Given the activities of Cambridge Analytica as well as Facebook’s obvious inability to even comprehend what the hell people are pissed off about there is a reinvigorated push for regulating Facebook.
And it makes sense to look at regulation of supranational entities such as Facebook, Google, Amazon and whoever else is the target of the week. Because – aside from some existing fragments on some national levels – nobody seems to have figured out a way to effectively get a handle on what these tech giants cook up in their labs and release into the wild: Tech iterates extremely quickly, making all too focused or all too specific regulation irrelevant or ineffective quicker than it can be passed by any authority or government.
In the US I do often see a push to adopt #GDPR style regulation. The GDPR (General Data Protection Regulation) is the newest approach of the European Union to regulate and structure privacy and the processing of personal data. It will become active May 25th of 2018 and forms probably the first and most modern kind of privacy regulation of its scale on this planet. Many privacy activists celebrate(d) the regulation and some were even very involved in its creation so we should have something good here, right?
But things are usually less shiny when looking closer. Which I did in 2014 in a small tumbleblog that became a German book on the subject matter. But with it all being written in this niche language I was born into and with the texts having changed somewhat I thought it would be useful to summarize some of the biggest issues I have with the GDPR. Just to provide a little bit of added context to all the voices proposing GDPR as the silver bullet for “fixing” the Internet. Also David and Yasha asked for a short summary so here it goes.
Why should you listen to this, to me? Good question. I am a computer scientist and have been dealing with regulation of IT aspects/privacy for … damn … about a decade now. I am also a certified data protection officer for the GDPR and serve in that capacity for my employer. I’ve also been invited to the German Ministry of the Interior in the time leading up to the GDPR as an expert providing context about the regulation to the government.
This text will just look at the GDPR as it is, as regulation. I don’t really want to go into whether it would have protected people against an actor such as Cambridge Analytica (because it wouldn’t have). I also don’t really want to get into whether a data protection regulation will solve the “problems with Facebook” because a) that would require me to get into those which is a whole different ballgame and b) (as it will become clearer when looking at the regulation) the focus on the 800 pound gorilla in the room hasn’t helped the regulation to become better.
With all that being said, let’s look at the GDPR.
The GDPR is a regulation that – as already mentioned above – will go live throughout all of the European Union on May 25th. While there are ways for the EU member states to amend the regulation in specific places, it supersedes all existing privacy/data protection regulation within those member states. Starting May 25th the whole EU will have a very homogenous data protection regulation.
This was also one of the driving forces of the GDPR: To make it simpler to transfer personal data between EU member states. Because that used to be a big problem, with for example Germany having very different laws and regulations than, say, France. This is very important and often overlooked: GDPR is not supposed to make data stay where it was gathered. Its job is to guarantee a level of protection/regulation attached to data, no matter where it goes. Even if the data leaves the EU.
If you have never read the regulation (and it is actually quite readable compared to other legal texts) you can find a very convenient directory here. But don’t worry, you don’t need to read all of it for this. I’ll point out the articles I see as key issues later in detail.
The Good parts
I want to start out with some of the good parts. Because obviously not everything about this is bad, it does have (very) good aspects as well.
Many of the “Rights of the Data Subject” (as in: The person the data at hand refers to) make sense and it’s great to have them written down and formalized.
I especially find Article 15 not a bad idea in general. It outlines that a data subject has the right to ask whether someone stores data about them and if yes what kind of data and where it comes from. We can argue about specifics a lot but the general idea is solid.
Especially when it comes to scoring or other data that can have discriminatory effects Article 16 is important giving every data subject the right to have data concerning it rectified. Good approach.
The right to data portability as outlined in Article 20 is a good idea in general but given the legal framework it is embedded in and the way it is phrased it’s largely useless in its current form. But I like the idea and would have loved to see it strengthened but it stands in conflict with much of the rest of the regulation.
Articles 24 to 40 also include many good ideas about enforcing certain standards for data processors (as in entities using data). Requiring processors to ensure a certain level of security within the chain of data processing and clearly specifying the kind of information a data processor has to provide their data subjects are all very reasonable ideas, most of them being phrased in a generally OK way (you can always argue about details with these kinds of things).
So while there are good things I wouldn’t have written this post if everything was fine and dandy. Let’s start looking at some problematic aspects that are hard to pin at one specific article but that keep repeating or that are underlying assumptions about the structure of the (digital) world that don’t really hold up.
While the basic legal structure (processing of personal data is illegal unless certain conditions are met) could probably be worked with, it does create sort of an uncomfortable lever for governments to declare information about natural people illegal. Processing of personal data (and that includes storing it in a CMS for publication) is illegal in general. That means that the press and everybody writing about people now has to make sure that they have a strong case for publishing said data (see the part about Article 6 a few paragraphs down). If someone powerful wants to get rid of something uncomfortable, say reports about them meeting people they shouldn’t have met carrying suitcases full of we don’t know what, they could argue that they don’t consent to their location being processed and force the article to be removed. Of course the press can fight this and argue for public interest or something, but every article will be a potentially expensive fight.
