SP: “Hey, Webdom, do you know a good GDPR consultant?”
SP: “Can you give me her email address?”
I’m not going to get into the details of the mind-numbing array of things the EU’s General Data Protection Regulation (GDPR) requires to be in compliance. I’m not a lawyer and much of it is open to interpretation.
No, what I want to rant about is the fact that as of May 25, 2018, the provisions of the 2-year-old regulation are now enforceable.
I hear you saying, “So what? It’s an EU law, and we aren’t in the EU.”
You crack me up.
The new regulation is supposedly meant to protect EU citizens and their “personally identifiable information” (PII) that may be collected, processed, stored, and transferred online.
What the EU considers PII is much broader than what the US has generally considered PII. The EU insists that anything that could directly or indirectly be used to identify someone is included.
Personal data is any information that relates to an identified or identifiable living individual.
Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
So, how the heck is the EU going to enforce the myriad complex and heavily nuanced provisions of the law? Fairly and objectively.
OK, I couldn’t even type that with a straight face.
The EU provides this helpful information:
Stronger rules on data protection mean:
people have more control over their personal data;
businesses benefit from a level playing field.
Oh, good! Businesses are going to benefit!
Well, Uncle Sam wants to help make sure that US businesses are also going to benefit. The EU-U.S. Privacy Shield Framework is the mechanism by which the EU can impose their laws and regulations on US businesses and non-profits.
What’s that? Non-profits like the Glibertarian Foundation? Why, yes!
The U.S. Federal Trade Commission (FTC) has committed to work closely with the DPA (SP note: data protection authority in the EU) to provide enforcement assistance, which, in appropriate cases, could include information sharing and investigative assistance pursuant to the U.S. SAFE WEB ACT.
Indeed, one of the key provisions of the GDPR is increased territorial scope. Because of this, any website that “processes” any data from anyone in the EU must comply. Your business website may only ever have one visitor from the EU and if you set a web browser cookie for any reason whatsoever, you must meet the requirements of the GDPR. Seriously.
What’s the penalty for non-compliance?
Infringement: the possibilities include a reprimand, a temporary or definitive ban on processing and a fine of up to €20 million or 4% of the business’s total annual worldwide turnover.
Oh, and that fine is whichever is greater. No potential there for abuse or selective enforcement! But remember, this is not about grabbing money or controlling the world. Because the Forces of Evil said it’s not.
So, what are US businesses doing? Most have been working on compliance for a long time now and are falling into line. Nobody really wants to lose their European customers and site visitors, after all.
Except for a bunch of media outlets and businesses that apparently weren’t ready for the enforcement to start on Friday. But, the EU says, don’t worry! There will not be an effect on innovation or access. Oh, wait, other organizations have just decided not to bother complying, closing business segments or blocking access from European countries.
Here at Glib HQ, we’ve determined that we have only one European registered user. We’ll miss you Pie in the Sky!*
We all know who is making bank from the GDPR, as is usual from regulation: lawyers and politicians. On Friday, many lawsuits and complaints were filed against large American tech firms like Amazon, Facebook, and Alphabet. We can expect dozens more to be filed in the coming weeks, months, and, probably, years.
Does my disgust and cynicism mean I am anti-privacy? Hell, no.
I have many stylish and useful tinfoil hats, as you all know. I use VPNs, encrypted email, mask my phone numbers, block cookies, browse from different browsers and devices, use cash for everything I can, have a prepaid cell phone for certain uses. The list goes on.
What I am is anti-government intrusion and regulation.
Remember, kids, with the exception of this Glibertopia, “If the product is free, the product is me.” Don’t like what Facebook does with your data? Don’t use Facebook; but don’t insist your congress critter pass another law or allow the FTC to enforce a cumbersome and impossible-to-get-right regulation from across the pond. Individuals and their rights always lose when bureaucracy wins.
* Just kidding, Pie.