GDPR took effect on May 25, 2018. About 6 months have passed and we are starting to see some of the impact of the legislation. Read on as I analyze the impact of GDPR and tell my story of the Foodland Robot!


When I was a child growing up in southwestern Pennsylvania there was a chain of grocery stores (in PA and WV) named Foodland. In the 1980s, during my childhood, they had a mascot called the Foodland Robot. I loved going to the grocery store with my mother because I would get to hang out with the Foodland Robot. At the time it was the coolest thing, and one of my favorite memories is taking a picture with the Foodland Robot. If I can find it I will post it later.

In case you think I’m joking with you, here is a picture of the Foodland Robot and a link to its Twitter page.

So why am I telling you a story about my childhood experiences visiting the grocery store and hanging out with my robotic best friend? Back in the day people imagined a better life through technology: advanced AI systems and robots living among us and helping us, and great progress without many downsides. We yearned for science fiction to become science fact. However, just as software never turns out exactly like its initial design, the implications of a new technology are hard to grasp before you are faced with its manifestation.

Imagine the innocent glee of having your own personal robot help you out around the house, compared to the current reality of an Amazon Echo with Alexa always listening in your living room. That innocence fades, leaving conflicting feelings.

GDPR is a piece of legislation that has some of the same properties as software. It sounds great on paper as an idea, but the implementation might be buggy. It is too early to tell. For now we can simply analyze where we are and surmise what we can about the future.

Measuring the Impact of GDPR

“Data is the new oil. It’s valuable, but if unrefined it cannot really be used. It has to be changed into gas, plastic, chemicals, etc. to create a valuable entity that drives profitable activity; so must data be broken down, analyzed for it to have value.” –Clive Humby

Samuel Greengard contributed an article to this month’s (November 2018) Communications of the ACM. He details his analysis of the new regulation and presents some things to think about more critically. I want to add my commentary here.

Disclosure: I am a dues paying member of the ACM.

I am admittedly less familiar with GDPR than my friends across the pond. Its far-reaching implications are reason enough to pay attention and think. Already there are stirrings in several US states trying to pass their own data privacy laws, inspired by GDPR.

The Time Before GDPR

Prior to the start and enforcement of GDPR there was a series of high-profile, massive incidents involving personal data: the Equifax breach and the Cambridge Analytica data-misuse scandal, to name a couple. A growing interest in data privacy is prompting changes among citizens, businesses, and governments.

“Surveillance Is the Business Model of the Internet” —Bruce Schneier

The Internet runs on surveillance. That may be a harsh way of saying that content providers make their living by collecting your data, analyzing it, and selling it (or access to the audience it describes) to interested third parties. Combining an overall increased awareness of data privacy with the ongoing mishandling of so much personal data creates conflict. This conflict, simply put, is one between market forces and personal self-respect.

People lack control over how their personal data is collected, processed, and consumed.

The Intentions Behind GDPR

Personally Identifiable Information (PII) is under more scrutiny than ever before. The US and EU have very different views on data privacy. To generalize, in the US the collector of the data owns the data. We have long-lived copyright laws for creative works; however, the plethora of personal data collected at a scale never before seen presents new problems that those laws were not written for.

Consider someone following you around and recording your activities. They have broken no laws, and there is nothing to say that you are the owner of that information. The closest legal recourse you might have is stalking, but even that requires an element of harassment. Besides, your smartphone cannot face trial for stalking you. Without violating any law, anyone can photograph your comings and goings in public and largely do what they like with those pictures. Creepy? Yes. Illegal? No. This is how Google can send a van with cameras through your neighborhood, take pictures of your house, and show it on a map.

On the other hand, the EU takes the position that a person owns their data and that privacy is a fundamental right. The EU recognized first that this massive data collection is not without consequences. In economics there is a saying: “there is no such thing as a free lunch”. That concept applies here too. You pay with money, with your data, or by agreeing to receive advertisements.


I think our European friends realized first that our personal data has great value. Data breaches keep getting bigger, and they keep happening more often. Once the Internet of Things (IoT) is more mainstream I would not be surprised to see them grow larger and more frequent still. Personal assistants such as Siri, Alexa, and Cortana further drive the acquisition of personal data.

After GDPR

Now that the law has been in force for about 6 months, let us think about the impact. While it is still too early to judge, the right questions are surfacing. Over time we can reason about what works and what doesn’t to improve the situation.

Measuring Change

Another difference between the US and EU is the approach of opt-out vs opt-in. In the US the default is typically opt-out: data collection is on unless you take action to turn it off. Most people never change default settings, and this plays to the advantage of Google, Facebook, and other online players. Using their services carries implied consent to give up your personal data.