The government Exception
Most key articles dealing with restricting the processing of personal data include exceptions for government entities. This means that instead of being a strong protection against the government (you know, the people with the guns and the prisons and the secret services) this regulation mostly targets the private sector. And that is an important area to regulate. But it’s really not enough at all. It’s basically the government pointing over your shoulder yelling “look there’s a three-headed monkey behind you” and doing whatever it wants while you are distracted. That is – especially if you follow German traditions that constituted data protection specifically as a way for people to defend against government overreach – at least surprising.
The Anti-Faceboogle Law backfiring
The law is very obviously written to target the big tech companies and the way they do business. That is obvious while reading the articles as well as while reading the reasoning for the articles. That is also how the whole legislation is read outside of the EU (which is why people want to use it to destroy Facebook or something).
So the law creates very strong requirements to be allowed to process data and if you break the law there’s going to be immense punishment. Eat this Faceboogle!
The problem is: Facebook, Google and all the other companies do have the skills, the person-power and the resources to implement the regulation. They have the money to do all the data bookkeeping and pay data protection officers and all that. Especially with consent being the key mechanism within the regulation (we’ll come to that later) the big platforms are in a perfect position to funnel people through a consent acquisition process and get everything they need. How well do you think a new startup of 10 people will do in that regard? Do you think that some open source project running a bunch of servers to have people use a free and open social networking thing outside of Facebook has the skills and resources to comply with the regulation?
The immense effort necessary to comply and to be safe from the data protection agencies as well as lawyers affiliated with a competitor is only really manageable for the big players. Smaller startups and specifically decentralized free/open source projects will always be out of compliance. The law that was supposed to rein the US tech giants in (to allow European alternatives to flourish) only strengthens the position of those already almost being monopolies.
What is data?
The GDPR has a very simplistic idea of what personal data is. If it refers to one identified (or identifiable) natural person, it is personal data that that person (the data subject) can control. Great.
So what is with the data connecting people? Say I am friends with X on Facebook. Is that information about me? About X? Who’s allowed to control it? Is X allowed to have a post removed (Right to be forgotten, we’ll get to that soon) that I wrote containing my opinion on X?
There is a lot of data that is clearly about one person. My bank statements are about me and my financial situation. Or are they? If I had kids they would also say a lot about their potential situation. Even my genetic code does not only say things about me but about my sister, my parents and potential offspring.
The understanding of data that the regulation is built on is so simple, so naive, that for many real-world use cases the model simply doesn’t work.
Specific problematic articles
Ok. So after we’ve seen that some general ideas that GDPR is based on might be … not as well thought through as we’d like them to be, let’s look at just a handful somewhat problematic articles. There are more but I don’t want to let this thing get too long.
The GDPR is supposed to govern:
- Every processor (company, project, etc) within EU borders
- Every processor that also targets users/customers who reside within EU borders
While the first part is somewhat simple to figure out (if your headquarters are in Berlin, renting servers in the US won’t allow you to evade the regulation) the second part is problematic for a bunch of reasons, mostly practicality and, you know, national sovereignty.
What does it mean to target EU users? Is it enough to add a checkbox to the signup form making people state “I am not within the EU”? Say you are a startup in South Africa, you don’t care about the EU, you don’t think about the EU and suddenly some dude from Europe wants to fine you because a few people in Germany complained. That is a weird construct. Why should the EU parliament be allowed to decide how to regulate companies or entities it’s not legitimized to? Why does the EU parliament assume that it is allowed to override every law in the world if it feels like it?
Yes you could see my reading as overly dramatic (I am a passionate person) but I feel like Europe with its history of imperialism should maybe find better ways of dealing with international law than just saying “we know best”. The problem of conflicting legislation colliding on the Internet is neither new nor easily handled. But those questions need to be solved and not by saying “because we say so”.
Article 6 is one of the absolute key articles of the regulation, it defines the reasons that can make the processing of personal data legal.
Basically: If you can point at one of the reasons you’re mostly good to go.
Some of them are kinda boring: You can process data if you are legally required to or to fulfill a contract with the data subject. Also there is saving lives (mostly hard to argue) and “public interest” (also hard to argue unless your interest is security and you want to profile your population).
The two reasons a) and f) are more interesting though. Let’s start with f) (like fuck yeah!).
f) allows you to process personal data if you have a “legitimate interest” that’s not overridden by other interests. This is the reason most ad agencies and people spamming you will fall back onto at first. Their “legitimate interest” is “informing potential customers” so they are allowed to crunch data to find these potential customers. Of course we’ll have to see the courts rolling the dice on this one but it already is quite a big door to even push profiling through.
a) falls back to consent, meaning the data subject has freely consented to the data processing. You know how these things work. You want to do something, a service asks you to sign up or check a box. Boom. You just consented. Consent is specifically what the big platforms will fall back to and which is easy to acquire for them. (Unless they find a way to make processing user data part of the contract they have with the user, I do have a few ideas of how to pull that off and I am not even a lawyer).
