Business

It has been a year since GDPR saved the mockery out of Silicon Valley, what's next?




Senate of Judge Department in March 2019 on GDPR and CCPA.
Photo: Alex Wong (Getty)

Is the world more private today than it was a year ago?

Get Out Streamers and Balloons: May 25, there is one year anniversary of the General Data Protection Regulation, which comes into force on the day of the world's major digital privacy legislation.

The law was hyped up to get into a roar. It has spent a lot of the last year in a whisper. However, the conversation promises to be higher soon.

"We see mixed results so that we have mixed feelings," said Estelle Masse, a senior political analyst at the Access Now privacy organization, to Gizmodo. "We had many expectations with GDPR. We believe it has a lot of potential for enhancing data protection rights. But the first year has been quite slow."

GDPR is the landmark regulatory regime designed to create and enforce digital privacy rights at a time when it feels As the internet – and the computer-savvy companies that deserve it – have long passed the law. The main weapon GDPR Wields are fines that in theory can reach up to 4 percent of the company's total annual revenue. Armed with GDPR, national privacy regulators in Europe would finally have the opportunity to shut down Silicon Valley's tech giants.

It was the point of sale. But around 144,000 privacy complaints filed in the past year have very few significant penalties.

"If you want to be more skeptical, the question is, does this whole activity actually make more privacy?" Said Omer Tene, vice president of the International Association of Privacy Professionals, an industry trade organization. "Obviously, the goal is not just to mobilize compliance and regulatory efforts, complaints and messages, but to actually result in better privacy for individuals on the ground. I think the jury is still on it. It is not clear at the turn of the year that corporate data practices are different or has changed. "

The European privacy non-profit" NOYB filed complaints on May 25, the very morning GDPR came in, "said Johnny Ryan, officer of the Brave browser. "We're still waiting for these complaints and surveys that came out of them to produce results. This is a slow-motion study."

The end result is moving towards more and better privacy? The answer is confused. Regulators and observers expect next year to be significantly higher than the last. We may not have to wait long to find out.

One of the most important privacy regulators in the world is Ireland's Data Commissioner, Helen Dixon. Most US tech giants have their European headquarters in Ireland for tax reasons, and therefore Silicon Valley falls in many ways under Dixon's jurisdiction.

Dixon's office "currently has 50 major surveys running," she told the US Congress earlier this month "which, as they conclude in the coming months, will serve to notice what is expected of organizations under the principles of transparency, justice, security and accountability. "

The surveys look at US internet holdings, including Google, Facebook, WhatsApp, Instagram, Twitter, Apple, LinkedIn and Quantcast.

Dixon predicted "significant" fines will be enforced this summer.

Earlier this week, Dixon opened its first GDPR survey against Google on the question of how Google and other ad technology companies handle personal tracking data from across the web. The inquiry looks at practices that are fundamental to ad technology. Google has denied anything wrong and says they are committed to comply with the GDPR.

Let's use our own website to illustrate the basic point:

When you go to Gizmodo dot com in your browser, you can understandably but naively think you actually only connect to Gizmodo dot com. On the contrary, you immediately connect to dozens of domains. In my last visit, I hit 50 different domains. It's the same with almost every major website for a simple reason: The ubiquitous advertising technology industry. Another phrase that summarizes them: Monitoring capitalists.

When you visit a site like ours – or almost all websites, there is really a lot of sensitive data about you sent directly to tens or hundreds of advertising agencies that again send data to thousands of advertisers who can then bid to show up their ad to the individual targeted, critics convincingly argue, none of the GDPR privacy protects it will enforce.

The information varies from details of your exact device, income, gender and age to what you read, your religion, sexual orientation, political support or health status. Your location, right down to exact latitude and longitude, can be packed right up with everything else. The next time you're seen – probably on the next website you visit or the app you are using – your unique ID follows you, so companies can build a long-term profile of everything you do.

For now, websites like ours and much of the entire advertising industry are in the wait-and-see mode. Our site operates on the basis of consent, and we, like most websites in our industry, do the best we can to keep up with the GDPR. But there are many open questions that only European surveys, enforcement and judicial decisions will answer in the coming years.

