understand that no agreement will hold before the EU Court of Justice until the US revokes the CLOUD Act, and that the GDPR is the best friend of a sovereign European cloud.
Flaw number 5: lack of respect for different jurisdictions
Once again Prof. Dedeke:
The GDPR states that every data controller in every country that serves an EU citizen or has a website that can be visited by an EU citizen, must implement the GDPR...
Imagine what would happen if all major economies did the same. In other words, the US would enact a privacy law on how European companies must handle the data of US citizens. Similarly, China would enact privacy laws for its citizens.
The US just loves other people's jurisdictions so much that the two pilots who played Top Gun and killed twenty people at Cermis were not tried in Italy, but brought to the US, where they were told 'bad, bad boys, you misbehaved' and let go.
Sarcasm aside, this sounds like an objection from someone who has not read the GDPR, or at least has failed to understand it, which is often the case among those who propose reforming or overcoming the GDPR.
First, the GDPR is not an ethnic law, it is a territorial law. As such, it does not protect 'European citizens', it protects anyone within the territory of the Union, because that is how we roll in Europe. Unlike American privacy laws, may I say, which only protect a State's residents.
Put simply, if Professor Dedeke goes on holiday to Paris, he is protected by the GDPR (as a person, not as a consumer), whereas if I go on holiday to San Francisco, I am not protected by the California Privacy Rights Act (which would only protect me as a consumer anyway).
Also, as far as websites are concerned, the GDPR only deals with websites that explicitly target persons in the territory of the Union with goods or services; if a Bengali website happens to have a customer from Spain, the GDPR does not apply.
Prof. Dedeke asks us to imagine if every nation made a law like the GDPR, dictating how people around the world should handle the data originating in their territory. Incidentally, that is exactly what is happening.
The idea that the protection of personal data should extend wherever the processing of that data takes place is a principle on which everyone agrees. Even the US. The reason is very simple: to prevent all protections from being bypassed by taking the processing offshore.
The GDPR, but also California's CPRA, as well as China's PIPL, and Turkey's KVKK, and Singapore's PDPA, and Japan's APPI, and India's DPB, clearly state that it does not matter where you process data, only who the data you process belongs to.
Conclusion
As always, what appear to be well-founded and even reasonable objections are nothing more than misconceptions and purpose-built examples to give the impression that the GDPR says things it does not say and creates problems it does not create.
I understand that the US has every interest in undermining the GDPR: it runs contrary to their idea that data is money and that every obstacle to business should be removed. In Europe we are a bit more civilised than that, and we are instead realising how necessary and useful the GDPR is. Maybe a little reluctantly, of course, but I don't know of anyone who, having really understood what the GDPR says, wants to change it.
The GDPR, moreover, is not an idea that came about on the fly, but is a law that has been developed over twenty years by some of the best legal minds in Europe. All its prescriptions have strong foundations, and everything stems from the fundamental principles of lawfulness, fairness, transparency, accuracy, purpose limitation, storage limitation, integrity and confidentiality. Principles that no one in their right mind can deny.
The British, for example, after their wonderful Brexit idea now want to 'improve' their national version of the GDPR. For example, by allowing the role of DPO in the company to be played by any executive with time and skills.
The British say that this means an excessive cost, because it is in fact an extra person. But that is obviously not the problem. The GDPR prescribes that DPOs cannot have conflicts of interest because they must safeguard customers and employees from risks and the company from liabilities.
Can you picture a Sales or Marketing Director saying no to further processing of sales data because the GDPR says so? Neither can I. Which exposes the company to fines, and GDPR fines are made to bite.
Again, a seemingly good idea that is actually not good.
Sorry, but the GDPR is made the way it is for specific reasons. I don't expect the Americans to agree, because it goes against their fundamental idea that the market must prevail over everything. But this is Europe.