In another week the GDPR, or the General Data Protection Regulation will become enforceable and it appears that unlike any other law to date this particular one has the interesting side effect of causing mass hysteria in the otherwise rational tech sector.
This post is an attempt to calm the nerves of those that feel that the(ir) world is about to come to an end, the important first principle when it comes to dealing with any laws, including this one is Don’t Panic. I’m aiming this post squarely at the owners of SME’s that are active on the world wide web and that feel overwhelmed by this development. A bit of background about myself: I’ve been involved in the M&A scene for about a decade, do technical due diligence for a living (together with a team of 8). This practice and my feeling that the battle for privacy on the web is one worth winning which has led me to study online privacy in some detail puts me in an excellent position to see the impact of this legislation first hand as well as how companies tend to deal with it.
First some context: Every company and every project or hobby ever has to be compliant with the law. Whether or not that is possible usually depends on what you are doing, your local legislative climate and, obviously, the law. So whether or not you are doing something for profit, as a hobby or making a few bucks on the side all the way up to a company doing billions in turnover with 10’s of thousands of employees does not matter. Compliance with the law is the norm. If you are doing business abroad then this means that you may have to be compliant with the laws of another country, and the web being as connected as it is this means there is a fairly high chance that your little domain will be impacted by the laws from multiple jurisdictions. For people from relatively insignificant (in terms of power in the rest of the world) countries this is not exactly news, they are already impacted by the laws from very powerful countries and so they are probably well adapted to this. For the inhabitants of large countries that so far have been able to ignore the laws of other places this is a new situation which may require some new level of understanding.
The easiest way to gain some of this understanding is to realize that you already have to be compliant with a lot of laws in order to be able to operate anything at all, even a lemonade stand comes with the following legal implications:
So, nothing is really simple but one more law added to the pile is also not going to be the end of the world. Because this article is not aimed at large enterprises and because I am not a lawyer (yes, that’s one of those annoying disclaimers) this article is not written in legalese, but there will be some terms from the GDPR that I will not be able to get around. These terms will be defined when they are first used, a search with your favorite, GDPR compliant search engine will usually give you more context than I can put in this article.
The first thing you have to realize in coming to terms with the GDPR is that ‘one law fits all’. The GDPR was written as a law to repair the lack of adherence to its predecessor, the DPD, the European Data Privacy Directive, which has had the unfortunate shortcoming of being a directive rather than a regulation. The effect of this - and the lack of teeth - was that it was mostly ignored by businesses. This is a recurring theme in our collective history: first there will be room to self regulate, if that does not work there will be a directive and if all that fails then finally there will be a law with penalties in case of non compliance. As the sign on the maps on billboards all over the world says ‘You are here!’. Now - in exactly 7 days - we will have a law come into effect that has some serious teeth and that you will - for a change - not be able to ignore.
So what form does the panic take? I’ve seen a lot of different kinds of it but most of it revolves around the a fairly limited number of themes that I will try to address one by one from the perspective of a small business owner in order to reduce the emotional levels to something more manageable. Getting these fallacies out the way before going into more detail about the kind of impact the GDPR does have is productive because it will allow us to concentrate in more detail on what actually matters.
- The GDPR is going to expose me to fines of up to 20 million Euros for even the slightest transgression
No, the GDPR has the potential to escalate to those levels but in the spirit of the good natured enforcers at the various data protection agencies in Europe they will first warn you with a notice that you are not in compliance with the law, give you some period of time to become compliant and will - if you ignore them - fine you. That fine will be proportional to the transgression. You can of course ignore the fine and then ‘all bets are off’ but if you pay the fine and become compliant you can consider the matter closed. The typical EU pattern in case of repeated transgressions on the same subject is increasing fines. This can get expensive quickly and most businesses tend to adjust their processes promptly once they have been fined the first time. The reason why I am sure this is the way it will go down is this is exactly how it has been done so far, every interaction with data protection authorities has followed the exact same pattern: warn, fine, increased fines. There are no known cases - though I’m willing to be surprised on this one, but none that I can find - where an entity was presented with a huge fine without first being given a chance to comply with the law.
Note that the 20 million Euros or 4% of global turnover is the maximum fine, the specific language is ‘a fine up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater’, so that’s the maximum of the fine that’s being set by the 20 million or the 4%, and this bit is there to ensure that even the likes of Facebook and Google will not simply ignore the law and pay the fine to be able to continue as they have so far. This in no way should be read as you, the small business operator will face a fine of 20 million for each and every infraction that could be found.