The law wants to play hardball but in the end the ways of allowing things are so vague that it’ll end up mostly just adding a few check boxes everywhere. I don’t see a huge benefit in this to be honest. But consent has other issues as well, let’s look at it specifically.
GDPR specifies a few criteria for legal consent to data processing. So you cannot just add a check box that’s maybe hidden and says “I allow everything, Facebook, use meeee!”.
The language is supposed to be clear and specific and consent into one thing cannot be tied to other things that are independent. That is not a stupid idea as such. But consent requires understanding.
Can I really consent into what for example Facebook or Google do with the data about me? Am I really able to fully understand what Facebook really wants to do? What the consequences can and will be?
Say Facebook (I keep using them as an example) asks me to “process my interests in order to adapt the Newsfeed to my personal preferences”. That sounds clear and specific. But is it? Not even Facebook engineers can easily say what their AI will do with my data, what kind of model of me it will create.
More and more data is processed by at least partially opaque systems (such as AI/machine learning systems) even if it’s not about profiling. And who can really understand what is being done with that data? Is consent even meaningful? Or will it stay within abstract phrases such as the one I outlined above? I fear it will.
Consent is a powerful tool in human interactions. But for digital spaces it’s not as meaningful as many people – especially privacy experts – believe it to be because the level of technical, legal and organizational competence required is really not something we can expect every person to have. Especially with companies maybe wanting users to consent into more than might be in their interest.
Consent as phrased here individualizes the data protection issue. The smart, the educated, the tech people will get their privacy and the rest won’t. Because they either don’t have the skills necessary to understand what’s going on or because they might value participation in something (and the access it provides) more. This keeps the current model of privacy as a bourgeois fantasy alive and I am not a fan to be honest.
Article 17 gives people the right to have data about them deleted. Ok, sounds fair. But there is a problem for anything journalistic and, by extension, for the public itself.
If this article were just used to force a company to really delete data about me after I deleted my account, or to force them to really really delete the naked picture of my junk I accidentally posted, we wouldn’t have a lot to discuss here. But this thing ties into the question “What is data?” that I presented earlier. If I can get anything that talks about me deleted because it’s data about me, how can others exercise their right to voice an opinion (even about me!)?
As my dear readers know I am not a Free Speech absolutist like so so many tech libertarians but I do see free expression as a fundamental value (within certain bounds). This article can be used to repress anything negative about anyone.
And even if there was a question whether specific information (say “X is a serial scam artist, don’t invest into his schemes”) should stay for the public good or free speech, given the potential harsh penalties for non-compliance with the GDPR (up to 4% of total worldwide annual turnover of the preceding financial year, Art. 83, Sec 5) when in doubt companies will delete. Because the risks are very high and the benefit is marginal.
The article is so broad, so powerful, and fighting it runs so contrary to every incentive, that it is a big danger for the free press and specifically for those who write but might not have the legal staff of a big newspaper or publisher at hand. You like blogs? The GDPR doesn’t.
“Now wait tante, you scheming … schemer”, you might say, “you said Article 20 was cool! Now it’s not?” Well dear reader – who I super did not just make up – the issue is that the regulation presents a right that is pointless for most of the use cases it is supposed to address.
So I have the right to take my data out of one service in electronic form to be able to easily migrate to a different service with similar functionality. That is a great idea. Really. But what does that mean?
It’s nice that I don’t have to complete my profile writing all kinds of facts about monkeys. Awesome, saves me a lot of time. But that’s hardly what I want to do.
If I want to leave for example Facebook for some other, better, more data protecty competitor, what use is the data I get out of Facebook? Sure, I have my posts. But only those that didn’t reference some of my friends. My network graph? Is basically just data about other people I can’t just get out because it’s not just “my” data. That kind of export is pointless for migrating to other services. The social graph, the network, more often than not is the value proposition.
So that is a nice right that I get. I just can’t use it for anything meaningful. Thanks.
These are some of the problems I see with the GDPR as it will go live soon. Personally I can’t complain, I now can’t be fired for at least a year being data protection officer for my employer, but I hope I could show that some of the articles and ideas that the GDPR is based on are either not doing what they are supposed to do (see consent for example) or enforce existing monopolies and monocultures.
The GDPR was an important step to harmonize the law in the EU and I hope that with the people involved having changed and reality kicking the GDPR around a little bit, some of the worst issues will be fixed or at least amended in the next years. But if your plan is to regulate Facebook the GDPR won’t do too much for you. It actually does strengthen the big platform providers.
And if you look at the GDPR as a template for your own privacy laws do what you’d do with new tech: Let others experiment with the beta and wait till it’s reached version 1.1 or 1.2. Because this current version is a beta and there’s gonna be crashes and patches.
(This article is free and creative commons licensed so you can do mostly what you want with it. If you still want to support me or this work you can buy me a beverage [Paypal link to donate]. But of course you don’t have to, I appreciate you reading this)