GDPR takes opt-in to a whole new level. As Greengard points out, “a company that violates GDPR could face a fine of up to 4% of its worldwide annual revenue from the previous fiscal year. The regulation also mandates consumers can remove themselves from a database at any time and take their data elsewhere—to a new bank, a new mobile provider, or a new content service”. In the regulation’s own terms, that 4% figure is the upper tier of administrative fines (the greater of €20 million or 4% of worldwide annual turnover), and the two consumer powers he describes are the right to erasure and the right to data portability.

Perspectives of GDPR Stakeholders

Various interested parties have differing opinions of the law. We are all players in the game, and our actions are based upon our underlying interests and feelings. Those in turn drive changes in behavior.

Each vested party plays to their own interests. These concerns are often in opposition to each other. I do not presume to know the perfect solution. However, knowing and understanding the various perspectives helps to reason our way forward.

Private Individuals

Private citizens in the EU appear more concerned with their data privacy than those in the US. I hope this changes. I do not know the best implementation of rules to enforce data privacy, but I would like to see us understand and care more about it. As it stands, people happily give away sensitive personal data to get a coupon or play a free game.

Corporations

Corporate interests focus on profiting from the data they collect. Breaches and abuses are undesirable, but they are secondary to that primary concern and treated as a manageable cost. Companies argue, as Greengard relays, “It is simply not possible to be 100% compliant. GDPR forces organizations to devote significant time and expense to comply with standards that are not consistent with the way business is done online”. To no one’s surprise, business favors self-regulation.

They are, however, right that changes to the risk landscape could make firms less willing to take risks and innovate. If enough people restrict the use of their personal data, then businesses will have to adjust their operations.

If Google, Facebook, and other online media companies were forced to change their business models to collect a fee instead of data, they would lose much of their value.

Online, the paid model often gains much less traction than the “free” pay-with-your-data model. Did you ever wonder why Gmail outages are fixed as soon as possible? It isn’t because you are paying and might sue for lack of service. It is because people using Gmail generate extremely valuable information that Google can harvest, analyze, and monetize.

Why do you think services from online companies are so highly available? It isn’t because of revenue from paying customers.

Government

Government may be well-intentioned, but it often lags far behind the private sector. Ideally, it is a neutral arbiter of justice and the law. The truth is that it is neither informed, equipped, nor savvy enough about the subject matter to be as effective as needed. This is most pronounced in cutting-edge technology and other abstract domains.

The presumption that some bureaucratic group of people estranged from your experience can dictate how you run your business is a fundamental problem. It is not so much a conflict of interest as a disconnect of responsibility. Therefore, when government regulates industry, we must be very careful that it does more good than harm.

The Future of GDPR and Data Privacy Legislation

The implications of GDPR are global. It remains to be seen how effective the data regulation will be. Reducing the misuse of personal data would be a good result. Giving people more control over their data and how it is used is a noble purpose.

However, many missteps may arise from GDPR. It is a very complex set of regulations, and much of it is intentionally vague. The courts will play a big role in interpreting the law. Striking a good balance is key to maintaining a peaceful coexistence between data usage and data privacy.

Organizations may need to keep separate customer databases: one for the EU and another for the rest of the world. The individual choice to opt in or opt out of a service can create problems for both the person and the business. If consumers reject the proliferation of PII collection in large numbers, companies may reach a point where they must change the nature of their business. How can they monetize services that people will only use if the price is paid in personal data? Perhaps organizations will pay consumers for their data, in cash or perks?

If business responds to GDPR the way it responded to Sarbanes-Oxley (SOX), we can expect compliance to be handled as a checklist exercise. But there is only so much we can spell out in law. The spirit of the law must be observed, and ethical considerations must be weighed. Otherwise it just becomes a set of rules to break and work around.

“When you look at groups like bio-ethicists and physicians, the starting point for discussion is how to do the right thing for society; it’s not about avoiding getting sued or how to sidestep legal and ethical provisions.”

–Greengard, Samuel. “Weighing the Impact of GDPR.” Communications of the ACM, November 2018.

Striking a Balance

How GDPR will play out is anyone’s guess. Ultimately, I think it is key to have a balance between data usage and data privacy. While I do not claim to have the answer, I think it is worthwhile to understand the various points of view and reason toward a common solution we can all accept.

Thanks for reading!

If you liked this post then you might also like: Privacy Policies and Guidelines – Diagnosis With No Cure
