May 25: The General Data Protection Regulation takes effect today
It’s May 25, and the European General Data Protection Regulation (GDPR) comes into effect. It contains such a shocking amount of common sense, that companies worldwide have been scrambling in confusion to comply with its requirements. Here’s a small amount of that common sense, to give you a feel for what GDPR means.
In its most condensed form, the GDPR says that companies that have no business storing personal data about EU citizens are prohibited from doing so without their active consent, that such stored data must be adequately protected, and that companies that get audited for noncompliance can be fined quite steep amounts — the higher value of 4% of global turnover or 25 million euros. Notably, this applies to companies whether they are based in the EU or not, the moment they store data on EU citizens.
Unlike US fines, the EU is actually quite famous for meting out such corporate fines to the letter of the law — but, and this needs to be emphasized, only when bad intent or negligence is evident. People who are trying hard to comply with requirements tend to get assistance in doing so, and not fines. Companies who consider themselves above the law, on the other hand, are made to feel how this is not the case.
Beyond the shock values of the high fines for noncompliance, the GDPR is actually just a lot of common sense. The regulation says that you’re not allowed to record and store random data about people just because you find it amusing in general (or profitable in general) to do so; however, you are free to store any data required to do business with existing or potential business partners. As an example, a credit union would never need to ask consent to store their customers’ account balances, but they would need to ask consent if they were starting to record their customers’ choice of clothing when they entered the branch offices: this would be something that clearly isn’t required to perform the day-to-day business of a credit union.
Further, people are free to withdraw such consent at any time, which is a shock to companies that have been playing fast and loose with sensitive data up until now.
The “adequately protected” part of personal data storage is an interesting detail. While the GDPR doesn’t mention password policies per se, one reasonable interpretation of it is that allowing access to other people’s personal details merely by authenticating with a username and static password over the Internet is not sufficient protection of other people’s data. (However, a static password may be sufficient if it is only usable in a physically secure environment, and not remotely; there are sensible grayscales all over.) My own biggest open-source project, Swarmops, started requiring two-factor authentication to see other people’s personal details for this reason — or rather, it was a good opportunity to require something that should already have been in place anyway.
This phenomenon, “a good opportunity to require something that should already have been in place anyway”, is the feeling you get about a lot of the GDPR.
Surprisingly, a lot of companies would rather refuse service to European customers altogether, than to make the slightest effort to protect their data and have consent for collecting it. This would be one of the best ways I can think of to pop up a huge red flag for privacy regulators worldwide. Such companies include Unroll, the service that unsubscribes you from spam mailing lists (and was later discovered to be selling the contents of your private email), but also sites like Los Angeles Times and some smaller newspapers — media sites that pride themselves on acting respectably, and then appearing to do the exact opposite today. There are even services that “help you block all European clients” for this reason (services which work poorly, if at all).
(Curiously, when I linked to that Twitter page, Twitter asked for my consent to keep all the contacts it had uploaded from all of my devices. I never gave any such permission, to the best of my knowledge. This is one example of what the GDPR means with “active and informed consent” — hiding something important on page 57 of Terms-and-Conditions written in a light gray 3-point Flyspeck font just isn’t good enough anymore, and more to the point, it never was good enough.)
This also means that companies that ask you for new personal data, citing it as a “GDPR requirement”, are trying to pull a very ugly fast one. They are required to ask your consent to keep existing data that isn’t immediately related to their business (they don’t need to ask permission for data that is required to maintain current business, such as the balance on your mortgage — but they would be required to ask your permission to store your leisure preferences, even if you’re mortgaging your home with them).
Regardless, expect a torrent of companies asking you for all sorts of consent in the coming days.
In the end, therefore, privacy still remains your own responsibility.