"Let's just remember where the verbs come from," said Johnny Ryan, the technologist who filed privacy complaints with Google that led to the new investigation. "It is an old pre-radio word. A farmer has a bag of seeds, the guy sticks his hand in and then throws them in the air and hopes it bears fruit. There is a quote request. It is not an article in the GDPR that this does not violate. "

It took a whole year of complaints to the GDPR authorities to launch a full request for the core of the advertising business that underlies Google and much of the free site. That's the pace we move on. And that's just advertising technology. Europe's regulators also plan to cope with technologies that are as large as connected cars, video surveillance, artificial intelligence, blockchain, and associated assistants. It is an ambitious and incredibly high peak to climb. The biggest privacy optimists believe that the ascent will be slow.

The basic causes of the slow pace are myriad. Under-resourced regulators reorganized and reprioritized for showdowns with some of the richest companies on the planet, a process that takes time especially when combined with an influx of thousands of complaints, data breaches alerts and data protection officer registrations. The complainants are technologically, legally and economically complex. The companies that handle personal information rarely provide voluntary basis, they are appealing in every corner. Due treatment is ice.

It has been a year of edification. With just a few exceptions, the data enforcement authorities are now finally seen as an opportunity to act. In Ireland, France, Germany, Belgium, and some other important European nations, regulators are now expressing enthusiasm for enforcement. Enforcement is what will ultimately make a fundamental difference.

GDPR has had some notable and immediate consequences. The global conversation about privacy has changed. So have the laws. As a direct result of GDPR, countries including Japan and Brazil passed GDPR-inspired privacy laws. India considers its own law. California's new Privacy Act, which comes into force in 2020, is a direct result of GDPR.

As a consequence of California's action, there is now infinite and unparalleled talk in Washington D.C. on federal privacy laws. If you want to talk about slow pacing, no one should expect the legislation to be so large that it will be sorted out and passed for at least two years when the 2020 presidential campaign is in the rearview mirror. Until then, Congress is effectively paralyzed.

In the past year, there have been a handful of important GDPR enforcements, far from a $ 57 million fine against Google from French regulators to bury privacy data on the use of user data. This is about 0.4 per cent of annual turnover. The company appeals to the decision.

"The idea that on May 26, 2018, you would get regulators bringing suddenly billions of dollars in fines against US companies, was never realistic," said Joe Jerome of the Center for Democracy and Technology. [19659005] There have been hundreds of minor fines from Regulators around Europe, but in most cases they have been for a few thousand dollars and charged smaller targets, Austrian regulators fined a $ 5,300 dealer for monitoring a public space without notice, and smaller businesses may also have a harder time to handle higher compliance costs, while the ultra-profitable Silicon Valley girls absorb the cost of battle.

It's just a glance in recent months in Silicon Valley to see that the winds have changed. Every major event, including Google's I / O and Facebook's F8, now presents privacy in a way that was previously unimaginable. After each new product announcement, companies take a blow to talk about n you have privacy features and promises. Silicon Valley leaders like Mark Zuckerberg, Sundar Pichai and Tim Cook have called GDPR style legislation to come out of DC. But a good deal of the talk is overblown marketing-speak intended to appeal to the change of public feeling, the actual details and influence are often less impressive. And, as a rule of thumb, American companies love to call regulations when they know there is an army of lobbyists who are actively preparing just the right, loop-hole-filled plan.

"Slowness is the nature of the beast. The right wheels branch slowly," said Tene. He expects this year to see the conclusion of major enforcement actions. After this, years of legal blows and appeals are inevitable.

"Even when technology companies are hit with billions of dollar fines, there's a pressure on the wrist," he said. "And I don't know if it changes underlying business models. It's not just the business model of a company, it's the whole internet. The way the Internet is built and the ruling economic model is not top of privacy. Change that requires basic and painful adjustments to how things have been structured. "

The past year has been dominated by attention-grabbing hypothetical. The range of potential billions of dollars worth of fines awaits. Facebook faces what could be a $ 2 billion fine in Europe for bad password security and a potential $ 5 billion fine in the US for privacy breaches. Ireland's expected "substantial" fines will hit companies all eligible for 10-fine – if that's the way the governor lands. It would then be the start of years long court battle.

Expect a bigger, taller and more influential year for GDPR's other go around the sun. But more importantly, expect a much longer global saga that will last many years before the fate of Internet privacy – including everything private about you being sent and sold globally at a glance – is determined.



Source link

Back to top button