- The GDPR will enable anybody to be able to sue me, even from abroad
The GDPR does not have this effect, but you may be interested to know that anybody can sue you or your business for whatever reason strikes their fancy. This is a direct consequence of doing business and has nothing to do with a particular law. What the GDPR allows private individuals to do is to contact their regulators and to complain if you decide to ignore their requests. So if John Doe wants to have his data removed from your service and you tell him to get stuffed then John has the right to alert his regulator to the fact that you are probably not in compliance. If the data protection entity of John’s country feels the case has merit they will send you the letter mentioned above. If not you might never hear from them. The data protection authorities will function as a clearing house. If you feel this is selective enforcement then you should be happy about it for a change: by providing this clearing house function the burden of regulation will be substantially lower than it would be without and it will ensure that the public will not be able to use the GDPR to harass businesses, and they will allow the insertion of a bar to be met before action is taken.
- Fines will land without warning and will be draconian
No, fines will be proportional and will only be levied after a chance to become compliant has been given. This has been the case in all other EU law regarding privacy to date, this one will not be any different. The EU regulators see their job as ensuring compliance, not as creating a source of income.
- The GDPR will require me to deal with complaints/paperwork in 28 different languages
The text of the GDPR is available in English, a typical regulator will send you a notice in a language that you can understand. This goes for everything in the EU that has to do with the law, from traffic fines to copyright law and everything else. If the EU is good at dealing with something it is dealing with other languages. So the paperwork - if any - that you will receive will be in a language that you can read and if you can’t there will be an English translation available. Case in point: I got a parking ticket in Paris last year where my car was on the wrong side of the road on a particular day I’d parked there on Monday, apparently on Tuesday you have to park your car on the other side of the road and me being a stupid tourist I thought I was safe because everybody else parked there too. I received my ticket in the mail a few days later, with a French text, an English text, and - most surprising - a perfectly worded Dutch text complete with instructions on how to have myself represented in court if I wished to contest the fine and instructions for paying the fine if I did not want to contest it.
- The GDPR will require me to hire people and my entity is too small to be able to afford this
No, the GDPR will require you to assign certain roles to ensure that someone is in charge of privacy related stuff.
- Faceless bureaucrats will use the selective enforcement of the GDPR to stuff the coffers of the EU at the expense of foreign companies
The EU tends to use fines as a means of forcing a company into compliance. Companies that are large and that have large European holdings or that use the EU to avoid paying taxes rightly worry about this particular aspect, especially if they have constructed their business around massive databases of profiles on EU citizens. If this isn’t you then you can probably ignore this aspect of EU legislation. If you’re Mark Zuckerberg however I would definitely advise not to ignore this, however the chances of Mark reading this blog post are nil.
- The EU is over-reaching here, as a foreigner I should be free to just comply with my local laws and ignore the rest
As soon as you do business abroad you will have to comply with the laws of those countries. That’s maybe not what you were hoping for but this has always been the case. For physical products there are all kinds of entities that ensure compliance with the laws of other countries including rules for manufacturing, transportation, storage, ingredients - all the way back to the source - and so on depending on the context and nature of your business. For online businesses this has never been any different for instance you have to comply with copyright law, laws on online gambling, the DMCA and lots of other laws that are essentially local in nature (though copyright laws were harmonized long ago to make this easier).
- Processing all these end-user requests will be a huge burden
Then automate it. If you could automate the collection of the data in the first place then you definitely can automate the rest of the life cycle. There is no technical hurdle companies won’t jump through if it gets them juicy bits of data but as soon as the data needs to be removed we’re suddenly back in the stone age and some artisan with a chisel and hammer will have to jump into action to delete the records and this will take decades for even a small website. Such arguments are not made in good faith and in general make the person making them look pretty silly after all nobody ever complained about collecting data, in fact there are whole armies of programmers working hard to scrape data from public websites which is a lot more work than properly dealing with the life cycle of that data after it has been collected. So yes, it is a burden, no, the burden isn’t huge unless you expressly make it so but that’s your problem.
- This law was sprung on us, there is absolutely no way I’m going to be prepared a week from now
The law has been in effect for over two years at this point, and the DPD, the European Data Protection Directive has been in effect for over two decades. So no, this law was not sprung on anybody, though it is very well possible that you only became aware of it a few weeks or months (or days?) ago. If that’s the case do not panic, you too will most likely be fine.
- It is impossible to be compliant with this law
Well, this website is fully compliant with the law, so at least in this particular case it seems to work. Why? Because I don’t store any information about you. That’s a conscious choice on my part which I made long before the GDPR was even talked about in public. But if your situation is more complex then you too can be compliant, or at least - and this is key - you could try to be compliant. For instance, one oft heard argument is that no webserver (or even any internet service) is going be able to be compliant because all web servers log IP addresses, and IP addresses are PII. But that argument does not hold water. There are several reasons for that, the major ones being: webservers only log IP addresses if you configure them to do so. Almost all webservers have a formatting option that determines what exactly is logged and you could configure your webserver to not log the whole address but just the network portion. You also have the option to log the address and to disclose that you do so in your privacy policy, but then you will have to allow for the removal of that data on request, which you may find burdensome (or not, that depends on the volume of such requests). Finally, you may have a legitimate reason to log the IP address, provided you delete it after you are done with whatever use you collected it for in the first place. There is enough room in the GDPR to hold on to the address for 30 days with a possible extension of another 60 days after which an automated reply to the user can tell them their IP address was purged and you’d be in compliance. That’s one of the reasons why I think the GDPR is a surprisingly good law, most of the times when legislation is written that impacts technology the end result is absolutely unworkable, in this case most scenarios seem to work well for all parties involved.
