By Mindaugas Kiskis
It’s been more than a couple of months since GDPR (the EU General Data Protection Regulation) came into force. The promise of giving the citizens back control of their personal data was brash and resonated with many of us, but apart from emboldening few data protection activists, the GDPR has not meaningfully changed the privacy status quo and hasn’t won us much control over our data.
Nobody likes interruptions in their daily routines and the GDPR compliance stood in the way. Implementations of the GDPR have further expanded ever complicated privacy rules, increased bureaucracy for the small businesses, but did it change much in how our data is processed?
The main promise of the GDPR — to give the citizens back control of their personal data — seems as distant as it was ever before. I would be happy if the GDPR would at least slow down data processing without my knowledge and by parties with whom I have no relationship, but I see no sign of this happening.
Data broker business is booming and growing by the day. Curiously, many data brokers seem convinced that they have a way to process our data under the vague “legitimate business interest” umbrella.
“Legitimate business interest” is one of the grounds for legal processing of personal data provided by the the GDPR, what it means is not clear, even though official explanations on the legitimate interests to process personal data under the previous rules (admittedly much simpler) span almost 70 small print pages.
Other data dealers are happy to remain in the shadows and manage risks by doing their business through corporate shells or from outside of the EU. The EU itself seems to have second thoughts about the extraterritoriality of the GDPR. The concessions in the leaked travaux préparatoires of the EU free trade agreement negotiations with third countries imply the willingness to limit the reach of the GDPR.
The overpromises of the GDPR were predicted by privacy scientists rather long time ago. But there is more to it. Bluntly put, the GDPR puts forward data protection as a surrogate of privacy — but is it?
In my opinion preoccupation with the nominal personal data, actually displaces real privacy. Who cares about privacy of their name and family name, or office held? Except to hide shady politicking and worse, majority of us are happy to consciously publicize it as much as possible. It’s wrong, impractical and disrespectful to assume the contrary.
There are dozens of situations when it’s actually socially undesirable to keep it private, yet it is zealously protected under the GDPR in exactly the same way as your shopping history or your family photos. Equally questionable are formal and bureaucratic prescriptions for better data protection — more documentation, privacy impact audits, formal training, etc.
Does anyone honestly believe that more paperwork will lead to more privacy? More security risks in handling of our data (say thousands of hand signed consents) are somewhat more likely, I’m afraid.
It doesn’t deliver what we need
Apart from the right to complain under the new rules and few marginal rights — which are primarily of interest to the corrupt and the criminal, like the right to be forgotten — the average data subject barely gained any new privacy through the GDPR.
A lone useful exception, allowing some control on our data, is data portability right. On the other hand, the government data protection overlords did gain vast new powers and discretion to rule on our data processing. Especially the well publicized powers to collect hefty fines in the tens of millions. No doubt the governments enjoy new powers, but how is this helping the little guy — the data subject — to be in control?
If you take a broader look at our privacy struggles, the GDPR looks completely removed from the things which give us control. There is no acknowledgement in the GDPR of the huge problem of compensating the damages to the individual, whose privacy is violated, and no acknowledgement of the difficulties in establishing such damages.
During the 30+ year tenure of the data protection (in Europe it started in 1980), many jurisdictions in the EU have not had more than a handful cases where actual damages were awarded, even for the gravest privacy violations. The existing awards are saddening, yet in the GDPR there is not even a consideration that statutory damages (prescribed minimum amounts) may be useful.
As paradoxical as it sounds, despite all the boldest promises, as well as constant data protection drum rolling, the EU values individual privacy much less than the US. In the US the nine figure damage awards for the privacy violations are not exceptional, but in Europe low five figures would be very lucky after long years of litigation.
All of this makes me wonder whether the GDPR is actually helpful for privacy? The extra pages of legal wordcraft in the Privacy Policies and consumer agreements, which makes them GDPR compliant, do not make us more private, but definitely make us less willing to read them.
The lack of personal indemnification is sure to increase the insecurity and privacylessness. And there is no mercy for the fainthearted, as the mandated individual notices about leaks of our data are guaranteed to keep us on the edge. Understaffed and underfunded privacy supervisors in many EU countries (especially in the less well-off EU members) are also not helping my privacy under the GDPR.
Nominal data protection isn’t privacy
A separate and open issue is how the not insignificant compliance costs will reflect on competitiveness of the European businesses, especially the smaller ones. Even tougher open issue is government’s own incursions into our private lives, which are for the most invasive parts left out of the GDPR (just recall the so-called data retention or mass surveillance, which was struck down by the highest judicial body of the EU, but goes on as if nothing happened at the country level). So much for the control promise.
At an individual level, the instruments to control one’s privacy are severely lacking, and the GDPR offers nothing more but the ability to ask and complain. We were able to ask, complain and sue for privacy long before the EU has started regulating the data protection.
Now we may complain or sue about violation of the new rules, but this is very poor substitute for the real control. Also, comprehending the GDPR and pursuing one’s rights through the supervisors and the legal system is only for the brave and well-heeled financially, read: not for the vast majority of us.
Technology, not the GDPR, in my opinion offers much better and much more accessible solutions to control our privacy, and it does not compel us to follow bureaucrats’ prescriptions. Whether you want private communication or serene internet browsing, technology solutions are already available. Technology will also allow us to control our consents, to opt in and opt out, or even monetize our privacy, if we wish so, and it is not for the government to restrict us.
While it may not have been intended, as a consequence of the GDPR, individual privacy is being reduced to nominal data protection, as if our basic data is more valuable than our private lives.
Privacy is about me as an individual and about my own individual choices and controls of my private life, not about longer legal texts, vague promises of more rights, which may be simply unenforceable for an individual, and even less about more bureaucratic privacy risk management.
Ironically, so far, the GDPR has helped few privacy activists to gain publicity, rather than privacy, in challenging the giant internet corporations. Now the technological solutions have an opportunity to deliver more privacy and control of personal data for the silent and more private majority.