The EU is enacting a new privacy directive as of today: the GDPR (short for General Data Protection Regulation).
Given the recent revelations about Facebook and the continuous stream of hacks we see in the media, this is a good thing. The question is, though: is it effective?
GDPR and this site
GDPR requires a company to follow rules regarding the data it processes. In a nutshell:
- If the data can be traced to a specific person, they have to have a valid reason to process and store it.
- Organizations should have privacy-by-design, requesting and processing as little data as they need for the service they provide and ensuring they handle and store it safely.
- Organizations need to have privacy awareness embedded in their business processes by technical and organizational measures.
- People are allowed to query what an organization stores about them.
To get to the elephant in the room: this site tries not to collect personal data. Up until today, there were social share buttons with each article, but given that those report back to Google, Facebook, etc. that you visited my site, I’ve decided to remove them.
On the effectiveness
A lot of companies are shitting bricks because of GDPR. Most of the free stuff on the internet is paid for by monetizing your personal data. Facebook and Google, for example, use your behavior on the web to present personalized advertisements.
Under GDPR, this becomes harder to do. The stricter rules make it harder to collect data, and easier to have it removed. However, that’s not the whole story.
You may have noticed a conspicuous increase in privacy-related e-mails and cookie banners popping up on sites. That’s the new GDPR in action. The thing is, people have a tendency not to read the banners and e-mails. Most people just click through them. In actuality, the new GDPR-compliant banners often offer a user the choice to block certain tracking. In reality, somewhere around 99% of users just click through, consenting to the default ‘collect everything about me’ option.
So, the GDPR tries to give users back control of their personal data, but will it work?
On red flags in front of cars
Over a hundred years ago, the first automobiles appeared. At that time, they were considered dangerous. Actually, given how many people still die in car accidents every day, they are dangerous, even more so than a century ago. In the beginning, the UK and the US enacted safety laws requiring a pedestrian with a red flag to precede a car.
The new GDPR laws feel a lot like that. We know that cars are dangerous. We know that if they only traveled at a few miles/kilometers per hour, they’d be safer. However, we like the convenience. The same applies to privacy. We know we want it. We know Facebook is selling advertisements based on our private data, but Facebook is just so bloody convenient. And so are the book suggestions by Amazon. Or a Google AI calling your hairdresser for you.
A lot like pedestrians with red flags in front of cars, the GDPR is trying to put the genie back in the bottle. If we accept traffic deaths to get from A to B conveniently, will we not accept fake news to keep our social media?
Let me be clear on this. I’m all for privacy, just as I’m also against traffic accidents. I’m worried that the laws we’re making are missing the point.
The next step
This doesn’t mean I think the GDPR is bad or stupid. I just think it doesn’t do the right things. Trying to give people back control of their personal data is very complex and it doesn’t seem to work. The effort to safeguard your personal data doesn’t seem to outweigh the inconvenience of doing so.
Instead, the abuses are the things we should try to constrain. The GDPR has provisions for that as well, but most of the attention seems to be going to the consent and query parts. We’re spending billions on implementing thousands of consent banners that 99% of people just click past.
I would much rather see us constrain decision-making based on that data and focus on companies protecting their data better. I feel the election rigging by Cambridge Analytica is a much bigger problem than Facebook showing us ads based on our phone history. The fact that people get denied loans (and as a result a house to live in, or a car to drive) because of opaque analysis of their personal data is the problem. These things will still happen under GDPR.
GDPR is a step in the right direction, but I do think we need to do better. For now, at least we can have fun clicking through another round of consent banners while journalists start querying companies for their data and seeing what they can shake loose.