- Becoming compliant with this law will cause my business to go under
I’m terribly sorry to hear that. But consider this: this law was written with the express purpose to rein in some of the worst violations of the privacy of EU citizens during their online activities. If becoming compliant with the law will cause your business to go under that is more or less the same as saying that your business is built on gross privacy violations. So if that’s your business model then good riddance to you and your company. However if that is not your business model then most likely you will be just fine.
- It’s not fair, I have no representation in the EU because I’m not from there, why should my company comply?
Because you wish to do business in the EU. For what it’s worth, there are plenty of laws that project across the borders of countries and harmonization of laws between countries means that people are not always aware of the fact that this is happening. The DMCA is a nice example. Besides that, privacy is a fairly hot topic and there is hope in privacy advocacy circles that the EU is lighting the way here and that other countries will likely follow its example.
The fact that you or your company do not have representation in the EU does not mean you get to ignore the law, if you could then that would mean an automatic disadvantage for others that do play by the rules. You ignore the law at your peril.
- I don’t want to end up being arrested for GDPR violations when I go on a holiday in Europe (yes, I really saw that one)
This is so far fetched it is comical. The EU does not operate that way, and besides, why would you wilfully break the law and continue to do so after you have been made aware of this? I’ve yet to hear about a single individual that was lifted from their bed in a French bed and breakfast during their well deserved holiday, but maybe you’ll be the first. If it happens let me know and I’ll come visit you in jail, I might even throw some bucks towards your defense fund. (Apologies for the flippant tone in this section but it really irks me, the only case like this that I’m aware of was the USA arresting one David Carruthers of <a href="http://betonsports.com" rel="nofollow">betonsports.com</a>.)
- My business can not be compliant with this draconian and burdensome law
In that case please shut down or do not serve EU customers. But be aware that (1) you are leaving a nice opening for a competitor and (2) you are probably doing something you should not be doing in the first place, in which I would say the law is working as intended.
- The law is so complicated, there is no way I could ever make sense of it
As laws come I was actually surprised by how easy it is to read it. It’s not particularly large, it uses mostly clear language and it usually (but critically, not always and this is a justified complaint) defines its terms. The biggest area where the lack of definition is annoying (but understandable) is when it comes to determining at what size company you need to take certain measures. I understand the complainers and I understand the lawmakers positions and this probably could have been handled in a more robust manner. But there are good reasons for doing it this way, as I hope to illustrate later.
- I can’t afford the risks associated with this law so I am shutting down/I will lock Europeans out
Ok. Bye. But make sure you really understand those risks and please understand as well that it may not be possible for you to lock Europeans out reliably enough to not have any exposure under the law and realize that there are lots of other laws that you are also exposed to that could cause you to be wiped out. This law is really no different than any others in that respect. The price of using the web as a world stage is that you effectively are interacting with the legal domains of every country that you do business with.
- I should be able to engage in a contract with my users that lets them opt out from this law so I can ignore it
For once the lawmakers saw what was coming and they actually repaired this before it became an issue. I suspect that the ‘cookie law’ debacle made them realise that companies have absolutely no scruples when it comes to things like this and will happily blackmail their users into consenting to something that they’d rather not consent to just to be able to participate in what is more and more unavoidable: online interaction.
- For large companies the burden is manageable, for small companies it is too high
From what I’ve seen in my practice over the last couple of years the burden is roughly proportional to three things:
- the amount of data you hold
- the number of employees in your company
- the kind of data you hold
In effect the burden of a large company holding vast amounts of sensitive data will likely be very large. The burden on a small company holding small amounts of non-sensitive data will be very low or even none.
- Nobody knows what the GDPR really means
The text is readily available, it is true that there are no meaningful certification programmes as yet but in time these will be available. In some ways this is a pity because it would be nice to be able to say ‘We’re compliant because we have a stamp of approval from such and such a certification authority’ but at the same time the lack of certification requirements actually goes a long way towards reducing the burden on small companies.
Anyway, you get the gist by now. Each of these misconceptions is like dry tinder in the hands of those that wish to have a good old GDPR bonfire inciting others to panic as well and in general does not really contribute to the discussion. As a rule the statements are either made by well meaning people who have not really done their homework or they are done by people whose businesses depend on being able to violate other people’s privacy and they are hoping that by stoking this fire they will be able to turn the sentiment against the GDPR, to play politics. And as we all know we are in a fact-free environment when it comes to politics nowadays so anything goes. With that out of the way let’s look at some of the actual impact of the GDPR, at what level your exposure most likely is and how - according to me - the future will play out.
… to be continued, hopefully on Monday …